Chat with a White Hat

PODCAST · business

Real stories from the people breaking and defending the internet

Every week, Michel Chamberland sits down with a cybersecurity professional to dig into the moments that shaped their career, from their first encounter with a computer to the coolest hack they ever pulled off. Every guest answers the same core questions, giving you a unique window into how different people approach the same craft. Whether you're a seasoned red teamer, a bug bounty hunter, a vulnerability analyst, or just getting started, there's something here for you.

  1. 105

    Code Review: My Preferred Approach

    The conversation covers different approaches to code reviews, the importance of setting up and running the code, and how time constraints impact the approach to code reviews.

    Takeaways: Code review approaches; Setting up and running the code; Time constraints impact approach

    Chapters: 00:00 Code Review Approaches

  2. 104

    AI in Security: Short & Long Term

    The conversation covers the impact of AI on security and the integration of AI optimization into normal operations.

    Takeaways: AI's impact on security; Integration of AI into normal operations

    Chapters: 00:00 AI and Security

  3. 103

    Hack: Domain Admin Password in 20 Seconds

    The conversation covers a quick hack experience during infrastructure testing and the importance of checking for vulnerabilities. It emphasizes the need for thorough security checks and highlights the lessons learned from the experience.

    Takeaways: Infrastructure testing; Importance of checking for vulnerabilities

    Chapters: 00:00 The Quick Hack

  4. 102

    Exploiting SAML Audience Misconfigurations

    The conversation delves into the topic of SAML hacking and the exploitation of audience attributes in service provider initiated scenarios. It highlights the significance of audience attributes in SAML requests and the potential security vulnerabilities associated with them.

    Takeaways: SAML hacking involves exploiting audience attributes in service provider initiated scenarios. Audience attributes in SAML requests can lead to authentication vulnerabilities if not properly checked.

    Chapters: 00:00 SAML Hacking and Audience Attributes

  5. 101

    Hacking Prison Management System

    The conversation covers the discovery of a well-secured application called Black Creek, the exploration of a prison management system, and the acquisition of network credentials to access a server.

    Takeaways: Black Creek; Prison Management; Network Credentials

    Chapters: 00:00 Black Creek Application

  6. 100

    AI in Cybersecurity: Offensive & Defensive Uses

    The conversation covers the use of AI in quick development and automation, as well as its impact on cybersecurity in offensive and defensive applications. IQimpz discusses the ways in which AI is utilized for rapid code development and automation, as well as its role in offensive and defensive cybersecurity strategies.

    Takeaways: AI in quick development; AI in cybersecurity; AI in offensive and defensive security

    Chapters: 00:00 AI in Quick Development and Automation

  7. 99

    AI & Cybersecurity: The Unpredictable Future

    The conversation delves into the unforeseen growth of the internet and the challenges it presents for cybersecurity. It also explores the future of the internet and cybersecurity, the pace of change in cybersecurity, and the need for progress in cybersecurity.

    Takeaways: Internet growth; Cybersecurity challenges

    Chapters: 00:00 The Unforeseen Growth of the Internet

  8. 98

    Security Testing: More Than Just Hacking

    The conversation delves into the importance of reporting in offensive security, highlighting the need to convey the impact of work and balance hacking with reporting responsibilities.

    Takeaways: Reporting is crucial in offensive security; Balancing hacking and reporting is essential for effective penetration testing.

    Chapters: 00:00 The Importance of Reporting in Offensive Security

  9. 97

    Guest Spotlight: Philip's Journey into Cybersecurity

    The conversation covers the early exposure to computers and the influence of family on the interest in computers.

    Takeaways: Early exposure to computers; Influence of family on interest in computers

    Chapters: 00:00 Early Exposure to Computers

  10. 96

    Domain Admin Password in Plain Sight

    Discovering a critical security flaw in infrastructure testing led to the realization of the importance of thorough checks and vigilance. The incident highlighted the need to verify all aspects of the system to uncover potential vulnerabilities.

    Takeaways: Thorough checks are essential; Vigilance is key

    Chapters: 00:00 Infrastructure Testing and Security Flaws

  11. 95

    AI in Cybersecurity: Friend or Foe?

    The conversation delves into the use of AI in security, addressing concerns, optimization, bug discovery, code generation, and its role in penetration testing. It also highlights the need for human guidance in AI-driven security testing.

    Takeaways: AI is being used in security for reporting, password cracking, and bug discovery. AI is seen as a force multiplier for pen testers, making good pen testers better and bad ones worse.

