Homework for Hackers: Discover Cutting-Edge Trends in Pentesting and Bug Bounty Hunting

00:00:49:00 – 00:01:04:16
Dan DeCloss
And thanks for joining us on the webinar. A couple a couple housekeeping items. If you have any questions or comments or want to, you know, learn more about anything, just just leave them in the chat and, and we’ll get to them as soon as we can. There is going to be a survey at the end of this webinar.

00:01:04:16 – 00:01:23:23
Dan DeCloss
So we really encourage you to take care, and, fill that out. And, we will announce the Amazon gift card winners, at the end., sorry we’ll announce that actually on LinkedIn we will announce those on LinkedIn. So make sure you kind of stay tuned, to see if you won the gift card. But we really appreciate you joining us.

00:01:24:01 – 00:01:37:02
Dan DeCloss
As you know, as I mentioned, I’m Dan DeCloss, founder and CTO. Mike is our head of AI. Ben do you mind just kind of giving, a brief introduction to yourself because, for those that may not be aware or just, you know, learn more about.

00:01:37:04 – 00:02:03:16
Ben Sadeghipour
So. Absolutely. Hi. I’m Ben. Most of you probably know me as NahamSec. I’ve been doing, ethical hacking and bug bounties, for over a decade. And I can claim that finally, it’s happened, for over a decade professionally. Currently, I work, I do bug bounties on the side and have my own pentesting going on. And also, I’m CEO and co-founder of Hacking Hub where we plan on, training and educating the next generation of hackers.

00:02:03:18 – 00:02:15:16
Dan DeCloss
Awesome. And, Mike, I mean, well, while we’ve had you on on several, the marketing events before and webinars and things like that, please just do another brief round of intros for those that may not know who you are.

00:02:15:18 – 00:02:39:20
Mike Bell
Yeah. Hi. I’m, I’m Mike Bell, head of AI right now at Plex Track. And, yeah. Background in penetration testing and exploit development, that kind of thing. Big data and, you know, eventually AI hacking, things like that. But then, you know, building the AI for Plex track, kind of infusing my, my domain knowledge with what we’re trying to do here.

00:02:39:22 – 00:02:44:01
Mike Bell
So, yeah, just a lot of, a lot of hacking, breaking into places, having fun.

00:02:44:03 – 00:03:07:19
Dan DeCloss
Yeah, yeah. Well, super excited to have everybody here today. And so here’s kind of general, the, the general agenda for today, we’re going to talk about AI and the impact that is that it has both on Pentesting. Attacker advantages or disadvantages. And then also maybe how you hack, AI or just learn just learn a little bit about how it’s transforming the landscape.

00:03:07:21 – 00:03:27:04
Dan DeCloss
Dive into some cutting edge trends that we’re going to see and just discuss and some of the latest advancements and and how people can really start to get into pentesting and, and learn more about Bug Bounty and what are some strategies to keep upgrading your skills and, and because we all know, like like I said, I kind of joked at the beginning of a little out of practice, but I’ve been in this space.

00:03:27:04 – 00:03:45:21
Dan DeCloss
I know how much you have to kind of stand on top of, like, the latest exploits and the latest techniques and and even trying to find, additional vectors for, for, whether it’s in a web app or a pen, mobile app or, you know, you’re more traditional network pentesting, just understanding the new techniques and things that people are using.

00:03:45:21 – 00:04:05:01
Dan DeCloss
So, so that’s our that’s our goal for today too, is just to really help educate, educate the audience and have some fun doing it. So so I’m going to exit out of the slides here. And let’s just, let’s just dive in. First off, like, so for both of you, and maybe we’ll start with Ben.

00:04:05:03 – 00:04:25:02
Dan DeCloss
You know what what what what impact has AI are you seeing AI have, you know, in the in the landscape, you know, since, I guess, like, you know, there’s different forms of AI, but I think probably everyone’s kind of more curious about the GenAI landscape and what impact it’s having on both, you know, pentesting and and bug bounty in general.

00:04:25:04 – 00:04:51:09
Ben Sadeghipour
Yeah. I think with, starting with the bug bounty side of things, one, I guess having a affect in a lot of different ways, one from like the doing things like as a hacker wanting to do stuff, it’s become, I no longer really do Google searches, if that makes sense. And just more going towards like, what about whatever, model I have in the CLI and just typing into my command line because it’s just easier to, you know, just open up CLI, type it in and get an answer for it.

