Whiten Baker — About
About · Co-Founder

Drew Morana

Co-Founder, Whiten Baker. Forward-Deployed Engineer, Applied AI. A person who built a system that finds what vendors hide.

On The Record
Role: Co-Founder · Research Lead
Discipline: Offensive Security
Specialty: AI-Scaled Vuln Research
Platforms: All
Validity Rate: 100%
Based: Toronto, Canada

The Mythos Gap

A seven-layer system that closes 93 to 95 percent of the capability gap to Anthropic’s $100M Project Glasswing model, gated to roughly fifty firms. Built solo. In house.

94%

Community Service

Before the research.

Community work with Toronto Police Service 22 Division. Funded community causes. Hosted events in underserved neighborhoods.

Lakeshore Village Community Festival · 22 Division Community Response Unit

The Record · As Of Today

By the numbers.

165+ CVEs Filed: Filed or in active pipeline with MITRE across multiple vendors and ecosystems.
4,103 Silent Patches: Security fixes identified across nine major open-source projects with no public disclosure.
0.44% Disclosure Rate: The industry compliance rate we measured. The denominator is documented. The number is reproducible.
$7.16B At Risk: Assets dependent on infrastructure running known-vulnerable versions from a single finding set.
100% Validity Rate: Every finding submitted through verified platforms triaged as valid. Zero false positives on the record.
50+ Networks Exposed: Blockchain networks documented running vulnerable consensus code we surfaced.

Research.
Vulnerability Discovery
Platforms: All
Pipeline: MITRE Active
Validity: 100% Triaged
Filings: Ontario Securities

Verified researcher and Forward Deployed Engineer, Applied AI. Four zero-day vulnerabilities discovered in CometBFT consensus, exposing 50+ blockchain networks and $7.16B in dependent value.

The research is the foundation. Before the tooling, before the regulatory work, the question is always the same: can the bug be reproduced, and does the impact survive cross-examination. Nothing leaves the bench until it can.

  • 165+ CVEs filed or in active MITRE pipeline across multiple vendors and ecosystems
  • Four zero-days in CometBFT consensus engine, surfacing systemic risk across the Cosmos ecosystem
  • Documented vendor misconduct across nine-plus vendors: theft of findings, silent patching, evidence concealment
  • The only systematic measurement of vendor disclosure compliance run at this scale by an independent firm
  • Active regulatory filing with the Ontario Securities Commission

The Standard

Every finding undergoes a structured kill-loop with forced negative confirmation before submission. If it cannot be exploited, it is not a finding. If a triager would close it Informative, it is not a finding. Only what survives reaches the public record.

In-House Instrumentation

The tooling.

Three instruments built for the work no off-the-shelf platform was designed to do. The first sweep analyzed 4,121 patches across nine targets in under ten minutes.

Built: In House · Status: Operational · Surface: Nine Ecosystems · License: Proprietary

Detection at scale is the multiplier. A single researcher reading commits cannot find concealed patches across nine major projects in any reasonable timeframe. With the right instrumentation, the same researcher can do it in minutes and surface findings that human review would miss for years.

WB-01 · Operational

Ghost Patch Scanner

Detects silently patched security vulnerabilities at scale. Thirty-plus security signatures, NVD cross-reference, and automatic CVE draft generation.

4,121 Patches · 9 Targets · < 10 Min

WB-02 · Operational

Cascade Engine

Maps how a single vulnerability propagates across every fork, dependency, and downstream deployment. Generates disclosure notices and MITRE supplements automatically.

50+ Networks Tracked

WB-03 · Operational

Fork Drift Analyzer

Identifies where a fork has diverged from upstream security patches and quantifies the exposure window. First run flagged 13 forks. All 13 vulnerable. Zero patched.

13 / 13 Vulnerable

Where The Tools Live

These instruments do not exist anywhere else. They were built specifically for the work of detecting concealed disclosure failure at scale, and they remain proprietary to the firm's research engagements.

System.
Seven-Layer Framework
Framework: Seven Layer
Parity: 93 – 95%
Validated: Trail Of Bits

We designed and built a seven-layer scaffolding framework that closes 93 to 95 percent of the capability gap between general-purpose Claude Code and Anthropic's gated $100M Mythos cybersecurity model, restricted under Project Glasswing to roughly fifty organizations including Microsoft, Apple, AWS, and CrowdStrike.

Kill-loops with forced negative confirmation. Multi-pass hunting in isolated sessions. MCP tool integration spanning Semgrep, CodeQL, and sandbox execution. Orchestrator-pattern subagents. Persistent cross-session memory. Autonomous run loops with thirty-minute anti-wandering checkpoints. The model is not the moat. The system is.

Five of the seven layers were independently validated when Trail of Bits productized the same architecture in their public skills library. A solo researcher with aggressive scaffolding on a niche target out-finds a Mythos partner optimizing for breadth, because depth beats coverage when the target is neglected.

The Reference

Published reference document available on request: The Scaffolding Tax – Closing the Mythos Gap with Claude Code. Maps every layer of the framework against the public Mythos capability disclosures and against the Trail of Bits productized equivalents.

Regulatory Engagement

Where the teeth are.

The hallway between a finding and accountability is long. We walk it. Every filing, every regulator briefing, every expert testimony, begins here.

Ontario Securities Commission · MITRE CVE Authority · Expert Testimony

Most researchers talk to developers.

We talk to regulators.

That Is Where The Teeth Are

Engage

Get in touch.

Direct · Founder

Drew Morana

For confidential briefings, regulatory cooperation, expert advisory, and media on the record.

General Inquiries

The Firm

For engagement requests, vendor accountability submissions, and routine correspondence.

Whiten Baker · Independent Security Research · Toronto, Canada