    Chapters: 00:00 AI in Security

  12. 94

    Hacking Financial Infrastructure

    The conversation delves into the significance of the technology being discussed, particularly its impact on the financial industry and the associated vulnerability concerns.

    Takeaways: Importance of the Technology; Vulnerability Awareness

    Chapters: 00:00 The Significance of the Technology

  13. 93

    Hacking with Perl: A Cybersecurity Journey

    The conversation delves into the early days of computer security and the transition from Perl to Python, providing insights into the tools and techniques used during that time.

    Takeaways: Early days of computer security; Transition from Perl to Python

    Chapters: 00:00 Early Days of Computer Security

  14. 92

    From BBC Micro to Red Teaming (Ed Williams on Hacking, AI & Cybersecurity)

    New episode of Chat with a Whitehat is live. In this episode, Ed Williams shares his journey from early BASIC programming to leading modern red team operations. We dive into real-world penetration testing stories, offensive security insights, and how AI is reshaping the field—while fundamentals still remain the key to success.

    00:00 – 00:32 | Introduction & Ed Williams’ background
    00:32 – 02:56 | Early interest in computers (BBC Micro & BASIC)
    02:56 – 04:05 | Getting into cybersecurity & university experience
    04:05 – 05:48 | Early tools, Perl vs Python, and learning to hack
    05:48 – 07:09 | Building projects (mini kernel, remote bash, Unix systems)
    07:09 – 08:30 | Fastest hack ever (domain admin in seconds)
    08:30 – 09:59 | Real-world red teaming & social engineering stories
    09:59 – 12:42 | Bank engagements & physical security testing
    12:42 – 14:45 | Favorite type of security testing (infrastructure vs web)
    14:45 – 17:09 | Importance of planning in penetration testing
    17:09 – 18:07 | Time management & lessons learned during tests
    18:07 – 19:33 | How to get better results in security testing
    19:33 – 23:43 | How AI is being used in cybersecurity today
    23:43 – 27:32 | AI’s impact on offensive & defensive security
    27:32 – 29:33 | Biggest misconceptions about penetration testing
    29:33 – 30:41 | Most underestimated attack vector (passwords)
    30:41 – 32:41 | Why fundamentals matter in cybersecurity
    32:41 – 35:19 | Advice for breaking into cybersecurity (2026)
    35:19 – 36:10 | Where to find Ed Williams & closing remarks

  15. 91

    SQL Injection: Fingerprinting DBMS

    The conversation delves into the nuances of database exploitation and vulnerability, emphasizing the importance of understanding the type of SQL and backend used. It also highlights the significance of database documentation and fingerprinting in the context of cybersecurity.

    Takeaways: Database exploitation depends on the type of SQL and backend used; Understanding database documentation and fingerprinting is crucial

    Chapters: 00:00 Database Exploitation and Vulnerability

  16. 90

    AI in Cybersecurity: Offensive & Defensive Shift

    The conversation delves into the impact of AI on cybersecurity, both in offense and defense. It also explores the accessibility of pen testing for small businesses and individuals, highlighting the changing landscape of cybersecurity.

    Takeaways: AI impact on offensive and defensive cybersecurity; Accessibility of pen testing for small businesses and individuals

    Chapters: 00:00 AI Impact on Cybersecurity

  17. 89

    Hack: Domain Admin Password in 20 Seconds

    Ed Williams shares some of the coolest hacks he has pulled off, including a quick domain admin password discovery and social engineering tactics for gaining access to secure buildings.

    Takeaways: Vulnerability enumeration is crucial in infrastructure testing. Social engineering can be used to gain physical access to secure buildings.

    Chapters: 00:00 Quick Domain Admin Hack

  18. 88

    Exploiting SAML Audience Misconfiguration

    The conversation covers the exploitation of SAML authentication and the vulnerability related to the Audience URI. It also delves into bug bounty and pen testing strategies for identifying and exploiting these vulnerabilities.

    Takeaways: SAML authentication exploitation; Audience URI vulnerability

    Chapters: 00:00 SAML Authentication Exploitation

  19. 87

    Fighting AI with AI: The Future of Pen Testing

    The conversation explores the impact of AI on software development and testing, highlighting the evolution of development processes and the challenges and opportunities presented by AI in testing.

    Takeaways: AI in software development; Impact of AI on testing

    Chapters: 00:00 The Evolution of Software Development with AI

  20. 86

    CSS Injection Leads to Zero-Day Vulnerability

    The conversation covers the discovery of HTML to PDF vulnerabilities, uncovering CSS injection vulnerabilities, and exploiting zero-day vulnerabilities to demonstrate significant security impacts. It highlights the importance of thorough security testing and the potential impact of zero-day vulnerabilities.

