PODCAST · business
Chat with a White Hat
by Michel Chamberland
Real stories from the people breaking and defending the internet

Every week, Michel Chamberland sits down with a cybersecurity professional to dig into the moments that shaped their career, from their first encounter with a computer to the coolest hack they ever pulled off.

Every guest answers the same core questions, giving you a unique window into how different people approach the same craft. Whether you're a seasoned red teamer, a bug bounty hunter, a vulnerability analyst, or just getting started, there's something here for you.
-
108
Preparing Environments for Hackers
The conversation delves into the speaker's role in preparing the environment for hackers and the importance of mentoring and advising. It then transitions to the speaker's interest in understanding system integration and making different systems work better together.
Takeaways:
Mentoring and advising hackers
Understanding system integration and traffic direction
Chapters:
00:00 Preparing the Environment for Hackers
-
107
Penetration Testing: QA with Extra Steps
The conversation delves into the misconceptions around security testing and penetration testing, highlighting the problem-solving nature of these practices and the focus on identifying and addressing vulnerabilities.
Takeaways:
Security testing is often misunderstood as something glamorous and dramatic, but it's more about problem-solving and finding vulnerabilities.
Penetration testing is like QA with extra steps, focusing on identifying gaps and finding solutions.
Chapters:
00:00 Demystifying Security Testing
-
106
Pentesting: The Importance of Fundamentals
The conversation covers the importance of effective testing practices, the significance of attention to detail, and the role of client communication and defense in the field of security testing.
Takeaways:
Attention to detail is crucial for better testing results.
Effective client communication and defense require a strong understanding of the testing process.
Chapters:
00:00 Effective Testing Practices
-
105
AI in Security: Short & Long Term
Ed Williams discusses the current and future use of AI in his work, emphasizing a cautious approach and the need for security considerations.
Takeaways:
Cautious approach to AI
Security considerations for AI
Chapters:
00:00 Current Use of AI in Work
-
104
AI in Cybersecurity: 2026 Advice
The conversation covers valuable advice for individuals looking to break into cyber security and pen testing, emphasizing the importance of personal branding and the integration of AI in the field.
Takeaways:
Build a personal brand to demonstrate seriousness and commitment.
Consider the integration of AI in pen testing for future career prospects.
Chapters:
00:00 Breaking Into Cyber Security
-
103
Guest Spotlight: Meet Nick Aures
Nick Aures introduces himself and provides a brief overview of his experience in pen testing and IT work.
Takeaways:
Nick Aures is a senior pen tester at Sprocket Security.
He has eight years of experience in pen testing and two years in defensive security.
Chapters:
00:00 Introduction and Background
-
102
AI's Impact on Cybersecurity: Offense & Defense
The conversation delves into the impact of AI on cybersecurity, discussing its influence on both offense and defense. It also explores the acceleration of change in cybersecurity and the necessity for professionals to keep up with new developments. The dialogue emphasizes the need for adaptation and the potential obsolescence of traditional compliance pen tests.
Takeaways:
AI is lowering the bar for cyber attacks
The rapid pace of change in cybersecurity requires constant adaptation
Chapters:
00:00 The Impact of AI on Cybersecurity
-
101
Passion and Commitment: Keys to Success
The conversation emphasizes the importance of passion and commitment in achieving success. Mike highlights the value of being passionate and committed, and how it can lead to significant progress and growth in one's career. He also emphasizes the need to consume as much information as possible and to be obsessed with learning and improvement.
Takeaways:
Passion and commitment are key to success
Continuous learning and obsession with improvement are essential for growth
Chapters:
00:00 The Power of Passion
-
100
Turbopentest: Find Hidden Vulnerabilities
The conversation covers the importance of ongoing pen testing and the demonstration of Gentic Pen Test. It emphasizes the need for continuous testing to identify hidden vulnerabilities and make smarter security decisions.
Takeaways:
Continuous pen testing
Identifying hidden vulnerabilities
Chapters:
00:00 Gentic Pen Test Demo
-
99
Security Testing: Not as Glamorous as Movies
The conversation delves into the misconceptions surrounding security testing, highlighting the meticulous and less glamorous nature of the process.
