.svg){kind=icon}
.svg){kind=icon}
The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished ethical hacker.
This month, we feature Mrityunjoy Biswas’ journey.
1. Can you tell us a bit about yourself and how you got started in penetration testing?
Back in my school days, I became interested in Cyber Security. I was intrigued by the stories of people who could earn rewards or swag for reporting security vulnerabilities to companies. I was determined to master the latest tools and techniques in this field. I threw myself into learning about security automation and participated in various bug bounty programs to test my skills.
At that time, I discovered my initial security vulnerability, an XSS vulnerability in Yahoo's Mail Box, for which I received a $10,000 bounty. This was my first reward in the cybersecurity field, and I was astonished. I could not believe that I had been given such a generous reward for my initial finding. This experience was thrilling and motivated me to pursue my passion for cybersecurity and penetration testing.
I used to actively participate in bug bounty programs offered by HackerOne and Synack. I have received recognition from top organizations, including over 300 companies such as Google, Yahoo, Mozilla, Twitter, Gitlab, Snapchat, Microsoft, Intel, and Valve. I am currently working as a Lead Pentester here at Cobalt and I have a strong passion for pentesting, with a track record of successfully identifying critical vulnerabilities.
2. What educational background and certifications do you have that prepared you for a career in pentesting?
I have completed my Bachelor's degree in Computer Science and Engineering and I worked together with my university professors on multiple academic research projects in the cybersecurity field during my undergraduate years and successfully published several research papers.
I have obtained the eCPPT V2 (Certified Professional Penetration Tester) as well as the eWPT (Web Application Penetration Tester) certifications by eLearnSecurity.
Currently, I'm now working on the OSCP and CREST certifications.
3. Walk us through your career journey as a pentester, are there any significant milestones or projects that stand out?
I started my career as a Pentester and I am fortunate to have discovered my passion for pentesting early in my career. I am delighted to be a member of the Cobalt Core Team. Here at Cobalt, the pentesters are highly skilled, collaborative and supportive, which has enabled me to expand my skills. I am a full time consultant, dedicating all of my time to Cobalt, which enables me to focus on the projects that are most appealing to me.
Working on different pentest projects at Cobalt has been another significant achievement in my career. Each pentest project presents unique challenges and makes every experience a noteworthy milestone in my career. It has provided me with the opportunity to continually learn and experiment with new exploitation methods across a wide variety of environments.
4. What are your go-to tools and techniques when conducting pentests, and why do you find them effective?
I am all about Burp Suite Pro along with several additional extensions such as Autorize, Param Miner, Reflected Parameters, Turbo Intruder, GraphQL Raider, JS Miner, and burpjslinkfinder, Logger++ among others.
I use Nmap, Nessus, nuclei, ffuf, dirsearch, sqlmap, MobSF, customized wordlists, Project Discovery Tools and fuzzing tools, depending on the specific use case.
Furthermore, I have created custom scripts and tools that automate the process of identifying interesting endpoints. My primary focus was on manual testing, which substantially improved the performance of the penetration testing engagements.
5. For individuals aspiring to enter the field, what advice would you offer in terms of skills development, networking, and breaking into the industry?
Become familiar with Linux, programming, Web, API technologies, and networking basics. I suggest that individuals who are new to the field of Cyber Security should consistently maintain a sense of curiosity and continue learning. Technology is constantly changing so it's really important for new people to stay on top of what's new and how things are done these days in the industry.
Gain valuable hands on experience through hackathons, Capture the Flag (CTF) competitions, and other opportunities to apply theoretical knowledge in real-world scenarios.
I would say networking is an invaluable asset in the cybersecurity industry. Engaging with the community fosters collaboration, knowledge sharing, and professional development. Attending conferences and events, and connecting with established cybersecurity professionals offers valuable insights and potential mentorship opportunities.
6. How do you approach client interactions during penetration tests? Are there specific communication skills that you find crucial for success in this aspect of the job?
The key to a good pentest is maintaining proper communication with the client. I actively communicate with clients to establish a well-defined scope for the pentest engagement.. This includes clearly outlining the targets and the scope of the work. This approach ensures that all parties have a clear and mutual understanding of the objectives and goals of the engagement.
Also, I make myself readily available to address client questions and concerns throughout the engagement. This promotes open communication and ensures a smooth testing process.
7. Can you share your experiences and preferences in terms of teamwork, communication, and coordination when engaging in pentests?
Teamwork is crucial for achieving outstanding results in penetration testing. Effective teamwork, clear communication, and efficient coordination, in addition to technical expertise, are necessary for successful completion of a penetration testing project. These soft skills play a vital role in the success of any penetration testing engagement.
Each member of the team typically contributes their specialized knowledge from various domains, enabling us to provide comprehensive assessments of the application from different perspectives.
As a pentest team lead, I always ensure that other pentesters must communicate with the customer during the testing process to ensure that everyone has a clear understanding of the goals and objectives. If the customer requests specific attention to critical functions, the pentesters must be aware of this.
I believe that a well coordinated team streamlines the testing process. This involves clearly defined roles and responsibilities for each member, ensuring everyone understands their tasks and completes the full coverage within the time.
8. Looking ahead, how do you envision the future of penetration testing evolving in 2024, and what do you believe will be the key challenges and opportunities in the coming years?
As time goes on, the use of artificial intelligence (AI) and large language model applications in the cybersecurity industry is expanding rapidly. In 2024, I think that pentesting will continue to grow and integrate more advanced technologies, such as AI and ML machine learning. Our workflows are already incorporating these language model applications, and they are becoming more prevalent in the cybersecurity industry.
We are already starting to use LLMs in our work, and this will keep happening for both attackers and defenders. Over the last years, researchers have found several vulnerabilities in these LLM applications. I think It's crucial for testers to stay updated on these models, understand their vulnerabilities, and know about different attack scenarios involving LLMs.