00:04:51:11 – 00:05:13:16
Ben Sadeghipour
That’s one of them. And I also think from like a bug bounty perspective from a bug bounty program perspective, you see a lot of the companies that are super focused on their new AI, you know, chat bots that they want to get tested. And, there’s a huge shift in almost every company you go to. You know, you go to banks that have a new AI assistant, you go to, shopping sites that have an assistant.

00:05:13:16 – 00:05:30:18
Ben Sadeghipour
Right. And I think there’s a shift also in the the trend that it’s become in bug bounties, you know, with the original bug bounty thing was web. Hey, give us your website, hackers are going to find stuff and then. Then I was like, oh, we have mobile apps. Oh, wait, there’s like IoT in cars. And then it was blockchain.

00:05:30:18 – 00:05:52:15
Ben Sadeghipour
And then now you have AI, right? So that’s that trend is happening. And this year I think AI is going to be the biggest trend for it all. And I think it’s probably one of the more I want to say fun trends. Then, you know, you saw blockchain being massive. ASM becoming massive. And I think AI just has more to it than anything else.

00:05:52:17 – 00:06:18:14
Dan DeCloss
So you’re so yeah that’s a that’s a good point. So you’re seeing a trend in not only utilizing AI but also the bounties around it. So as companies are launching their new AI, capabilities, you know, opening up bounty programs around that, are you seeing have you seen any bigger payouts related to those yet or, or what’s, I guess, maybe what’s some of the more substantial findings and reporting?

00:06:18:16 – 00:06:36:09
Ben Sadeghipour
I can’t specifically say, like, the company name, but I’ve been doing a lot of these, different, like, events and private, you know, bug bounties. And you see some of these events, there is an entire category of just AI. You know, the last 3 or 4 events that I’ve gone that are the competitions that hacker one hosts and they pay the millions.

00:06:36:09 – 00:07:00:23
Ben Sadeghipour
The I have always has a bigger bonus, has a bigger payout. And also it’s, you know, fairly done because it’s like it’s a more niche knowledge. You either know how to prompt injection or you don’t. It’s just very hard to find the talent that wants to do in it. It’s just a lot of, it’s like a, I don’t know, it’s a puzzle because, like, I feel like almost every aspect of hacking is a puzzle, but this is a genuine, like puzzle that you have to find ways around it.

00:07:00:23 – 00:07:24:12
Ben Sadeghipour
Right? But yeah, there has been an increase in payouts. And you also have like, you know, the AI companies like OpenAI, who’s got a massive bug bounty program that they’re even, spending thousands of dollars to secure their, their products and their models, too. So, yeah, when I say there has been a massive increase in, those bounty payouts and hopefully this is one of the trends that, sticks, every year with cybersecurity, those change.

00:07:24:12 – 00:07:29:21
Ben Sadeghipour
But I think this one is probably going to be the the one that doesn’t go away after a few years.

00:07:29:23 – 00:07:51:02
Mike Bell
Yeah. Yeah. And I see a lot of even just from the flip side of that, the governmental and the regulation, you know, a lot of companies are putting this stuff in and they want to have, you know, the regulatory framework around it. And so those bug bounty programs and even just the Pentesting, you know, from a consulting side, there’s, you know, it’s increasing.

00:07:51:02 – 00:08:12:05
Mike Bell
And in terms of requirements and with how much it’s proliferated around, like, you were saying, Ben, everybody’s got a chat app. I remember back when I was at Ford, one of the Ford dealerships got it and they said something about, can you sell me a car for a dollar? And the, you know, th AI. Yeah, yeah.

00:08:12:07 – 00:08:17:15
Mike Bell
I definitely I see it as a huge vector for a lot of things. Going forward.

00:08:17:17 – 00:08:28:13
Ben Sadeghipour
Yeah. It also becomes really like interesting to see how it works that compliance. Right. Like, are we going to have AI training in compliance like we did with phishing and.

00:08:28:15 – 00:08:30:12
Dan DeCloss
Things like that?

