
We think we know

Author: Pentest-Tools.com


Description

We think we know how computer systems work, but how come they keep surprising us?
We also think we know how humans behave, but we keep finding out we don’t.

This podcast is for ethical hackers who are thirsty for challenges and who never settle for easy answers.

We challenge some of the best offensive security pros in the world to reveal the unique traits, skills, and real-world experiences that got them where they are today.

Get ready to be caught off guard as we debunk misconceptions, dissect wins, and explore what ethical hacking culture teaches us.

This is the “We think we know” podcast from Pentest-Tools.com.
“Not everything works as configured. Not everyone behaves as trained.”

The reality of this statement makes it possible for us, the people in offensive security, to have a job. It also highlights how unpredictable our work can be and how never-ending our learning process is.

We work in a space where things are so complex that we need to combine big-picture, higher-level thinking with boots-on-the-ground practice.

And our guest today is brilliant at doing just that. Pete Herzog has spent over two decades distilling the fundamental principles of security testing, turning them into a decade-defining manual - the Open Source Security Testing Methodology Manual (OSSTMM). Pete brings offensive and defensive security concepts together to break down important misconceptions.

Listen to this conversation to uncover:
- Why you can’t do security without understanding the process behind it [08:23]
- How automation can help but, at the same time, hurt the ones using it [11:00]
- Why you can’t rely only on automated security tools in your pentests [19:10]
- The importance of implementing security controls to change the environment [28:22]
- Pete’s perspective on "Zero Trust" and how they tackled this in OSSTMM [35:18]
- Why he thinks there are “too many parrots, not enough pirates” in this space [43:42]
- The excitement of researching for OSSTMM v4 and exploring new technologies [51:40]

From the expert systems behind AI-driven tools and their blindspots to generalizations that hurt offensive security outcomes, we explore key elements that shape today’s problems - some of which you’re probably wrestling with as well. Let’s explore them!

In this episode, we continue to ask the meaningful questions:
- What makes a great pentester?
- How can you balance the art of manual testing with the efficiency of automation?
- What is the unique value that pentesters bring to offensive security?
- And what can't be commoditized in this craft?

Gabrielle's mantra, “action for cyberpeace”, resonates through her work, and today, she shares her journey, experiences, and the lessons that shaped her career so far.

Key highlights from this conversation:
- What specific skills do you need to be a great penetration tester [02:45]
- How self-learning and consistency help you achieve your goals [07:55]
- Why she values team collaboration to deliver the best work you can do [13:57]
- How she got into cybersec and why she strives for cyberpeace [24:35]
- How to find balance between your personal life and your work [28:37]
- When automation is effective in pentesting and where that ends [32:02]
- How to set healthy boundaries to protect your personal life and health [41:11]
- Which hobbies juggle her curiosity and broaden her horizons [51:59]

Give this episode with Gabrielle a listen if you want to level up your ethical hacking skills and challenge your modus operandi.

With 20+ years of cybersecurity work, Tom unpacks the complexities of penetration testing, discussing the roles of vendors, practitioners, and technological advancements. He also shares his perspective on what makes a good pentester, the value of mentorship, and the ethical challenges in this line of work.

Explore this conversation to learn:
- How pentesting changed over the years and who’s shaping it [03:02]
- How to avoid burnout and deal with imposter syndrome [09:13]
- Why he seeks and values mentorship for personal and professional growth [19:44]
- The importance of constant learning and networking with your peers [23:23]
- How compliance brings down the value of pentesting and what to do about it [30:04]
- How cultivating range can help you in your pentesting career [37:24]
- How to set healthy boundaries to protect your health [41:11]

This episode with Tom is a must-listen if you want to learn how to showcase your work and elevate your thinking and tactics.

Resources from this episode:
- Tom’s personal website
- Tom on LinkedIn
- Tom on Twitter
- The Shared Security podcast
- The People Hacker book by Jenny Radcliffe
- Tom’s journey from offensive security to leadership at the Phillip Wylie Show
- Ethical hackers and the legacy of the hacker manifesto for Cyber Empathy
- Tib3rius
- Jason Haddix
- Dave Kennedy

Stay tuned as we explore how tools like Nmap and sqlmap have shaped penetration testing over the last two decades, and stick around to discover which aspects make pentesting predominantly a craft - and which parts have become standardized (and what that means for your work).

