PODCAST · business
Chat with a White Hat
by Michel Chamberland
Real stories from the people breaking and defending the internet. Every week, Michel Chamberland sits down with a cybersecurity professional to dig into the moments that shaped their career, from their first encounter with a computer to the coolest hack they ever pulled off. Every guest answers the same core questions, giving you a unique window into how different people approach the same craft. Whether you're a seasoned red teamer, a bug bounty hunter, a vulnerability analyst, or just getting started, there's something here for you.
-
67
Hack: Domain Admin Password in 20 Seconds
Ed Williams shares some of the coolest hacks he has pulled off, including a quick domain admin password discovery and social engineering tactics for gaining access to secure buildings.
Takeaways:
- Vulnerability enumeration is crucial in infrastructure testing.
- Social engineering can be used to gain physical access to secure buildings.
Chapters:
00:00 Quick Domain Admin Hack
-
66
Exploiting SAML Audience Misconfiguration
The conversation covers the exploitation of SAML authentication and the vulnerability related to the Audience URI. It also delves into bug bounty and pen testing strategies for identifying and exploiting these vulnerabilities.
Takeaways:
- SAML authentication exploitation
- Audience URI vulnerability
Chapters:
00:00 SAML Authentication Exploitation
-
65
Fighting AI with AI: The Future of Pen Testing
The conversation explores the impact of AI on software development and testing, highlighting the evolution of development processes and the challenges and opportunities presented by AI in testing.
Takeaways:
- AI in software development
- Impact of AI on testing
Chapters:
00:00 The Evolution of Software Development with AI
-
64
CSS Injection Leads to Zero-Day Vulnerability
The conversation covers the discovery of HTML to PDF vulnerabilities, uncovering CSS injection vulnerabilities, and exploiting zero-day vulnerabilities to demonstrate significant security impacts. It highlights the importance of thorough security testing and the potential impact of zero-day vulnerabilities.
Takeaways:
- HTML and CSS injection can lead to significant security vulnerabilities
- Uncovering zero-day vulnerabilities can have a substantial impact
Chapters:
00:00 Discovering HTML to PDF Vulnerabilities
-
63
Security Testing: Not Glamorous, But Essential
The conversation delves into the misconceptions and realities of cybersecurity, highlighting the lack of glamour and the monotonous, meticulous nature of the work. It also touches on the unsocial and frustrating aspects of the field.
Takeaways:
- Cybersecurity is not as glamorous as people think
- It can be unsocial and frustrating at times
Chapters:
00:00 The Monotony and Meticulousness of Cybersecurity
-
62
Pentesting: A Fool's Errand?
The conversation covers Neil Kettle's favorite testing methods, the challenges of pen testing, and the application of first principles in security testing.
Takeaways:
- Favorite testing methods
- Challenges of pen testing
- First principles in security testing
Chapters:
00:00 Favorite Testing Methods and Challenges
-
61
The Importance of Articulating Vulnerability Impact
The conversation covers the importance of articulating the impact of vulnerabilities and the use of AI for quick development and automation. It emphasizes the significance of understanding and communicating the impact of vulnerabilities and the benefits of using AI for rapid development and automation.
Takeaways:
- Articulating the impact of a vulnerability is crucial
- Using AI for quick development and automation
Chapters:
00:00 Articulating the Impact of Vulnerabilities
-
60
Journey into Cybersecurity: HaxrByte's Story
The conversation covers the journey from gaming to cybersecurity, the future of red teaming and pen testing, learning from previous engagements, and the impact of AI on security operations.
Takeaways:
- Early exposure to gaming led to an interest in cybersecurity
- Impact of AI on red teaming and pen testing
Chapters:
00:00 From Gaming to Cybersecurity
17:34 The Future of Red Teaming and Pen Testing
24:58 Learning from Previous Engagements
33:32 AI's Impact on Security Operations
-
59
SQL Injection: Understanding the Backend
The conversation covers the importance of understanding the backend code for hacking and the value of documentation in dealing with SQL injection vulnerabilities.
Takeaways:
- Understanding the backend code helps with hacking
- Documentation is super helpful for SQL injection
Chapters:
00:00 Understanding the Backend Code
-
58
CSS Injection Leads to Major Security Breach
The conversation covers the exploitation of SSRF and LFI vulnerabilities, leading to an account takeover and unauthorized data access. It also highlights the recognition received for the impactful zero-day vulnerability and its real-world consequences.
