Reflecting back on 17 years of pentesting and Infosec

The end of this month marks 17 years for me in the pentesting and infosec space and 30 years total in IT. It's a big milestone, and it's made me reflect on just how massively the world has changed since I started my career all those years ago. Here is my professional story {cue old man tales}.

My career started way back in 1997, working out of a computer shop near home while in high school and doing the odd IT jobs here and there, because frankly, I loved it. I loved everything computers and technology. I grew up in a world of mainframes, 286s, 386s, 486s, Commodore 64s, Tandy TRS-80s (followed by the 1000), Apple II and Apple III, modems, gaming platforms like Atari and Nintendo v1, listening to music on my Sony Walkman, coax and token ring internal computer networks and of course the mainstream birth of the internet for consumers.

I remember spending every recess and lunch at high school in the library playing around on the Apple computers, or in the IT room playing around with the command line, old school VB coding and playing games. Yes, I was a nerd, didn't have many friends, didn't really care TBH. I was also an avid musician (sax player). In those days we all used floppy disks, 5 1/4 inch followed by 3 1/2 inch (it took 13 floppies to install Win95!), as well as cassette tapes for Tandy consoles, and I was lucky enough to be there for the birth of the early Windows OSs (Windows 2.0 and 2.1) and then the mind blowing Windows 3.x way back in 1990.

Prior to this real birth of the computing era, this was my first computer: the electric typewriter that dad would bring home from work sometimes. It was heavy as heck and a pain in the butt to use, but it was as close to a computer as we had. In those days, school work and assignments were not really typed.

My first "computer", the electric typewriter

Back around this time, my old man, after saving for a long long long time, managed to finally get us a computer at home. It was very similar to this beast here, and it set him back many thousands of dollars (I think, if I recall right, about $5000!). People also used to go door to door in those days selling computers to people as well.

Home PC

Having this machine at home transformed my world; now I was no longer limited to the 45 mins here and there at school each day, I had something I could use all the time! It even came complete with a dot matrix printer (later upgraded to the first inkjets). The internet back in these days was also relatively non-existent; all we could do was use locally installed/run apps and games, such as word processors and calculators, and play amazing games such as Doom. For information for assignments, we used to buy the Encarta encyclopedia set (we also had the large books) which came out on CD-ROM (from stores like Tandy) and was very limited in terms of what content it had vs traditional books, so for the most part everything was still paper based.

Then came the birth of the internet. The first dial-up modems became available, and Telstra (and later Optus) were really the only suppliers. We started with a 14400 baud rate modem (or bits per second), then upgraded to 28800, and finally to the 33.6Kbps and the beast 56k modem as years progressed. Back then our household was cutting edge; as of 1997 only 8.6% of the Australian population were internet users (~1.6 million users). It would take a good 5-10 mins (minimum) to dial in and connect to the internet. (We had to get a separate phone line as mum was getting pissed off that whenever she picked up the phone all she would hear was data signals, and no-one could dial through on the main number!)

56k modem

I would spend from morning till late at night in the blue light haze of my PC. Way back then the internet was super small (nothing like today) and nothing was restricted; you could access anything, from photos from Area-51 to the CIA "Blackbook", which was an improvised explosives guide that provided detailed instructions on how you could make explosives using household items/ingredients (I remember kids sharing this particular doc out at high school on floppy disks, some kids lost limbs, true story). With the internet came connectivity: we used to use web browsers like Netscape Navigator and IE, use 'newsgroups' and chat over AOL Messenger, IRC, MSN Messenger and ICQ (which was huge!), and of course download music with Napster and listen to MP3s with Winamp.

Most games were still shared via CD-ROM media and floppy, not via the internet like they are now.

Being a teenage lad and filled with hormones, myself and nearly all of my mates would spend nights trying to meet girls on these platforms, and in between that, playing multiplayer games like Red Alert, Doom and Quake with an almost constant flow of modem disconnections. When we were forced off by our parents, we were usually off skateboarding and bike riding or playing sports like basketball (and trips to the milk bar for lollies) until we could get back on it.