    Takeaways: HTML and CSS injection can lead to significant security vulnerabilities; Uncovering zero-day vulnerabilities can have a substantial impact

    Chapters: 00:00 Discovering HTML to PDF Vulnerabilities

  21. 85

    Security Testing: Not Glamorous, But Essential

    The conversation delves into the misconceptions and realities of cybersecurity, highlighting the lack of glamour and the monotonous, meticulous nature of the work. It also touches on the unsocial and frustrating aspects of the field.

    Takeaways: Cybersecurity is not as glamorous as people think; It can be unsocial and frustrating at times

    Chapters: 00:00 The Monotony and Meticulousness of Cybersecurity

  22. 84

    Pentesting: A Fool's Errand?

    The conversation covers Neil Kettle's favorite testing methods, the challenges of pen testing, and the application of first principles in security testing.

    Takeaways: Favorite testing methods; Challenges of pen testing; First principles in security testing

    Chapters: 00:00 Favorite Testing Methods and Challenges

  23. 83

    The Importance of Articulating Vulnerability Impact

    The conversation covers the importance of articulating the impact of vulnerabilities and the use of AI for quick development and automation. It emphasizes the significance of understanding and communicating the impact of vulnerabilities and the benefits of using AI for rapid development and automation.

    Takeaways: Articulating the impact of a vulnerability is crucial; Using AI for quick development and automation

    Chapters: 00:00 Articulating the Impact of Vulnerabilities

  24. 82

    Journey into Cybersecurity: HaxrByte's Story

    The conversation covers the journey from gaming to cybersecurity, the future of red teaming and pen testing, learning from previous engagements, and the impact of AI on security operations.

    Takeaways: Early exposure to gaming led to an interest in cybersecurity; Impact of AI on red teaming and pen testing

    Chapters: 00:00 From Gaming to Cybersecurity; 17:34 The Future of Red Teaming and Pen Testing; 24:58 Learning from Previous Engagements; 33:32 AI's Impact on Security Operations

  25. 81

    SQL Injection: Understanding the Backend

    The conversation covers the importance of understanding the backend code for hacking and the value of documentation in dealing with SQL injection vulnerabilities.

    Takeaways: Understanding the backend code helps with hacking; Documentation is super helpful for SQL injection

    Chapters: 00:00 Understanding the Backend Code

  26. 80

    AI in Cybersecurity: 2026 Advice

    The conversation covers advice for individuals looking to break into cyber security and pen testing, emphasizing the importance of showcasing expertise through a blog or YouTube channel and considering automation with AI.

    Takeaways: Start a blog or YouTube channel to showcase expertise; Consider automation with AI in cybersecurity

    Chapters: 00:00 Breaking into Cyber Security and Pen Testing

  27. 79

    CSS Injection Leads to Major Security Breach

    The conversation covers the exploitation of SSRF and LFI vulnerabilities, leading to an account takeover and unauthorized data access. It also highlights the recognition received for the impactful zero-day vulnerability and its real-world consequences.

    Takeaways: SSRF and LFI vulnerabilities led to account takeover and data access; Impactful zero-day vulnerability led to significant consequences

    Chapters: 00:00 Recognition for Impactful Zero-Day Vulnerability

  28. 78

    Dylan’s Quick Introduction

    Dylan Lawhon, a full-time bug bounty hunter and independent security researcher, shares insights on ethical hacking and cybersecurity.

    Takeaways: Ethical hacking as a career; Importance of bug bounty programs

    Chapters: 00:00 Introduction to Ethical Hacking and Bug Bounty Hunting

  29. 77

    From Gamer to Bug Bounty Hunter with Dylan Lawhon

    Dylan Lawhon (aka iQimps) shares his journey from gaming to bug bounty hunting, including real-world hacking stories, zero-day discovery, SAML abuse, and advice for breaking into cybersecurity in 2026.

    00:00 – 00:25 Intro & background
    00:25 – 01:44 Getting into computers (gaming era)
    01:44 – 03:44 First cybersecurity interest (game hacking & PSN breach)
    03:44 – 08:30 Early hacking mindset & CTFs
    08:30 – 13:44 First major live hacking event (bug bounty experience)
    13:44 – 19:12 CSS injection → SSRF → account takeover case study
    19:12 – 23:54 Favorite type of security testing (code review)
    23:54 – 27:22 Bug bounty vs pentest time management
    27:22 – 30:32 Improving vulnerability impact communication
    30:32 – 33:41 Using AI in cybersecurity & automation
    33:41 – 38:52 Future of AI in offensive & defensive security
    38:52 – 45:48 Underestimated attack vector (SAML abuse)
    45:48 – 48:48 Breaking into cybersecurity advice (2026)
    48:48 – 51:11 SQL injection + documentation mindset
    51:11 – 52:10 Where to find Dylan + closing

    Whether you're a beginner in cybersecurity, a bug bounty hunter, or a seasoned pentester, this episode is packed with real-world insights from the front lines of offensive security.