Takeaways:
- SSRF and LFI vulnerabilities led to account takeover and data access
- Impactful zero-day vulnerability led to significant consequences
Chapters:
00:00 Recognition for Impactful Zero-Day Vulnerability
-
57
Dylan’s Quick Introduction
Dylan Lawhon, a full-time bug bounty hunter and independent security researcher, shares insights on ethical hacking and cybersecurity.
Takeaways:
- Ethical hacking as a career
- Importance of bug bounty programs
Chapters:
00:00 Introduction to Ethical Hacking and Bug Bounty Hunting
-
56
From Gamer to Bug Bounty Hunter with Dylan Lawhon
Dylan Lawhon (aka iQimps) shares his journey from gaming to bug bounty hunting, including real-world hacking stories, zero-day discovery, SAML abuse, and advice for breaking into cybersecurity in 2026.
Chapters:
00:00 – 00:25 Intro & background
00:25 – 01:44 Getting into computers (gaming era)
01:44 – 03:44 First cybersecurity interest (game hacking & PSN breach)
03:44 – 08:30 Early hacking mindset & CTFs
08:30 – 13:44 First major live hacking event (bug bounty experience)
13:44 – 19:12 CSS injection → SSRF → account takeover case study
19:12 – 23:54 Favorite type of security testing (code review)
23:54 – 27:22 Bug bounty vs pentest time management
27:22 – 30:32 Improving vulnerability impact communication
30:32 – 33:41 Using AI in cybersecurity & automation
33:41 – 38:52 Future of AI in offensive & defensive security
38:52 – 45:48 Underestimated attack vector (SAML abuse)
45:48 – 48:48 Breaking into cybersecurity advice (2026)
48:48 – 51:11 SQL injection + documentation mindset
51:11 – 52:10 Where to find Dylan + closing
Whether you're a beginner in cybersecurity, a bug bounty hunter, or a seasoned pentester, this episode is packed with real-world insights from the front lines of offensive security.
-
55
The Importance of Planning in Penetration Testing
The conversation emphasizes the critical role of planning in cybersecurity testing, highlighting the need for thorough preparation, open source intelligence, and understanding the environment. It also emphasizes the importance of reflection and different planning approaches for various types of tests.
Takeaways:
- Thorough planning is crucial for cybersecurity testing
- Different types of tests require different planning approaches
Chapters:
00:00 The Importance of Planning
-
54
Start Now: Breaking into Cybersecurity
The conversation covers the importance of hands-on experience in cybersecurity, the value of starting at the foundational level, and the overlap between offensive and defensive cybersecurity roles. It also emphasizes the need for a strong foundation and the potential risks associated with inexperienced consultants and pen testers.
Takeaways:
- Hands-on experience is crucial
- Start at the foundational level
- Overlap between offensive and defensive roles
Chapters:
00:00 Risks and Responsibilities of Consultants and Pen Testers
-
53
Pentesting: A Partnership, Not an Adversary
The conversation covers the importance of network diagrams in pen testing and the need for a partnership approach in security testing. It also highlights the challenges of security testing and the need to work collaboratively with organizations to improve security.
Takeaways:
- Partnership approach
- Challenges in security testing
Chapters:
00:00 Network Diagrams and Pen Testing
-
52
Reverse Engineering Mac OS X Keylogger
Neil Kettle discovered a bug in 2010 that became public in 2015. He was contracted to create government malware that could key log on Mac OS X without informing the user. He reverse engineered Apple's method and completed the task in 20 minutes.
Takeaways:
- Bug discovery in 2010
- Creation of government malware
- Reverse engineering Apple's method
Chapters:
00:00 Reverse Engineering Apple's Method
-
51
Master Fundamentals for Cybersecurity
The conversation covers advice for breaking into cybersecurity in 2026, emphasizing the importance of fundamentals and contributing to projects.
Takeaways:
- Fundamentals are key
- Contribute to projects and have a body of evidence
Chapters:
00:00 Breaking into Cybersecurity in 2026
-
50
Guest Spotlight: Dylan Lawhon - The Cybersecurity Journey
Dylan Lawhon, a bug bounty hunter and security researcher, shares his journey from gaming to cybersecurity. His interest in computers was sparked by gaming, leading to his exploration of programming and technical skills. Additionally, early exposure to game hackers influenced his interest in cybersecurity.
