About Us

Subgraph is an open source security company.

This means we believe that open source offers the best possible assurance of security at a time when trust is increasingly challenging.

Subgraph takes its inspiration from the domain of cryptography where proprietary algorithms are never trusted, and extends this principle to software.

If a proprietary algorithm cannot be trusted, why trust proprietary, closed-source security software?

  • Subgraph OS
  • Vega Web Vulnerability Scanner
  • Orchid Pure Java Tor Client Library

Meet our Team

The founders of Subgraph have deep roots in the world of open security research. They have run major forums for open discussion and collaboration in the security research community, contributed to widely used open standards, and built commercially successful security technology. Subgraph is the product of this combined experience.

With over 50 years of combined experience in information security and software development, Subgraph's team is committed to making secure and usable open source computing available to everyone.

David Mirza Ahmad

David has over 10 years of experience in the information security business. He began his professional career as a founding member of SecurityFocus, which was acquired by Symantec in 2002. David also moderated the Bugtraq mailing list, a historically important forum for discussion of security vulnerabilities, for over four years. He has spoken at Black Hat, CanSecWest, AusCERT and numerous other security conferences, and has contributed to books, magazines and other publications. David also participated in a NIAC working group on behalf of Symantec to develop the first version of the CVSS (Common Vulnerability Scoring System) model and served as editor for the Attack Trends section of IEEE Security & Privacy for over three years.

Bruce Leidl

Chief Technical Officer

Bruce has been developing innovative network security software for the last 15 years at companies such as Secure Networks, Inc., Network Associates (now McAfee), SecurityFocus (acquired by Symantec), and Core Security Technologies. As a security researcher, he has published several vulnerability advisories, including an exploitable heap overflow in the TCP reassembly component of the Snort IDS. Bruce was also a principal developer on the open source Netifera platform.

David McKinney

Principal Developer and Pentester

David McKinney has over ten years of experience in the security industry, specializing in application security. During this time, he has contributed to the Symantec Internet Security Threat Report and a number of papers about the threat landscape covering subjects such as attack toolkits and the underground economy. He also moderated the Bugtraq mailing list while working at Symantec. He is presently contributing to Vega, developing Subgraph OS, performing penetration testing, and conducting security research at Subgraph.