Towards the middle of my high school years I was working at a supermarket and at the local computer shop around 10 mins from home. The work I did at this shop was mainly cleaning up viruses from PCs (the internet was absolutely filled with them, as well as physical media), upgrading hardware, programming EPROMs (e.g. TL866) and putting PCs together. Yes, we used to use good old IC (Integrated Circuit) removal tools and leg straighteners, picks, erasers, soldering irons and all that old school stuff. This is what a typical machine looked like back then. Anyone remember the turbo button? That used to apparently change the CPU clock speeds to give you different performance for apps (never seemed to make a difference IMO).

286

Back then you used to buy games on floppy and CD-ROM from the local markets, which were often filled with viruses.

In the early to mid 1990s is when I first started to learn about hacking and attack stuff. I created my own trainers (cheats) for games and activation bypasses for games and Windows (and keygens), I created my own viruses and trojans and played around with the earliest versions of netcat. My mates were my unsuspecting test victims (sorry guys!) and us teenage kids used to launch non-malicious comedic attacks at each other, such as "porn bombs" that would change wallpapers and dump porn images on a machine so that the target would get in trouble with their parents.

A great time to be alive. Around this time the first mobile phones were also released, but with no internet abilities really, only basic GPRS, which was next to useless. This was my first, for many years.

Nokia 3310

Fast forward to the end of high school and I was planning the next phase of my career. I went to Box Hill Institute, which at the time also held the Cisco Networking Academy run by Cisco guys. I completed an advanced diploma of computer systems (a 3.5 year course back then) in just over 2, with some days running from 8AM till 10PM at night. While completing this, I obtained a stack of industry certs from Cisco, Microsoft and CompTIA, as well as working for myself doing PC support, small business and SOHO network setups, websites, computer builds and typical IT jobs for businesses and individuals, before branching into the workforce full time.

I was lucky to obtain my first role, a half IT / half admin role for the law enforcement side of the Victorian Government. I was based with the sheriff's office, as well as providing wider support to the courts and traffic camera office (speed cams). Some days I was issuing batons and uniforms and arranging fleet car servicing; the next, building servers and supporting Windows (NT) and Lotus Notes and Domino infrastructure (terrible!), supporting and maintaining networks like ISDN, T1s, E1s etc. and core apps across the business units like Citrix. I also won a bunch of Government employee awards during this time, for customer service and project delivery amongst other things. I'll forever be grateful to a gentleman called Perry who gave me my first shot in a professional job and whose managing style and support cemented me for the years to come, and is how I base managing my own team now: with compassion, guidance, support and giving non-experienced people a go at growing and becoming awesome.

Back in those days the internet was starting to grow at an exponential rate, MySpace and Facebook were the main social platforms and we were often supplying PDAs (Personal Digital Assistants), like Palms and HP devices, to officers. No smart phones then, and BlackBerrys hit the scene. These were the devices we typically sent out and managed.

Palm, HP PDAs and BlackBerrys

Through the years I continued to expand my knowledge and gain certifications while performing support for organisations. A lot of new people to infosec these days don't understand how much amazing foundational knowledge you can obtain from doing years in other IT roles; it's a must IMO to be a good pentester. Interestingly, no-one even talked about cyber security back then; the most that got talked about was passwords. It didn't even register really from an organisational risk perspective.

My specialization for many years was in Active Directory and Windows, and then into virtualization. Then I decided to do the whole working holiday thing; my plan was to work in the UK and travel from there to visit other European destinations. For 2.5 years I was based in the UK (from 2005). I landed my first role within a month of landing (luckily) and I worked primarily for a social housing and community support organisation, which was called Origin Housing at the time, performing everything IT, from implementations through to support and projects. I was also there for the London terror attacks; I was based in Euston Square where the first bus was blown up only 100 metres away from me. During this time, I worked with stacks of tech like Cisco gear, APs, VMware (was just starting to become a big thing), SANs, NAS and storage technologies like iSCSI, supported Novell networks, Lotus, Citrix, standard Windows, AD and Office and other apps I'd never heard of before. I was also doing a little VMware consulting on the side for some small to mid size UK organisations. Lots of travelling, lots of fun; if you are young, the working holiday is a must!