Takeaways:
- Gaming sparked interest in computers
- Early exposure to game hackers influenced interest in cybersecurity
Chapters:
00:00 Interest in Cybersecurity and Game Hacking
-
49
Guest Spotlight: Nick Aures' Cybersecurity Insights
Nick Aures, a senior pen tester at Sprocket Security, shares his journey from childhood fascination with computers to his entry into the field of cybersecurity.
Takeaways:
- Early exposure to home computing sparked Nick's interest in technology.
- Nick's interest in cybersecurity began in the mid-2000s with the use of Backtrack, a predominant hacking OS at the time.
Chapters:
00:00 Entry into Cybersecurity
-
48
Ed Williams Shares a Shocking Password Hack
The conversation delves into a security incident involving infrastructure enumeration and the discovery of a critical security vulnerability. The incident highlights the importance of thorough infrastructure testing and the potential risks associated with security vulnerabilities in network infrastructure.
Takeaways:
- Infrastructure Enumeration
- Security Vulnerabilities
Chapters:
00:00 Infrastructure Enumeration and Security
-
47
Why Upgrading Memory Boosts Performance
The conversation covers the topic of computer performance and memory optimization, highlighting the impact of memory on overall performance.
Takeaways:
- Memory optimization is crucial for improving computer performance.
- Maxing out memory can significantly improve a computer's performance.
Chapters:
00:00 Impact of Memory on Computer Performance
-
46
Unexpected EDR Deployment Hack
The conversation covers the process of gaining access to the mail server and the challenges faced with the EDR (Endpoint Detection and Response) system.
Takeaways:
- Gaining access to the mail server
- Challenges with EDR
Chapters:
00:00 Gaining Access to Mail Server
-
45
Hacking a County's Prison Management System
The conversation covers a story about a cool hack and the favorite type of security testing, focusing on web application security testing. The hack involved a simple and elegant approach, while the security testing preference is based on the eye-opening factor and the prevalence of web applications in modern life.
Takeaways:
- Simple and elegant hacks
- Focus on web application security testing
Chapters:
00:00 The Coolest Hack
-
44
My First Interest in Computers at Age 7
Neil Kettle discusses his early interest in computers, starting with his introduction to them at the age of seven and his progression from the Commodore 64 to an interest in logic and mathematics. He then shares his introduction to cybersecurity during his undergraduate studies and the impact of a specific exploit on his understanding of the field.
Takeaways:
- Early exposure to computers can shape a lifelong interest in technology and problem-solving.
- The transition from reverse engineering to cybersecurity can be a pivotal moment in a professional's career.
Chapters:
00:00 Early Interest in Computers
-
43
Mike Talks About the Power of AI in Pentesting
The future of penetration testing involves the use of AI to test faster and better, allowing for increased testing frequency due to the rapidly changing landscape of technology.
Takeaways:
- AI in penetration testing
- Increased frequency of testing
Chapters:
00:00 The Future of Penetration Testing with AI
-
42
AI: The New Programming Language
The conversation covers the topic of AI as a new programming language, the experience of working with AI, and the importance of being comfortable with AI technology.
Takeaways:
- AI as a new programming language
- Comfort and familiarity with AI technology
Chapters:
00:00 AI as a New Programming Language
-
41
Authentication Bypass: Redirect Vulnerability
The conversation covers the topics of authentication and redirection, as well as code execution vulnerabilities. The first chapter explores the challenges of authentication and redirection in web applications, while the second chapter delves into the issue of code execution vulnerabilities and the challenges of addressing them.
Takeaways:
- Authentication and Redirection
- Code Execution Vulnerabilities
Chapters:
00:00 Authentication and Redirection
-
40
Mastering Exploit Coding: Learn the Premise, Not the Antecedent
The conversation delves into the importance of understanding the premise rather than memorizing the antecedent. It emphasizes the natural progression of learning exploit coding and the significance of understanding the core premise. Practice and understanding are highlighted as key elements in the learning process.
Takeaways:
- Learn the premise, not the antecedent
- Practice and understanding are key
Chapters:
00:00 The Importance of Understanding the Premise
-
39
Agentic Pentesting: Democratizing Cybersecurity
The conversation covers the impact of agentic pen testing on accessibility for small businesses and individuals, as well as the advantages it provides to enterprises in terms of security testing and bug detection.
