GeistHaus

https://hackerasks.com/rss

rss
15 posts

Posts

From Developer to Smart Contract Auditor

Hi Carlos! Could you tell us a bit about yourself and your current role as a smart contract security auditor at Sigma Prime?

I’m just doing what I was doing before, but now I’m getting paid well :D

I could explain my job with lots of complex, fancy words if I wanted to, but basically, my job is to read code and think about whether it's doing something unexpected.

The fancy way: I review and test distributed software systems to assess their use case reliability and sustainability, in order to provide protection against exploitation risks by malicious counterparties or accidental actions.

Cutting the fanciness — as of today, most of the cybersecurity work in Smart Contracts is just reading code and thinking creatively about what could go wrong.

  • Which input could I use to get more money than I should?
  • How can I interact with the network to take advantage of the public data blockchains have?
  • What happens if I call this function first and then another one?

In general, I mentally fuzz test the code and debug it. We also write some tests, and if the bug isn’t “too obvious,” we code Proof of Concepts (PoCs) to showcase the issues.

Furthermore, in between audits, I have some “free time” which you’re supposed to use to learn new technologies, attack vectors, etc.

Outside of that free time, I’d say the work distribution looks like this (though it varies from review to review):

  • 5% writing tests and PoCs
  • 10% writing up the issues
  • 75% reading code and thinking

How did you get into smart contract auditing?

I was already into blockchain development for a year, and two years into software in general. I dropped out of Uni in my second year because Spanish university is — allow me the intensity of the phrasing — inefficient as f*ck. So I started learning faster and better with free resources online.

It just happened that one of the guys I followed because of the quality of his teachings (Patrick Collins) launched CodeHawks, his company’s competitive audits platform.


And I was like, wait a minute… I can get paid for reading code? Omg — no more hours and afternoons debugging and testing the same code, and I even get to see different code every 3 weeks?? (intellectually stimulating). No way, I gotta check this out.

So I started participating in CodeHawks, and then checked out other competitive platforms like Code4rena, Sherlock, and Cantina. I built my skills and CV and then started applying to some companies. Sigma Prime accepted me the fastest — and here I am now.


For those unfamiliar with what competitive auditing is:

  • A company puts X$ as rewards for people who find bugs.
  • They give you a time constraint — 1 week, 3 days, 1 month…
  • If someone finds and submits a valid bug, the money gets distributed among those people.
  • It’s like a traditional bug bounty program but with a time constraint and gamified to attract more people, since the X$ is usually given for sure, no matter how many bugs or how severe they are.

What advice would you give to an aspiring smart contract auditor?
  • IT IS HARD. Don’t fall for the marketing strategies of these companies showing you big numbers. A super, super small percentage of people actually make that kind of money. You can read more about the numbers in a short article I wrote (available via Google Drive or download below).
PrivateVSPublicAudits.pdf (94 KB, download)
  • It takes time. There are people who make it in 6 months — but that is not the norm. Most people take years of constant practice (like I did). The marketing was toxic for me and many others. I felt like a loser, like I couldn't do this. But yes, you can. That same marketing affected even one of my teammates — who now is also making good money at another company.
  • Keep pushing. Consistent effort is most likely what you’ll need. Some of you reading this might be those geniuses who find stuff super quick — congrats to you, can we swap brains please? xd. But still, we can all reach expert levels with practice.
  • This is a skill, not a gift.

As for learning resources — Owen Thurm’s advanced auditing tutorials and Cyfrin Updraft (Co-founded by Patrick Collins) are the best out there right now.

This question (and getting asked for advice so often) made me realize I should just make a tweet thread for beginners — a hub with all the advice posts I’ve made.

I'm creating this tweet as a hub to re-direct here all people asking for advice.

All these tweets/articles have a mix of: Resources to learn + Advice + Inspiration.

- [How much to work every day?]:https://t.co/aZGKMojHYe

- [A remix of: mindset, advises, motivation and… pic.twitter.com/MDO1k6Kv7p

— 0xCharlesCheerful (@carlos__alegre) April 24, 2025

What auditing tools do you recommend? Have you utilized AI at all in your role?

I’m a ChatGPT basic guy — I pay 25€/month for it and that’s enough for now.

Finding issues with AI? Not valuable ones in contests. Everyone will find what AI finds. In private audits, automated tools and bots (like AST analyzers — not really AI) are useful though.

Some automated tools — not AI, but useful: Slither, Aderyn, etc. Check out my friend Deivito’s auditor toolbox. It’s a Docker container packed with useful Web3 auditing tools.

AI is currently useful for:

  • Searching for and digesting info
  • Improving the write-ups of audit reports

AI is NOT useful for:

  • Reasoning on top of smart contracts — it's horrible at that, at least for now.

I’ve been trying Claude too — and in my experience, it reasons better than GPT when it comes to code logic. But still, I don’t think it’s worth paying for both, so I’ve stuck with GPT for now.

I’ll probably explore this more when I get some research/free time at work — which is amazing to say. I get paid to learn, be curious, and keep leveling up my knowledge. I truly feel like I’m dreaming. xd

How has being active in the blockchain community impacted both your personal and professional life?

Allow me again the intense wording: it’s been crazy good — the impact this community has had on both my personal and professional life.

Before all this, I felt alone. Now I don’t. I’ve found people who are curious like me, people who question things, who seek to thrive — not just in coding or cybersecurity, but in life.

This industry is full of passionate, curious people who genuinely want to improve the world. To some extent, we share values that are hard to find all together in one person nowadays — drive, curiosity, freedom, community, creation.

It’s given me balance and responsibility. I can’t just party three times a week like I did back at uni xd. But now I’ve got money, freedom, wisdom… and all just from doing something that comes naturally to me: asking questions. This time, about software and code.


I’ve been lucky, yeah — but also, I went for it. I chased it with restless, consistent effort. People say success is where luck meets hard work — and yeah, I think that’s true. I’ve lived that.

Honestly, the impact has been the same on both sides — personal and professional. I found something that matches my attitude toward life and where my natural skills actually fit. That alignment has changed everything. I'm now happier and less stressed than I’ve ever been, this kinda vibe: https://i.kym-cdn.com/entries/icons/original/000/038/426/unboth.jpg

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?
  • Dancing
  • Hanging out with friends — just talking or doing some activity like ping pong, pool, laser tag, whatever we come up with
  • Parties — especially if I can dance xd
  • Training calisthenics and flexibility outdoors in parks — sometimes I climb a tree too xd
Lastly, where can people connect with you or follow your work online?

My X account is more focused on the security side: @carlos_alegre.

Though sometimes I talk about my philosophy and life project: "Cheerfulism".

Summed up, it’s a philosophy that granted me success — and I think it can help people build utopia societies. Ambitious as f*ck — that’s why it’s a life project xd

Feel free to hit me up on X. I don’t have much time, so maybe all I can do is redirect you to the hub tweet I mentioned above. But hey, maybe I’m a bit more free and can answer more than expected — like in life, go for it.

Good luck to all readers — and if you’re just starting, even more luck to you! Have a nice day. :D


Wrapping Up

Thanks for reading! We are always looking to improve the platform and love receiving feedback from readers. Feel free to send a message on LinkedIn or Twitter.

We sell mugs and comfy clothing guaranteed to please your inner hacker. Check it out at https://shop.jasonturley.xyz/

Breaking Into Identity Management and Podcast Hosting with Saman Fatima

Hi! Can you introduce yourself and describe your current role in cybersecurity?

My name is Saman Fatima, and I am a Senior Consultant at EY, currently based in Dallas, Texas. I bring five years of experience in the cybersecurity industry with a specialized focus on Identity and Access Management (IAM).

Educational Background
  • Master's in Information Security, Georgia State University, Atlanta (2022-2023)
  • Bachelor's in Engineering (Information Technology), Banasthali Vidyapith, India (2013-2017)
Professional Experience

Throughout my career, I have worked with two firms before joining EY, building a strong foundation in cybersecurity practices and developing expertise in Identity and Access Management solutions.

Current Role

In my position at EY, I leverage my IAM background while expanding into governance and compliance. I am currently supporting a retail client with their audit requirements, ensuring their security controls meet industry standards and regulatory requirements.

My role involves assessing access management frameworks, evaluating security policies, and providing recommendations to strengthen the client's overall security posture while maintaining compliance with relevant regulations and policies.

What’s your backstory and how did you first get into cybersecurity?

My journey into cybersecurity began during my undergraduate studies in Information Technology at Banasthali Vidyapith in India. While the curriculum provided a solid foundation in various IT disciplines, I found myself particularly drawn to security concepts and their critical importance in the digital landscape.

Early Inspiration

During my third year of university, I attended a cybersecurity workshop led by industry professionals that completely transformed my career trajectory. The workshop covered fundamental security principles, threat modeling, and basic penetration testing techniques. What resonated most strongly with me was understanding how security intersects with virtually every aspect of technology and business operations.

Career Entry Point

After completing my bachelor's degree, I secured an entry-level position at a technology services firm where I was initially assigned to general IT support. However, I actively sought opportunities to work on security-related projects, volunteering for tasks involving access reviews and security assessments. This initiative allowed me to gradually transition into a dedicated IAM (Identity and Access Management) role within the organization.

Professional Development

Recognizing the need for specialized knowledge in this rapidly evolving field, I invested significant time in self-study while gaining hands-on experience. After three years, I moved to my second company where I took on more advanced IAM responsibilities, working with enterprise-scale implementations.

Graduate Education

The practical experience I gained in the field highlighted both my passion for cybersecurity and the areas where I wanted to deepen my expertise. This realization led me to pursue a Master's degree in Information Security at Georgia State University, which provided advanced theoretical knowledge and research opportunities to complement my practical experience.

Current Trajectory

Following my graduate studies, I joined EY as a Senior Consultant, where I've been able to apply both my industry experience and academic knowledge to help clients strengthen their security postures, particularly in the IAM and compliance domains.

Throughout this journey, I've found that cybersecurity offers a perfect blend of technical challenges, continuous learning, and meaningful impact - protecting organizations and individuals in an increasingly connected world.

What advice would you give to someone aspiring to work in Identity and Access Management?

For those looking to build a career in Identity and Access Management (IAM), I would offer the following professional guidance based on my experience in the field:

Foundation Building
  1. Develop a strong technical foundation: Ensure you have a solid understanding of networking fundamentals, authentication protocols, directory services (particularly Active Directory and LDAP), and database concepts.
  2. Understand security principles: Familiarize yourself with core security concepts like least privilege, separation of duties, defense in depth, and zero trust architecture.
Specialized Knowledge
  1. Learn IAM frameworks and technologies: Study major IAM solutions such as Okta, SailPoint, CyberArk, ForgeRock, and Microsoft Entra ID (formerly Azure AD). Understanding how these platforms implement access management, provisioning, and governance is invaluable.
  2. Master federation protocols: Become proficient in SAML, OAuth, OpenID Connect, and other federation standards that enable secure authentication across applications and organizations.
Professional Development
  1. Pursue relevant certifications: Consider certifications like Certified Identity and Access Manager (CIAM), CISSP with IAM concentration, or vendor-specific certifications for platforms you're targeting.
  2. Bridge technical and business understanding: IAM sits at the intersection of technology, security, compliance, and business operations. Developing the ability to translate technical concepts to business value is crucial for success.
Practical Experience
  1. Seek hands-on experience: Look for entry points through security operations roles, help desk positions with access management responsibilities, or junior IAM analyst roles where you can apply theoretical knowledge.
  2. Develop automation skills: Learn scripting languages (PowerShell, Python) and understand API integration concepts to support IAM automation efforts, which are increasingly important in modern environments.
Career Growth
  1. Network with IAM professionals: Join communities like the Identity Management Institute, attend IAM conferences, and participate in webinars to build connections and stay current with industry trends.
  2. Consider the governance angle: As you progress, develop expertise in the governance aspects of IAM, including compliance frameworks, audit processes, and risk management methodologies.

The IAM field offers excellent career prospects as organizations increasingly recognize identity as the new security perimeter. By combining technical proficiency with business acumen and staying adaptable to evolving technologies, you can build a rewarding long-term career in this critical cybersecurity domain.

What are your favorite tools to use? Have you utilized AI at all in your role?

Favorite Security Tools

While I aim to maintain flexibility rather than strict preferences, certain tools have proven particularly valuable in my IAM and governance work:

SailPoint has emerged as my primary IAM platform of choice due to its comprehensive functionality across the identity lifecycle. Its robust capabilities for access certification, role management, and policy administration provide an excellent foundation for enterprise identity governance.

For governance frameworks, I find the appropriate tools vary significantly by organization. The effectiveness of governance solutions depends heavily on organizational structure, compliance requirements, and integration with existing security infrastructure.

My approach focuses on mastering core platforms while maintaining adaptability across various tools, as specialized knowledge across multiple platforms can be challenging to develop and maintain.

AI Integration in Security Work

My experience with AI tools began with ChatGPT and expanded to include Claude. Both have become valuable assets in my professional toolkit for several use cases:

  • Professional documentation refinement: Using AI to improve the clarity and structure of technical documentation, client deliverables, and security recommendations
  • Process automation: Developing scripts and automation frameworks with AI assistance
  • Research acceleration: Gathering information on emerging security threats and compliance requirements
  • Analytical support: Analyzing patterns in access data and identifying potential security insights

These AI tools have significantly enhanced my productivity by streamlining routine tasks and allowing me to focus on higher-value strategic work that requires human judgment and expertise.

The integration of AI has become increasingly valuable as security teams face growing demands with limited resources, though I always ensure appropriate validation of AI-generated content, particularly for sensitive security documentation.

How has being active in the cybersecurity community impacted both your personal and professional life?

Active participation in the cybersecurity community has significantly influenced my career trajectory. Being connected to this vibrant ecosystem has provided:

  • Enhanced Knowledge Exchange
  • Expanded Professional Network
  • Increased Visibility

My engagement with organizations focused on diversity in cybersecurity has been particularly rewarding.

BBWIC Foundation (Breaking Barriers for Women in Cybersecurity): As an active member, I've contributed to mentorship programs designed to support women entering the field. I have served as the Global Lead here and have conducted and been part of many amazing sessions to promote women.

Women in Cybersecurity (WiCyS): Through WiCyS, I've participated in both mentorship initiatives and technical knowledge sharing. The organization's focus on building a strong community of women in security has provided invaluable support throughout my career development.

These organizations have been instrumental in helping me find my voice in a historically male-dominated field while allowing me to support others on similar journeys.

Personal Impact and New Opportunities

The decision to actively engage with the cybersecurity community has yielded significant personal and professional benefits:

  • Mentorship Connections
  • Speaking and Leadership Opportunities
  • Recruitment and Advisory Roles

The cybersecurity community has become not just a professional resource but a significant part of my identity, providing both purpose and connection that extends beyond career advancement.

What has your experience as a podcast host been like?

Off The Record Podcast With Saman Fatima

  1. My experience as a podcast host has been incredibly fulfilling, especially since the podcast focuses on the lives of international students. This topic is particularly close to my heart, as it allows me to assist students transitioning from the comfort of their home countries to a new environment. Given that there are little to no podcasts addressing this specific demographic, I feel like I'm making a meaningful contribution by sharing real experiences and helping to build a supportive network for students.
  2. While I may not have initially been passionate about hosting, I certainly am now. Hosting the podcast has become a daily endeavor for me - reaching out to influential individuals, engaging in insightful conversations, and sharing those stories with a wider audience. It's an evolving journey, and I’ve truly come to enjoy the process.
  3. My advice for someone interested in starting their own podcast would be to simply go for it. You never know the impact you'll have on others. At first, growth may be slow, and engagement may be minimal, but over time, the podcast will find its rhythm. The most important piece of advice I can offer is to come up with a unique concept that will help you stand out and provide maximum value. And of course, consistency is crucial - stick with it, even when progress feels gradual.
Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

Outside of work, Pilates has become a key part of my routine. It's made a significant positive impact on both my body and my mental well-being. The physical transformation has been remarkable, and it's also been a great way to unwind. Additionally, attending regular classes has allowed me to meet many new people, which has further enhanced my social life. Overall, Pilates has been an essential practice that helps me maintain a balanced and healthy lifestyle, benefiting both my mental and physical health.

Lastly, where can people connect with you or follow your work online?
From Sales to Senior Cybersecurity Consultant: Ryan's Journey

Hi! Can you introduce yourself and describe your current role in cybersecurity?

I’m Ryan "Roll4Combat" Bonner, and I currently work as a Senior Cybersecurity Consultant at ProCircular. My role primarily involves penetration testing and providing strategic guidance to help organizations enhance their security posture. I do web application, mobile pentesting as well as internal and external assessments.

What’s your backstory and how did you first get into cybersecurity?

My journey into cybersecurity started at the beginning of the pandemic. I was working a mix of marketing and sales jobs, but honestly, I just wasn’t happy with where I was or where my life seemed to be heading. I knew I needed to make a change, and for some reason, I got it in my head that I wanted to go to school to become a welder. I didn’t know much about it other than what I remembered from a high school class, but the idea of working with my hands and building something real really appealed to me.

While I was figuring that out, I spent a lot of time on Twitch since I’m a big gamer. One day in September 2020, I stumbled across this guy streaming cybersecurity stuff. He was talking about hacking and how much fun it was. I started asking him a million questions because I’d always been into computers, building my own rigs and messing around with programming (even though I was terrible at it). I’d even spent months trying to teach myself to code on Twitch, but hacking felt like a whole new level of cool and really sparked for me.

From hanging out in that streamer’s chat, I met some awesome people who invited me to join their Discord server. We’d play CTFs together, stay up way too late talking about cybersecurity, and just geek out about tech. It became my escape after long days working as a mover. I mentioned my welding plans to them, and they were like, “Hey, you clearly love computers, give cybersecurity three months and see how you feel.”

That’s all it took. I dove in, and within weeks, I was hooked. Hacking turned out to be the perfect mix of creativity and problem-solving.

What advice would you give to an aspiring penetration tester or bug bounty hunter?

I would say to really stay curious and embrace that you’re just going to fail so much more often than you succeed in both pentesting and bug bounty. I would also say that engaging and interacting in the communities can help you out so much more than you ever think, so be willing to go out, be uncomfortable and shake hands and meet everyone you can.

Recommended Resources

Special shout out to Jason Haddix and his Bug Hunter's Methodology Live course. It has helped me tremendously in my cybersecurity career and I'd highly recommend it to anyone looking to get started in offensive security or bug bounty.

The Bug Hunter's Methodology Live course

Additional resources I recommend:

I love web apps, so big shout out to Critical Thinking Podcast if you want to get deeply technical web app hacking information.

Critical Thinking Bug Bounty Podcast
What are your favorite tools to use on an engagement? Have you utilized AI at all in your role?

I think since I love web applications the easy one to say is Burp Suite Pro, but besides that one I’m a massive fan of using https://www.jswzl.io/ — it's really expensive but it helps so much when going through client-side JS.


I use AI every single day that I’m testing and learning. I have it open on my phone and just have back and forth communications about what I’m seeing / what I'm thinking and how I might be able to take better approaches to what I’m hacking or clarify one of the millions of things I may not understand perfectly.

How has being active in the infosec community impacted both your personal and professional life?

Being part of the cybersecurity community has been so rewarding!

It allowed me to put myself out there and get in contact with some amazing minds in the industry. It has allowed me to work with people like Jason Haddix, Daniel Miessler and Justin Gardner. I have to reiterate how important connections have been for me.

Surround yourself with the smartest people possible, have conversations, and volunteer to help out. I currently help Jhaddix run his classes for Arcanum and that actually led me to getting the job I have now!

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

Outside of work, I’m an active boxer. I also love spending time with my two rescue Weimaraners, Koda and Daisy. They’re still in training, but they’re a big part of my life now. I am also an avid hunter and shooter.

What is the origin of your handle?

Nothing terribly interesting. I think my original name was ‘badatcomputers’ but I felt I needed a name change a couple years back. I was getting ready to play my first session of Dungeons & Dragons and players always say things like “roll for initiative” and "roll for x". So I was like, whatever, Roll4Combat it is - it sounds cool and it has stuck.

Lastly, where can people connect with you or follow your work online?
How Community and Curiosity Turned a Software Engineer into a Penetration Tester

Penetration Testing · Women in Cyber

Hi! Can you introduce yourself and describe your current role?

My name is Makayla Ferrell. I currently work as a penetration tester for a leading government contractor. I perform penetration tests, red teams, and vulnerability assessments on government systems. These tests can range from physical assessments to web applications to networks with over 10,000 hosts. I like to joke that as an ethical hacker, I can hack the government and not get arrested.

What’s your backstory and how did you first get into cybersecurity?

During my first summer of college, I did like most computer science majors and applied to all the internships I could. I got an internship as a cybersecurity analyst for a credit union in my hometown. I was doing mostly firewall rules, SIEM reporting, and some inventory management. I did not find the work interesting and decided cybersecurity was not for me. However, I did meet some great people and obtained my Security+ during the internship.

During sophomore year of college, I received the DOD SMART scholarship. As part of the scholarship, the DOD pays for your education and in exchange, you agree to work at your matched DOD facility after graduation. I requested and was matched as a software engineer with the Army Software Engineering Center. My work focused on programming embedded systems and web applications. During my time as a software engineer, we had regular code reviews and penetration tests. I was interested in how the security team found vulnerabilities and decided to do more research into cybersecurity. I found BlackGirlsHack, which is an amazing nonprofit that helps people get into cybersecurity. They sponsored me to go to DEFCON and introduced me to more cybersecurity professionals. At DEFCON, I participated in a few big CTFs, and realized that I enjoyed the problem-solving of hacking more than I enjoyed programming.

Luckily, you can easily move around at the Army Software Engineering Center, so I requested to switch to our penetration testing team. I started with writing scripts for the team and helping to automate their process. It was an easy way to use my programming background while I learned more about the penetration testing process. After scripting and shadowing a little bit, I became a penetration tester. 

How has your software engineering background benefited you in your current role as a penetration tester?

One of the things I learned during my transition into cyber is how much cybersecurity is left out of the computer science curriculum. Most programs don’t include secure coding courses, so as a programmer, you are taught to think about efficiency and passing test cases but not security. Code reviews on most development teams focus on efficiency (i.e., time and resources). If I were a programmer now, I would write way more secure code because I have been exposed to security training, but the everyday programmer has not. I hope this changes in the near future, but I always keep it in mind in my penetration tests.

I think my background in software engineering provides me with more perspective and things to think about during a penetration test because I know how a programmer would approach an issue. When doing a pentest, especially on new systems, I always think about what I would do if I was a programmer just trying to make it work efficiently to pass a peer review. Once I have thought about that, then I think about how that would create security flaws. For example, a developer trying to update customer data will just call the update API and not think about whether to sanitize the data or authenticate the user again.

🗣️As an attacker, thinking like a developer always helps me find new ways to test and discover vulnerabilities.
Makayla and her cheerleading team volunteering at Toys For Tots

In my opinion, aspiring penetration testers do not need to learn to code or computer science fundamentals. However, they should learn a scripting language and understand how to execute commands like PowerShell. I think the more knowledge, the better, so if they have the time and are interested, then 100% go for learning to code and computer science fundamentals. However, if I were an aspiring penetration tester, I would get a firm grasp on a scripting language like Python and make a port scanner before I would learn to code applications or learn Dijkstra’s algorithm.

I have noticed an overlap between software engineering and penetration testing, but I think it is role-specific. I was in an application security role that did a lot of manual code reviews and pre-production tests, so I would use my programming background a lot. However, in my current role, which is not specific to application security, I very rarely see the overlap.

What advice would you give to an aspiring penetration tester?

My main advice would be: 

  1. Join a community! BlackGirlsHack was the main reason I made the transition into cybersecurity. They introduced me to amazing people who helped advance my career, free certification programs, and job referrals. Find a cybersecurity community that aligns with you. There are many great ones out there! The people you meet in these communities are likely in a similar position and can help support you through your journey. These communities also have mentors who can offer even more personalized support. 
  2. I always say TryHackMe before HackTheBox. I think it's better to start with a guided introduction than to do HackTheBox and feel defeated because you couldn’t get a flag. I would recommend doing some walkthrough TryHackMe rooms or a learning path, then doing a CTF room in TryHackMe and reading the writeups only when you get stuck. Then when you feel comfortable, test your skills in HackTheBox. 
  3. Don’t cram for the certification. The information from the certifications will be useful so try to really learn the material rather than cramming and forgetting it a week after the exam. They really do use those questions in interviews. 

As for certifications I recommend, I think eJPT is often forgotten about, but it is a great beginner certification with detailed course material. Actually, all of the eLearnSecurity exams are very realistic, in my opinion, to things you might encounter in a pentest, and the relaxed time frame compared to OSCP makes it more accessible for people just starting out. 

What are your favorite tools to use on an engagement? Have you utilized AI at all in your role?

My favorite tool to use for engagement is Burp Suite. It’s so powerful! Other than Burp Suite, EyeWitness, BeEF, Nuclei, and Cobalt Strike are my go-to tools. EyeWitness is a tool to screenshot a large group of webpages and create a report to easily see what's on each of the webpages. This is especially helpful for large pentests when you probably don’t have time to check each individual host to see what kind of webpage it is. BeEF is an exploitation framework where you can inject a hook.js script into a webpage and then have a persistent callback from the user's browser. If you have an injection vulnerability, BeEF can raise the severity and is a lot of fun to use. The hook can be used for a bunch of stuff, like turning on a user's webcam or logging their traffic. Nuclei is a web application vulnerability scanner with templates for common vulnerabilities. It's a very useful tool on a web application test, and saves a lot of time. Cobalt Strike is another great and powerful tool, but it has a learning curve if you are used to Metasploit.

As for physical tools, a WiFi Pineapple and a Hak5 rubber ducky can get you very far. If you have ever heard a security professional say, “If you leave a USB on the ground, someone will pick it up and plug it in,” sadly, that is true. Especially if you put the company logo as a sticker on the USB.

I use AI mostly for writing reports and finding flags for Linux commands. When I am not sure of a good remediation recommendation or which flags will give me the desired output, ChatGPT is great for coming up with those. Unfortunately, I cannot use AI for much more than that, because of my work with the government. 

How has being active in the infosec community impacted both your personal and professional life?
Makayla teaching at a community event

Being active in the InfoSec community has helped my professional life through networking and learning from others. I have learned many new methodologies or exploits from being active in the community. There are so many different ways to reach the same goal in hacking, and learning other people's approaches is always interesting. Most of the open-source tools I use are from someone at a conference or CTF who shared their tools with me.

Being in the InfoSec community has also given me a lot of opportunities to advance my career. It has given me speaking opportunities, the chance to coach a CTF team for a community college, and access to certification programs I never would have known existed. 

It has helped my personal life by showing me there are more diverse people in the profession than I see in my workplace. At the Army Software Engineering Center and at my current position I am the only woman on my team. Meeting other women in the field through the infosec community has made it so much easier to feel like I belong in my workplace.

Congratulations on earning your advanced computer science degree from Georgia Tech! What inspired you to pursue this degree, and how was your experience in the program?

I was a peer tutor and teaching assistant in undergrad and loved it. I was also in an undergraduate program with very few women or people of color in the teaching staff and computer science graduating class. I decided to become a professor in the future, so I could help the diversity gap and make computer science more accessible for people like me. Since I was a DOD SMART scholarship recipient, I had to start working after graduation and needed a part-time graduate school program.

I was accepted into two MS in Computer Science programs: Columbia and Georgia Tech. The deciding factor that pushed Gtech over Columbia was the class offerings. Georgia Tech has AI for robotics, natural language processing, machine learning for trading, and so many other interesting electives that I was able to take as a part-time student. It was also considerably cheaper.

🗣️If I were to give any advice to a working professional thinking about going to school, I would say to make sure you pick something that interests you so that when it’s been a long day, you look forward to doing the course work as opposed to it being a chore.

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

I love robotics. I have a bunch of robots that I have built around my house. I have a spider named Spidey, and he actually understands commands in ASL using a machine-learning model I built for one of my graduate classes. 

Spidey

I teach programming and robotics to middle school and high school girls through BrownGirlsCode.


I love traveling. I’ve been to over 25 countries, and have lived in the UK for a bit. My favorite places are Switzerland because skydiving over the Swiss Alps is beautiful, and Thailand because I love elephants. 


I am currently re-learning Mandarin Chinese and meeting with a group to practice twice a week. I originally learned Mandarin in middle school and then stopped speaking it until a few years ago. I am currently preparing for the HSK5 exam.

Makayla attending a Mandarin language exchange

I was a cheerleader in college, and after graduation, I wanted to keep performing, so I auditioned to be a professional cheerleader for the Baltimore Blast soccer team. I was a professional MASL cheerleader for two seasons and had a fantastic time. Now, I am retired from cheer and regularly attend dance classes for fun and to stay active.

Lastly, where can people connect with you or follow your work online?

My LinkedIn: www.linkedin.com/in/makayla-ferrell

My IG: makayla.ferrell


Wrapping Up

Thanks for reading! We are always looking to improve the platform and love receiving feedback from readers. Feel free to send a message on LinkedIn or Twitter.

We sell mugs and comfy clothing guaranteed to please your inner hacker. Check it out at https://shop.jasonturley.xyz/

From Carpool Lines to Command Lines: A Mother's Journey to Pentester
Penetration Testing · Women in Cyber
Hi! Can you introduce yourself and describe your current role in cybersecurity?

Hi, I’m Jen and I am a pentester and a senior consultant on the offensive security team at Deloitte. We are called “Adversarial Simulation” and the team conducts penetration testing and red teaming on clients in the commercial sector.  

I have been in the offensive security field for less than 5 years. Deloitte is my 2nd employer within it. So far I have experience in infrastructure pentesting including Windows Active Directory and a fair amount of web application testing. Lately, I have been focusing on infrastructure pentesting on a large financial sector client, and learning as fast as I can on AI; both in terms of its vulnerabilities as well as what it can do to augment current pentesting methodologies. 

I really love the field and am constantly upskilling and trying to learn more than I did yesterday. If offensive security was not challenging, I would find something that was. 

My motto is: Learning is my drug. The cybersecurity field is my dealer.

What’s your backstory and how did you first get into cybersecurity?

I think my story will challenge every kind of stereotype. I did not grow up as a ‘hacker’ and we didn’t have a computer at home. I was a band kid and a straight A student. My mother was a calculus teacher and my father was an engineer, so I guess I was protected from the weird biological imperative our culture has that “women don’t like math”. When I went to college at the University of Michigan, I chose Electrical Engineering because that major offered the most math. 

Upon graduation, I was interested in biomedical engineering and the United States Air Force offered compelling opportunities in that field at the time. I took a risk and got my commission. I really enjoyed my time in the military. Later on, I met my husband and he and I were having difficulty getting stationed together so we opted to leave military service, and found work in San Diego. My career transition out of the military was not smooth, and the new job was a poor fit. I knew I needed a different career, but I did not know what.

We then had 3 kids in 5 years, all planned. All 3 boys are neurodiverse which was unplanned. Someone needed to pay attention. This type of thing is not in anyone’s career plans. We couldn’t really afford for me to quit my job but we couldn’t really afford not to. So I quit. After a long while, the kids were doing okay and I was looking for something else to do. The boys were in middle school by then. It had been so long since I’d worked … and I had forgotten the person I used to be.


There still was not some grand plan to be a hacker. I was making peoples’ lunches and driving carpools. My resume was as good as blank because of the career gap. I had done so much volunteering, I got a community award and my picture in the paper, but I knew nobody would hire me as an engineer of any kind. I knew I had to start over from scratch. I did not know anyone who had gone back to work in a technical field after a career break like mine. For that reason, I did not think I could do it, so I set my career sights very low.

I decided I’d work at the help desk at the school district because I had done so much volunteering at the boys’ school, I thought they’d at least hire me for $20 an hour and it sounded like fun to fix things. I did not want to spend any money. After the A+ class though, I kept taking IT classes because the learning made me weep, as weird as that sounds. I was so happy. I realized I had been starving. I mean, I was terrified most of the time and felt like a total impostor, but I was also starving to death. It was like I was in a hot dog eating contest. I kept getting certs; as soon as the class was over I’d take the dumb test.

I had zero interest in security. I took the Security+ class as a filler because I had time before the CCNA class started. I knew nothing. The professor announced a CTF, the National Cyber League. I said, “I can’t do it, I don't know what that is, I am not supposed to be here” and “What is a CTF? What is Kali? What is Linux? What is Bash? What is sudo? What is anything…”

I fell down the rabbit hole when I did that CTF. Like I was made of lead. I am still falling.

You mentioned discovering your passion for pentesting during your journey. Can you share more about how you developed your skills and what resources were most helpful?

SANS offers scholarships for women, underrepresented groups and veterans. They offer something called The Women’s Immersion Academy. The requirement is that you must not already be working in cyber. I still had not worked, still driving carpool, still making lunches and looking out the window wondering who on earth I was. I did have Net+, Sec+ and CCNA. The SANS scholarship is very competitive, you have to take a test and conduct an interview with SANS. The applicant pool for my cohort was 800+, and they only chose 13 women. During the interview I had the chance to tell my story, expressing frustration that I did not qualify for cybersecurity internships because I was neither a new college grad nor a newly transitioning veteran. I said I was trying to work help desk, but they wouldn’t call me back.


The SANS scholarship was life changing. SANS also offers mentoring to the scholarship recipients and help with resumes. We met weekly as a group to support one another. Every 8 weeks you take a certification test, and you do that 3 times. I took GSEC, GCIH and GPEN. The training was excellent and I had excellent instructors.

Other things: The Cyber Mentor offers some practical and reasonably priced classes on hands-on pentesting, web app testing, API testing, Hardware Hacking and more. I found TCM on YouTube during my first pentesting job. This was before he developed his full platform. I wish he had been around sooner because the Practical Network Penetration course closely matched the skills necessary, in my experience, of pentesting a small company. Heath is very calm and I really like his teaching style. He does not overcomplicate things and emphasizes practicality. It is not some hazing thing where he thinks you need to “try harder” or go figure it out by yourself endlessly. He kept saying, "don't worry, we are going to do this together”. I felt pretty freaking alone during most of my journey, so that helped.

Currently I am really enjoying HTB Academy, and am on their CPTS path. I love any kind of learning and especially enjoy HTB. Academy makes the HTB platform a little less intimidating and it is more structured. I highly recommend it.

How did your background in electrical engineering and your experience in the U.S. Air Force influence your approach to cybersecurity?

EE majors are taught binary math, it is pretty much hammered into your head. That knowledge had lain dormant and was easily resurrected when I needed it. It was like riding a bike. Learning subnetting was not difficult. Lately I am exploring hardware hacking because I still remember circuit theory.

I took one coding class required by my major, which was Fortran. I hated every minute. I took Python during my time at the community college and I really enjoyed it. I did not find it difficult to learn. I picked up Bash scripting along the way. My coding is getting better as I need to learn it. I can learn anything but I cannot learn everything. I learn as I need things. I wish I’d had a better introduction to coding than Fortran. 

USAF taught me how to manage multiple technical projects at the same time. I also learned client service skills because I had a lot of internal clients with a wide variety of backgrounds during my USAF time. I had multiple layers of management to report to, so I learned to tailor my technical messages to the different audiences. I learned how to be flexible and deal with changing priorities that ride upon the whims of management.

What were some of the biggest challenges you faced while re-entering the workforce after your hiatus, and how did you overcome them?

At first, the demons come. Despite 7 certifications and a technical degree, I was plagued by self-doubt. My resume was so bad. My resume was as good as blank except for my degree and certs because it had been more than 10 years since I’d worked. I knew it would fall down the HR black hole.

For that reason, I had to get out and network in person. Terrifying. I remember the first time I went out at night to a local OWASP meeting. It took pure courage to walk in the door and of course the room was all men. They were having a career panel and there was one woman on it, and that helped enormously. One of the audience asked what would be asked in a pentesting interview. One panelist started to answer, and then said, “tell you what, after the meeting we all go to the pub. Meet me there and I will tell you.” There was not enough money in the world to get me to go to a pub with a bunch of strange men. I went home after the panel. I never got to hear what he had to say.

You must battle those demons first.

Eventually, I landed some offers. This is because I interviewed everywhere and battled my deer-in-the-headlights demon. The first time someone asked me what ran on port 80, I froze and my internal voice whispered only, “What…what is a computer?” I am proud of none of this, but this is my story. If you want some perfect story of someone who had all the answers and everything was nonstop winning in a straight line, maybe you should read someone else’s story.

Mostly I have stumbled around like a kid with her shoelaces tied together. I fall down a lot. 

Leverage your network. Our super power is we know a lot of people, plus the people your spouse knows. That is how you get your resume seen by a human.

All of this got better with practice and I found a junior pentesting job through a classmate that I stayed in touch with. I did well on the interviews, and started working remotely on the cusp of the pandemic. Normally, we would have traveled and shadowed the senior engineers in person, but we could not do that so we went straight to screen sharing instead. I felt like I was learning how to swing a hammer by watching people build houses on TV. I was a nobody from nowhere. I began to learn in galloping bursts like I always do, but it was a tough year. 


That would have been challenging for anyone, but also I was on two different large teams of all men. We’d be in these big Zoom calls, and I remember really struggling mentally with feeling weird and the odd person out. Have you EVER been the “only one” of something in a room? The only man? The only white person? Most white males have never experienced this. Now imagine it is your job every day.

I finally wrote "THEY ARE NOT BETTER THAN YOU" on a sticky note and stuck it to my monitor. I needed to see that. I needed to see it every day. One day, after about a year, I stood up to get some water and my foot hit something. I looked down and realized it was the sticky note. It had fallen down and I had not noticed. I figured that meant I didn’t need it anymore, so I wadded it up and threw it away. I haven’t needed it since.

I am well supported in my current company and role, and my work place is fine and my managers are wonderful. It is all sustainable. But… if you don’t fall down, it means you are not doing anything. So I still fall down. But, I have a bright future and I love offensive security because I love a challenge. I get excellent work reviews and recently was promoted to senior consultant. But what I am most proud of is: I didn’t stay down the last time I fell.

As a mother of three, how do you balance the demands of your career in offensive security with raising a family?

Haha I did not have balance at all! Let me rephrase the question: “As a mother of three, how can you do two full time jobs simultaneously?” There, fixed it for you! 😄

I feel like we are not talking about why moms get these questions and not dads. Please ask the fathers working in offensive security the same question! And you will see how much their career success depends on the unseen labor of their spouse. Which often goes completely unacknowledged and unseen, because nobody asks and it is simply assumed.

I took time away, more than 10 years, from paid employment to do the unpaid labor of raising children. If we had to pay someone to do my job instead, the salary would have been $150K+ per year. Instead, I am (big air quotes here) “NOT WORKING” aka “ON A BREAK” (lol) and then had a blank resume. Yay moms.

How can we as a community solve this challenge?

  • A gig based economy would have helped. Faced with the choice between a 40-hour-a-week remote job or nothing, I chose nothing. I could have managed smaller, piecemeal work, but not a full-time schedule. I had pockets of time –  not 40 hours.
  • Flexible working from home is a game changer. Especially now it has crossed the gender divide and we’re not weird if we WFH. 
  • We need more technical career paths that are more accepting of career “relaunchers” or “returnships” (internships designed for people returning to work after a break). If your company doesn’t have one, advocate for one!  
  • I think the more restrictive a workplace or industry is, the less diverse it will be. For a lot of the STEM fields, you have to have a spouse who has a very flexible job where they can be home for the kids. I did not have that in my first career so I had to leave engineering. One thing I really like about my current employer (Deloitte) is they are very supportive of work from home and flexible work hours. I have seen more women at Deloitte balance their work and parenting life than anywhere else I have worked in my life. They are thriving and Deloitte is thriving as a company and in the marketplace.
  • If your own mother means anything to you, hire one returning to work.

How has networking and being part of the infosec community helped shape your career, especially after returning to work?

I go to OWASP meetings all the time now and always go to the pub! 

I joined WiCyS San Diego because I was looking for moral support during my job search. WiCyS aka Women in Cybersecurity is a national organization dedicated to the recruitment, retention and advancement of women in cyber. We have a national conference. I am in leadership now at the local level. We have won some neat awards from the city! Also, I help run a WiCyS San Diego Cyber Career Day at the community college where my story first began. We are gearing up for our 3rd year.

I am also a member of Women's Society of Cyberjutsu (WSC), which is an amazing organization with a lot of training resources. They do amazing work. Plus Women In Security and Privacy, aka WISP, which does amazing work and gives amazing scholarships to worthy individuals for conferences and more.

San Diego has a wonderful group of welcoming established security professionals. We started a quarterly happy hour between WiCyS, OWASP, ISSA, ISC2, ISACA, CSA, Raices Cyber, and more. The first time we met, we broke the restaurant!


Veterans groups were of limited benefit to me because I was not a newly transitioning veteran when I started in cyber, and most of the resources are designed for that group. SANS was the exception. I even lost my Montgomery Era GI Bill because it expired while I was raising my kids. I quickly realized employers want to hire veterans because of their security clearance, and mine had expired. Again I see this as a diversity issue. We don’t all have the perfect predictable lives and careers and some of us have different needs. Veterans as a group are also diverse within. I try to be grateful for whatever help people have given me.

What advice would you give to women or other professionals who are considering a return to work after a career break?

First, you can do it. Call me if you need a pep talk.

Leverage your network. Our super power is we know a lot of people, plus the people your spouse knows. That is how you get your resume seen by a human. It is not about who you know, it is about who they know. Do not leave a networking conversation without another name of someone they think you should reach out to. “Who hires junior people around here?” or “What do you look for in a junior xyz?”

Don’t submit your resume online, that is fighting the battle of the resume and you will lose. What is the rule in the Art of War, where you want to take your battle to where you have the advantage? For a career changer that is the interview. Leverage your network to get that interview. If I get to an interview and my competition for that job is a 22 year old new college grad, I will bury them. Career relaunchers are a PHENOMENAL bargain with advanced social skills. Take the battle to the interview chair. That is where it belongs anyway.

Apply for jobs that say 2-3 years experience. That means 0. The money will come, don’t worry. You will progress faster than most. Or you can bounce after a year for a huge raise and a signing bonus like I did. 

Consider technical roles first. They pay well, garner more respect, and will give you power. I used to hate when people would say to me, without knowing anything about me other than I am a woman, “You should try xyz in cybersecurity, because it is not technical.” What? Why are you saying that automatically?

Don’t let people tell you what you want to do. It happens a lot when you are female. As soon as they realize you have people skills too, they will try to push you into sales or project management. Stick to your guns. They stereotype us, they can’t seem to stop.

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

Being outside and exercising help my brain and stress a lot. I run, go to the gym, hike, and bike. These things are a required activity for my health, akin to brushing my teeth. Not optional or a luxury. I hang out with my family, with 3 sons there is always something going on. I play pickleball, read, cook, go to concerts and plays, and play the guitar badly. Your brain doesn’t need a break. Your brain needs a change!

Lastly, where can people connect with you or follow your work online?

LinkedIn



A Conversation with Content Engineer Malik Girondin
Content Creators
Hi! Can you introduce yourself and describe your current role?

Hey, my name is Malik Girondin! I currently work as a Defensive Content Engineer at Security Blue Team. This role consists of creating content (e.g. certifications, labs), upskilling, researching, and teaching students. For a more detailed day-to-day insight, check out this article I wrote: Day in The Life of A Content Engineer.

What’s your backstory and how did you first get into cybersecurity?

My journey began as a cashier at a grocery store, where I honed my customer service skills and attention to detail. Driven by the Colonial Pipeline cyber attack in May 2021, my focus switched from healthcare to cybersecurity.

You can learn more about that with my interview with Day Cyberwox here and with Greg Greenlee here. In this interview, I want to offer new information not previously told.

You’re an active contributor to the cybersecurity community and consistently share engaging content. What drives your passion for this?

Back in 2022, I consumed a multitude of free content—content about cybersecurity. From the student's perspective, this is a huge plus! From the creator's perspective, this not only makes them visible as a thought leader but helps build their brand while simultaneously helping others.

This drives me the most. But check this out, have you ever heard of the P.I.E. Theory? In my blog regarding it, I talk about the benefits of EXPOSURE. You will be surprised how many opportunities arise from getting your name out there.


I do want to talk about one community that I like the best (not that I am a moderator or anything). The community is the Security Blue Team Discord. Shout out to all the Community Heroes reading this!

Join the SecurityBlueTeam Discord Server! SBT is a leading cybersecurity training company with over 100,000 global students. Advance your career today! (13,807 members)

Circling back to your question, I am also driven by the different people I meet. Having the pleasure of speaking to professionals across the world, I have learned much about life and career tips.

Recently, at DEFCON 32, I linked up with a few members from our Discord for a casual chat. This would not have been possible if I had not been an active contributor to the cybersecurity community and EXPOSED myself. You can find the complete vlog here.

What advice would you offer to someone aiming to become a content engineer or course creator?

This is a good question! 

First, I do have a course that covers this: Blue Team Content Engineer: The Complete Career Guide, but I have since evolved from making that course a year ago—not saying the content is bad. I have gained much knowledge since, which I will be sharing with you below:

  1. Understand your audience: At Security Blue Team, we focus on defensive content; we have a defensive audience. Would it make sense to start introducing the hacking concept of exploiting vulnerabilities in a computer system? No. Knowing this, tailor your content right to avoid confusion. 
  2. Hearken to feedback: I have the pleasure of making lessons for students. Once these lessons were aired on their respective platforms, I would observe the feedback from students. I make it a habit to implement necessary feedback and learn from my mistakes. 
  3. Learn from the best: Anybody can make a course. With the lists of LLMs, what is stopping someone from spitting out some robotic course? The thing is this: is the course good or bad, and whom am I learning it from? This is where you can differentiate yourself from the competition.

I launched Introduction to Python earlier this year. This is an entry-level course that teaches beginners how to write basic code in Python.

“But wait, you are not a Python developer, why should we learn from you?” 


Let’s look back at my advice again: Understand your audience. I made this course originally for my classmates in my Python class back in college. “Huh, why not utilize the course material, the hell!?”

Well, here comes the second tip: Hearken to feedback. The course material was not loved by students. This was prevalent on Reddit, the internal course chat, and Discord. I, too, had issues with it which led me to external resources I used to pass the class. I found it strange, like many students, so I decided to make a course that would have benefited me during the class. The launch went extremely well with many students using it to supplement the learning material.

This leaves us with the final advice: Learn from the best. So this all came from a student (myself) who passed the class with flying colors, and the course was high quality. In cases like this, it makes sense as it is needed. This won’t in all cases.

Can you share your creative process at all? How do you design a curriculum/lesson plan?

For the lessons and courses, it is quite simple. I look up an existing course, model its syllabus, then I put my spin on it. Don’t act shocked, everyone does it.

For the cybersecurity labs, I have a little bit more fun. Let’s talk about my two most popular labs: BTLO - Sukana and BTLO - Anakus.

My thoughts are vivid, and I am always pondering. When it comes to the Story/Scenario, that is the first thing I work on. For example, Sukana is based on a young man who lost his father, causing him to get into cybersecurity to find the killer. His mother then moves him to Australia to be safe. He becomes drug dependent and they are struggling to afford the rent. This leads him to look for work and increase his income: should he pass this technical interview, he will earn more income to afford stronger medication, afford rent, and do other things.


For Anakus, it takes place years later. His sister tries to get into cybersecurity, so her brother (who eventually got the job, spoilers!) gives her a referral. Now, she must pass this technical OA to gain employment.


DISCLAIMER: NONE OF THESE STORIES ARE REAL. I received many comments telling me to stop “putting people’s” business out there. These stories are not based on one person. If it happens to correlate with you, then it is what it is. As mentioned before, my thoughts are vivid. In my course, I talk about consuming a large medium of content to expand your thoughts. These stories are a combination of many things. If you want to experience a crazy story, check out my lab BTLO - Cipher on Blue Teams Labs Online. It is rated as one of my best story-based labs, and very underrated.


Let’s jump to another aspect of the design portion for these labs. One tool that I utilize for this is Notion. Welcome to the Playground!


In the playground, we have fun! Make yourself at home, please. Let’s move to one example of how I structure a lab, with Cipher as our example (you should really try that lab):


The page consists of possible tools I want to implement in the lab, sources for inspiration, and files (kind of like version control for me). Let’s take a look at one of my favorite pages: feedback. On this page, I add all the feedback post-launch to see how the audience likes it. Learning from it would make me the best. Ha, I am having fun playing with this advice.

What tools do you use to create cybersecurity content?

Tools, tools, tools! The best tool I have used thus far is the Arc Browser. I fell in love with this ever since I saw a YouTube video on it. It has a sleek design, does not consume much CPU, and allows me to split the screen like this:


The second tool would be the Parallels Toolbox. Now, this is not free, sadly. It helps me with recording audio, managing storage space, and other stuff.


As mentioned previously, Notion is the go-to for writing blogs, lessons, or planning. Once these are done, I import them to our proprietary tools at Security Blue Team. Other than that, I am pretty tool-agnostic. I will utilize anything to get the job done. But the ones listed above are great for productivity boosts!

Lastly, you need the infrastructure to generate logs and data, or to simulate attacks. For this, I use our cloud infrastructure at Security Blue Team and/or my Windows 10 PC with VMware.

One last thing that helps is DO NOT DISTURB. Yes, it is not a tool per se but what an amazing feature. I have this turned on for all devices (obviously family can bypass this).

As Dr. Cal Newport mentioned, deep work can help you become successful in this distracted world. As the young kids say nowadays, you just need to lock in and get stuff done.

How do you stay current with the latest trends and developments in cybersecurity?

Back in my 2022 interview, I mentioned a curated list of news sources. To be frank, I don’t use them anymore. I monitor places like r/Cybersecurity, The Dysruption Hub, Mental Outlaw’s YouTube channel, and Google News. If I find something interesting there, I do further research.

At Security Blue Team, we do have an RSS feed that allows us to stay current with news from multiple websites. Aside from that, co-workers are a great resource as well. We have weekly meetings, and within them, members might introduce something cool they saw on LinkedIn or showcase an exciting project they’re working on. All of this keeps us in the loop when it comes to information.

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

I don’t believe in WLB… just kidding! Now, that is something I need to work on seriously. I can get lost in the grind sometimes and just focus on getting better to secure my future. But nevermind that, let’s get into one hobby!

Reading: I like to learn from the best. Why not pick up a $10 book, gain some insights, meditate on the words, and try to implement them in your life? Reading also goes into articles online as well. My main category is self-development. Here is my current collection:


Another hobby I just picked up again is gaming. I am more of a single-player, story-first, JRPG type of guy. I like using strategies to defeat my enemies (in-game).


I guess the third one is a hobby if it is paid for? Joking, but sometimes I like to travel with family, my team, or by myself. Here are some pictures from the last 15 months. I visited the following places: Guadeloupe, New York, Boston, Portugal, London, and Las Vegas.


Yep, that is pretty much it—that I am willing to share (insert evil laugh). I look forward to implementing more hobbies in the future. If I can give any words of wisdom, spend some time with family/friends.

Speaking of family, I had the pleasure to graduate with my aunt two weeks ago in Fort Worth, Texas. This was very emotional for her. It is moments like this you treasure.

Do you think certifications are essential for advancing in a career?

Ah, the certifications. I totally agree that these are necessary for advancing your career. Heck, the Blue Team Level 1 changed my whole career aspects in 2022. If you are looking for SOC roles, this will help you a lot when it comes to training. Take a look at the ISC2 Cybersecurity Workforce Study: out of 13,103 cybersecurity professionals, 51% of them got a cybersecurity certification before getting into the field. I think certifications are a great way to stand out and spice up your CV. Heck, I decorated my wall with some of my favorites:


Now, as I tell everyone: there are many factors when it comes to getting a job. If you want to hear more about certifications, check out my blog So You Want to Get Into Cybersecurity. I believe you can increase your odds by having the following: Experience + Certifications + Education.

Yeah, yeah, you will hear of stories where someone got in with one of the three, but those are outliers. The market is harder than when I got into it back in 2022. My blog Ebb and Flow: Navigating the Ups and Downs of the IT/Cybersecurity Job Market talks about the true reasons, which many won’t cover, on the layoffs and the lack of jobs—speaking of America.

Please, make sure your soft skills are on point! You will be surprised how being likable and clear can propel you in your career. Network, build bonds with others, provide value back into the market. Ask yourself questions like  “are my skills in demand?”  and “can I solve problems?”.

My story consists of three years of hard work—and I am not done. What I have showcased in this interview are the highlights. You are seeing the events, but you are not seeing the processes that lead to it. It’s hard work, believe me. But I am choosing to sacrifice now for my future self.

Lastly, where can people connect with you or follow your work online?

Yep, you can connect with me on LinkedIn, subscribe to my channel on YouTube, shoot me an email, and/or follow my work on my portfolio site. Thank you!

Ballet to Bytes: How Lola Rebuilt Her Career in Cyber Security
Women in Cyber, Security Engineer
Hi Lola! Can you introduce yourself and describe your current role in cyber security?

Absolutely. My name is Lola Kureno, I’ve been married for 10 years, no kids, only one beautiful cat, we live in Tokyo, Japan, and I am 37 years old. 

My current role is Cyber Security Engineer and I work for an industry leader in the cyber security, cloud and networking training realm. I wear many, many hats in the organization but amongst my responsibilities, I am responsible for the company’s security compliance and ensuring we fulfill all our compliance requirements so all our B2B and B2C clients rest assured that our product adheres to the highest security standards.

What's your backstory? How did you first get into cyber security?

I had retired from a lifetime dedicated to classical ballet and I really didn’t know how to do anything else, profession and skill wise.

I am fast forwarding the storytelling, since it took me quite a while to realize that I might have a future in the tech world, but I always enjoyed being on the computer and on the internet in the rare moments I had free time, and even though I had never had any formal training, I had always been quite good at getting things done on the computer and had colleagues and family members coming to me for computer solutions, instead of going the obvious computer repair route.

I decided to start looking for computer oriented careers that one can start later in life after many conversations with my husband and taking his advice to search for what would be available to me. 

Just saying “a career in computers” is immensely vague, but for a complete layman, that’s how I approached my first search. 

Then one day, while watching a video on YouTube, the algorithm must have picked out that I had been searching for careers related to computers, a video came on my recommendations about being a hacker for a living. The first thing that came to my mind is that I was simply looking for something new so I could look for a job, I wasn’t interested in a life of crime (because of course, all I knew about hackers was what I had watched in films, and they were the criminals). But I decided to watch the video nevertheless, and by the end of it, I became VERY interested in this field!

You made a unique transition from being a professional ballerina to working in cyber security. Can you share more about that journey and what motivated the switch?

Well, continuing from where I left above, I used every minute of my awake time to learn about this field and how to become somehow proficient in it. This didn’t only include actual skill learning and training, but how to enter the work force in this world. 

In the beginning it all seemed quite strange and VERY foreign to me, however I have certain character skills that certainly come from growing up and spending my life dedicated to the art of classical ballet, which are dedication, consistency, discipline and patience, and I’d say these helped me more than anything. 

What advice would you give to someone aspiring to become a security engineer?

Don’t make the same mistakes I did. If one is considering a career in cyber security, the first big step is to extensively research all the fields that are available in the cyber security/information security realm. When I see new people who wish to enter this world, I see a tendency to believe that cyber security equals hacking and red teaming and nothing could be further from the truth.

Hacking and red teaming might be the most famous areas of the security realm due to films, and internet “influencers” so present in all social media. Until I had the privilege to encounter a very wise mentor who changed how I viewed this security world, I was one more of the aspiring hackers/red teamers who couldn’t see myself doing anything else.

There is something for everyone in cyber security and if I could mentor someone, I would tell him/her that being influenced by what one sees in social media might not be the best idea.

I’m thankful to that certain video I saw that day, about hacking for a living, but I really wish I had just extensively researched what careers are available. 

My other advice is that the role “cyber security engineer” and what this role entails may differ greatly from employer to employer. Choose a company or a brand that you like and are interested in, say, Apple, or Nintendo, or a cool startup near you and look for a job description of a cyber security engineer working for these companies, to have an idea of what responsibilities the role entails.

Have an open mind. This is also one of the best pieces of advice I can give and one that was given to me and I am so glad I took it, when I was just starting my first job. 

Do you like hacking and pentesting? Excellent, but do not close your mind to other skills you may have the great chance to learn on your job. You might even realize you like so much better a new skill you learned on your job, you’re very good at it, and it even fits your personality better.

Don't think of cyber security/information security as something alien and completely different than anything else you’ve done, especially if you wish to transition from another corporate role. Another mistake I see some newcomers make is thinking everyone working in security is a highly technical and skilled programmer typing a million commands on a terminal and coding 24/7, when so many security professionals would say that a good part of their day is spent in Zoom or in-person meetings, and reviewing or writing documents.

Law, sales, financing, marketing, customer support … are all valuable skills that can be brought from a career transition.

And last but not least, soft skills are as, if not more important than any technical, specialized skill one may have, especially during job hunting. 

Who are some of your role models or sources of inspiration in the security community?

While I would love to specifically name names of people who were and are extremely kind to me and helped me so much when I needed it the most, I feel that I would probably leave out someone who had wise advice at the right time, or gave me an answer I was looking for, or gave me needed encouragement when I was feeling a little down.

I have a good list of seniors who are my role models and sources of inspiration in the security community.

Amazing mentors who I am most happy to call friends too. They know who they are, if they ever read this.

And I recommend to anyone starting to seek such seniors. Having a mentor can make a world of difference in one’s career. It did to mine! 

How has being active in the infosec community impacted both your personal and professional life?

Networking (as talking to people) is and has always been VERY out of my comfort zone. 

I’m extremely comfortable being on stage dancing for a huge audience in a huge theater, very few things can be as exhilarating and give me so much happiness as performing on stage, but put me to talk to more than 1 person at a time, and I always feel extremely out of place. 

But the security career has helped me to overcome and improve my lack of communication skills. From being absolutely terrified of having more than one person in a Zoom meeting, to some years later traveling overseas and presenting in front of a company audience, I think I’ve come a long way. Still not my favorite thing to do at all, I still very much dislike speaking to more than 1 person at a time, but I feel that I have kept an open mind to little by little becoming more eloquent and less nervous.

Good communication is a must, especially for those seeking career advancement to leadership positions. 

Outside of work, what hobbies or interests help you unwind and maintain a healthy work-life balance?

To be completely honest and transparent, I thought that this work/career would fill the immense emptiness I felt when I was forced to retire from ballet due to a nearly fatal car accident. But it didn’t. This work and career fulfills my brain and makes it work to its maximum capacity, but once one was raised and grew up doing beautiful things and art with her body, very few things in life will replace this feeling. 

So I started figure skating. As an adult, from zero. I guess one can say I like such challenges! 

These days I practice figure skating with a private coach and even moved to another apartment to be closer to the rink. Obviously I will never reach the level in figure skating that I once reached in ballet, a skill I was raised into, and starting as an adult is perhaps the hardest challenge I’ve ever had, but seeing progress, being able to compete, and being back to performing in front of an audience has finally made my life complete again. 

I have a very challenging job in cyber security that incredibly challenges my brain and I have figure skating which is one of the hardest sports to perform. Life is perfectly balanced! :) 

The job requires time and dedication, so does the sport, so I don’t really have much free time to have any hobbies! The few I have are: I love watching films (horror, action, sci fi are my favorite genres) and all kinds of documentaries. I love animals and love playing with my cat. My husband is an excellent skier, Japan is quite amazing and cheap for skiing so I accompany him on several ski practices during ski season and quite enjoy it as well. I love Pokémon and Sanrio characters!

Lastly, where can people connect with you or follow your work online?

LinkedIn! Here is my link for those who wish to follow me! https://www.linkedin.com/in/kureno/


Thanks Lola!

Thank you Lola for doing this wonderful interview with us! That's all we have for today folks.

Want to share your own cybersecurity story and insights with us? Learn how here 👉 https://www.hackerasks.com/share/

AI, Hacking & Mentorship: A Conversation with Betta Lyon Delsordo
Women in Cyber, Penetration Testing

Betta is an accomplished application security penetration tester at Coalfire, a dedicated cybersecurity mentor, and a true leader in the community. I had the privilege of speaking with Betta about her inspiring story and adventurous career.

Read on to hear her thoughts about:

  • Transitioning from web development to application security
  • Mentoring and cybersecurity education
  • Certifications and degrees
  • Artificial Intelligence
  • And more!
Hi Betta! Please introduce yourself and share a bit about your background

Hello! I'm Betta and I'm currently an Associate Application Security Pen Tester at Coalfire. I specialize in web, cloud, AI, and API hacking. And my journey started all the way back when I was 13.

I started teaching myself to code. And for some reason, I chose JavaScript as my first language. I think I thought it sounded cool, the name maybe.

But I got into web development that way and I started building apps too. I got my Android developer license when I was like 15 and I made a very silly little app. But in high school, I started building websites for small businesses.

I got involved with a group of women entrepreneurs in my hometown of Montana. And they all wanted me to help with their websites. And that kind of grew into my own little web development business that I did through high school and college.

Eventually though, they started asking me security related questions like, “how do I keep bots off my website?” and “how do I make my passwords better?” And I was like, I don't know.

I always say that cyber security, especially hacking, is like a superpower.

So I started learning these things and also looking back at my own code and being like, actually, I don't think I know what I'm doing in terms of application security. I began teaching myself and discovered ethical hacking and even tried to hack some of my own things. And I was like, this is way more fun! And once you've gone offensive, you can never go back because you start doubting everything you build and you're like, oh no.

You know, you start thinking so much about the attacks that you can't build anything. So I also went up, I interned with a hacking firm and I was like, this is definitely what I want to do. And I found out I was pretty good at hacking websites because I’ve seen the other side.

Fast forward to today - I just finished my master's in cybersecurity from Georgia Tech. I got into a program through the NSA where they paid for a bunch of certifications. I did an internship with KPMG and another as a learning assistant in graduate school. And then, yeah, I'm in this current job and still learning, getting very involved in AI and doing some projects around that as well.

A very happy Betta at DEFCON
That's super exciting! Speaking of web development and coding, was that a pretty simple transition going from development to application security or were there any obstacles you encountered?

It was kind of natural for me because everything has been mostly self-taught, following my own curiosity, and doing what was needed in order to learn. And I think it was just the way I learned coding because I was curious and I started learning about websites because I was curious. I also started learning about security that way.

It was just a matter of Googling things, watching videos, finding tutorials, and learning things. But I think it also kind of broke up some misconceptions about coding because it's like, oh, it's just easy. You can just do this.

But honestly, it made coding so much harder now that I had to think about security every single time. I'm like, oh, my God. Now I have to research this.

Every single line of code that I write, I have to think about if it is secure? And in my computer science degree in my undergrad, also realizing that a lot of stuff I was being taught in class wasn't secure and having to be able to speak up in class and be like, actually, this is not the way you should do this.

Cybersecurity is so broad, you can't specialize in everything.

And also realizing that most developers out there aren't taught anything about security. It's not necessarily people's fault that they write insecure code. They just have never had that education.

Fortunately, I think it's really easy to educate yourself. It just takes time and motivation because unfortunately, no one’s going to hold your hand and teach you. You kind of have to teach yourself.

So, that was sort of the moral there :)

Jason: Nice! That's a really good point. I went through an undergrad computer science program as well. And yeah, I didn’t know anything about security. It was all low-level programming.

Speaking of teaching, I know you're very active online. You're an active mentor and advocate for cybersecurity. What motivated you to give back to the community and join all these groups?

I'm super involved with getting more girls and women into technology because I want to be the mentor that I didn't have when I was thirteen and trying to get into this. I didn't even know ethical hacking was a thing until I was far into my tech journey. And I just want to be a role model and mentor to anyone who's trying to get into this.

Also, I really believe in placing myself in a chain of mentorship. Having people that I can look up to and learn from and understand how to get to the next place in my career and then pass that information on to others.

For eight years now, I've been a mentor in the Technovation Challenge, an international competition where teams of girls build apps or AI models to solve community problems. I've had two teams make it to the international semifinals!

I think as AI gets smarter it'll be just as if you were social engineering a human.

Recently, I spoke at the global celebration this summer to kind of encourage everyone to keep on their projects. And it's something I really care about. I'm really involved.

There's so many wonderful organizations out there like Rewriting the Code, Women in Security and Privacy, Women in Cybersecurity, Women in the Society of Cyber Jitsu. I try to do what I can to give back because I think it's really important.

I always say that cyber security, especially hacking, is like a superpower. It can be used for good or for evil. And we need people from everywhere and all backgrounds and all types of people to have that power to protect their communities.

If it just stays in the hands of a few people, we're not doing the most good. So, I think it's really imperative that everybody learns about cyber security. Because when you learn about it, you go teach your friends and your family some basic stuff that makes them more secure.

Betta and colleagues at a Women in Cybersecurity Event
Do you recommend people learn how to code before pursuing a  cybersecurity role?

I think it really depends. I think you don't have to, but if that's where your background already is, it'll help you. I think one thing that I always try to teach people is that cyber security is so broad, you can't specialize in everything.

You have to have a specialization - especially when you're talking about finding a job.

You have to be able to say, “I'm good enough at a specific skill to do that every day professionally”. And if you've just done a tiny bit of everything, something from incident response, something from policy, something from application security, I think it's not enough.

So, I think picking your specialization early and being able to say, I'm really good at secure coding. Or I'm really good at reverse engineering. I'm really good at analyzing cyber laws.

Whatever it is, it doesn't have to be any one thing in particular. But whatever's of interest to you and whatever you're willing to put that much time into and get good at, it's all good. For me, that was secure coding, application security, because I already had that background.

But it could be anything. Whatever interests you.

How can cybersecurity professionals utilize artificial intelligence in their day-to-day career to be more productive?

AI is something I’m super passionate about and I'm trying to incorporate it into everything I do. 

I recently did a research project where I used AI to improve our secure code review process at Coalfire. Being able to use an LLM, such as generative AI, to analyze code review results, they usually have a ton of false positives and are not very specific. It just takes us a lot of manual time to go through them.

Assisting my team with more information about what to focus on, being able to chat with an AI about specifically, tell me more about this, and then generating text like, provide some remediation instructions for the report, or give me some examples of CVEs that might apply to this, or explain the severity of this. And I think that's what AI has to be able to do - those manual things that we do as pen testers that are kind of wasting our time, such as writing reports, copy pasting things, searching through lists of output - the AI can do that so much faster. We're just going to have to evolve to do that.

So I'm excited to see what everybody else comes up with. I did a presentation at my company about how I built this, and everybody had so many more ideas, like, I want to do this when I'm looking through logs, or I want to do this, look through all my notes of all the tips that I've written down. And I think everybody knows there's that one thing that you do and you hate, and it's really manual, and you just want to speed it up.

Do that with AI. And it's actually much easier than I thought. I'm studying right now for the AWS AI certification, and learning about all the different AI services that they have.

They made it super easy. You don't even need to know how to code. You can just basically drag things together, kind of like the app builders that I use for the girls that I teach.

You can essentially place the puzzle pieces together and now you have an AI application! I would encourage anyone, if you're even curious about it, just go look at it, and there's so many different levels of depth and customization. 

I’m also really invested in learning how to attack AI and I've been doing a lot of prompt injection testing. And for that, what's been interesting is to find that the really malicious, obvious prompts are usually blocked, because most people are starting to add filters and other defenses, so you have to be a little bit creative with your bypasses. 

For example, what's something that a company might not want their AI to say, but isn't totally malicious? Like, say something bad about the company in an indirect way, or reveal some information about the model: how it was built, how it was developed, what kind of things it was supposed to not talk about. I think that's usually where people go with prompt injection.

You have to be a little more tricky about it sometimes.

Jason: Okay, so it's a bit of an art?

A little bit. Kind of like social engineering. I think as AI gets smarter it'll be just as if you were social engineering a human. For instance, normally people will not just give you their password when asked. Sometimes that works, but sometimes you have to be creative about it.

What do you do outside of cybersecurity? Are there any hobbies or interests that you like to partake in?

Yes, I have quite a few! I'm from Montana, and I love swing dancing. That's like a big part of something we learned growing up.

I do like country swing, but I also do enjoy vintage dances like jitterbug. I also know a little bit of salsa and bachata. Yeah, I definitely love dancing, but I also love reading.

I'm on the 10th book of the Wheel of Time. There's 15 books, and so I'm making my way through a very massive series, so I love reading sci-fi and fantasy. And I love cooking.

I just got a cat a few months ago, so I'm really loving just playing with my cat and cuddling with my cat.

Jason: Is it like a rescue cat?

Yes, yeah, a shelter cat. She's a tiny black cat, and I named her Jiji after the cat from Kiki's Delivery Service. It's an animated movie.

Jason: Nice, yeah, I'm a big Studio Ghibli fan as well.

Oh, yay! I wanted the black cat to feel like a witch cat, because hacking is kind of like witchcraft. So I have to be a witch with my cat :)

Jason: Nice. Have you read the book as well?

I haven't actually. No, but I read the book Howl's Moving Castle, so I've been meaning to get through those.

Jason: Yeah, I bought the book Howl's Moving Castle, but I haven't opened it up yet. It's on the list.

It's very good. It's short, so it didn't take that long, but it was really, really entertaining. Very different from the movie, though.

Do you think pursuing certifications and degrees are necessary in order to have a successful cybersecurity career?

Yes! I'm actually giving a talk on this exact subject tomorrow through Rewriting the Code, which is like a women in tech organization. I want to be realistic with people that cyber takes a really long time to get into. It's not something you can just do for a couple months, buy a course, and then suddenly you have a high-paying job.

Unfortunately, it takes a lot of time. You can't always buy your way into knowing this stuff.

It's almost like learning a language. If someone said you can become fluent in Japanese in two months, then it’s likely a scam. That just is not going to happen.

You have to take the time to actually learn. And it can be really hard for people that are already working, or are in school, or have family to take care of. You have to just be realistic with your expectations.

I think for most people it might take like two to three years if you already have a lot of other obligations to go from zero to being employed. 

Fortunately, you can teach yourself. Yes, you could get a degree. I always say don't pay for things. If you're able to get scholarships, then go for it. I got all my degrees covered by scholarships.

Pretty much everything you need to know is available for free online.

TryHackMe and PortSwigger Web Security Academy are both great resources. Additionally, volunteering is a great way to get experience. If you already have enough knowledge, you could teach a class at your local library about cyber security awareness.

Or you could start volunteering with local non-profits and advise them on cyber related things. This way, you can start building out projects and developing your professional network.

Over time, you can say you have a certain number of years of experience based on your projects, community involvement, capture the flag competitions, and bug bounties.

Unfortunately, the entry level job market in cyber is really, really competitive.

You really have to stand out. And they'll say they want three years of experience, but you can show them that you’ve been actively studying and applying the concepts for three years. You can show them your portfolio of things you’ve done in the community.

I believe this will significantly improve your chances. And once you're in, it's like you have job security for the rest of your life, but getting that first job can be really hard for people. So don't give up! Just know that it's like a really long process.

If you are a student who is recently about to graduate college, make sure you have a plan. Don’t wait until the end of the semester and think you will magically have a job waiting for you.

Jason: Nice. Are there any specific offensive security penetration testing certifications that you recommend?

Honestly, my advice for people is before you pay for any certification is to look at some job descriptions. Make sure you see that certification listed, like, at least 15 times or something.

And then you'll know that it’s something employers are actually looking for. There's so many certifications out there that you could pay for, but no recruiter would even know what they are. 


Thanks Betta!

Jason: You're very educated. Very well spoken. So, thank you for taking the time out of your busy schedule to sit down and do an interview!

You can follow Betta on her LinkedIn to stay updated on her professional journey!

Want to share your own cybersecurity story and insights with us? Learn how here 👉 https://www.hackerasks.com/share/

IoT Security, Academia, and Career Wisdom: A Chat with Dr. Irene Anthi
Women in Cyber

Dr. Irene Anthi is a senior lecturer at the School of Computer Science & Informatics at Cardiff University. With a PhD in cybersecurity, Irene combines her passion for teaching with cutting-edge research on the security of Industrial Control Systems and Internet of Things devices. She leverages Capture The Flag platforms to provide her students with a hands-on, interactive approach to learning essential cybersecurity concepts. I had the pleasure of interviewing Irene to explore her insights on lecturing, her experiences as a PhD student, and the unique challenges of IoT security.

Can you share the moment or experience that sparked your interest in computer security? What motivated you to transition from industry to teaching?

My journey into cybersecurity began about 14 years ago during my undergraduate studies in Computer Science at Cardiff University. It all started when I came upon the digital forensics module —it felt like being a detective, piecing together clues in a virtual world. The challenge of uncovering hidden information was so exciting, almost like solving a complex puzzle, and that’s what first drew me in. This initial spark led me to explore Capture The Flag (CTF) events. At the time, I had no idea what they were or how to get involved, but I was determined to figure it out. The more I dug into these challenges, the more hooked I became. CTFs were not just games; they were a hands-on way to learn and apply cybersecurity concepts in real-time, which is why I’m so passionate about organising them for my students. It’s incredibly rewarding to see students, even those from non-technical backgrounds, catch the cybersecurity bug and switch their career paths after participating in our events.

Dr Anthi at a Data Science x Cybersecurity Hackathon

In my final year, I was committed to dive deeper, so I chose to focus my dissertation on a cybersecurity research project. My professor suggested a project on smartphone security, investigating where sensitive data goes, which opened the door to network security and cryptography for me. This project was pivotal—not only did it lead to published research, but it also confirmed that my passion wasn’t just limited to cybersecurity. I loved the process of discovery and the intellectual challenge that comes with research. This naturally led me to explore related fields like IoT, OT, and the role of machine learning in protecting these systems.

As for teaching, it feels like it’s always been a part of me. I come from a family of educators—my grandmother was a teacher, and many of my uncles were too. One of them introduced me to computers when I was about seven, sparking a lifelong fascination. Academia is where my passions for teaching and research intersect. I’m naturally curious and driven by a desire to innovate and improve, and academia provides the freedom to explore and experiment in ways that align with who I am. That’s why transitioning from industry to teaching felt like a natural progression for me. It allows me to share my knowledge and enthusiasm with the next generation while continuing to push the boundaries of what’s possible in cybersecurity.

In your experience, what are the key differences between securing IoT/ICS environments and traditional IT systems? Are there any unique challenges or vulnerabilities that stand out?

Securing IoT and ICS environments presents unique challenges compared to traditional IT systems, largely due to their complexity and criticality. With IoT, the challenge is threefold: the number of devices, which continues to grow exponentially every year, their incredible diversity, and their limited computational power. We’re dealing with countless devices from different vendors, each using different protocols and serving different functions. This diversity makes it difficult to secure them consistently across the board. Additionally, many IoT devices have limited computational resources, which makes it challenging to incorporate robust security mechanisms. In addition, these devices are often deeply embedded within our networks and have access to sensitive data, which raises the stakes even higher. The potential consequences of a breach in these environments can be severe.

On the other hand, Operational Technology (OT) systems, such as Industrial Control Systems (ICS), were never originally designed to be connected to the Internet. However, with the push towards digitalisation, they’ve been brought online, introducing new vulnerabilities. These systems often rely on legacy equipment and software that hasn’t been updated in years, sometimes because of the risk of causing malfunctions. This outdated technology can be a breeding ground for vulnerabilities, and given the critical nature of these systems, the implications of an exploit can be devastating, even life-threatening. The stakes are incredibly high, and defending these systems requires a deep understanding of both their operational intricacies and the potential cybersecurity risks they face.

Best Academic Programme award at the 2022 FinTech Awards in Wales
Reflecting on your journey as a PhD student, what were some of the most significant challenges you faced, and how did they shape your approach to research and teaching?

Pursuing a PhD was one of the most challenging yet rewarding experiences of my life. It truly felt like a rollercoaster of emotions, where I had to navigate through rejections, criticism, and even my own self-doubt. The journey was like climbing a mountain, with each turn presenting a new obstacle to overcome. My journey may have been more challenging than expected, but by the end of it, I had accomplished far more than what is typically expected of a PhD student.

One of the first big challenges was securing funding. Before I could get the support I needed, as I started my studies being self-funded, I took on a lot of teaching to support myself. Looking back, this turned out to be a blessing in disguise. It gave me the chance to discover my own teaching style, and I became passionate about creating a classroom environment that students actually enjoy. I wanted to be the kind of teacher who students don’t find boring, someone they’re excited to learn from. This led me to experiment with gamified teaching techniques, something I still love to use.

Another pivotal moment was getting a research position at Airbus, which became my main source of funding for my PhD. This opened up so many opportunities—industry experience, networking, attending events, and even travelling around the world to present my work. I’ve always been nervous about public speaking (and to be honest, I still am), but I had to push through that fear. I realised how crucial it is to be able to communicate your work to people from all kinds of backgrounds. It’s a skill that can open doors, and I’ve seen many brilliant researchers struggle because they couldn’t clearly explain their ideas. This exposure to some of the best people in the field significantly shaped my research ideas and methods.

Balancing my responsibilities at Airbus with my PhD work was another big challenge. I had to learn how to manage my time effectively and, more importantly, believe in myself. Battling imposter syndrome was tough—I constantly questioned whether I was "good enough" for the role. Keep in mind, I had just graduated from my BSc degree. As I completed my studies with a First Class Honours, I decided to skip doing an MSc and went straight for a PhD. 

Automotive cybersecurity project

Then there was the challenge of handling rejections and criticism for my work, which seemed relentless at times. As someone working in applied cybersecurity, my work was often scrutinised intensely. It was hard not to take it personally, but over time, I learned to see feedback as an opportunity to improve. This was a tough lesson, but an essential one. Academia is demanding, and you have to constantly push the boundaries of knowledge while competing on a global stage. It can be overwhelming, but I learned the importance of resilience—never giving up, always improving, and trying again.

In the end, I managed to publish all my work in top journals, and one of my papers even won two awards—one for its impact and another as the best paper in the Journal of Information Security and Applications.

These experiences have shaped not just my career but also how I approach life. They taught me the value of persistence, how to take criticism in stride, and the importance of believing in myself, even when it’s hard.

Looking back, what advice do you wish someone had given you at the beginning of your career in cybersecurity?

Looking back, I wish someone had told me early on in my cybersecurity career to embrace the learning curve and not be afraid to get my hands dirty; something which I was also scared to do to begin with. Cybersecurity is a constantly evolving field, and the best way to learn is by diving in—experimenting, trying new things, and even breaking things along the way. It’s through those mistakes that you really start to understand how things work. I’ve seen many students shy away from technical challenges because they’re afraid of messing up or because they don’t understand it straight away, but I’d say that’s exactly how you grow.

Another piece of advice I wish I’d heard sooner is to be brave. Don’t hesitate to ask for help, seek out resources, or request funding to attend conferences. You’d be surprised how often people are willing to support you if you just ask. Whether it’s advice from a mentor or an opportunity to present your work, being proactive can open up doors you didn’t even know were there.

For aspiring researchers, lecturers, and professors, I’d emphasize the importance of balancing persistence with adaptability. Research can be tough, with plenty of rejections and setbacks, but sticking with it is crucial. At the same time, be open to changing your approach based on feedback or new information—it’s all part of the learning process!

When it comes to teaching, be the teacher you always wanted to have! Make things interesting, challenge your students in a supportive way, and don’t just rely on constant lectures—nobody enjoys that. Use a variety of methods to communicate the material, and whenever possible, incorporate hands-on labs. Engaging students through practical exercises helps them connect with the subject matter and builds their confidence in tackling technical challenges.

Lastly, never underestimate the power of communication. Being able to clearly explain complex ideas to different audiences is a skill that will serve you well throughout your career. Whether you’re presenting research or teaching a class, effective communication can make all the difference in how your work is received and how you connect with others.

For those just starting out in cybersecurity, particularly in IoT security, what foundational skills or knowledge do you consider essential?

First and foremost, a solid understanding of networking is crucial. IoT devices rely heavily on network communication, so knowing how networks operate, including protocols, IP addressing, and how data flows through a network, is fundamental. This knowledge will help you understand how IoT devices communicate and where potential vulnerabilities might lie.

Next, a strong grasp of basic cybersecurity principles is key. This includes understanding common threats like malware, phishing, and DDoS attacks, as well as knowledge of encryption, authentication, and access control mechanisms. These concepts are foundational across all areas of cybersecurity, and they’re particularly important when dealing with the diverse and often resource-constrained devices found in IoT environments.

Programming skills are also essential. You don’t need to be an expert programmer, but being comfortable with scripting languages like Python or Bash will allow you to automate tasks, analyse data, and even write simple exploits or security tools. Additionally, some familiarity with embedded systems and the basics of how software interacts with hardware can be very beneficial, given the nature of IoT devices.

Dr Anthi with colleagues at Blackhat Europe

Another key area is understanding the specific challenges and limitations of IoT devices. As mentioned above, unlike traditional IT systems, IoT devices often have limited computational power, memory, and energy resources. This makes it difficult to implement traditional security measures, so you need to be creative and resourceful in finding ways to secure these devices.

Finally, I’d recommend getting hands-on experience as much as possible. Try setting up your own IoT lab with various devices, experiment with securing them, and participate in Capture The Flag (CTF) competitions or online challenges related to IoT. This practical experience will solidify your understanding and prepare you for real-world scenarios.

Outside of cybersecurity, what hobbies or interests do you pursue to unwind and maintain a balanced life?

Outside of cybersecurity, I have a lot of hobbies and interests that help me keep a balanced (and somewhat interesting) life - I have to say, I am never bored! There is a popular saying: have three hobbies—one for the mind, one for the soul, and one for the body—and that advice has stuck with me.

For the body, I’ve always had a natural talent and passion for sports. Growing up, I was involved in everything from track and field—100m sprints and long jump—to team sports like football (yes, I was also part of a boys team when I was young), handball, volleyball, and basketball. But my real love has always been racket sports like tennis, badminton, and ping pong. Without much formal training, I was able to win a few medals and trophies along the way. My love for sports even led me to pursue a BSc in Sports Science at the National & Kapodistrian University of Athens (with a specialisation as a tennis coach) before I decided to study Computer Science. Given my background in sports and my dedication to taking care of my body, I also took up cooking. My friends and family insist I’m a great cook, so I’ll let their opinions speak for me—but I do really enjoy preparing tasty and healthy Mediterranean dishes.

For the soul, music plays a big role in my life. My grandmother introduced me to music at a very young age, specifically the guitar, and I've been playing it ever since—classical, acoustic, and electric. Over time, I developed a deep love for composing and writing new songs in pop, indie, and soul styles, which led me to learn how to record music at home. Since I didn’t have anyone else to play with, I also taught myself to play bass, basic drums, and keyboard, so now I can pretty much record complete songs on my own!

For the mind, I love to travel and explore new places. I’ve been lucky enough to visit many parts of Europe, Asia, and America, and each trip brings new inspiration for both my work and personal life. Travelling also lets me indulge in another hobby—photography. I enjoy capturing the essence of the places I visit, and if you’re curious, I’m happy to share my Instagram!

Lastly, I’m a bit of a bookworm. I always carry a book with me, no matter where I go—otherwise, I feel a bit lost! I tend to read about psychology, spirituality, and entrepreneurship, as they help me stay grounded and keep learning new things.

I noticed from your LinkedIn that you have a background in coaching tennis. Do you still find time to play or coach, and how do you think sports coaching has influenced your teaching style in cybersecurity?

To be honest, I haven't played tennis properly in a few years, mainly because I haven't found many people to play with and I think I got my fill when I was younger. These days, I’m really into badminton and have been training consistently with the goal of starting to compete soon. Staying active through badminton, yoga, and strength training at the gym helps me stay both physically fit and mentally balanced—I try to train almost every day. Occasionally, I also do some personal training for others, which I find incredibly rewarding. 

My background in sports coaching has definitely influenced my teaching style in cybersecurity. The active and interactive approach that's essential in coaching translates perfectly into the classroom. Just like coaching athletes, I believe in engaging students through practical, hands-on experiences that not only teach them the theory but also how to apply it in real-world scenarios.

Moreover, coaching has taught me the importance of tailoring my approach to meet the individual needs and skill levels of each student. In sports, you have to recognise that each athlete has their own strengths, weaknesses, and learning styles—the same goes for students in cybersecurity. I make an effort to understand where each student is coming from and adjust my teaching methods accordingly, whether that means breaking down complex concepts into more digestible parts or providing extra challenges to keep them engaged.

Another aspect I've carried over from sports coaching is the emphasis on building confidence and resilience. In both athletics and cybersecurity, facing and overcoming challenges is part of the journey. I encourage my students to view obstacles as opportunities for growth and to persist even when things get tough. Celebrating small victories along the way is also important—it keeps motivation high and reinforces the progress being made.


Thanks Irene!

Thank you Irene for sharing your story and thank you for reading!

Want to share your own cybersecurity story and insights with us? Learn how here 👉 https://www.hackerasks.com/share/

From PC Repair to OSINT Professional
Security Engineer
Hello Ricardo! Please introduce yourself and share your background.

I have been doing IT/Security work now for 20 plus years. I started out in a big blue box store doing computer setups and malware/virus removal. During my time in the retail store, I moved into doing in-home PC setups and repairs. This is what got me into wireless setups for homes in the DFW area. I did wireless home setups all over the DFW area for your average family and for current and past NFL players. I moved from doing retail services into doing tech support for a local area school district. This is where a lot of my troubleshooting skills were tuned and where I learned a lot of soft skills, probably one of the most underrated skills anyone in this industry should be learning early on.

During the next decade, I spent my time supporting kids (students), teachers, administration, and others. I managed to learn everything from the wall to the ceiling and all the things in between. I moved from desktop support to Network Administrator within my first two years. I managed servers, switches, routers, firewalls, phones, wireless, and anything you could really think of that makes a school district function in today's world. My passion was more on the wireless side, so I learned to automate all the server and active directory management. Once I felt like I had learned just about all I could with our wireless setup, I moved over to firewalls and hunting within our network. This is where my passion for threat hunting really took off, and eventually led me into cyber security and learning how to become an ethical hacker. 

I never really became the elite hacker that I saw in the movies, I just became more curious about learning more and having an understanding of how most things work. In the most general sense. Never an expert but a master of many things. I really leaned into my hunting passion more and found open source information gathering, often referred to as OSINT. OSINT became the one thing that I found myself never really getting bored of and that led me into Intelligence.

After my nearly decade in the school district, I moved over to the sports entertainment industry for a brief 2 years and did some support and security work for a well known NFL franchise in the DFW area, I bet you can’t guess who. After my brief stint working for a Star franchise, I went back to retail for 5 years and worked as a Security Analyst, Security Engineer, and Security Operations Manager. I learned so much in those 5 years and I was hungry for more, so I ventured into the vendor space for 3 years for a Digital Risk Protection/Threat Intelligence Provider. After those 3 years I found myself back at my previous employer I was at for 5 years, as a Security Engineer again, with a goal to build out a Cyber Threat Intelligence program.

What advice would you give to an aspiring security professional?

The one thing I tell all aspiring security professionals that I mentor, is stay passionate and hungry. This is an industry that is never slowing down and always changing. There is always something interesting happening and never a bored or dull moment. 

If certifications are your jam, go get all the certifications you can. This shows potential hiring managers you are always learning and staying up to date. I am not a hater towards college and degrees as they have their value as well. This is another place folks could potentially pick up those soft skills that are so valuable in the business world we all work in. 

If you want to stand out, have a well structured resume, and work on building your own lab at your house if you are able to. You can always find cheap old hardware that will run some flavor of Linux. If you network and find security meetups or groups in your area, this is also a good place to pick up hardware others may be trying to part with. These meetups are also a good place to meet hiring managers.

You have earned several cybersecurity certifications throughout your career, which is an impressive achievement! How do you view the role of certifications in building a successful career in cybersecurity?

I tell anyone getting into cybersecurity to look at CompTIA and their certification track. Most people can skip the A+, and start with the Network+ and Security+ certifications. This is a great start and will allow you to either continue to other CompTIA certifications or move into others like Practical Junior Penetration Tester (PJPT) from TCM Security. Or if you are like me, focus on getting all the OSINT training you can and get the Open Source Intelligence Professional (OSIP) by IntelTechniques.

Open Source Intelligence Professional (OSIP)
Speaking of certifications, you have completed a few Open Source Intelligence (OSINT) courses. How can people use OSINT principles to protect themselves online?

When it comes to learning OSINT and how to use those skills to protect yourself, I tell folks to Google yourself. Pretend you do not know anything and all you have is an email or vanity username. Learn the art of the pivot and think like an attacker. How could you use the information you find to create a good phishing email, or potentially access your online accounts due to bad password practice? Do OSINT on family members that are willing to allow you to pry into their lives a little, but leave them better off than they were prior. Always find a teaching moment to show the risk around the data you are finding.

The most important thing I tell people is to not overshare on social media, and to let your family and friends know if you are not comfortable with having your image shared or loaded on their posts as well. For parents, I tell them to communicate; so often we hear stories that would have been avoided if there had been communication and some sort of parental involvement. Parents, please don't put the family stickers on your cars or that "I married a trucker" sticker. This is the same as oversharing on social media, but now the threat actor can follow you home.
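The "start with an email or username and pivot" exercise described above can be scripted for the mechanical part. The following is an added example, not code from Ricardo or from hackerasks.com: it derives vanity-username candidates from an email's local part, builds the Gravatar lookup URL (Gravatar keys avatars on the MD5 of the lower-cased, trimmed address, and `d=404` makes the service answer 404 when no account exists), and lists profile URLs to check by hand. The service URL patterns and the candidate-generation rules are assumptions chosen for illustration; nothing here makes a network request, so the actual lookups are left to the person doing the assessment on themselves or a consenting relative.

```python
import hashlib
import re

# Assumed, illustrative list of places where a vanity username is commonly
# reused. Extend to taste; none of these are fetched by this script.
PROFILE_PATTERNS = {
    "github": "https://github.com/{u}",
    "gitlab": "https://gitlab.com/{u}",
    "reddit": "https://www.reddit.com/user/{u}",
    "x": "https://x.com/{u}",
}


def gravatar_url(email: str) -> str:
    """Gravatar avatar URL for an email address.

    Gravatar hashes the trimmed, lower-cased address with MD5. With d=404 the
    service returns HTTP 404 instead of a default image when no avatar is
    registered, so a single HEAD request answers "is this email tied to a
    Gravatar account?" without revealing anything to the account owner.
    """
    digest = hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()
    return f"https://www.gravatar.com/avatar/{digest}?d=404"


def username_candidates(email: str) -> list[str]:
    """Turn the local part of an email into likely vanity-username variants.

    Handles sub-addressing (jane.doe+news@ -> jane.doe), separator variants
    (jane.doe / jane_doe / jane-doe / janedoe), first/last permutations, and
    trailing-digit stripping (jdoe99 -> jdoe). The rules are assumptions that
    reflect common naming habits, not an exhaustive OSINT wordlist.
    """
    local = email.strip().lower().split("@", 1)[0]
    local = local.split("+", 1)[0]                      # drop +tag sub-address
    parts = [p for p in re.split(r"[._\-]+", local) if p]
    cands = {local, "".join(parts), "_".join(parts), ".".join(parts), "-".join(parts)}
    if len(parts) >= 2:
        first, last = parts[0], parts[-1]
        cands.update({first + last, last + first, first[0] + last,
                      first + last[0], first + "." + last})
    cands.update({re.sub(r"\d+$", "", c) for c in list(cands)})
    cands.discard("")
    return sorted(cands)


def pivot_plan(email: str) -> dict:
    """Assemble the manual check-list for one starting email: the Gravatar
    probe plus every (candidate username, profile URL) pair worth visiting."""
    usernames = username_candidates(email)
    profiles = [
        {"username": u, "service": svc, "url": pat.format(u=u)}
        for u in usernames
        for svc, pat in PROFILE_PATTERNS.items()
    ]
    return {"email": email.strip().lower(),
            "gravatar": gravatar_url(email),
            "usernames": usernames,
            "profiles": profiles}


if __name__ == "__main__":
    # Constructed sample input; not a real person.
    plan = pivot_plan(" Jane.Doe+news@Example.com ")
    print("Gravatar probe:", plan["gravatar"])
    print("Username candidates:", ", ".join(plan["usernames"]))
    for p in plan["profiles"]:
        print(f"  check {p['service']:<7} {p['url']}")
```

Run it against your own address first. Every URL it prints is something an attacker can also derive in seconds from an email found in a breach dump or a mailing-list archive, which is the point of the exercise: seeing how quickly one identifier pivots into a dozen others.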

What has your experience as a co-host for the DEFCON Group 940 been like?

Being part of a group of individuals that want to help others get into the industry and be successful is amazing. It has also allowed some to get over their fear of presenting. But the best part is to see the success of others. I have always enjoyed sharing what I am passionate about and teaching people. 

DEFCON Group 940
What hobbies or interests do you pursue to unwind and maintain a healthy work-life balance?

My hobbies are still mostly in wireless communications; I still dabble with wireless and RFID some. I also like to storm spot/chase during the severe weather seasons when I can. Outside of technology and cyber, I play basketball. I am not as quick and can't jump as high anymore, but I still have a decent shot for an old man.

I also like to learn more about how to help those in need. Mostly things like CPR, and how to properly triage a wound or broken bone. This led me into going through my county's Community Emergency Response Team or CERT training. This also allows me to volunteer for things like search parties when looking for missing people. This eventually became something I do on the side in trying to help with missing person cases and public service announcements asking for assistance. Another great way to practice and work on your OSINT skills.

Thanks for taking the time to answer these questions! Please link any social media you’d like below.
Thanks Ricardo!

Thank you Ricardo for sharing your story and thank you for reading!

Want to share your own cybersecurity story and insights with us? Learn how here 👉 https://www.hackerasks.com/share/

From IT to Cybersecurity: Suman Roy's Journey
Security Engineer
Hi Suman! Please introduce yourself and share your background.

Hi everyone! I am Suman Roy, a Security Researcher at LoginSoft from India. Before getting into cybersecurity, I spent four years in IT, working mostly as a back-office executive and technical support, providing services for clients in the United States of America, New Zealand, and Australia.

I love doing Capture The Flag (CTF) competitions and hacking scammers. I also did some bug hunting for the Indian Government, finding some Remote Code Execution (RCE) and SQL Injection vulnerabilities. I'm a big-time fan of horror movies and long rides, and love to share motivational reels 🙂. I also have a unique interest in geopolitics and national security.

Can you share the moment or experience that sparked your interest in cybersecurity?

To be honest, cybersecurity wasn't my first choice. After 10th grade, I wanted to pursue science in 11th and 12th grades so I could join the Indian Air Force.

Unfortunately, I wasn't strong enough in math 😛, though I was good at all other subjects.

Since I never got into the science track, I chose the Arts track, majoring in English, Geography, and more. I was a bit of a geek back then, and I had the option to take computer science as a subject in the Arts stream under certain conditions. I enrolled in it, and one day after returning from school, I watched Die Hard 4. The scenes involving signals intelligence and satellite hacking really inspired me.

Here are some videos about satellite hacking:

And for signal intelligence:

I realized that while I couldn't serve in the armed forces, I could definitely develop skills that would help my country in other ways.

However, I didn't have many resources from 2013 to 2019, so I learned mostly from YouTube until I discovered TryHackMe and Hack The Box. That’s when my real journey began.

You are an avid TryHackMe user who has completed over 230 rooms! How has the TryHackMe platform helped you develop your cybersecurity skills?

Yes, I have completed more than 230 rooms! For readers, I'd like to mention that a subscription is not necessary. There are plenty of free rooms available for training purposes. I wasn't a premium user for a solid year.

I used the free rooms, and if I got stuck, I used the notes and references from other users. You cannot learn everything on your own, so it's important to ask for help when needed. Have a student-like mentality and be humble. “If I don’t know, I don’t know, and I will ask for help”.

As I went through the notes, I became more comfortable with Linux shell scripting because I was trying to automate tasks, sometimes using Python. I also made notes on what to use, when, and why, depending on the situation. I created my own checklist and tried different known methods before jumping to walkthrough articles.

Automating exploits helped me become a better developer as well. My team and I have automated TryHackMe Advent of Cyber 2023 challenges. Find them on my GitHub.

I do have a Hack The Box account, but I'm not very active on it. My last rank was “Hacker”. You can find my profile here: HackTheBox

The reason I use TryHackMe more than Hack The Box is simple: Hack The Box is much tougher and wasn't suitable for me in the early stages. I found it exhausting with very little help and few articles at that time. TryHackMe is more user-friendly for beginners, while Hack The Box is better for sharpening existing skills once you have some experience.

You can navigate through the rooms easily in THM and not get frustrated about it, while in HTB it's like banging your head against the wall.

Who are your role models in the security community?

John Hammond, David Bombal, Occupy the Web, and Ryan Montgomery. These four have been incredibly inspiring, and I've learned a lot from them throughout my journey. Additionally, the TryHackMe Discord community has been very helpful and collaborative. I haven't met them in person, but I’d love to someday.

What advice would you give to a student interested in becoming a Security Engineer?

If you’re just starting out, try using TryHackMe. Begin with the introductory and easy rooms, and then level up as you learn more. Use YouTube and other resources, like ChatGPT, to understand and clarify concepts.

You don't need a degree to get into cybersecurity or software development. There are many opportunities for those with the right skills, and I'm a prime example of that. I never wanted a degree and left university to get into tech support, which helped me develop a problem-solving mindset. I believe practical experience is more valuable than classroom theory. However, I left university mainly due to financial reasons, so if you have support, pursue a degree, but also seek practical experiences.

Taking notes early on will definitely help you a lot. Cybersecurity has a steep learning curve, and you won’t see quick results at first. Make Google and ChatGPT your best friends. There's also another AI model called PentestGPT.ai which could be useful.

Please remember that, unlike in CTFs, you should not expect to gain root access on public servers. Vulnerabilities can range from simple information disclosure to remote code execution. Some targets may only be vulnerable to XSS, so don't get discouraged; every target is different.

Don't hack unauthorized targets; instead, hack scammers or hunt down bad actors and report them 🙂

Remember, it's a journey, not a race. You are your own competition and no one else. If you ever feel unmotivated during tough times, remind yourself why you started and believe that God gives the toughest battles to His strongest soldiers.

What are your career goals for the future?

I would love to hack into Microsoft and become CEO for a day at least 😛

My goal is to become 1% better every day. I also aspire to start my own cybersecurity firm.

Do you have any non-cyber related hobbies?

Not really, unless watching and sharing motivational reels count as a hobby.

I'm very interested in geopolitics.

I enjoy horror movies like The Nun, The Conjuring series, and Insidious. I also love listening to paranormal research and stories – some podcasts provide real-life insights into these other dimensions.

I enjoy long rides on my scooter and going to the gym to stay fit. As you can see, I have many different interests 🙂.

Thanks for taking the time to answer these questions! Please link any social media you’d like below.

Before getting into cyber, I was training myself on web development and UI/UX

My gym music playlist

I exist on other places on the Internet 🙂 here are my usernames: sumanrox, suman.roy, sumanroy.official. Feel free to hunt

From Self-Taught Programmer to Lead Security Architect

Richard Dubniczky is a Lead Security Architect at Zeiss, a PhD student, and a self-taught programmer. I had the pleasure of interviewing him to discuss his journey and hobbies.

What first drew you to the field of computer security, and how did that early interest evolve into your current focus on cybersecurity architecture?

To be honest, I was quite unsure what to do when I was in high school. I tried out a few things, including finance, photography, and tinkering with computers, amongst other things. Eventually computers won the race, so to speak, and my journey into the depths of Computer Science began. I started off as many other students do, learning basic languages such as C, C#, and Python and immersing myself in the details of each, alongside a particular interest in web applications and servers.

As I started understanding how servers work, I also started seeing the mistakes I’ve made and how they could have a serious impact if someone found them. Quite quickly I figured out I wasn’t alone in making mistakes and I started playing around with other peoples’ “broken” services. I hacked into random websites on the internet, gained admin privileges on school computers, and I started amassing an arsenal of tools I could use. I still have the git repository of over 500 tools that I collected, wrote, or modified to my liking (this one is private, sorry). My biggest catch so far has been a critical vulnerability in Coinbase’s authentication flow.

At this point I had some experience with both blue and red team activities, which helped me secure a security engineering role at Prezi. I learned a lot there about massive-scale AWS systems, completed certifications, and took on more and more responsibility for owning services. Eventually I became Technical Lead of Security Engineering. As a technical lead, my job was not too dissimilar from an Architect's, and I enjoyed the work that came with it. I'm definitely a more extroverted personality than most developers I know, so I didn't mind the organizational duties that come with a leadership role alongside the technical ones. Eventually I joined Zeiss as their Lead Security Architect for everything to do with customer interactions.

This has been my journey in my last 10 years, so it definitely didn’t come quick or easy. I view the Security Architect role as a career that you prepare for, rather than “just a job” that you take up after leaving school.

What key advice would you offer to aspiring security professionals, particularly those interested in specializing in cryptography or architecture?

I believe my main superpower is curiosity. I’m deeply interested in everything to do with programming, services, technologies, exploits and tinkering. These are, however, not enough to be a good architect in my view. You also need the people skills and the drive for leadership.

I spent countless hours deep diving into technical topics, but I also spent a lot on working on social skills, understanding business needs and how the management and business oriented people think about issues.

Being an architect is just as much about selling your vision to people both above and below you as much as it’s about executing on it.

So my advice to you is diversification. You should be good at the technical, as well as the personal and the organizational aspects of business. Security is never "just a priority", you have to make it be the priority! If you have the drive to do this, then you'll be a successful architect!

As a security architect, what are some of the most complex challenges you've faced in designing secure systems?

Nobody wants to write insecure software. This has been a general trend I’ve noticed over the years and whenever a gaping hole was pointed out to one of my colleagues, they often rushed to correct it as soon as possible. What’s the issue then?

People also always prioritize features over bugs. There is much more recognition on being the one who completes the shiny new features management asked for on time, rather than fixing five security bugs “many of them would never have been exploited anyways…”

The abundant use of external packages also makes this worse. Developers are usually easier persuaded to fix their own mistakes, rather than spend hours trying to migrate to a newer version of an obscure package that “we are barely using anyways.”

If pushing security into the spotlight is a constant fight, then the architect role also feels like a constant fight. My tactic was to get buy-in from as many of the developers as possible. Write our own shared security guidelines where everyone participates and they feel like these rules are their own! We are securing software according to our shared principles, so people are not forced into a system they feel does not take into account their perspectives enough.

There are plenty of challenges from a technical point of view as well, though I feel like they are much easier to manage. You are most likely pivoting to Security Architect from a Security Engineering role, so you’ve likely spent years tackling them before. Though, I’ve been thinking much more about the “why” of things rather than the “how”. It’s a difficult balance to be viewed as the person to turn to when in doubt rather than the one that always halts progress.

Congratulations on starting your PhD in Cybersecurity and Cryptography! How has the experience been balancing your research with your work as a security architect? Have there been any unexpected challenges or insights so far?

I’m relatively at the beginning of this journey, so my answer will definitely evolve in the upcoming years. I always enjoyed sharing my work in as much detail as possible (mostly through my GitHub repositories), so writing about them in an academic manner seems like a logical next step. It will get my ideas challenged and brought in front of the security community much more!

Doing a full time job and a Ph.D. at the same time is not something that’s for people who enjoy work-life balance. It comes with a lot of sacrifices that I had to clearly discuss with my family beforehand. One thing that helped me a lot in managing my time has been reading the books of brilliant thinkers and scientists of our time. Some of the ones that had the most impact on me are:

  • The 7 Habits of Highly Effective People, by Stephen R. Covey
  • Deep Work, by Cal Newport
  • Never Split the Difference, by Chris Voss
  • Why We Sleep, by Matthew Walker

One unexpected result from me starting my Ph.D. has been the tremendous amount of support I received. Both from family and friends, but also from my colleagues, many of whom expressed interest in joining in and helping with some papers, as well as the opportunity to publish some of my work. Working on papers at the cutting edge of technology is a cooperative venture, and one that yields many unexpected connections to great people!

What are your non-cyber related hobbies?

It might come as a surprise to you, but despite spending most of my time working or sleeping, I do have quite a few hobbies I enjoy doing with friends and family:

  • Scuba diving & water sports: I always enjoyed being on the sea. Above it, on it, in it, or just around it are all great ways for me to turn off in the summer. Diving, swimming, surfing, and water skiing are my favorite outdoor activities of the year. In fact, I’m no more than 50m away from the sea as I’m writing this in August.
  • Escape rooms: Going to neatly crafted escape rooms and eventually escaping and the timer slowly running out is one of the most fun activities I’ve participated in with friends or family. I already have 30+ under my belt easily.
  • Photography: I demoted photography from a career aspect to a hobby, and it made it all the better! I travel a lot and making a couple of great pictures I will remember are super fun and make me pay attention to the beauty of my environment a lot more.
Where do you get your cybersecurity related news from?

Aside from the occasional “holy sh*t something’s on fire” from my colleagues? My main source of news is The Hacker News, IT Brew, as well as some blogs, YouTube channels and private forums I frequent. 

I wouldn’t necessarily give anyone a list of these, as they should evolve over time depending on your interests and specialization. Staying up to speed is as crucial as ever from the technical to the regulatory side of security as well.

Thanks for taking the time to answer these questions! Please link any social media you’d like below.

I’m not very active on social media, so I apologize if you don’t receive an answer.

From Tech Support to Penetration Tester: Tom's Story
Penetration Testing
When did you first find yourself interested in computer security? What inspired you to pursue penetration testing specifically?

The first time I tried to learn about cyber security was during university. I had a cyber security module in my third year, which was a great introduction to the field. This included learning about some common tools such as nmap.

I enjoyed this module and decided to continue learning about cyber security in my free time using TryHackMe.com. I was inspired to try penetration testing because the idea of getting paid to tinker and break into systems sounded fun. I was happy with my support role but thought pen testing would be a good challenge and more exciting.

Mobile application penetration testing is more niche than web or network penetration testing. What motivated you to choose this specialization?

I was working on a small team of testers (around 8 people). We only had one team member able to pentest Android and iOS applications, which wasn't an ideal situation to be in. What if they left the company? Realizing this issue, I volunteered to become the second mobile app tester for a couple of reasons:

  • I could learn from the current mobile tester who was very experienced.
  • Mobile apps are common and used by many people for critical purposes such as banking.
  • It was something new - I think it is important to try many different areas to see which ones you enjoy and which you don’t!
You recently earned the GIAC Mobile Device Security Analyst (GMOB). Congratulations! What was that experience like?

The SANS course was fantastic! I took it live online. This really helped me with my iOS testing as this was my weakness before the course.

I created an index for the exam, which was a big help. Creating the index was very time-consuming, but necessary due to the vast amount of content covered over the 5 day course. The exam experience was okay and I fortunately passed with 86%.

Personally, I think a practical exam is better than multiple-choice. The SANS course did have a CTF that my team won (out of the online attendees). 

Any plans for your next certification? What are your thoughts on the abundance of certifications in the cyber security realm?

As I am based in the UK, my next certification will likely be the Cyber Scheme Team Leader (CSTL). This is a must-have over here as it allows you to lead work within the public sector. It will be either web app or infrastructure focused.

I think there are a lot of certifications in the industry as there's a lot of money to be made off it. I think it's worth taking some of them as you will learn a lot and they might help you get your foot in the door. However, when I landed my first role I didn't have any certifications so they are not a must have.

I would recommend TryHackMe and Hack The Box Academy to people who are new to the industry as it is much more affordable than the expensive certs.

Who are your role models in the security community?

I look up to the directors at SecQuest. They have been in the pen testing industry for decades and understand what clients want and how to deliver. I also like that they are unafraid to invest in their employees and can see people's potential.

For example, when I started working at SecQuest, I had no certifications or industry experience and they offered me a job, put me through Cyber Scheme Team Member (CSTM), and the SANS SEC575 course and exam in two years.

What are your non-cyber-related hobbies?

My main hobby outside of cyber is bouldering! It's a good way to stay fit and have fun.

What advice would you give to someone interested in becoming a mobile penetration tester?

I would recommend starting with Android apps, as you can use an emulator to do your testing. I used the Hack The Box mobile challenges and Uncrackable CTFs.

If you enjoy that, you should check out Corellium to get into iOS testing or buy a secondhand iPhone that you can jailbreak.

Where can people find you?
How to Learn Hacking
I often get asked how to get started with hacking and CTF (Capture The Flag) competitions. Here, I've compiled a list of resources that I’ve found helpful.

Start by choosing one topic that interests you and practice it hands-on through CTFs, wargames, or labs. Read write-ups or watch walkthrough videos to learn how others solved challenges. Rinse and repeat!

CTF Guides
  • The CTF Primer - A concise resource that introduces Capture The Flag (CTF) competitions and provides strategies for beginners.
  • CTF Handbook - An open-source handbook for aspiring CTF players, filled with tips, tricks, and solutions to common problems.
  • The CTF Field Guide - A practical guide from Trail of Bits that dives deep into CTF techniques and tactics.
Wargames for Learning Linux, Web and Binary Exploitation
  • OverTheWire: Bandit - Focused on Linux command-line skills, Bandit is an excellent starting point for beginners to understand basic Linux commands and usage.
  • OverTheWire: Natas - A web security game that offers challenges based on various web application vulnerabilities.
  • OverTheWire: Narnia - Focused on ELF binary exploitation, Narnia helps you understand binary exploitation basics using different levels of challenges.
Additional Resources
  • Hack The Box Academy - A platform with interactive lessons and hands-on labs that range from beginner to advanced topics in ethical hacking.
  • PentesterLab - Offers a variety of challenges and labs focused on web application security and common vulnerabilities.
  • TryHackMe - Provides structured paths and guided learning environments tailored for beginners and intermediate learners.
  • VulnHub - A platform that provides intentionally vulnerable virtual machines for practicing penetration testing and security research.
  • OWASP WebGoat - A deliberately insecure web application maintained by OWASP for educational purposes, helping you understand common vulnerabilities.
  • PicoCTF - An online platform offering a wide variety of CTF challenges suitable for beginners, particularly high school and college students.
  • Hack This Site - A free and legal platform that provides challenges ranging from beginner to expert level, covering various aspects of hacking.
  • PortSwigger Web Security Academy - A free learning resource that offers labs, videos, and documentation to master web security and common web vulnerabilities.
Conclusion

These resources are just the tip of the iceberg. The key to mastering ethical hacking is consistency, curiosity, and persistence. Start with the basics, choose challenges that interest you, and never stop learning. Happy hacking!

Interview with TryHackMe Developer Muirland Oracle
Content Creators
This interview was originally conducted on 11 June 2022 on my personal site. Check it out here!

If you’ve ever used the TryHackMe cyber security learning platform, then you’ve likely come across the work of Muirland Oracle.

Over the last three years, he has created 30+ walkthrough and challenge rooms - ranging from the beginner friendly, to the downright difficult (I’m looking at you, Year of the Jellyfish). Tens of thousands of users have interacted with and learned from his content!

Furthermore, he provides support for over 136,000 users as TryHackMe’s Discord Community Manager!

As a huge fan of his work, I was super excited to be able to interview him!


How do you balance being a full time student with content creation and being a TryHackMe Discord Admin?

Believe it or not, it’s worse than that! I also work part-time as a pentester for a local company, and nearly always have a cert or training course on the go in the background. The short answer to this question is: with difficulty. I keep a very close eye on where and how I spend my time, and make sure to track and prioritise tasks based on urgency.

Sometimes that means short sprints where I end up effectively picking each task off individually one-by-one, but usually I just make sure to juggle tasks to maximise efficiency (i.e. when I get bored with one thing, I just switch to another so that I’m always doing something productive). Unfortunately, there are only so many hours in a day – so sometimes the items with no deadline get pushed back a bit – but it all gets done in the end! It’s certainly not a dull way to pass the time – I hate being bored, so I wouldn’t have it any other way.

What does a typical day look like for you?

I don’t really have a typical day just now – which is awesome for keeping life interesting! I usually spend about 90-120 minutes on exercise and try to take some time in the evening for down-time, but other than that it’s usually just a case of fitting whichever tasks need done that day in around meetings and university. In a sense, working from home over COVID has been helpful in that I don’t need to travel as much as I used to, but after a couple of years I almost miss it!

When did you first find yourself interested in computer security? What inspired you to pursue penetration testing specifically?

For a variety of reasons, I performed an in-person authentication bypass and privilege escalation on a MacBook when I was in my early teens. The "hack" was extremely simple, but it introduced me to the intoxicating adrenaline rush you get from successfully breaking into stuff.

Thereafter, I started looking for ways to recapture that rush as a legal occupation – pentesting was where the research led. I didn’t really do or learn anything else until I went to university a few years later, at which point I became involved with the TryHackMe community and really started diving into security.

What’s your methodology for creating a TryHackMe room?

The answer to this is totally different depending on the type of room. Traditionally I have worked on CTF challenges and walkthrough tutorial content; more recently I have also been building vulnerability showcases (e.g. Pwnkit, Dirty Pipe, Spring4Shell, etc).

Teaching content tends to be the most intensive to write – it requires a lot of planning and usually starts with a vague topic or brief (e.g. “Write a Burp Suite module”); the scope gets developed from there. Once I know the topics I want to cover, I split them into tasks (or rooms and tasks if it’s a module) and put together a skeleton for the room(s) – basically just creating the room(s) and task headings ready to have the content added.

From there it’s just a case of writing the content. I usually try to build the interactive content (i.e., VMs and/or static sites) whilst I write as I find that the two aspects tend to influence each other; however, occasionally this isn’t possible and the interactive content gets developed either beforehand, or after the materials are written.

Vulnerability showcases are the complete opposite of tutorials – I take researched information about a vulnerability and use it to build a proof-of-concept lab for the vuln. Once I’ve built the machine, I have a much better “feel” for how the new vulnerability works, which makes writing the teaching material a lot easier. In other words, rather than starting with a vague brief and building inwards, I start very focussed and develop outwards from there.

These rooms all follow a similar format: introduction to the vulnerability, an overview of how it works and how you can remediate it, usually a slightly more in-depth technical explanation, and a practical using the lab I created previously (normally after tidying it up a bit!). This common structure means that I don’t really need to plan the room structure out – all I need to do is write each section then send the room out. Challenges are simultaneously (confusingly) both the easiest to build, and the hardest.

You obviously don’t need to write tutorial content for a challenge, which removes the hardest part of the equation (writing accessible teaching material is hard!) – that takes a lot of the pressure off. However, they require more planning than anything else. The best challenges need to make sense, be fun to complete, be relatively realistic, and not have a tonne of unintended paths through them.

Planning around those criteria can be tough, but the result is worth it! With challenges, I often start with a concept that I like the look of and build the rest of the box around it. Just to make life harder for myself, I’ve also built a few cross-over walkthrough/challenges (e.g., Hipflask), where I build a challenge box then effectively integrate a writeup into the room tasks. Interestingly, those are actually the most fun to build! Regardless of the type of room, you can be sure that there are a lot of notes and documentation involved.

Who are your role models in the security community?

There are quite a few! First and foremost, the man who pushed me into my OSCP and has been an awesome mentor and friend from almost the very beginning of my infosec journey: Ryan Montgomery (0day). A lot of my methodology and knowledge of the weird and whacky parts of hacking come from working with Ryan. Safe to say his determination and sheer stubborn inability to admit defeat have been motivational, to say the least!

Closer to home, a lot of my interest to really push myself into Infosec (including my initial introduction to TryHackMe) came from a friend from university: Samiser. Their passion for the subject – and especially for wonderfully niche aspects of cyber – really taught me from the get-go how much cybersec has to offer. Between that and their patience with a newbie’s questions, they were (and continue to be) an inspiration.

I also have a huge amount of respect for many of my friends and colleagues on the TryHackMe community staff team. A lot of my current infosec interests have come directly from them, and when I have a question about some weird edge-case, I can nearly always find someone who is likely to know the answer amongst them.

Speaking of TryHackMe, this list wouldn’t be complete without mentioning Jon Peters (DarkStar7471), who taught me about community management and has given me a lot of help and advice about starting out in cyber.

More generally, who doesn’t hold John Hammond (https://twitter.com/_johnhammond) as a role model?

There are way too many folks to list here – I could spend hours writing down names and flitting between role models. Suffice to say there are many absolutely awesome individuals in this industry, and it’s a great privilege to share the space with them.

Out of the 30+ TryHackMe rooms you’ve created, which has been your favorite to develop and why?

Tricky question! Aside from some of my very early challenges (which I hate), most of my rooms contain aspects that I’m particularly fond or proud of. I learn more with every machine I build, so there are always things to remember fondly.

For example, my CVE-2021-3560 room was my first chance to deploy my dynamic flags system. The box used in the Burp Suite module (Bastion) was one of my first Flask applications; Flask is now my go-to backend web framework. Upload Vulnerabilities was my first introduction to NodeJS and Docker – the latter of which is something I now use day-in-day-out.

Every room that I have built has taught me something new, so it’s really difficult to choose a favourite. That said, I get the most enjoyment out of creating “guided challenges” (think Wreath, Hipflask, or Atlas). I find that building out what is basically a challenge box, then teaching a method for hacking it, is much more liberating than explicitly designing a box to demonstrate a walkthrough – not least because it lets me challenge myself to stuff as wide a range of content in there as possible!

With that in mind, I’m probably going to go with either Wreath or Hipflask for my favourite. Wreath because of the sheer number of topics I was able to cover with it, and Hipflask because I really liked being able to include a source code review tutorial, as well as covering some of the more realistic aspects of pentesting (as opposed to just teaching isolated techniques).

You have earned the OSCP and CRTO, congratulations! Any plans on your next certification? What are your thoughts on the abundance of certs in the cyber security realm?

I have been working towards my OSEP for a while now, with the aim of obtaining the trifecta (OSCE3) in the not-too-distant future. From there I would like to move into SANS, so fingers crossed for a grad job with a big enough training budget!

To summarise my thoughts on the abundance of certs: there are a huge number of the things, many of which are useful for different purposes, in different areas, which can be really confusing for people entering the industry. In many ways it would be good to have a more standardised set; however, given how chaotic the entire industry is, I very much doubt that will happen.

That said, it’s well worth doing your research and filtering through the noise to pick out the certs that are most useful for you and the career you want to make for yourself. The benefit to having so many available is that you have many good options, so research well and choose wisely!

What advice would you give to a student with no experience interested in becoming a penetration tester?

Be curious. Knowledge can be learnt; curiosity cannot. Hacking is all about asking “what if…?”, so question everything and surround yourself with supportive, passionate people who love what they do and who embrace the philosophy of sharing knowledge for the collective good.

Equally, research is (and always will be) the most important skill for anyone in the infosec space. It is a massive world out there – it’s impossible for anyone to know everything. We all Google, and we all spend hours poring over documentation. Research is, without a doubt, the most important part of the technical side of hacking – if it’s a weak point for you, then that should absolutely be your focus (both for your own sake, and the sake of the people around you).

On the subject of research, what should you do when you learn something new? Make a note of it! Again, you’re never going to remember everything – the space is just far too vast. Get yourself some notetaking software (e.g. Trilium or Obsidian) and start writing. Every time you solve a problem or learn something new, write it down! You never know when you might need that information again, and it is great practice for documenting pentests in the real world.

Speaking of which, loath though I am to burst the bubble of hacking being all technical, report writing is (unfortunately) easily the most important job in pentesting. Your clients are paying for the report – that is your product. If you’re not comfortable writing reports, get practicing!

Finally (and arguably most importantly): remember that everyone starts somewhere. Imposter syndrome affects almost everyone in infosec. We all look around and see people who are better than us, who know more than us, who have more experience, or more accomplishments. They don’t matter. The only person who you should be competing with is yourself – your journey is your own, and it’s okay to do it at your own pace, starting in your own time.

Where do you get your cyber security related news from?

Honestly? Mainly Twitter. You can argue about the merits of this RSS feed or that news site all you like; chances are that news will pop up on Twitter extremely quickly with a big enough network of infosec professionals. It’s a small industry, relatively speaking, and news spreads very fast on social media.

What are your non-cyber related hobbies?

Global pandemics unfortunately make many hobbies difficult, but I’m very outdoorsy and love taking a day to go out kayaking or hiking. I used to swim a lot as well, but COVID makes swimming pools a bad idea for the time being, more’s the pity.

Aside from exercise-based hobbies, I still love to read for enjoyment, and get a lot of fun out of messing with new tech / building out my home and cloud infrastructure. Like most people in tech, I can occasionally also be convinced to play a game or two, although I’m not a huge gamer so that’s a relatively rare occurrence.

More of Muirland Oracle

Thanks again to Muirland Oracle for the interview and for providing such detailed responses!

Check out his links below to get in touch with him.
