The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished ethical hacker.
1. Can you tell us a bit about yourself and how you got started in penetration testing?
It all started in 2015 when I began my Master's in Secure Software Systems at Imperial College London. This consisted of mostly theoretical modules such as Coding Theory, Cryptography, and Formal Software Verification Techniques, designed to prepare you for a PhD. While the path of academia was not for me, I was still fascinated by these courses and always hoped I could use some of that knowledge at my job.
2. What educational background and certifications do you have that prepared you for a career in pentesting?
During my career, I had the opportunity to obtain multiple security certifications: CREST CRT, OSCP, OSCE, OSWE, OSEP, and GXPN. The most relevant and my favorite was the OSWE - Advanced Web Attacks and Exploitation. I love doing white box tests and code reviews and this was just what I needed to improve at what I do.
3. Can you walk us through your career journey as a pentester? Are there any significant milestones or projects that stand out?
Right after university, I joined a consulting firm as a junior penetration tester and worked on a variety of engagements from web testing to social engineering to red teaming. Five years into my consulting career, I switched to work in application security.
This switch was a crucial step in becoming a better security engineer. I felt I finally found my niche and could start developing targeted knowledge on my way to becoming an application security expert. I could see what production code actually looks like, perform code reviews on real applications, and most importantly understand how a vulnerability looks from a developer’s perspective.
4. What are your go-to tools and techniques when conducting pentests, and why do you find them effective?
I like to think that in general, I am quite tool-agnostic. I feel it’s better to understand the technique and then find the right tool to achieve it, rather than have a collection of tools that I cannot master. Of course, I use Burp Suite like everyone else; however, I do think there is a secret weapon that helps push security findings to the next level. That is code-assisted pentests. In my opinion, the ability to follow the codebase alongside pentesting activities is a superpower that will always yield impactful findings with real value. Not all customers provide that, but when they do, a static analysis tool will work wonders to help you find those interesting source-to-sink paths. I started by using CodeQL and stuck with it. Writing custom CodeQL queries is also a great way of finding those exotic code execution bugs we all look for.
5. For individuals aspiring to enter the field, what advice would you offer in terms of skills development, networking, and breaking into the industry?
Don’t be afraid to go deep. Remember how I said I always hoped to use some of my academic knowledge in my day to day? Several years after university, I had the opportunity to test a custom syntax compiler. It is not something I would normally encounter during a standard pentest, but having that extra bit of deeper knowledge gave me the confidence to approach this complex project.
I do not think there is one path to break into the industry that is better than others. Groups of people come from development, others from academia, and others from Bug Bounty. Feel free to choose your path, take it at your own pace, and stick to it.
6. How do you approach client interactions during penetration tests? Are there specific communication skills that you find crucial for success in this aspect of the job?
One of the aspects I consider to be crucial for a successful pentest is understanding what the asset you are testing means to the customer. Whether that is a web app, API or network resource, I always ask the customer what would be the biggest risk for them that could be uncovered during the test. Some customers don’t know and that’s okay. Commonly, they have a certain scenario in mind and this gives a good indication of their expectation from the engagement. It is then much easier to address those concerns and focus testing on what truly matters for them.
7. Can you share your experiences and preferences in terms of teamwork, communication, and coordination when engaging in pentests?
Collaborating with fellow security professionals is one of the best ways to grow. Watching other experts in action and exchanging insights provides a fast track to mastering new techniques and staying ahead of emerging vulnerabilities. It’s an invaluable way to deepen your knowledge and sharpen your skills in a rapidly evolving field.
8. Looking ahead, how do you envision the future of penetration testing evolving in 2024, and what do you believe will be the key challenges and opportunities in the coming years?
Mature development practices and modern secure-by-default frameworks make traditional pentesting more challenging and substantially more difficult to break into as a junior pentester. To continue bringing value, a pentester should direct their focus toward business logic and access control bugs. Those areas are developed by an actual person who is likely to make mistakes and are not automatically handled by the development framework.