  30. 76

    The Importance of Planning in Penetration Testing

    The conversation emphasizes the critical role of planning in cybersecurity testing, highlighting the need for thorough preparation, open source intelligence, and understanding the environment. It also emphasizes the importance of reflection and different planning approaches for various types of tests.

    Takeaways: Thorough planning is crucial for cybersecurity testing; Different types of tests require different planning approaches

    Chapters: 00:00 The Importance of Planning

  31. 75

    Start Now: Breaking into Cybersecurity

    The conversation covers the importance of hands-on experience in cybersecurity, the value of starting at the foundational level, and the overlap between offensive and defensive cybersecurity roles. It also emphasizes the need for a strong foundation and the potential risks associated with inexperienced consultants and pen testers.

    Takeaways: Hands-on experience is crucial; Start at the foundational level; Overlap between offensive and defensive roles

    Chapters: 00:00 Risks and Responsibilities of Consultants and Pen Testers

  32. 74

    Pentesting: A Partnership, Not an Adversary

    The conversation covers the importance of network diagrams in pen testing and the need for a partnership approach in security testing. It also highlights the challenges of security testing and the need to work collaboratively with organizations to improve security.

    Takeaways: Partnership approach; Challenges in security testing

    Chapters: 00:00 Network Diagrams and Pen Testing

  33. 73

    Reverse Engineering Mac OS X Keylogger

    Neil Kettle discovered a bug in 2010 that became public in 2015. He was contracted to create government malware that could key log on Mac OS X without informing the user. He reverse engineered Apple's method and completed the task in 20 minutes.

    Takeaways: Bug discovery in 2010; Creation of government malware; Reverse engineering Apple's method

    Chapters: 00:00 Reverse Engineering Apple's Method

  34. 72

    Master Fundamentals for Cybersecurity

    The conversation covers advice for breaking into cybersecurity in 2026, emphasizing the importance of fundamentals and contributing to projects.

    Takeaways: Fundamentals are key; Contribute to projects and have a body of evidence

    Chapters: 00:00 Breaking into Cybersecurity in 2026

  35. 71

    Guest Spotlight: Dylan Lawhon - The Cybersecurity Journey

    Dylan Lawhon, a bug bounty hunter and security researcher, shares his journey from gaming to cybersecurity. His interest in computers was sparked by gaming, leading to his exploration of programming and technical skills. Additionally, early exposure to game hackers influenced his interest in cybersecurity.

    Takeaways: Gaming sparked interest in computers; Early exposure to game hackers influenced interest in cybersecurity

    Chapters: 00:00 Interest in Cybersecurity and Game Hacking

  36. 70

    Guest Spotlight: Nick Aures' Cybersecurity Insights

    Nick Aures, a senior pen tester at Sprocket Security, shares his journey from childhood fascination with computers to his entry into the field of cybersecurity.

    Takeaways: Early exposure to home computing sparked Nick's interest in technology. Nick's interest in cybersecurity began in the mid-2000s with the use of Backtrack, a predominant hacking OS at the time.

    Chapters: 00:00 Entry into Cybersecurity

  37. 69

    Ed Williams Shares a Shocking Password Hack

    The conversation delves into a security incident involving infrastructure enumeration and the discovery of a critical security vulnerability. The incident highlights the importance of thorough infrastructure testing and the potential risks associated with security vulnerabilities in network infrastructure.

    Takeaways: Infrastructure Enumeration; Security Vulnerabilities

    Chapters: 00:00 Infrastructure Enumeration and Security

  38. 68

    Why Upgrading Memory Boosts Performance

    The conversation covers the topic of computer performance and memory optimization, highlighting the impact of memory on overall performance.

    Takeaways: Memory optimization is crucial for improving computer performance. Maxing out memory can significantly improve a computer's performance.

    Chapters: 00:00 Impact of Memory on Computer Performance

  39. 67

    Unexpected EDR Deployment Hack

    The conversation covers the process of gaining access to the mail server and the challenges faced with the EDR (Endpoint Detection and Response) system.