In those days mobile data was starting to get a bit better but was still slow and super expensive, and BlackBerrys became the new norm across most organisations, as well as ADSL for connecting remote sites. Smart phones were not really a mainstream thing at this stage either, but at this point I started to think that I wanted to get back into security and hacking after a long time away, and started leveraging hacking tools which were becoming more mainstream, like password crackers (L0phtCrack, Ophcrack), network sniffers (MITM attacks) and scanning tools like nmap, amongst others. I learned them all inside and out (there was no real documentation back then really) and used them in my day to day job to get around restrictions, for example bypassing a lost password to regain access to a system, cracking lost passwords for devices and accounts, identifying clear text passwords and protocol usage etc. I also started learning the ins and outs of L8 attacks (now known as social engineering) and human manipulation from pioneers in the field, such as Steve Riley.

There were also little to no security certs around this time. There was the CISSP (from ISC) and the CEH had only just been released a few years earlier in 2003, but no-one knew anything about it. Amazingly, back then cybersecurity was only just starting to get talked about, and even then it was few and far between; most places still were not even using SMS for any validation (an SMS cost 10-25c per message back then) and a pentest was nothing anyone had heard about. Back then, most organisations were still using sub 8 character passwords and focusing on operational productivity.

In 2007 my time was up in the UK and I headed back to Australia. It was good to be back, but I had to find another role, and it was a bit of a challenging year to find jobs in IT.

After 3 months of interviews and applications I finally ended up at a boutique all things IT firm called Kiandra System Solutions (changed to Kiandra IT later on); they hired me in a 2nd/3rd line support role.

Kiandra website - 2008

Small team of sub 20 staff; everyone at the time (even the directors) were quite young, it was a little bit the wild west and it was an organisation that still seemed to be finding its feet IMO, lots of big personalities and definitely a boys and mates club. To give you an example, I was the first one in the company to have a child. That being said, Cam and Chris, the 2 directors I primarily dealt with, were amazing, as was Marty, the director for the other side of the business. Within a short period with the company I started to become the go to man; all of the support team would hit me up with the impossible faults to sort in Windows, Citrix and AD environments, I became the go to person for VMware and they would put me onto complex implementations, as well as hit me up for security guidance. I worked with some amazing guys and talent there over the years and made a lot of friendships along the way. I was also fortunate to be exposed to all sorts of new and strange technologies while working at Kiandra. For example, we had a law firm on our books, and the partners there engaged us to secretly deploy custom security-company built spyware and malware (like Pegasus) on to a large number of key personnel's machines, which gave them the ability to view and record every movement, key and screen (in a video!) all day every day, to assess their productivity and to ensure they were not slacking off, as time is money in a law firm. A massive invasion of privacy you could never get away with these days, and it was kept confidential from the employees, which is even worse. I dealt with malware outbreaks at mining companies and other orgs, which gave me really good exposure to incident response and DR, and I had the odd jobs which gave me some further exposure to forensics.

After only a few years, I was at the top of my game. I earned the nickname "the general" as I held about 18 industry certifications to my name. I had hit that threshold, and I was given the choice of 1 of 2 paths to take: I could move into a management type role, or I could do something else. I chose the latter and told them, I want to do security full time.