Unpack this conversation to discover:
- The depth of the work involved in crafting offensive security tools [04:45]
- What you can learn only by developing and maintaining tools [08:03]
- How Villain evolved and key learnings from building it [17:00]
- The challenges of finding balance in deep offensive security work [21:30]
- How Panagiotis uses automation to make his work smoother [25:35]
- How building his own tools shaped his thinking [32:00]
- What makes penetration testing a craft (with hands-on examples) [38:12]
- Why (and how) he finds the motivation to do meaningful work [48:16]
- What kind of projects keep him energized [50:55]

Venture with us into the evolution of hacking tools, as T3l3machus shares his journey from admiring early toolmakers to becoming a pioneer, creating tools like BabelStrike and Villain.

Resources from this episode:
- Panagiotis on LinkedIn
- Panagiotis on GitHub
- His YouTube channel
- How to create your own GitHub projects
- John Hammond about hacking using Villain
- Villain
- Toxssin
- Hoaxshell
- BabelStrike
- Kerberos

Inti not only sheds light on what happens when expectations meet reality, but he also shares his unique approach to problem-solving with real-life examples you can add to your own process.

With 12+ years of experience in this space, Inti De Ceukelaire is a Belgian ethical hacker and cybercrime investigator. He currently works as the Chief Hacker Officer at Europe’s largest vulnerability disclosure platform Intigriti and is also a founding member of the Hacker Policy Council.

Inti also excelled in various bug bounty competitions, where he’s been rewarded by companies like Google, Meta, Yahoo, The US Department of Defense, or Amazon for identifying critical vulnerabilities in their systems.

Dive deeper into this conversation to learn:
- Why the best hackers started their career by running scripts and trial and error [03:47]
- Why bug bounty hunters need to nurture their creativity when looking for particular vulns [07:37]
- What the main differences between bug bounty and pentesting are [09:46]
- How to impersonate developers as a bug bounty tactic [13:42]
- Why bug bounty often looks like a rabbit hole [25:24]
- Why it’s important to define your own success and appreciate your failures [30:33]
- How AI helps ethical hackers eliminate repetitive and boring tasks [34:19]
- How deep research can lead to unexpected wins in ethical hacking [43:55]

Join us as we explore the intricacies of bug bounties, the crucial role of mindset in hacking, and how to turn every failure into a stepping stone to success.

Today’s guest, Willa Riggins, talks about how “every small piece contributes to the larger picture” in pentesting and explains why “it's about understanding the intricacies and appreciating the craftsmanship."

From the mindset behind excellent pentesting work to the (difficult) things that are never going to change in this space, we glide through Willa’s experiences, hard-earned know-how, and thoughtful approach.

Dive straight into the convo to learn:
- Why you need to get comfortable with trial and error to enjoy pentesting [03:43]
- The key lesson Willa learned from working in app security [09:45]
- How to focus on your craft when reporting vulnerabilities [13:14]
- The challenges pentest teams face in making their work count [19:07]
- The realistic, reasonable way to use automation in pentesting [24:28]
- Two aspects of the hacker mindset worth cultivating [28:36]
- Why (and how) having a hobby outside pentesting makes you more productive [33:33]
- How to set realistic expectations around developing a career in the field [36:42]
- What will be the key differentiating factor in penetration testing [42:40]

We believe you’ll get wisdom and inspiration from this kind and generous conversation. Willa will help you get a broader understanding of this field highlighting the fundamental role of people and teamwork. Just hit play!

There’s a constant loop of learning, doing, and improving in offensive security. And one way to develop the “muscle” to tackle complex security challenges is through hands-on training. That’s what IppSec, our guest, does with kindness, passion, and in the community’s best interest.

IppSec helps us bust a couple of common myths which, if left unquestioned, may alter learning, distort results, and, ultimately, create big gaps in understanding, all of which can undermine your future success.

Press play to listen to IppSec explain:
- Why recon requires constantly "reading between the lines" [03:20]
- Why AI can’t find business logic vulnerabilities [08:23]
- Why genuine communication with clients is essential [12:48]
- How rewarding and valuable it is to invest in the open-source community [17:35]
- How discipline makes a difference and how to develop it [24:00]
- How pentesting and bug bounty hunting complement each other [27:00]
- How you can build specific skills that differentiate you in the community [35:36]
- How to develop your own learning system [38:04]
- Why it matters to make constant learning a positive experience [44:48]

IppSec’s generosity to share so many practical, valuable examples will help you get a better understanding of this discipline and enhance your knowledge.