Takeaways:
- Agentic pen testing has made security testing more accessible to small businesses and individuals
- Enterprises now have pen testers with superpowers to keep up with bad actors and bugs
Chapters:
00:00 Agentic Pen Testing and Accessibility
-
38
When EDR Becomes Your Best Deployment Tool
The conversation delves into troubleshooting issues with EDR integration and the challenges faced in accessing the EDR web console.
Takeaways:
- Troubleshooting EDR integration
- Challenges with EDR web console access
Chapters:
00:00 Challenges with EDR Web Console Access
-
37
Underestimated Attack Vector: Execution After Redirect
The conversation covers the underestimated vulnerability of execution after redirect and the importance of AI in cybersecurity. It also provides advice for breaking into cybersecurity and pen testing, emphasizing the significance of showcasing seriousness and considering the automation of pen test activities with AI.
Takeaways:
- Execution after redirect
- Importance of AI in cybersecurity
Chapters:
00:00 Underestimated Vulnerabilities and Attack Vectors
-
36
Neil Kettle Flips the Pyramid Scheme Script
The conversation delves into the innovative business model and the concept of turning the pyramid scheme upside down. It explores the implementation of this model and its successful outcome.
Takeaways:
- Innovation in business models
- Upside-down pyramid scheme success
Chapters:
00:00 Upside-Down Pyramid Scheme
-
35
AI in Pentesting: A Game Changer
The conversation covers the use of AI in pen testing, the role of Claude Code in finding exploits, the balance between autonomy and human-in-the-loop, the impact of AI agents on testing, and the need to test faster and better in a changing landscape.
Takeaways:
- AI is transforming pen testing
- Claude Code is crucial for finding exploits
- Balancing autonomy and human involvement is key
- AI agents enable faster and better testing
- The testing landscape is changing rapidly
Chapters:
00:00 AI in Pen Testing
-
34
Hacking in 4 Days: A Password Breakthrough
The conversation covers the challenges faced during a six-month engagement, including initial difficulties, pivoting to internal assume breach, and the impact of a running password. It also delves into the preference for red teaming over pen testing and the stress associated with red teaming.
Takeaways:
- Engagement Challenges
- Red Teaming vs Pen Testing
Chapters:
00:00 Engagement Challenges
-
33
Nick Aures Talks Skipping Fundamentals in Pen Testing
The conversation delves into the temptation to skip cybersecurity fundamentals and the importance of reconnaissance and attention to detail in the field of penetration testing.
Takeaways:
- Importance of learning and understanding cybersecurity fundamentals
- Significance of thorough reconnaissance and attention to detail in penetration testing
Chapters:
00:00 The Temptation to Skip Fundamentals
-
32
Neil Kettle Reveals Hidden OSX Backdoor Trick from 2010
The conversation covers the discovery and use of a backdoor in Mac OS X, as well as the exploitation of a vulnerability for trolling purposes. The speaker shares insights into the unnoticed exploitation of the backdoor and vulnerability.
Takeaways:
- Mac OS X backdoor
- Vulnerability exploitation
Chapters:
00:00 Mac OS X Backdoor
-
31
Guest Introduction and Role at Spiderlab/LevelBlue
Philip Peter Sir and Michel discuss their work experience at Spiderlab and Philip's transition from EMEA to North America.
Takeaways:
- Work collaboration at Spiderlab
- Transition from EMEA to North America
Chapters:
00:00 Introductions and Background
-
30
Nick Aures on the Rise of Claude Code in 2024
The conversation explores the rise of AI in 2021 and the personal experience with Claude Code.
Takeaways:
- AI technology gained popularity in 2021
- Claude Code has surpassed other available options for the speaker.
Chapters:
00:00 The Rise of AI in 2021
-
29
AI's Impact on Red Teaming & Pen Testing
The conversation delves into the differences between red teaming and pen testing, highlighting the stress and awareness involved in red teaming. The impact of AI on pen testing and red teaming is also discussed, with a focus on the future of these practices.
Takeaways:
- Red Teaming
- AI and Pen Testing
Chapters:
00:00 Red Teaming vs. Pen Testing
-
28
Bureaucracy in Security Testing
The conversation delves into the art of bureaucracy and its impact on security testing, emphasizing the need to remove bureaucracy and reduce friction in user interfaces for effective testing.
Takeaways:
- Bureaucracy as an art
- Reducing friction in user interfaces
Chapters:
00:00 The Art of Bureaucracy
-
27
Slow Down: Key to Effective Security Testing
The conversation emphasizes the importance of slowing down and conducting thorough reconnaissance in cybersecurity testing. It highlights the need to pay attention to details and avoid making assumptions based on incomplete information.
