Ing. · Software Engineer

Available for new projects

FrancescoBarbato

I design and build scalable full-stack systems, integrate cutting-edge AI models into real products, and secure infrastructures against modern threats. From architecture to deployment — end to end.

View Projects Get in touch →

~ francesco — zsh

barbato.sh — type 'help' to start

30+Projects

5+Years exp.

Top 10%HackTheBox

<24hResponse

About me

Engineer by trade.
Builder by nature.

I'm a computer engineer based in Italy with a deep interest in the intersection of software craftsmanship, artificial intelligence, and digital security. I care as much about how things are built as about what they do.

I started coding at 14, dissecting old computers and writing my first scripts to automate the boring parts of life. That curiosity never left. Today I build full-stack applications that scale — from system design to the last pixel on screen.

Over the past few years I've shifted a significant part of my work toward AI engineering: designing RAG systems, integrating LLMs into production workflows, and building the guardrails that make them actually safe to ship.

Currently

Building a RAG-powered analytics tool, and learning more about LLM evals on the side.

Cybersecurity is my second lens on every project. I approach each system as both builder and attacker — threat modelling, pen testing, and writing code that doesn't apologise for existing in a hostile environment.

Frontend

Next.jsReactTypeScriptTailwind

Backend

FastAPINode.jsPostgreSQLRedis

LangChainOpenAI APIRAGVector DBs

Security

OWASPPentestingLinuxCTF

The path so far

2019
Started shipping for clients
First freelance projects — small business sites, internal tools. Year one was about learning to ship, not to perfect.
2021
Full-stack at scale
Joined a product team building SaaS for European mid-market. Owned the auth, billing, and infra side.
2023
AI engineering
Shifted focus to LLMs in production — RAG pipelines, evals, and the unglamorous work that makes them ship.
2024
Top 10% on HackTheBox
Security stopped being a side interest. Active CTF player, offensive-security mindset baked into every project.
Now
Independent, 30+ projects in
Available for full-stack, AI integration, and security work. Response within 24 hours.

5+Years

5Roles

4Public-sector

1Independent

Public Sector
IT Collaborator — Chief of Department Staff Unit
Ministry of Justice (Ministero della Giustizia) · Rome
Working alongside the Head of Technological Innovation to drive digitalization and security of ministerial systems. Azure Global Administrator managing VPN, SharePoint and videoconferencing. Member of the International Digital Justice Working Group — coordinating EU-level projects including EPO, LEILA, EIO and e-evidence regulations.
AzureSharePointAI AutomationDigital Policy
Public Sector
Cybersecurity Analyst
AgID — Agency for Digital Italy · Rome
Security analyst within CERT-AgID protecting Italian Public Administration infrastructure. Analysed phishing and malware campaigns via sandboxing and IoC extraction, distributed through official threat intelligence feeds. Conducted threat hunting, forensic analysis and incident coordination across critical PA systems.
OSINTThreat IntelCERTMalware Analysis
Independent
Full-Stack Developer & AI Consultant
Freelance · Remote
Designing and shipping web applications, AI systems and automation workflows for companies, startups and professionals. Specialised in LLM integration, RAG pipelines, REST APIs and secure cloud deployments on Vercel, AWS and Firebase.
Next.jsFastAPIRAGDevOpsGen AI
Public Sector
IT Manager
Higher School of the Judiciary (SSM) · Florence
Selected as IT Manager for Villa di Castel Pulci, the SSM educational campus. Managed the full IT infrastructure — servers, VLANs, Azure domain, A/V and videoconferencing. Oversaw the classroom modernisation project as DEC and developed an AI-based user support module for the institutional website.
Azure ADNetworkA/V SystemsAI Support
Public Sector
IT Assistant
Ministry of Justice — DAP · Milan
Winner of the national competition for IT Assistant roles within the Penitentiary Administration. Supported 200+ users, managed second-level tickets and maintained ministerial applications. Designed VLANs, configured switches and participated in national Active Directory management.
Active DirectoryGPONetworkingSupport

Trust & Recognition

Public institutions,
independent founders.

I've been entrusted with critical infrastructure by Italian public institutions and EU working groups, and with full-stack product builds by independent founders. Same engineering standards, same security mindset — regardless of the logo on the contract.