I started in a hybrid role with a mixture of standard IT stuff and security. Security certs were starting to become a little bit more widespread at this stage, with certs now available from ISC, SANS, CompTIA and EC-Council. EC-Council and SANS were considered the top tier certs way back then. I started doing certs, completing my Security+ and enrolling in the CEH. I was fortunate enough to get into the first class in the world for the CEHv7 (the launch class); the CEH v6 had been around for a long time before that and it was a big deal getting into this class. Before the class had even started, I had already revised and read every book from EC-Council on pentesting and earlier CEH courseware and forensics, went through all the SANS courseware as well, everything I could find really. This, combined with my already obtained knowledge from my career, set me at the forefront of the class. My teacher (and later friend and mentor) was the infamous Erdal Ozkaya, an absolutely amazing and mind blowing trainer (and person in general), holder of a mountain of certifications. No words can describe how amazing and engaging his class was, and this was his first time seeing the v7 curriculum as well. And I can say with absolute certainty that his class (and him directly) gave me the drive and ambition to be amazing at what I do, and cemented my love for security and hacking. As I was far ahead of the rest of the class, I would often finish before everyone else and help others. Erdal and I would stay after the class officially finished (and before class too) chatting all things hacking and infosec, while class members were playing catchup from the day. (There was pre-requisite material of about 20-50 pages each night students were required to review to cover all content in the 5 days.)

Erdal was super supportive both in and out of the classroom and we kept in touch often. 7 days later I was the first one in my class and 1 of the first 10 people in the world to take and pass the CEHv7 exam. I received a fancy plaque (I still have it today) and a congrats letter from the CEO. From there I started the security practice at Kiandra and started pushing the message out to the world about why cybersecurity matters, why you need to consider this within your organisation and your risk appetite, as well as what organisations should be doing, like pentesting, audits etc. Back then not a single company that I was working with was doing or even considering pentesting; that was a US or big-business thing, not an Australian and/or SME thing in their minds. Even back then there was so much pushback; directors would often say to me "why would anyone want to hack us", "we're only small fish, we're not a target". The head in the sand was amazing.

I remember talking with one food and diet organisation about a pentest in the early days. They said they were not at risk of cyber attacks because they were running an old AS500 mainframe for all of their customer data, which was so old most hackers wouldn't even know how to interact with it. That made me chuckle, but while in that meeting I hacked their WEP-based wireless network in 7 minutes, providing me access to their non-isolated corporate network, and I still remembered the old school mainframe commands :). They then understood the risk and why this was a big deal.

At the same time I continued to increase my hacking and pentesting skills, and I earned my ECSA certification from EC-Council, which gave me the option to apply for my pentester license via the Licensed Penetration Tester (LPT) certification. EC-Council at the time were the only ones who could issue a license, and this all came about from their joint arrangements with US defense and their selection by the Pentagon to oversee training of the Department of Defense employees who work in computer security-related jobs.

The application process was actually quite demanding; it took me close to a month to prepare everything for the application, and I must admit it was good at weeding out certain characters and ensuring that the tester (licensee) had adequate industry experience (these days anyone can get the cert). Back then (we're talking 2010/2011) I had to provide in my application:

  • Proof of security skills and a minimum of 2 years in a security role (before you could even apply)
  • 7-10 years of previous IT or software dev experience
  • Police Checks and transcripts (proof) from both Federal and Local Police
  • No criminal convictions or arrests whatsoever
  • Character references, 1-2 personal, 2-3 professional from different organisations, with a security focus.
  • Copies of all my certs and education experience including scores
  • Letter from employer complete with proof of employment and experience
  • Signed agreements (basically say you will do good not evil)
  • Any other documents to assist the board in their decision, such as awards, certificates etc.

6 weeks later I had my license in hand, and I went straight to work pushing pentesting services.

It wasn't until a year later that Offensive Security came out with the OSCP cert. It wasn't really widely known back then, but it tipped the cert industry on its head, and has been the most widely known mainstream pentest cert since. This was also the year that Office 365 was released and everyone started talking cloud. Although O365 was released, there was quite a slow uptake here in Australia, so it wasn't really a main avenue being leveraged for exploitation on our engagements at that stage; it took another few years before we would really start leveraging it. 2010 was also when Bitcoin went big (it was officially launched in 2009) and everyone was mining all over the place for coins, and a lot of malware out there was designed just for this task.