Takeaways:
Security testing is not as glamorous as people think
It requires meticulous attention to detail
Chapters:
00:00 Misconceptions About Security Testing
-
98
Mike Shares His Experience at a High-Stakes Hacking Event
Mike describes his experience at a live hacking event where he was invited to participate in finding vulnerabilities in a critical financial application. The event provided an overview of the technology and emphasized the significance of the application's impact and the importance of finding vulnerabilities.
Takeaways:
Live hacking events provide opportunities to identify vulnerabilities in critical applications.
Understanding the significance of an application's impact is crucial for prioritizing vulnerability identification.
Chapters:
00:00 Live Hacking Event
-
97
AI Boosts Penetration Testing Speed
The conversation covers the evolution of cloud code and its use with MCP servers, as well as the increasing power of penetration testing with AI agents and token budgets. The future of testing is discussed, highlighting the need for faster and more frequent testing.
Takeaways:
Cloud Code
Penetration Testing
AI Agent and Token Budget
Chapters:
00:00 The Evolution of Cloud Code and MCP Servers
-
96
Understanding Vulnerability Impact
The conversation delves into the importance of articulating the impact of vulnerabilities, emphasizing the significance of understanding the impact for classification, prioritization, and fixing of vulnerabilities.
Takeaways:
Articulating vulnerability impact is crucial
Unknown impact requires further exploration
Chapters:
00:00 Understanding Vulnerability Impact
-
95
AI's Impact on Penetration Testing
The conversation covers the impact of AI on code writing and pen testing, highlighting the potential for AI to accelerate in the wrong direction.
Takeaways:
AI is increasingly writing code
AI can be used to fight AI
AI can accelerate in the wrong direction
Chapters:
00:00 AI in Pen Testing
-
94
Web App Pen Testing: Eye-Opening Factor
The conversation delves into the significance of application penetration testing and the eye-opening factor it provides. It also highlights the prevalence of web applications in modern life and the security implications associated with them.
Takeaways:
Application penetration testing
Web application security
Chapters:
00:00 The Eye-Opening Factor of Application Penetration Testing
-
93
Learn to Build Before You Break
The conversation emphasizes the importance of learning to build things first and the significance of understanding in the field of cybersecurity. It highlights the value of programming skills and the impact of understanding on effectively exploiting vulnerabilities.
Takeaways:
Learn to build things first
Understanding is key
Chapters:
00:00 The Importance of Learning to Build Things
-
92
Mike's Favorite Security Testing: Infrastructure & Cloud
The conversation explores the diverse types of security testing and emphasizes the importance of infrastructure testing in the field of cybersecurity.
Takeaways:
Diverse types of security testing
Importance of infrastructure testing
Chapters:
00:00 Exploring Security Testing Types
-
91
AI: The New Computer
The conversation explores the inevitability of AI integration in everyday life, drawing parallels to the adoption of computers. It also delves into the hope that AI will provide more time for leisure activities and creative pursuits.
Takeaways:
AI integration is inevitable
AI may provide more time for leisure and creativity
Chapters:
00:00 Hope for More Leisure and Creativity
-
90
Code Review: My Preferred Approach
The conversation covers different approaches to code reviews, the importance of setting up and running the code, and how time constraints impact the approach to code reviews.
Takeaways:
Code review approaches
Setting up and running the code
Time constraints impact approach
Chapters:
00:00 Code Review Approaches
-
89
Security Testing: More Than Just Scanning
The conversation covers the misconceptions about security testing and highlights the manual probing and hard thinking involved in the process.
Takeaways:
Misconceptions about security testing
Manual probing and hard thinking involved in security testing
Chapters:
00:00 Misconceptions About Security Testing
-
88
AI in Security: Short & Long Term
The conversation covers the impact of AI on security and the integration of AI optimization into normal operations.
Takeaways:
AI's impact on security
Integration of AI into normal operations
Chapters:
00:00 AI and Security
-
87
Hack: Domain Admin Password in 20 Seconds
The conversation covers a quick hack experience during infrastructure testing and the importance of checking for vulnerabilities. It emphasizes the need for thorough security checks and highlights the lessons learned from the experience.
Takeaways:
Infrastructure testing
Importance of checking for vulnerabilities
Chapters:
00:00 The Quick Hack
-
86
Exploiting SAML Audience Misconfigurations
The conversation delves into the topic of SAML hacking and the exploitation of audience attributes in service provider initiated scenarios. It highlights the significance of audience attributes in SAML requests and the potential security vulnerabilities associated with them.
