David Wolf · Portfolio Use Case
DFIR response to Operation Aurora at Adobe and Google; criminal attribution for FBI wanted financial fraud cases; FBI cybercrime academy instruction.
Principal consultant at Mandiant during one of the most consequential periods in enterprise security history — deployed on Operation Aurora DFIR efforts at Adobe and Google, achieved successful criminal attribution in active FBI financial fraud cases, and trained FBI cybercrime academy agents on investigation techniques. Also conducted wireless security assessments and hardened enterprise wireless deployments.
Client
Mandiant (now part of Google Cloud)
Engagement Type
Full-Time Consulting
Period
Jan 2009 – Jan 2011
Role
Principal Security Consultant & Instructor
Focus Areas
Nation-state intrusion response (Operation Aurora), Digital forensics and evidence preservation, Criminal attribution and federal case support
The Context
Operation Aurora (2009–2010) was a series of sophisticated nation-state cyberattacks — later attributed to Chinese state actors — targeting Google, Adobe, and over 30 other major enterprises. It was a watershed moment that forced enterprises and governments to confront the reality of persistent, targeted intrusions at a scale and sophistication previously unseen in public discourse. Mandiant was at the center of the DFIR response.
The Challenge
Operating at the intersection of active nation-state intrusion response and federal criminal investigation demands an unusual combination: the forensic discipline to build prosecution-grade evidence chains, the technical depth to characterize advanced attacker tradecraft, and the communication skill to translate highly technical findings for both executive audiences and federal law enforcement.
What I Did
The Outcome
Contributed to DFIR response at Adobe and Google during Operation Aurora — one of the most publicly documented nation-state intrusion campaigns of the era.
Response
At two Operation Aurora victim organizations: Adobe and Google
Attribution
Of active FBI Most Wanted financial fraud subjects
Cybercrime
Academy instructor — trained federal agents on advanced cybercrime investigation techniques
Key Deliverables
Client
Mandiant (now part of Google Cloud)
Engagement Type
Full-Time Consulting
Period
Jan 2009 – Jan 2011
Role
Principal Security Consultant & Instructor
Focus Areas
Nation-state intrusion response (Operation Aurora), Digital forensics and evidence preservation, Criminal attribution and federal case support
The Context
Operation Aurora (2009–2010) was a series of sophisticated nation-state cyberattacks — later attributed to Chinese state actors — targeting Google, Adobe, and over 30 other major enterprises. It was a watershed moment that forced enterprises and governments to confront the reality of persistent, targeted intrusions at a scale and sophistication previously unseen in public discourse. Mandiant was at the center of the DFIR response.
The Challenge
Operating at the intersection of active nation-state intrusion response and federal criminal investigation demands an unusual combination: the forensic discipline to build prosecution-grade evidence chains, the technical depth to characterize advanced attacker tradecraft, and the communication skill to translate highly technical findings for both executive audiences and federal law enforcement.
What I Did
The Outcome
Contributed to DFIR response at Adobe and Google during Operation Aurora — one of the most publicly documented nation-state intrusion campaigns of the era.
Response
At two Operation Aurora victim organizations: Adobe and Google
Attribution
Of active FBI Most Wanted financial fraud subjects
Cybercrime
Academy instructor — trained federal agents on advanced cybercrime investigation techniques
Key Deliverables
At a Glance
Focus Areas
Tools & Technologies
Public-Safe Caveat
Based on public professional record. Case-specific forensic findings, client identities beyond those publicly disclosed (Adobe, Google), active investigation details, and law enforcement case outcomes are omitted.
David Wolf
AI Security · Product Security · Security Leadership
Based on analyzed public signals, not proof of any individual's or company's internal state.