2011 was also when mobile apps became a "thing". Smart phone adoption had taken off astronomically and we started to get requests to test mobile apps.

Over the years I presented at a tonne of events like breakfast events/presentations, webinars and conferences, and created and pushed out social content. It was a hard slog and a hard sell due to the current landscape; nearly all businesses didn't really care about cyber, and then there was the whole head in the sand approach from most organisations. I think, if I recall right, I only had 2 paid engagements that year. I also did a bunch of pro-bono jobs for clients to build awareness and build my skills.

presentations

I would work all day from 6am till 3pm, head home, give the family a bit of time, then be up till midnight every night honing my skills. There was no Hack The Box back then, there wasn't even cloud, everything was on prem; the "cloud" was something only a minimal number of people were starting to just talk about. So I built my own lab environments, downloaded vulnerable VMs from others, built my own scripts and tools, and spent hours hacking stuff and honing my skills at pentesting every night, everything from network, wireless and webapps through to physical access and social engineering.

During this time, I also completed other certs like CHFI, SANS GPEN etc. amongst others. I also travelled to Kuala Lumpur to take the advanced pentesting Masterclass (CAST 611) from EC-Council, run by the amazing Joe McCray, which mind you was bloody tough, even with my skillset, with lots of reverse engineering, code development stuff and exploit rewriting and host bypassing, those sort of dry but essential areas, and was all about pentesting and breaching the world's hardest environments; there were only 6 people in the class, to give you an idea. Took me a while to get my head around everything I learnt, but I got there in the end, and Erdal was also delivering a preso at that conference so we hung out for a few days nerding it up and enjoying the sights and sounds.

At this point in time, I can say that the infosec industry was small (there was no ACSC back then, as an example), most organisations and people knew each other (there were very few testers (or good testers at least) in Australia) and the people in the industry were toxic and frankly assholes. Testers and "hackers" would go out of their way to put people down, to make themselves look and feel better. You would post, say, a blog about some new hack or method you found that worked well for you; they would pick the crap out of it, troll it and you, and share it to every other site out there saying this guy is shit, he's using stuff others have used for ages, don't use them, these sorts of things. It was hard and taxing on my mental health, and after only posting a few public blog posts, I ended up spending most of the early stages of my career not sharing anything technical, which I found hard as I'm a person that loves to educate and teach people, and I hate seeing organisations breached when it's completely avoidable. I kept my network small and the information I shared confined to my own locked down blog (invite only).

I continued to present at countless events trying to spread the message about cybersecurity.

Presenting at the MCG for the CEO institute's annual conference.

It was slowly changing; within a few years everyone was talking about this new "cloud" (adoption was slow) and security was slowly moving to the forefront of IT managers' minds. Hacks were becoming mainstream, lots of big-name breaches like Yahoo, Adobe, eBay, Equifax, Sony, Target, Anthem were happening at this time, and of course we had the infamous Stuxnet attack and Verisign breach.

State-sponsored attacks were sky rocketing, Anonymous was very active, websites were defaced daily around the globe, it was an interesting time...

These breaches and attacks, combined with the reputation for my work, started to propel our engagements list. I was now working full time on pentests, and I had another person join my team, my good friend Rich, who was an amazing tester and my equal if not better on a lot of fronts, and we were the A team.

This increase in engagements flowed into an increase in my skills and experience; for 3 years I had a 100% breach rate on every engagement from the perimeter, and for the next 5 after that, 96%.

Our client base grew as organisations were more and more accepting of cyber risks and adopting pentests. At the time there were only really 2 big vendors doing most pentesting in Australia, which were Sense of Security and HackLabs (later they merged). What set us apart from them was that we were using techniques the others were not; they were doing standard network testing, vulnerability scanning and reporting, we were doing red team engagements, using Command & Control infrastructure (C2s), domain fronting, sniffing, leveraging hacking hardware like Hak5 WiFi Pineapples, advanced social engineering and phishing, password spraying, and post-exploitation using frameworks like Empire, Covenant and custom shellcode. We were popping clients and shells left right and center; they loved us, we loved them and we were having a bloody good time along the way.