Takeaways:
SAML hacking involves exploiting audience attributes in service provider initiated scenarios.
Audience attributes in SAML requests can lead to authentication vulnerabilities if not properly checked.
Chapters:
00:00 SAML Hacking and Audience Attributes
-
85
Hacking Prison Management System
The conversation covers the discovery of a well-secured application called Black Creek, the exploration of a prison management system, and the acquisition of network credentials to access a server.
Takeaways:
Black Creek
Prison Management
Network Credentials
Chapters:
00:00 Black Creek Application
-
84
AI in Cybersecurity: Offensive & Defensive Uses
The conversation covers the use of AI in quick development and automation, as well as its impact on cybersecurity in offensive and defensive applications. IQimpz discusses the ways in which AI is utilized for rapid code development and automation, as well as its role in offensive and defensive cybersecurity strategies.
Takeaways:
AI in quick development
AI in cybersecurity
AI in offensive and defensive security
Chapters:
00:00 AI in Quick Development and Automation
-
83
AI & Cybersecurity: The Unpredictable Future
The conversation delves into the unforeseen growth of the internet and the challenges it presents for cybersecurity. It also explores the future of the internet and cybersecurity, the pace of change in cybersecurity, and the need for progress in cybersecurity.
Takeaways:
Internet growth
Cybersecurity challenges
Chapters:
00:00 The Unforeseen Growth of the Internet
-
82
Security Testing: More Than Just Hacking
The conversation delves into the importance of reporting in offensive security, highlighting the need to convey the impact of work and balance hacking with reporting responsibilities.
Takeaways:
Reporting is crucial in offensive security
Balancing hacking and reporting is essential for effective penetration testing.
Chapters:
00:00 The Importance of Reporting in Offensive Security
-
81
Guest Spotlight: Philip's Journey into Cybersecurity
The conversation covers the early exposure to computers and the influence of family on the interest in computers.
Takeaways:
Early exposure to computers
Influence of family on interest in computers
Chapters:
00:00 Early Exposure to Computers
-
80
Domain Admin Password in Plain Sight
Discovering a critical security flaw in infrastructure testing led to the realization of the importance of thorough checks and vigilance. The incident highlighted the need to verify all aspects of the system to uncover potential vulnerabilities.
Takeaways:
Thorough checks are essential
Vigilance is key
Chapters:
00:00 Infrastructure Testing and Security Flaws
-
79
AI in Cybersecurity: Friend or Foe?
The conversation delves into the use of AI in security, addressing concerns, optimization, bug discovery, code generation, and its role in penetration testing. It also highlights the need for human guidance in AI-driven security testing.
Takeaways:
AI is being used in security for reporting, password cracking, and bug discovery.
AI is seen as a force multiplier for pen testers, making good pen testers better and bad ones worse.
Chapters:
00:00 AI in Security
-
78
Hacking Financial Infrastructure
The conversation delves into the significance of the technology being discussed, particularly its impact on the financial industry and the associated vulnerability concerns.
Takeaways:
Importance of the Technology
Vulnerability Awareness
Chapters:
00:00 The Significance of the Technology
-
77
Hacking with Perl: A Cybersecurity Journey
The conversation delves into the early days of computer security and the transition from Perl to Python, providing insights into the tools and techniques used during that time.
Takeaways:
Early days of computer security
Transition from Perl to Python
Chapters:
00:00 Early Days of Computer Security
-
76
From BBC Micro to Red Teaming (Ed Williams on Hacking, AI & Cybersecurity)
New episode of Chat with a Whitehat is live.

In this episode, Ed Williams shares his journey from early BASIC programming to leading modern red team operations. We dive into real-world penetration testing stories, offensive security insights, and how AI is reshaping the field, while fundamentals still remain the key to success.