00:08:30:14 – 00:08:55:05
Ben Sadeghipour
That’s one that I really, I think is going to be big guy if someone’s going to do it, you know, how do I get that trademarked? But I genuinely think there is going to be a need because, I have friends of mine that work in, you know, other industries, and, they are not allowed to use any form of AI at work because, the employer is afraid of them leaking information in there, but people are going to find a way around it.

00:08:55:05 – 00:09:03:03
Ben Sadeghipour
Right? So I’m just curious to see also if there’s going to be a trend of like compliance with AI for, yeah. Companies and trainings, right?

00:09:03:05 – 00:09:26:07
Mike Bell
Yeah, yeah. And I definitely saw that too. You know, where companies knee jerk reaction is to shut off AI don’t allow any access to it. And you know obviously, I’m head of AI, but I do advocate you know, control your AI. Like if you’re going to have it, people are gonna find a way around it. It’s out there. Pandora’s box is open.

00:09:26:08 – 00:09:42:12
Mike Bell
So if they’re going to use it, use it in a way that the organization controls and owns that data that’s being sent to AI, you know, and I see that as like the only way to get it, you know, usage across those environments and the value delivered.

00:09:42:14 – 00:10:05:11
Ben Sadeghipour
Yeah for sure. It’ll be interesting to see how it all plays out. I think it’s just super, super like early stages for a lot of these things. I think like AI itself is progressing very fast, but it’s still from like a consumer. I want to say, you know, like that the individuals that are using it, not everyone’s taking it in, and we don’t know how to train these people that are maybe in cybersecurity, folks make mistake with AI a lot of times.

00:10:05:11 – 00:10:20:19
Ben Sadeghipour
Right. But then what are we going to expect from, folks that are not in cybersecurity, or even like somebody like my, like my mom and my dad that are the older generation that are intrigued by AI, you know, I just introduced my mom to using ChatGPT to translate things, right? I’m like, mom, just speaking to this.

00:10:20:19 – 00:10:27:11
Ben Sadeghipour
They will do it for you. It’s like, oh my God. Like, how do I get this on my phone? Right? But how do we protect those people too? So I think we’re going to see where that goes.

00:10:27:13 – 00:10:49:16
Dan DeCloss
Yeah, I know I think it’s like any technology, you know, I mean it’s always going to stay ahead of like it’s always going to keep a faster pace than any kind of any kind of general regulations can provide. But I think also I think we’re kind of seeing that it’s probably to a degree, I think, you know, self will have some self regulation, you know, as we kind of learn learn more about it in the newer technology.

00:10:49:18 – 00:11:07:13
Dan DeCloss
I mean, so that’s fascinating. You mentioned that like, you like that not only, you know, is it a big craze, but there’s a lot of focus on like, hey, how are we securing it? How have you seen it maybe assist or like, has it has it given you more opportunities as part of like, your bounty hunting and pentesting?

00:11:07:13 – 00:11:13:15
Dan DeCloss
This is for both of you, right? In terms of like adapting it into your engagements and whatnot.

00:11:13:17 – 00:11:14:15
Mike Bell
I would say.

00:11:14:17 – 00:11:16:15
Ben Sadeghipour
I would say, Mike, kick us off.

00:11:16:17 – 00:11:57:01
Mike Bell
Oh, sorry. Yeah. I would say for some of the stuff, it it lowers that barrier to entry. You know, pentesters are hitting all kinds of environments all the time with thousands and thousands of technologies at play. And so an error message or a log message from a random technology that they’ve got a pen test, they think there’s a vulnerability there, but they’re not exactly sure, you know, so the natural language processing and stuff like that about lowing lowering that barrier to entry, I think is really kind of, giving the pentesters and the practitioners a new tool in their tool bag.

00:11:57:02 – 00:12:15:21
Ben Sadeghipour
Yeah. I want to say, similar to you, I think it’s, for like just contextualizing things has been really, really fun. And also so I, I live in the terminal a lot of times. Right. Being able to just pipe my, you know, kernel, for example, I can output from a website that I’m seeing. Maybe I can make sense of it.

00:12:15:21 – 00:12:29:15
Ben Sadeghipour
Right. And just having somebody else, I could get a second look. That is not me and it’s not my friend enough. Have to ask somebody a question of like, hey, do you know what this is? It gives you a really good way to get context of what you’re doing. Say it goes hand-in-hand with what you were saying, Mike, about before.

