The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.
1. What's your handle? Do you use more than one? Where did it come from / What's the origin story?
My usual handle is "defaultuser", but nowadays I typically just go with my name, "cindee". I chose defaultuser because I wanted a simple handle that people wouldn't think much about if they saw it - I just wanted to fly under the radar. As a pentesting professional, I prefer to use my name cindee.
What got you into cybersecurity? How did you get into pentesting specifically?
I've always had an interest in cybersecurity since back in the AOL days when phishing attacks were rampant using progs and I just needed working AOL accounts. That's where I learned to code and run servers for warez. My passion for IT led me to earn a degree in Computer Science and start coding in C# as an entry-level job. At the time, I didn’t realize there was an entire cybersecurity community being paid to hack applications and networks. After working as a programmer for several years, I started browsing Craigslist for new opportunities and stumbled upon a security startup willing to train me in cybersecurity while offering free home-brewed beer after work every day—I was sold. That was 17 years ago.
2. What exploit or clever attack are you most proud of and why?
Over the years, I’ve had many opportunities to test a wide variety of applications. The most interesting ones have been the banking applications, as they are extremely sensitive and store highly confidential information. The cleverest hacks are those that cannot be identified by an automated scan—only through manual testing. For example, I tested a banking app and discovered that it was passing the exchange rate parameter in the bank transfer request. By manipulating this exchange rate, I was able to transfer $1,000,000 to/from an account that didn't actually have this amount. I made $1,000,000 from an initial $100. In the end, this Fortune 500 client decided not to purchase the banking app after reviewing this vulnerability.
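The flaw described in the answer above, a transfer endpoint that trusts a client-supplied exchange rate, reduced to a runnable illustration. This is an added example, not the banking application or any code from the interviewee; the account numbers, balances, rate table and request body are all constructed, and the handler names `transfer_vulnerable` and `transfer_hardened` are hypothetical.

```python
"""Client-supplied exchange rate in a transfer request: the vulnerable handler beside a hardened one.
Added example with constructed data; not code from the application discussed in the interview."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_EVEN

# Constructed server-side rate table (assumed values, not real market rates).
SERVER_RATES = {("USD", "EUR"): Decimal("0.92"), ("EUR", "USD"): Decimal("1.087")}


@dataclass
class Account:
    number: str
    currency: str
    balance: Decimal


class InsufficientFunds(Exception):
    pass


class BadRequest(Exception):
    pass


def quantize(amount: Decimal) -> Decimal:
    """Round to cents the way a ledger would, so credited amounts compare exactly."""
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_EVEN)


def transfer_vulnerable(ledger: dict, req: dict) -> Decimal:
    """The flaw: the rate used to credit the destination comes straight from the request body.
    The source balance check still passes because only the debited amount is validated."""
    src, dst = ledger[req["from"]], ledger[req["to"]]
    amount = Decimal(req["amount"])
    rate = Decimal(req["exchange_rate"])  # attacker-controlled
    credited = quantize(amount * rate)
    if src.balance < amount:
        raise InsufficientFunds(src.number)
    src.balance -= amount
    dst.balance += credited
    return credited


def transfer_hardened(ledger: dict, req: dict) -> Decimal:
    """The rate is a server-side fact: it is looked up, never read from the client.
    Any 'exchange_rate' field in the request is rejected outright so tampering is visible in logs."""
    if "exchange_rate" in req:
        raise BadRequest("exchange_rate is not a client-settable field")
    src, dst = ledger[req["from"]], ledger[req["to"]]
    amount = Decimal(req["amount"])
    if amount <= 0:
        raise BadRequest("amount must be positive")
    if src.currency == dst.currency:
        rate = Decimal(1)
    else:
        try:
            rate = SERVER_RATES[(src.currency, dst.currency)]
        except KeyError:
            raise BadRequest("unsupported currency pair")
    credited = quantize(amount * rate)
    if src.balance < amount:
        raise InsufficientFunds(src.number)
    src.balance -= amount
    dst.balance += credited
    return credited


def make_ledger() -> dict:
    """Constructed two-account ledger: $100 in the attacker's USD account, empty EUR account."""
    return {
        "ATK-1": Account("ATK-1", "USD", Decimal("100.00")),
        "ATK-2": Account("ATK-2", "EUR", Decimal("0.00")),
    }


def run_attack(handler) -> tuple:
    """Send a $100 transfer with a tampered rate of 10000; returns (credited, destination balance).
    For the hardened handler the tampered field is dropped before sending, mirroring a client
    that simply never included it, so the legitimate path can be compared."""
    ledger = make_ledger()
    req = {"from": "ATK-1", "to": "ATK-2", "amount": "100.00", "exchange_rate": "10000"}
    if handler is transfer_hardened:
        req = {k: v for k, v in req.items() if k != "exchange_rate"}
    credited = handler(ledger, req)
    return credited, ledger["ATK-2"].balance


if __name__ == "__main__":
    print("vulnerable:", run_attack(transfer_vulnerable))  # $100 becomes 1,000,000.00
    print("hardened:  ", run_attack(transfer_hardened))    # $100 becomes 92.00 at the server rate
```

The point to carry into a test plan: any value that the server can derive itself (rates, prices, totals, fees) should be recomputed server-side and the client-supplied copy treated as a tamper indicator, not an input. A scanner will not flag this; it only shows up when you read the request and ask why the rate is there at all.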
3. What is your go-to brag when talking about your pentesting skills?
I honestly don’t like to brag about my pentesting skills, but if I had to choose one, it would be this story. We had a client who was hesitant about using our services to pentest one of their applications because they didn’t think it was necessary. We offered to poke around (unauthenticated) to see if we could demonstrate some weaknesses in the application. I started with the registration page, where you could enter a phone number and a 6-digit account number of a member to gain access to their account. I figured it should be easy to brute-force the 6-digit account number, but tying it to a phone number wouldn’t be as easy. I began by trying the phone number 111-111-1111 with account number 123456. That didn’t work, so I tried 000-000-0000 with 123456—and that did it. I gained access to account 123456 and, in fact, any account I wanted by using 000-000-0000 as the phone number. There was an audible gasp when we demonstrated the vulnerability over the call. It turned out they had a backdoor used for testing that the developer never removed. They eventually signed up for another pentest after we shared this.
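The leftover test backdoor from the story above, reconstructed as a small account-claim check so the failure mode is concrete. This is an added example, not the client's application; the member records, the magic phone value and the function names `claim_vulnerable`, `claim_hardened` and `accounts_claimable_with` are all constructed for illustration.

```python
"""Account-claim check with a leftover test bypass, beside a hardened version.
Added example with constructed member data; not code from the application in the interview."""
import hmac
from collections import defaultdict

# Constructed member records (hypothetical): 6-digit account number -> phone number on file.
MEMBERS = {
    "123456": "555-010-1234",
    "123457": "555-010-5678",
    "654321": "555-010-9999",
}
TEST_PHONE = "000-000-0000"  # assumed debug shortcut that was never removed before release
MAX_FAILURES = 5             # assumed lockout threshold for the hardened check

# Failed-attempt counter keyed by account, used only by the hardened version.
_failures = defaultdict(int)


def reset_failures() -> None:
    _failures.clear()


def claim_vulnerable(account_no: str, phone: str) -> bool:
    """The magic phone number matches every account, so knowing (or guessing) the
    6-digit account number alone is enough to claim it."""
    on_file = MEMBERS.get(account_no)
    if on_file is None:
        return False
    return phone == TEST_PHONE or phone == on_file


def claim_hardened(account_no: str, phone: str) -> bool:
    """No bypass path, a constant-time comparison, and a per-account lockout that caps
    the 6-digit brute force. A production fix would also replace this knowledge check with
    an OTP sent to the phone on file, but the lockout is enough to show the difference here."""
    if _failures[account_no] >= MAX_FAILURES:
        return False
    on_file = MEMBERS.get(account_no, "")
    # Compare even for unknown accounts so timing does not reveal which numbers exist.
    matched = hmac.compare_digest(phone.encode(), on_file.encode()) and on_file != ""
    if not matched:
        _failures[account_no] += 1
    return matched


def accounts_claimable_with(phone: str, checker) -> list:
    """Which known account numbers does a single phone value unlock under the given check?
    Stands in for the attacker iterating account numbers with the magic phone."""
    return [acct for acct in MEMBERS if checker(acct, phone)]


if __name__ == "__main__":
    print("vulnerable:", accounts_claimable_with(TEST_PHONE, claim_vulnerable))  # every account
    print("hardened:  ", accounts_claimable_with(TEST_PHONE, claim_hardened))    # none
```

When you see a registration or account-recovery form that accepts two identifiers, try the obvious sentinel values (all zeros, all ones, `test`, `null`) before reaching for a wordlist; a shipped debug path responds to exactly those. On the defensive side, the fix is a hard rule that test-only branches never live in the production code path, enforced in review and by a grep in CI for the sentinel values the team uses.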
4. Share a time something went wrong in the course of a pentest. What happened and what did you do?
There have been many incidents where the in-scope servers couldn’t handle the load of automated scans, which is concerning because if a simple pentest scan can take down a server, then anyone with a computer capable of running a basic tool could do the same in production. I always try to encourage our clients to allow us to test a non-production environment so that we don’t cause a DoS or tamper with production data, though I know that isn’t always possible. When we run into this issue, we typically stop the scans and note in our report that we did not perform a thorough automated scan on the application, opting instead for significant manual testing.
5. What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?
I use many tools during each pentest, and depending on the technology stack, those tools can vary. My favorite tool is Burp Professional. I’ve been using it since the beginning of my cybersecurity journey, and it has been extremely reliable, assisting me in my most interesting exploits. Burp Repeater, Intruder, and Collaborator make it incredibly easy to navigate, identify, and confirm exploits. There’s always an extension available for almost everything, and if not, you can easily create one yourself.
6. What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?
My favorite asset types are web and mobile applications. I enjoy exploiting application vulnerabilities, especially business logic flaws. Over the years, I’ve found that mobile applications tend to have more vulnerabilities, and exploiting them is quite exciting. It’s also fascinating to be able to visit a website without any provided credentials and bypass the login using SQL injection, command injection, or a default username/password to gain access to private data.
7. What advice do you wish someone had given you when you first started pentesting?
Take your time to learn and explore the application you are testing. Opt for a demo of the application if possible. The more you understand the application functionalities, the more interesting vulnerabilities you will identify—especially business logic ones. I believe many functionalities get overlooked when a pentester doesn’t fully understand how the application operates.
8. How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?
I think it’s important to make our customers feel that what they are doing for their security is a positive step. Just by reaching out for a pentest, they are taking a big step forward. I like to explain the positives before presenting the vulnerabilities—which they might view negatively—because it reinforces that they are proactively identifying and addressing issues. This approach helps improve their overall security posture moving forward.
9. What is your favorite part of working with a pentesting team? What about working on your own?
I enjoy collaborating with other pentesters because you can bounce ideas off each other and learn from one another. You also benefit from having a second pair of eyes when you’re trying to exploit an issue and are unsure if your approach is correct or if you’re missing something. It’s a lot of fun to work as a team and discuss your findings openly. One of the most enjoyable pentests I participated in was with a colleague, where we discovered command injection vulnerabilities in various pages of the application and API for a large client. We identified these issues during a code review and then spent our time finding additional instances in the API as well as bypassing the login. While working on my own gives me full control—and I do enjoy it—it’s just not as exciting as collaborating with a team.
10. Why do you like pentesting with Cobalt?
I really enjoy pentesting with Cobalt because of the collaboration with other team members. All the pentesters I have worked with here have been extremely patient and helpful whenever I needed it. They are highly skilled, and I feel that I’m constantly learning from them. Additionally, the support that I have received from the Cobalt staff is exceptional, making it a very enjoyable working environment.
11. Would you recommend Cobalt to someone looking for a pentest? Why or why not?
I definitely would recommend Cobalt and have already done so. Cobalt has an ironclad pentesting structure that makes me feel clients get the best bang for their buck when they sign up for pentests. With multiple pentesters working on the same project, you benefit from a wide variety of specialized skills, resulting in the best possible pentest for the client. This is my perception from working for different companies and reviewing previous reports. Cobalt pentests are also very thorough and maintain excellent, open communication with clients.
12. What do customers or the media often misunderstand about pentesters?
Customers and the media often have a skewed view of what pentesters really do. They might imagine pentesters as shadowy “hackers” who break into systems using flashy, cinematic techniques. In reality, pentesters are ethical professionals who operate under strict rules of engagement and legal boundaries to simulate real-world attacks in a controlled manner. They aren’t performing reckless “hacks” but are methodically identifying vulnerabilities, providing detailed reports, and advising on how to remediate risks. The media also tends to portray pentesters either as lone geniuses or as people who simply run automated scans and call it a day, which is also inaccurate.
13. How do you see pentesting changing in 2025 and over the next few years?
I believe artificial intelligence (AI) will play a major role in the future of pentesting, particularly with the increasing use of AI-driven tools for automating tasks like vulnerability scanning, pattern recognition, and phishing simulations. These tools will allow pentesters to quickly identify weaknesses and simulate more sophisticated social engineering attacks, including highly realistic phishing scenarios. AI-driven systems will improve the dynamic nature of attack simulations, enabling adaptive testing that mirrors real-world threats more closely. However, despite AI's capabilities, I believe human expertise will still be critical for handling complex vulnerabilities, refining AI results, and ensuring ethical use. As AI becomes more prevalent, pentesters will face new opportunities and challenges, including the risk of over-reliance on automated solutions and the need to stay ahead of adversaries also leveraging AI.
14. What’s your p(Doom)?
My p(Doom) is pretty high because AI is evolving at an unprecedented pace, and its accessibility means that even individuals with minimal expertise can now harness its power to launch sophisticated cyber attacks. The ease with which advanced AI tools can be employed for everything from crafting highly realistic phishing schemes to automating complex exploitation techniques is alarming, especially given the current regulatory vacuum. Without clear guidelines and oversight, there's a significant risk that these powerful technologies will be misused, leaving our critical infrastructure and sensitive data increasingly vulnerable to breaches.