00:00 – 00:32 | Introduction & Ed Williams’ background
00:32 – 02:56 | Early interest in computers (BBC Micro & BASIC)
02:56 – 04:05 | Getting into cybersecurity & university experience
04:05 – 05:48 | Early tools, Perl vs Python, and learning to hack
05:48 – 07:09 | Building projects (mini kernel, remote bash, Unix systems)
07:09 – 08:30 | Fastest hack ever (domain admin in seconds)
08:30 – 09:59 | Real-world red teaming & social engineering stories
09:59 – 12:42 | Bank engagements & physical security testing
12:42 – 14:45 | Favorite type of security testing (infrastructure vs web)
14:45 – 17:09 | Importance of planning in penetration testing
17:09 – 18:07 | Time management & lessons learned during tests
18:07 – 19:33 | How to get better results in security testing
19:33 – 23:43 | How AI is being used in cybersecurity today
23:43 – 27:32 | AI’s impact on offensive & defensive security
27:32 – 29:33 | Biggest misconceptions about penetration testing
29:33 – 30:41 | Most underestimated attack vector (passwords)
30:41 – 32:41 | Why fundamentals matter in cybersecurity
32:41 – 35:19 | Advice for breaking into cybersecurity (2026)
35:19 – 36:10 | Where to find Ed Williams & closing remarks
-
75
SQL Injection: Fingerprinting DBMS
The conversation delves into the nuances of database exploitation and vulnerability, emphasizing the importance of understanding the type of SQL and backend used. It also highlights the significance of database documentation and fingerprinting in the context of cybersecurity.
Takeaways:
Database exploitation depends on the type of SQL and backend used
Understanding database documentation and fingerprinting is crucial
Chapters:
00:00 Database Exploitation and Vulnerability
-
74
AI in Cybersecurity: Offensive & Defensive Shift
The conversation delves into the impact of AI on cybersecurity, both in offense and defense. It also explores the accessibility of pen testing for small businesses and individuals, highlighting the changing landscape of cybersecurity.
Takeaways:
AI impact on offensive and defensive cybersecurity
Accessibility of pen testing for small businesses and individuals
Chapters:
00:00 AI Impact on Cybersecurity
-
73
Hack: Domain Admin Password in 20 Seconds
Ed Williams shares some of the coolest hacks he has pulled off, including a quick domain admin password discovery and social engineering tactics for gaining access to secure buildings.
Takeaways:
Vulnerability enumeration is crucial in infrastructure testing.
Social engineering can be used to gain physical access to secure buildings.
Chapters:
00:00 Quick Domain Admin Hack
-
72
Exploiting SAML Audience Misconfiguration
The conversation covers the exploitation of SAML authentication and the vulnerability related to the Audience URI. It also delves into bug bounty and pen testing strategies for identifying and exploiting these vulnerabilities.
Takeaways:
SAML authentication exploitation
Audience URI vulnerability
Chapters:
00:00 SAML Authentication Exploitation
-
71
Fighting AI with AI: The Future of Pen Testing
The conversation explores the impact of AI on software development and testing, highlighting the evolution of development processes and the challenges and opportunities presented by AI in testing.
Takeaways:
AI in software development
Impact of AI on testing
Chapters:
00:00 The Evolution of Software Development with AI
-
70
CSS Injection Leads to Zero-Day Vulnerability
The conversation covers the discovery of HTML to PDF vulnerabilities, uncovering CSS injection vulnerabilities, and exploiting zero-day vulnerabilities to demonstrate significant security impacts. It highlights the importance of thorough security testing and the potential impact of zero-day vulnerabilities.
Takeaways:
HTML and CSS injection can lead to significant security vulnerabilities
Uncovering zero-day vulnerabilities can have a substantial impact
Chapters:
00:00 Discovering HTML to PDF Vulnerabilities
-
69
Security Testing: Not Glamorous, But Essential
The conversation delves into the misconceptions and realities of cybersecurity, highlighting the lack of glamour and the monotonous, meticulous nature of the work. It also touches on the unsocial and frustrating aspects of the field.
Takeaways:
Cybersecurity is not as glamorous as people think
It can be unsocial and frustrating at times
Chapters:
00:00 The Monotony and Meticulousness of Cybersecurity
-
68
Pentesting: A Fool's Errand?
The conversation covers Neil Kettle's favorite testing methods, the challenges of pen testing, and the application of first principles in security testing.
Takeaways:
Favorite testing methods
Challenges of pen testing
First principles in security testing
Chapters:
00:00 Favorite Testing Methods and Challenges
-
67
The Importance of Articulating Vulnerability Impact
The conversation covers the importance of articulating the impact of vulnerabilities and the use of AI for quick development and automation. It emphasizes the significance of understanding and communicating the impact of vulnerabilities and the benefits of using AI for rapid development and automation.