Our client list soared from 2 in the first year to more than 60 in 5 years (most via word of mouth and my presentations) and has continued to grow to this day; my team currently services around 80 regular and another 20 or so irregular clients.

Around this same time, Erdal had invited me to present at some of his CEH classes (which I did), and I was engaged by Defence to train some of the earliest cyber offensive operators. Things were good and exciting.

Another interesting point about this time was that pentesting and infosec in general were still a bit of a dark art. The government wasn't really investing much in cybersecurity at this stage, the ACSC wasn't formed for another 3 years yet, that collaboration wasn't there at that stage, and the eSafety Commissioner wasn't yet established either; this only happened in 2015.

Not much sharing or collaboration was going on at all from industries and organisations, especially security firms. Most firms were siloed and kept their Techniques, Tactics and Procedures (TTPs) close to their chest. MITRE ATT&CK had only come out 3 years earlier, no-one was using it or referencing it, everyone was still based off CVSS... there was still much to come.

Each and every day I was finding new ways to get into the easiest and toughest organisations around the globe, from getting in through recruitment platforms (applying for job applications), through to physical access (delivering doughnuts), web attacks and exploiting vulnerabilities, and advanced social engineering. My arsenal was extensive; I'd seen it all by this stage, had worked with most (if not all) industries and sizes, had seen the best of the best and the worst of the worst. I had worked with and compromised high profile clients and systems. For example, I managed to breach a major Australian political party's entire donation system through their webapp via SQL injection, I'd breached into databases and systems containing thousands of health records for hospitals, breached systems containing celebrity addresses and contact details, and for a job at a very widely known sports organisation I'd managed to hijack the phones in the player and staff cafe, gaining credentials for high profile sporting superstars. It was just so exciting each day.

Every day there was something new. Admittedly, it was much easier to breach organisations in these earlier days compared to today (due to the advancement of security controls in play nowadays). In 2016 I got my first 0day for a vulnerability I had discovered in a SCADA Process Control System software for Siemens, allowing you to take over the hosting server/workstation through the software, another proud moment for me.

2016 was also the year that cyber insurance became "a thing". Prior to this it never really existed; no-one knew or considered it (there was some coverage in ML products for cyber only) and most insurance companies launched their cyber insurance products in this year. I was asked by Zurich to do a roadshow with them, presenting all around the country to insurance professionals on what cyber insurance is, why companies need it and how to understand cyber risk and resilience. It was an amazing and super fun experience. We travelled to every major city and a bunch of regionals, I met an unbelievable number of amazing people, and I became a bit of a celebrity within the insurance space that year and for the next few years; I was the go-to person for everything cyber. I presented at a number of NIBA events in 2016/2017, including the keynote at their infamous annual conference, and brokers and insurance providers were teaming up with me left right and center over the next few years to help them sell cyber and insurance services to their clients.

NIBA Conference keynote

Also in 2017 we started to get more training and development providers popping up. Hack The Box had started this year, and TryHackMe started early in 2018.

2018 was a very busy year for me. By this stage I was quite heavy on the speaker circuit, the CEO Institute was getting me to speak to stacks of their syndicates, companies were bringing me in to present to boards all over the place and I was discovered by ICMI Speakers and Entertainers, a professional speakers and entertainers organisation who are amazing to work for. Before I knew it I was getting contracted out left right and center, presenting on everything hacking, cybercrime, cyber security, data breaches, the darknet, pentesting etc. There was still this massive knowledge gap for both organisations and individuals and I was there to fill it. I won countless presentation of the day awards, met a mountain of amazing people and cemented my position within the industry and organisations alike as someone that knew their stuff. In 2018 my professional reputation was also gaining strides: ABC radio were interviewing me (everyone was fascinated with the 'paid hacker' and no-one knew these roles even existed), I was on Channel 7 on Sunrise, and invited to present and speak on/at countless online media, blogs, posts, webcasts and podcasts.