    Takeaways: Gaining access to the mail server; Challenges with EDR

    Chapters: 00:00 Gaining Access to Mail Server

  40. 66

    Hacking a County's Prison Management System

    The conversation covers a story about a cool hack and the favorite type of security testing, focusing on web application security testing. The hack involved a simple and elegant approach, while the security testing preference is based on the eye-opening factor and the prevalence of web applications in modern life.

    Takeaways: Simple and elegant hacks; Focus on web application security testing

    Chapters: 00:00 The Coolest Hack

  41. 65

    My First Interest in Computers at Age 7

    Neil Kettle discusses his early interest in computers, starting with his introduction to them at the age of seven and his progression from the Commodore 64 to an interest in logic and mathematics. He then shares his introduction to cybersecurity during his undergraduate studies and the impact of a specific exploit on his understanding of the field.

    Takeaways: Early exposure to computers can shape a lifelong interest in technology and problem-solving. The transition from reverse engineering to cybersecurity can be a pivotal moment in a professional's career.

    Chapters: 00:00 Early Interest in Computers

  42. 64

    Mike Talks About the Power of AI in Pentesting

    The future of penetration testing involves the use of AI to test faster and better, allowing for increased testing frequency due to the rapidly changing landscape of technology.

    Takeaways: AI in penetration testing; Increased frequency of testing

    Chapters: 00:00 The Future of Penetration Testing with AI

  43. 63

    AI: The New Programming Language

    The conversation covers the topic of AI as a new programming language, the experience of working with AI, and the importance of being comfortable with AI technology.

    Takeaways: AI as a new programming language; Comfort and familiarity with AI technology

    Chapters: 00:00 AI as a New Programming Language

  44. 62

    Authentication Bypass: Redirect Vulnerability

    The conversation covers the topics of authentication and redirection, as well as code execution vulnerabilities. The first chapter explores the challenges of authentication and redirection in web applications, while the second chapter delves into the issue of code execution vulnerabilities and the challenges of addressing them.

    Takeaways: Authentication and Redirection; Code Execution Vulnerabilities

    Chapters: 00:00 Authentication and Redirection

  45. 61

    Mastering Exploit Coding: Learn the Premise, Not the Antecedent

    The conversation delves into the importance of understanding the premise rather than memorizing the antecedent. It emphasizes the natural progression of learning exploit coding and the significance of understanding the core premise. Practice and understanding are highlighted as key elements in the learning process.

    Takeaways: Learn the premise, not the antecedent; Practice and understanding are key

    Chapters: 00:00 The Importance of Understanding the Premise

  46. 60

    Agentic Pentesting: Democratizing Cybersecurity

    The conversation covers the impact of agentic pen testing on accessibility for small businesses and individuals, as well as the advantages it provides to enterprises in terms of security testing and bug detection.

    Takeaways: Agentic pen testing has made security testing more accessible to small businesses and individuals; Enterprises now have pen testers with superpowers to keep up with bad actors and bugs

    Chapters: 00:00 Agentic Pen Testing and Accessibility

  47. 59

    When EDR Becomes Your Best Deployment Tool

    The conversation delves into troubleshooting issues with EDR integration and the challenges faced in accessing the EDR web console.

    Takeaways: Troubleshooting EDR integration; Challenges with EDR web console access

    Chapters: 00:00 Challenges with EDR Web Console Access

  48. 58

    Underestimated Attack Vector: Execution After Redirect

    The conversation covers the underestimated vulnerability of execution after redirect and the importance of AI in cybersecurity. It also provides advice for breaking into cybersecurity and pen testing, emphasizing the significance of showcasing seriousness and considering the automation of pen test activities with AI.

    Takeaways: Execution after redirect; Importance of AI in cybersecurity

    Chapters: 00:00 Underestimated Vulnerabilities and Attack Vectors

  49. 57

    Neil Kettle Flips the Pyramid Scheme Script

    The conversation delves into the innovative business model and the concept of turning the pyramid scheme upside down. It explores the implementation of this model and its successful outcome.

    Takeaways: Innovation in business models; Upside-down pyramid scheme success

    Chapters: 00:00 Upside-Down Pyramid Scheme

  50. 56

    AI in Pentesting: A Game Changer

    The conversation covers the use of AI in pen testing, the role of cloud code in finding exploits, the balance between autonomy and human-in-the-loop, the impact of AI agents on testing, and the need to test faster and better in a changing landscape.

    Takeaways: AI is transforming pen testing; Cloud code is crucial for finding exploits; Balancing autonomy and human involvement is key; AI agents enable faster and better testing; The testing landscape is changing rapidly

    Chapters: 00:00 AI in Pen Testing

HOSTED BY

Michel Chamberland