00:12:29:15 – 00:12:51:07
Ben Sadeghipour
There’s a vulnerability there and things like that. Also, it goes beyond like, I think, context, too. It’s, coming from idea generation and or extending your, your ideas of what you can do with it. It’s really interesting. There’s been a couple of instances of like, I get some file name that I can’t figure out what the the rest of this path could be.

00:12:51:07 – 00:13:08:05
Ben Sadeghipour
Right? And I go, hey, I have this thing, can you guess it? Or, I’m hacking a site that it’s a different language and I need some information in that language because of the endpoints. And I give it a list and I go extend this. And it could do that for me without me having to use a Google translator that doesn’t know the context of what I’m doing.

00:13:08:05 – 00:13:24:13
Ben Sadeghipour
Right. So I think a lot of that as, been massively helpful and honest is becoming like a second nature. You know, 4 or 5 years ago, the first thing you would do is copy paste, copy an error code into Google the quotation marks, and hope somebody else has done it right. I don’t have to do that anymore.

00:13:24:13 – 00:13:38:19
Ben Sadeghipour
Second nature to just pipe it into a tool, give it a question and say, make sense of this for me. And it’s becoming so much easier. And I don’t, I don’t I’m just excited, genuinely excited to see like how much more we can do, especially with the new models that are coming up, not just from like applying AI, right?

00:13:38:21 – 00:13:42:17
Ben Sadeghipour
Just like so much more things you can do with it yeah, yeah.

00:13:42:19 – 00:14:11:04
Mike Bell
Yeah, I saw a post I think this morning, based off of the new 01 preview from OpenAI, and there was a CTF happening and the Docker container actually failed to start, and so on its own, it recommended, you know, starting the Docker container with this command and then typing in cat flag dot txt, which started the Docker container and put in the docker logs the flag.

00:14:11:07 – 00:14:27:21
Mike Bell
So, you know, there was it’s interesting to see the, the different workarounds, you know, that we may not think of all the time that, I’ve seen a lot in CTFs especially, you know, brute forcing the flag instead of actually going to find it, but.

00:14:27:23 – 00:14:29:18
Dan DeCloss
Right. Yeah.

00:14:29:20 – 00:14:46:21
Ben Sadeghipour
Or even that code reviewing stuff, like a lot of times some of these like CTFs, it’s a stack that I’m not familiar with that can just be like, hey, they gave me the source code, like, here’s a code, and I’ve had it give me some really good ideas. I think the last CTF I played, when I got discord, we were looking for something like vulnerability.

00:14:46:23 – 00:15:03:01
Ben Sadeghipour
We had no clue what it was, and they gave me the source code. Finally, they feed it to the AI and it’s like, this could be vulnerable to like, path traversal X, y, and Z. And it turned out to be a path traversal. So it was very cool to see, that quick, like something else. I don’t have to read, you know, massive amounts of code.

00:15:03:01 – 00:15:20:16
Ben Sadeghipour
Give me some idea for especially someone that likes that’s like me that a lot of black box testing. Right. I made it very, very interesting to see like, wow, you were actually off to something good. Like, you actually help me figure this out, and I don’t think there was any other way of doing that besides AI that could get an answer like that, right?

00:15:20:18 – 00:15:42:19
Mike Bell
Yeah. Yeah, I’ve seen it really work. really well, it’s fun to, you know, passing it a payload and saying, oh, obviously this is obfuscated but can you help me break this down and not even say, just decode it, but say, well, it methods were used to obfuscate this. Can you backtrack or reverse what was used? And then you can just go and do those things yourself or have it do it.

00:15:42:19 – 00:15:54:18
Mike Bell
But I think, you know a lot of that. Yeah, it’s really making it. A lot easier for people to kind of not be scared to approach these technologies.

00:15:54:20 – 00:16:10:19
Dan DeCloss
Yeah. No, I mean, it’s it’s it’s fascinating. And I think, but I mean, what’s exciting and also, you know, a little bit nerve wracking is how, how much how accurate it can be in like, writing exploits and, and stuff like that. So it can definitely speed up your engagements and use it to use it to your advantage.