Ready to excel in offensive security this year? Delve into the mind of Vivek Ramachandran, a cybersecurity virtuoso who’s seen (and learned) a lot in this field. He's a force that fuels both his current company and the broader cybersecurity landscape with original thinking, educational and actionable insights.

And there's more to Vivek than just technical savvy. He's on a mission to revolutionize how we view ethical hackers and infosec pros, using his captivating comic books to challenge cliches and spark a new wave of enthusiasm in the next generation.

Tune in for this insightful episode with Vivek to find out:
- Why people mistakenly equate offensive security with functional testing [04:36]
- How (and why) the Hackers: Superheroes of the Digital Age comics came to be [07:13]
- Why first principles are essential in mastering and elevating security concepts [12:31]
- How to build your career on curiosity, gut feeling, generosity, and perseverance [19:33]
- Why we need human ingenuity as the nature of what we automate changes [29:10]
- What an entrepreneurial adventure will teach you about yourself - and others [43:45]
- How being part of the infosec community changes your work, thinking, and career [51:00]

Vivek’s vast career is a rich source of inspiration if you’re ready to practice extreme ownership, radical candor, and achieve the kind of alignment between your principles and actions that will propel your work and life to the next level.

Resources from this episode:
- Vivek on LinkedIn
- Vivek’s story in cybersecurity
- Comic books - Hackers: Superheroes of the digital age
- Vivek on the Phillip Wylie Show
- Advanced Wi-Fi security with Vivek at DEF CON 23
- Training courses on Pentester Academy
- OSI model layers

If you have questions that boggle your mind about penetration testing, Jayson is the person to learn from.

In the fourth episode of our We think we know podcast, we delve into the world of ethical hacking with the legendary Jayson E. Street. As an icon in the penetration testing community, Jayson brings a unique blend of wit, wisdom, empathy, and a true understanding of the hacker mindset.

He has a unique talent for breaking down penetration testing into fundamental ideas, using memorable stories you'll want to tell others (and actually remember!).

Dive into this special episode with Jayson to learn:
- Why every hacker needs to define and focus on their vision of changing the world [04:28]
- How (and why) his unique, creative approach helps him tackle security issues [16:20]
- Why automation can’t work as a defensive model for solving puzzles [25:05]
- How to mitigate risks and explain them to clients in terms they care about [43:58]
- Why AI won’t replace pentesters’ jobs, but enhance them [49:40]

Don’t miss this episode that packs so many practical, real-world examples you can learn from and apply in your life and work.

Resources from this episode:
- Jayson on LinkedIn
- Wired Tech Support: Jayson answers penetration test questions from Twitter
- Jayson’s website
- Jayson on the Darknet Diaries - Ep 6
- Documentary: Penetration tester Jayson E. Street helps banks by hacking them
- Book: Dissecting the hack: the f0rb1dd3n network
- Jayson on the Cyber Empathy podcast - Ep 34, season 4

“There is no end goal in this industry. You're always going to keep moving forward.”

This quote from our guest does a great job at capturing the conversation we explore in this podcast: the love for the process, the hunger for knowledge, how to add value for clients, and how to become a better penetration tester.

For the third episode of We think we know, we welcome Tim Connell, an enthusiastic penetration tester and the Director of Cybersecurity Services at Pulsar Security, to explore the most common security testing myths and misconceptions.

Tim shares some practical tips and examples that spotlight his commitment to continuous learning and community contribution. His enthusiasm and genuine dedication to this space are so inspiring that we hope they will lift you up and help you get better at what you do.

So join us on We think we know, as we unpack the layers and narratives shaping offensive security work.

Listen to the new episode to find out:
- Why it’s essential to really understand what each customer needs from their pentest [08:31]
- How to improve your workflow by making some of it replicable [21:33]
- Why it matters to learn as much as you can and use that to deliver better work [33:05]
- How to speed up your learning process by building stuff and looking deeper into vulnerabilities [41:21]
- Why (and how) visual representations boost clear communication in penetration testing [46:31]
- The perks of being more involved in the community, being resourceful, and keeping your motivation to move forward [50:05]

At the end of it, you’ll walk away with many valuable lessons to use in both your life and career. Let us know which hit home for you!