Takeaways:
- Slow down
- Thorough reconnaissance
Chapters:
00:00 Importance of Slowing Down and Thorough Reconnaissance
-
26
Web App Pentesting: Eye-Opening Factor
Nick Aures discusses his fascination with web application pen testing, highlighting the enjoyment, eye-opening factor, and impact of reporting on vulnerabilities. He emphasizes the prevalence of web applications in modern life.
Takeaways:
- Fascination with web app pen testing
- Prevalence of web applications in modern life
Chapters:
00:00 The Fascination with Web Application Pen Testing
-
25
Pentesting: More Than Just Hacking
The conversation delves into the multifaceted role of a cybersecurity consultant, highlighting the responsibilities, client interactions, and report generation. It also explores the balance between pen testing and consultancy, emphasizing the importance of being a consultant as well as a pen tester. The discussion concludes with a reflection on the dual role of a cybersecurity professional.
Takeaways:
- Cybersecurity consulting involves client interaction and report generation.
- A cybersecurity professional must balance pen testing skills with consultancy responsibilities.
Chapters:
00:00 The Role of a Consultant
-
24
Market Economy Hides Cyber Exploits
The conversation delves into the impact of the market economy on the visibility of remote system exploits, highlighting the concealment of such exploits due to economic factors. It also explores the influence of the highest bidder in the cybersecurity industry, leading to the secrecy and privatization of valuable exploits.
Takeaways:
- Market economy conceals remote exploits
- Tyranny of the highest bidder in the cybersecurity industry
Chapters:
00:00 Market Economy and Remote Exploits
-
23
Cybersecurity Threats Are Piling Up Faster Than Ever
The conversation delves into the rising frequency of cyber vulnerabilities and its impact on defensive measures. It also explores the challenges in cybersecurity, defensive measures, and strategies, as well as the offensive side of cybersecurity with a focus on cyber attacks and offensive strategies.
Takeaways:
- Rising frequency of cyber vulnerabilities
- Challenges in cybersecurity
Chapters:
00:00 Rising Frequency of Cyber Vulnerabilities
-
22
Reverse Engineering IIS Exploit
The conversation delves into the discovery of exploits and the impact of reverse engineering on program modification and distribution.
Takeaways:
- Reverse Engineering
- Impact of Exploits
Chapters:
00:00 Uncovering Exploits and Reverse Engineering
-
21
Pentesting: More Than Just Hacking
The conversation highlights the importance of consulting in the day-to-day work of a cybersecurity consultant, emphasizing the need for pen testers to also act as consultants and not just focus on hacking tricks.
Takeaways:
- Consulting is a significant part of a cybersecurity consultant's day-to-day work.
- Pen testers need to also be consultants and not just focus on showing off their hacking tricks.
Chapters:
00:00 The Role of a Cybersecurity Consultant
-
20
AI Boosts Penetration Testing Speed
The conversation delves into the impact of Claude Code on penetration testing, highlighting the significant power it provides to pen testers. Additionally, the need for increased testing frequency is discussed, emphasizing the rapid changes in technology and the necessity for more frequent and efficient testing methods.
Takeaways:
- Claude Code
- Penetration testing
- Testing frequency
Chapters:
00:00 The Power of Claude Code in Penetration Testing
-
19
The Hidden Threat: Market Economy & Exploits
The conversation delves into the underestimation of vulnerabilities, the impact of the market economy on security, and the centralization of skills in the industry. It highlights the hidden nature of vulnerabilities, the influence of the market economy on the visibility of exploits, and the decreasing number of skilled individuals in the field.
Takeaways:
- Hidden vulnerabilities
- Impact of market economy on security
- Centralization of skills
Chapters:
00:00 Underestimated Vulnerabilities
-
18
AI in Security: Hype, Reality, and Future
The conversation explores the impact of AI on security testing and technology, drawing parallels to the impact of cloud technology. It delves into the changes in offensive and defensive security testing due to AI and compares the initial hype and subsequent evolution of AI to that of cloud technology.
Takeaways:
- Impact of AI on offensive and defensive security testing
- Comparison of AI impact to the impact of cloud technology
Chapters:
00:00 The Impact of AI on Security Testing and Technology
HOSTED BY
Michel Chamberland