Who I work with

Public

Ministry of Justice

Italian Government

Public

AgID — CERT Italy

National Cybersecurity

Public

Higher School of the Judiciary

Italian Judiciary

Public

DAP

Penitentiary Administration

Public

EU Working Groups

EPO · LEILA · EIO

Private

Startups & SMBs

EU, US, remote

Private

Independent Founders

MVPs & product launches

Private

Professional Services

Law, finance, healthcare

What I deliver

End-to-end web platforms

Production systems from architecture to deployment. Auth, billing, infra, observability — the parts most projects underestimate.

From €8k · 4–12 wks

AI integration & RAG

LLMs that actually ship: evals, guardrails, retrieval that retrieves the right thing. Built to survive the boring parts.

From €6k · 3–8 wks

Security review & hardening

Threat modelling, code review, and pentest of web apps and cloud infrastructure. Findings you can act on, not a 60-page PDF.

From €4k · 1–3 wks

Digital transformation advisory

For organisations modernising legacy stacks. Strategy backed by hands-on engineering, not slides.

Day rate · retainer

01 —

Scope & clarity

30-min call, scoping doc within 48h, fixed price or T&M — your choice.

02 —

Build in the open

Weekly demos, shared repo, decisions documented as we go.

03 —

Ship & stay

Production handoff, 30-day stabilisation window, retainer if needed.

Selected Work

Institutional systems.
Indie products. Both.

A curated set of work across full-stack engineering, AI and security. Most projects are under NDA or private to clients — get in touch and I'll walk you through what's relevant to your case.

Filter

11 projects

Writing & Research

The thinking behind
the work.

Long-form writing on cryptography, AI security, prompt engineering and the systems I build. Not deliverables under NDA — public research and analysis, free to read and share.

ResearchCybersecurity

12 min read2024

Understanding hashing algorithms: MD5, SHA-1 and SHA-256 in production security

What it covers

3AlgorithmsMD5, SHA-1, SHA-256

5+Attack vectorscovered in depth

1Migration guidestep-by-step

Context

Most development teams integrate hashing libraries without understanding the threat-model differences between algorithms. The result: legacy systems still relying on broken MD5 and SHA-1, silent data integrity failures, and no practical migration framework. The risk is especially severe in authentication flows and document verification pipelines.

Approach

Conducted a deep-dive analysis of cryptographic hashing properties — collision resistance, pre-image resistance and avalanche effect — across all three algorithms. Mapped each to real-world attack scenarios including rainbow tables, length-extension attacks and GPU-accelerated brute-force. Produced an architecture guide for integrity verification in modern API and storage layers with a step-by-step migration path.

Takeaway

The article gives engineering teams a reusable decision framework for algorithm selection — when SHA-256 is genuinely needed, when SHA-3 should be considered, and what to do with legacy MD5 in existing systems. Includes an actionable migration checklist.

SHA-256MD5CryptographyIntegritySecurity Architecture

Read the full article

AnalysisAI & Prompt Engineering

18 min read2024

The art of prompting: how to query AI models effectively and engineer the perfect prompt

What it covers

40+Prompt patternsdocumented & tested

6Task categoriesend-to-end coverage

20+Worked examplesbefore / after

Context

Most people interact with AI models the same way they'd type a Google search — vague, context-free, one-shot. The result is generic output that requires extensive editing, misses the actual need, or confidently produces plausible but wrong answers. Teams adopting AI tools without a prompting framework see low return on the technology investment and growing frustration with model reliability.

Approach

Researched and systematised the core principles behind effective prompt engineering: role framing, context injection, chain-of-thought elicitation, output format constraints, few-shot examples and negative prompting. Tested patterns against real workflows — content production, code generation, data analysis and document summarisation — iterating against measurable output quality benchmarks.

Takeaway

A practical playbook of 40+ reusable prompt patterns across six task categories. Each pattern includes the structure, when to use it, when not to, and concrete before/after examples. Designed as an onboarding guide for teams new to AI tools.