Takeaways:
Articulating the impact of a vulnerability is crucial
Using AI for quick development and automation
Chapters:
00:00 Articulating the Impact of Vulnerabilities
-
66
Journey into Cybersecurity: HaxrByte's Story
The conversation covers the journey from gaming to cybersecurity, the future of red teaming and pen testing, learning from previous engagements, and the impact of AI on security operations.
Takeaways:
Early exposure to gaming led to an interest in cybersecurity
Impact of AI on red teaming and pen testing
Chapters:
00:00 From Gaming to Cybersecurity
17:34 The Future of Red Teaming and Pen Testing
24:58 Learning from Previous Engagements
33:32 AI's Impact on Security Operations
-
65
SQL Injection: Understanding the Backend
The conversation covers the importance of understanding the backend code for hacking and the value of documentation in dealing with SQL injection vulnerabilities.
Takeaways:
Understanding the backend code helps with hacking
Documentation is super helpful for SQL injection
Chapters:
00:00 Understanding the Backend Code
-
64
AI in Cybersecurity: 2026 Advice
The conversation covers advice for individuals looking to break into cyber security and pen testing, emphasizing the importance of showcasing expertise through a blog or YouTube channel and considering automation with AI.
Takeaways:
Start a blog or YouTube channel to showcase expertise
Consider automation with AI in cybersecurity
Chapters:
00:00 Breaking into Cyber Security and Pen Testing
-
63
CSS Injection Leads to Major Security Breach
The conversation covers the exploitation of SSRF and LFI vulnerabilities, leading to an account takeover and unauthorized data access. It also highlights the recognition received for the impactful zero-day vulnerability and its real-world consequences.
Takeaways:
SSRF and LFI vulnerabilities led to account takeover and data access
Impactful zero-day vulnerability led to significant consequences
Chapters:
00:00 Recognition for Impactful Zero-Day Vulnerability
-
62
Dylan’s Quick Introduction
Dylan Lahan, a full-time bug bounty hunter and independent security researcher, shares insights on ethical hacking and cybersecurity.
Takeaways:
Ethical hacking as a career
Importance of bug bounty programs
Chapters:
00:00 Introduction to Ethical Hacking and Bug Bounty Hunting
-
61
From Gamer to Bug Bounty Hunter with Dylan Lawhon
Dylan Lawhon (aka iQimps) shares his journey from gaming to bug bounty hunting, including real-world hacking stories, zero-day discovery, SAML abuse, and advice for breaking into cybersecurity in 2026.

00:00 – 00:25 Intro & background
00:25 – 01:44 Getting into computers (gaming era)
01:44 – 03:44 First cybersecurity interest (game hacking & PSN breach)
03:44 – 08:30 Early hacking mindset & CTFs
08:30 – 13:44 First major live hacking event (bug bounty experience)
13:44 – 19:12 CSS injection → SSRF → account takeover case study
19:12 – 23:54 Favorite type of security testing (code review)
23:54 – 27:22 Bug bounty vs pentest time management
27:22 – 30:32 Improving vulnerability impact communication
30:32 – 33:41 Using AI in cybersecurity & automation
33:41 – 38:52 Future of AI in offensive & defensive security
38:52 – 45:48 Underestimated attack vector (SAML abuse)
45:48 – 48:48 Breaking into cybersecurity advice (2026)
48:48 – 51:11 SQL injection + documentation mindset
51:11 – 52:10 Where to find Dylan + closing

Whether you're a beginner in cybersecurity, a bug bounty hunter, or a seasoned pentester, this episode is packed with real-world insights from the front lines of offensive security.
-
60
The Importance of Planning in Penetration Testing
The conversation emphasizes the critical role of planning in cybersecurity testing, highlighting the need for thorough preparation, open source intelligence, and understanding the environment. It also emphasizes the importance of reflection and different planning approaches for various types of tests.
Takeaways:
Thorough planning is crucial for cybersecurity testing
Different types of tests require different planning approaches
Chapters:
00:00 The Importance of Planning
-
59
Start Now: Breaking into Cybersecurity
The conversation covers the importance of hands-on experience in cybersecurity, the value of starting at the foundational level, and the overlap between offensive and defensive cybersecurity roles. It also emphasizes the need for a strong foundation and the potential risks associated with inexperienced consultants and pen testers.
Takeaways:
Hands-on experience is crucial
Start at the foundational level
Overlap between offensive and defensive roles
Chapters:
00:00 Risks and Responsibilities of Consultants and Pen Testers