By this stage the world was firmly moving to cloud and everyone was starting to talk cybersecurity. There was a mountain of certs now available for people as well (still no official courses at university at this stage), with OSCP still pushing ahead, and CEH was far surpassed and became a bit of an ongoing joke in the industry.

In 2018, industry and government security bodies were also formed, such as the ACSC, eSafety Commissioner and IDCare. The industry had changed massively within 1-2 years, which was amazing; information was being shared, it seemed that FINALLY the world had woken up to infosec. The industry had finally woken up as well and realised there was enough security for everyone, everyone could get a piece of the pie, and everyone had a responsibility to share and stop people and organisations from being hacked, and those trolls of the past were slowly slipping into the shadows. I think if I had to choose the most mind-blowing period for change in the IT world and specifically the security industry, it was 2017-2018, where cybersecurity went from nothing to everything in my opinion.

This was the same year that Erdal asked me to write a chapter for his new Learn Social Engineering book, as I had a vast amount of experience in that space. I gladly contributed; my chapter is chapter 12 in the book if you have it.

In late 2018, TAFE started offering the Cert IV in Cyber Security, and then in 2019 cybersecurity and pentesting made their way to mainstream universities: Deakin put out their Master of Cyber Security, and I had a number of TAFEs and universities reach out to me to help them develop their course content. This is when things (IMO) got easy for individuals. The cyber skills shortage was there (still is now), but no longer were individuals having to have experience in IT before moving into the pentest industry. IMO I found this frightening, frustrating and high risk. What makes a good tester is foundational knowledge and experience in all parts of IT, to make you efficient and effective at bypassing any system without affecting a client's BAU, and being able to answer any cybersecurity question a client could throw at you.

People no longer had or needed this foundational knowledge; there was no longer vetting for certs. They were doing uni courses and/or certs like OSCP but had zero knowledge of basic concepts like installing Windows, working with technologies of the past, networking protocols, communication and presentation skills, personal organisation etc., and were getting thrown into the industry to fill resource gaps.

2018 was the start of a very long, drawn-out, messy divorce for me (which wasn't finalised till 2019), and I needed to pull back on my mountain of presentations and other out-of-work activities to focus on family.

2019 also saw the release of my first book, Hack Proof Yourself! The Essential Guide to Securing Your Digital World. Publishing a book was always on my bucket list, and it was an easy way for me to educate individuals on cyber security concepts. I'd presented at stacks of community events and conferences, but I couldn't educate the masses, and the book let me do just that.

amazon - hackproofyourself

This was also the year that Altered Security really started to become mainstream for certs. It was started the year before, but like Offensive Security, took a little while before it became mainstream.

2020 was an interesting year for me (and for everyone else too). I had been with Kiandra for almost 13 years by this stage, and in this year Kiandra sold off my part of the business, the pentest practice (as well as other tech divisions), to Nexon Asia Pacific. For anyone that's been through an acquisition, you will know that it's a stressful time (especially if you have been with a company for so long, from its humble beginnings to a large firm): there is a massive amount of uncertainty, a lot of people leave, no-one knows what's next for them, is their head on the chopping block? I then became the security services lead at Nexon. I was the point of call for all things cyber, I looked after the SOC at one stage as well as my own pentest practice, and I was doing incident response, security guidance and consulting, and presentations. Nexon were and are an amazing company to work for, and lots of changes and growth continued for Nexon during this period; Kiandra were 1 of 3 organisations acquired in that year. This was also the year that COVID came to town, which wasn't a pleasant experience :)

I'm always looking for ways I can give back to the industry, and over the years I have mentored a number of professionals in the infosec space. In 2020 I decided to take this to the next level. I created the Cyber Mentors, which was focused around connecting both mentors and mentees in the infosec space to help drive the industry forward; there was a massive need for it, it seemed. I had over 66 submissions in the first day my website went live, 7 experienced infosec professionals in the industry agreed to be mentors (thank you guys!), myself included, and we mentored close to 20 developing professionals, which made me really proud. Even more proudly, a lot of the mentees from this program I see are now in amazing roles, being awesome in general within the industry and contributing themselves. The mentorship program ran for about a year and was taken over by larger mentorship and training programs that came about from the cyber security industry.