Prompt EngineeringLLMChain-of-ThoughtFew-ShotAI Workflow

Read the full article

ResearchAI × Security

22 min read2025

Biometric systems and deepfakes: attack vectors, detection strategies and how not to be fooled

What it covers

5Attack vectorsanalysed in depth

3Detection layersevaluated

1Mitigation mapprioritised framework

Context

Deepfake technology has outpaced the biometric authentication systems most organisations rely on. Face verification APIs, liveness detection layers and voice authentication endpoints — all originally designed for fraud prevention — now face adversarial inputs generated by consumer-grade tools in minutes. The gap between what organisations believe their biometric systems can detect and what they actually stop is growing faster than most security teams realise.

Approach

Analysed five major deepfake attack vectors against biometric systems: face-swap injection, replay attacks, voice cloning, GAN-generated synthetic identities and 3D mask spoofing. For each vector, mapped the specific failure modes of current detection approaches — passive liveness checks, texture analysis, frequency-domain anomaly detection — and evaluated the state of the art in adversarial-robust biometric pipelines.

Takeaway

A structured threat landscape view identifying which signal combinations (frequency artifacts, physiological micro-signals, temporal consistency) are hardest to simultaneously spoof — and therefore most worth investing in. Includes a prioritised mitigation framework for high-stakes deployments.

DeepfakesBiometricsLiveness DetectionGANAdversarial AI

Read the full article

BuildFull-Stack × Game Dev

Build log2026

Royal Chess: a full-featured chess game with Minimax AI, luxury dark UI and complete rules — built in Next.js 15

What it covers

10+Chess rulescastling, en passant…

8Eval tablesone per piece type

0UI librariespure CSS + Tailwind

Context

Building a fully playable chess game from scratch — without a game engine or UI library — means implementing every rule correctly (castling, en passant, promotion, stalemate, threefold repetition), designing an AI opponent that is responsive and genuinely competitive, and doing all of it within a React/Next.js stack while maintaining a design quality that matches commercial chess applications.

Approach

Built a single Next.js 15 application with TypeScript end-to-end. chess.js handles rule enforcement; a custom Minimax algorithm with alpha-beta pruning (depth 3) and eight piece-square evaluation tables drives the AI bot. Zustand manages all game state — board position, timers, move history, captured pieces, promotion flow — as a single source of truth shared across every component.

Takeaway

A fully deployable, production-ready chess game live at royalchess-tau.vercel.app. Complete rule set, per-player 10-minute countdown timers with pause/resume, scrollable SAN move history, pawn promotion dialog, material advantage display, and a dark-gold luxury aesthetic built entirely in CSS with no animation libraries.

Next.jsTypeScriptchess.jsZustandMinimaxAlpha-BetaGame Dev

Read the full article

FrancescoBarbato

Engineer by trade.Builder by nature.

Started shipping for clients

Full-stack at scale

AI engineering

Top 10% on HackTheBox

Independent, 30+ projects in

Public institutions.Private clients. One trail.

IT Collaborator — Chief of Department Staff Unit

Cybersecurity Analyst

Full-Stack Developer & AI Consultant

IT Manager

IT Assistant

Public institutions, independent founders.

Ministry of Justice

AgID — CERT Italy

Higher School of the Judiciary

DAP

EU Working Groups

Startups & SMBs

Independent Founders

Professional Services

End-to-end web platforms

AI integration & RAG

Security review & hardening

Digital transformation advisory

Institutional systems.Indie products. Both.

Chatbot AI — SSM

Digitalizzazione Capri

Open Source AI Chatbot

Audio/Video Transcriber

GPT Compiler — FormAutoGPT

Impresa Sostenibile AI

Il Diritto Vivente

Zendata AI

Centro Ester

DF Barber Shop

Street Barber

The thinking behind the work.

Understanding hashing algorithms: MD5, SHA-1 and SHA-256 in production security

The art of prompting: how to query AI models effectively and engineer the perfect prompt

Biometric systems and deepfakes: attack vectors, detection strategies and how not to be fooled

Royal Chess: a full-featured chess game with Minimax AI, luxury dark UI and complete rules — built in Next.js 15

Got something complex to build?

Engineer by trade.
Builder by nature.

Public institutions.
Private clients. One trail.

Public institutions,
independent founders.

Institutional systems.
Indie products. Both.

The thinking behind
the work.

Got something
complex to build?