Resources from this episode:
- Tim on LinkedIn
- His journey from Sales to Director of Offensive Security on the Cybersecurity Recruiter podcast
- Tim on hacking a Wi-Fi network password in 2 seconds on the Pulsar Security blog

It’s not just penetration testing, just like today’s guest is not just an offensive security pro. If you’re the ambitious type who’s always up for new challenges, then you’re most likely going to resonate with today’s guest and his approach.

Experienced penetration tester and Volkis co-founder, Alexei Doudkine joins us in the second episode of the podcast to debunk pentesting misconceptions. With 10+ years of offensive security experience under his belt and his learnings as a business owner, Alexei challenges the status quo to get other hackers to walk a mile in their clients' shoes.

You’ll also hear Alexei unpack the skills and mindset it takes to deliver quality in penetration testing and become a better ethical hacker. Some of these ideas may make you uncomfortable - and that’s why we believe they’re worth listening to.

Whether it’s about absorbing technical complexities like a sponge or developing an intuitive perception of vulnerabilities, this conversation highlights the aspects of penetration testing that make it a true craft.

So, come along with us on We think we know, as we unpack the layers and narratives shaping offensive security work.

In this episode, you’ll learn:
- Why it’s not about data, but how you use it and the human impact behind it. [12:24]
- What it takes to develop your hacker intuition that tells you there’s something there - even before you have proof [15:25]
- Why automation is not the problem, but using it as a standard checkbox in your engagements is [19:00]
- How to use learning to also stay humble, rooted in the here and now [27:30]
- Why it’s worth prioritizing people over security testing during tougher economic times [44:45]
- The perks of being uncomfortable, hungry for learning, and doing your best work [49:20]

By the end of this episode, you'll look at your work - and the infosec community - with fresh eyes.

Resources from this episode:
- Alexei on LinkedIn
- Alexei’s hacker origin story on the Volkis blog
- Alexei on the Cyber Empathy podcast - Ep. 5, Season 1
- The Volkis Independence Policy

Welcome to the kick-off episode of the We think we know podcast! Whether you’re looking for a fresh perspective, to learn about and from our guest, or just to see if this podcast is worth your time, thanks for choosing to spend some time with us! We don’t take it for granted.

Today, we've got the fantastic Alethe Denis with us. Wearer of many hats and a generous contributor to the cybersecurity community, Alethe’s work covers a broad range of offensive security, from pentesting to social engineering, and red teaming, including tabletop exercises.

In 2019, Alethe took home the top prize at the prestigious DEF CON Social Engineering CTF. She later snagged a DEF CON Black Badge, becoming a go-to social engineering expert and cybersecurity ally for companies around the world.

Sharing examples from her real-world experience, Alethe helps us break down a stubborn misconception: that penetration testing is merely a commodity, another box to tick off for compliance. By all means, this is not a new issue in offensive security. But it is a persistent one.

When seen as a commodity, pentesting undervalues expertise, it lowers pay, leads to superficial testing scopes, and reduces the satisfaction penetration testers get from their work.

That’s why we’re talking about it.

Alethe offers very practical tips and language you can use to highlight the value of your work and the nuances it involves. You’re in for a treat!

Hacker's toolbox from this episode:
- Alethe on Twitter
- Alethe’s website
- Alethe on the Darknet Diaries - EP. 107
- Social engineering adds depth to red team exercises

🤩 We’re launching a podcast!

On Nov. 7, the first episode of We Think We Know will be in your headphones! Here's the low-down:

🤔 What is it about?
Learning how to be better hackers by challenging assumptions and digging deeper into the why, how, and what of offensive security. In the 1st season, we're unpacking why #penetrationtesting is a craft and *not* a commodity.

🎤 Who’s gonna be on?
Some of the best #offensivesecurity professionals, who joined us to reveal their unique skills, traits, and real-world experiences in a way that directly fuels your growth.

😎 What’s in it for me?
Thought-provoking ideas, practical advice you can use straight away, battle-tested advice on how to present your work and develop your career.

👉 Why are *we* doing this?
Because we care deeply about the people in this community and the work they do. Because we believe that learning from each other is what made #ethicalhacking what it is today - and what keeps it evolving. Because there are a lot of hackers whose stories can educate and inspire others, both new to this field and already committed to it.

📌 If you want to find out the moment We *Think* We Know comes out, subscribe to our YouTube channel: https://www.youtube.com/@PentestToolscom/podcasts