On the work front, as Nexon built their SOC, IR and other security capabilities I was slowly able to step back and just focus on my business unit. In this year I also had a bunch of health issues pop up, and other family issues, which saw me have to pull back from all presenting gigs and opportunities. Preparing for an event was extremely time consuming, from generation of content to revision and preparation through to flying around presenting. I was a single dad now and trying to get some grip on my health, and by early 2021 I finished my last presentations with ICMI and was 100% off the speaking circuit. It was time to give some others the limelight and focus on myself and my family.

For the next few years my focus was on building my team and capabilities. The world had changed greatly: webapps overtook network testing as the world shifted to mobile devices, APIs and apps, and on-prem infrastructure testing was becoming rarer as opposed to cloud, with everyone on M365 by this time. My team grew to 5 (now 7, I have no desire to grow large super fast) and our engagements and number of clients continue to climb to this day.

By 2021 pentests were the norm industry wide for both big and small businesses, nearly all insurance policies relied on (or at least were affected by) having pentests performed, and cyber risk in general is cemented into all industries and discussed at board level often. I continued to obtain more certs and experience in these years, with certs from CREST, AttackIQ and others, and even to this day I'm still on the tools.

2022 is really when AI and language models took the world by storm. Although AI had been around for a long time (e.g. deepfakes), it never really took off mainstream until this year. This is when ChatGPT launched and everyone started to take notice that this was the next big thing, and when we started to use technologies like ChatGPT in pentesting. We used this for reviewing our code and finding issues in scripts, as well as finding ways to automate tasks and streamline activities.

In December 2023 Gemini was released mainstream by Google (I had been in the beta group since August), which was even better at working with scripts and code!

Now every website out there is using AI-driven bots, we are engaged to test language models, and AI is now built into all mobile devices. I now see cybersecurity tips on the TV nightly, targeted at individuals, arranged by the government. It's unbelievable how much things have changed; finally everyone knows what MFA is! Ha ha. Of course, with any new technology comes new risks and threats, from kids at school using AI to create nude images and bully other kids, through to AI being used in advanced phishing campaigns, deepfakes and political misinformation, but by the same token it's revolutionising the world, allowing defenders to be better at what they do.

I'm very blessed to have had the career that I have had so far. Like everyone, I have made a tonne of mistakes along the way (probably more than most), learnt even more than I could quantify, and I'm still spending many hours each and every day staying ahead of the latest cyber risks, threats and pentest tactics, and I can't wait to see what's to come in the next 10 years. I'll also note that my new book has been completed for a few months now; it's going through the motions with publishers before it's released to the world, so stay tuned. And as always, if you need a team of amazing pentesters to test your organisation's security posture, please reach out.

I hope this post gives you some sweet sweet nostalgia from all those years past and makes you stand back and think, bloody hell, so much has changed!

#danweis #hackproofyourself #nexon #cybersecurity #pentesting #blastfromthepast

David Rodriguez

Cloud Infrastructure Manager at Nexon Asia Pacific | NetApp A-Team Member

5 months

Great write up Dan and what a journey, thanks for sharing and being so open.

Steve Cannard

Local Government Account Manager @ Nexon Asia Pacific | IT and Convergence Sales

5 months

Thanks Dan, that was a fantastic and insightful read from a true industry insider. I have a sense of big things to come - looking forward to the Book!

And yet you're only 21! Amazing!

Glenn Goodwin

Executive Director - Information, Communication and Technology at Victorian Chamber of Commerce and Industry

5 months

Incredible journey. Your post was a trip down memory lane. Red Alert... haven't thought of that in years! You have given so much to the community and I'm thankful for all the insights provided over the years. Good luck with the upcoming book.