00:16:10:19 – 00:16:29:10
Dan DeCloss
But also knowing that, that the, the attackers and the threat actors are also going to have the same, the same, if not more resources at their disposal. So, so we we’ve talked a lot about AI. I’m curious, you know, what have you guys seen? I mean, are there any other trends, you know, that are that are.

00:16:29:12 – 00:16:44:03
Dan DeCloss
Yeah. That you’ve been seeing kind of the bug bounty and, you know, Pentesting realm. What what are some of the other, things that you may have been seeing recently or, you know, quote unquote, cutting edge. And, and we’d like to kind of see what you think in there.

00:16:44:03 – 00:17:01:11
Ben Sadeghipour
So, yeah, I can talk about that a little bit. I think before we, I think, we met, I was doing some of my report writing with AI. I use cloud for a lot of, so I have this, like, client of mine, and it’s like, hey, we need you to have this report. It’s like Tuesday and like, hey, we need this report by Friday.

00:17:01:11 – 00:17:26:20
Ben Sadeghipour
I’m, like, waiting for the deadline. I’m like, guys, like, I have ten more days. they are like, no, no, no,, we moved our deadline we need it to be done by Friday. Honestly, I never thought it would be doable by giving Claude, like, just a, the topics of each one that appeared anyways, out the endpoints, villain types, and then like the it’s giving those like ten, 15 bullet points and saying, hey, write me an executive report or an executive summary, actually not the report.

00:17:26:22 – 00:17:44:19
Ben Sadeghipour
And then spitting it out was like I looked at it like, oh my God, that just saved me so much time. Because I have to think about like, okay, how do I write this? First of all, because like, every report has to be, you know, it’s different, right? You can’t just give the same summary to every client. So it’s like I just save time not having to worry about the structure of it.

00:17:44:23 – 00:17:59:06
Ben Sadeghipour
I didn’t have to write a single word of it. And you know, you start with that and then you go to the next section. If you go, I wonder if we could give me some good like remediation step, like based on this, once you give it that, it’s like and this is like by the way not it’s a, it’s a model that’s trained for everything.

00:17:59:06 – 00:18:15:16
Ben Sadeghipour
Right. Not it’s not even cybersecurity. They just blew my mind. I wrote this like 30 page report in a matter of like Friday, 9 to 2. And it was like one of the best reports I wrote. And and the client was amazed by it. And, I walk into my buddy’s office and he’s like, dude, you wrote that really quick note.

00:18:15:16 – 00:18:30:19
Ben Sadeghipour
I was like, AI for you buddy, but you know, his immediate reaction is like, did you share the vulnerability? I’m like, nope. All I have to do was give it exactly the vulnerabilities we found, and it just picks up the trend really very easily. And then when I heard from you guys, I’m like, oh my God, where were you guys a month ago?

00:18:30:19 – 00:18:44:11
Ben Sadeghipour
I think I said that to you guys in Vegas. I’m like, oh my God, where were you guys a month ago? And I had to I could do this with Claude. So that’s one of the other ones. It’s it goes beyond that. It’s just, you can give it, something to write and then just someone like me who’s not really.

00:18:44:11 – 00:19:05:06
Ben Sadeghipour
As you know, I don’t practice writing as often anymore. It’s just quick to do that for me. And, you know, again, it’s a model that trained on everything. And it could do that. So that has been a really, really cool one. As far as, like report writing goes, but also with hacking, it’s like you have this tedious task when you do bug bounties that’s like, hey, give us like a profile summary for your for your page.

00:19:05:06 – 00:19:12:12
Ben Sadeghipour
I’m like, I don’t know what I want to write with this. Write one for me. So there’s like writing has been a really cool one with AI. Both ends of it.

00:19:12:14 – 00:19:34:23
Mike Bell
Yeah. And that, you know, that was my big, big desire too. I was like, how can I shorten my report writing? You know, time is money, right? And so, yeah, that was that was a big driving factor behind, behind our integration with, with PlexTrac and AI and just yeah, I noticed like how much time I was spending writing out my own stuff.

00:19:34:23 – 00:19:59:20
Mike Bell
And, not going to say that hackers or pentesters are bad at writing. But I’m going to, but, no, I mean, it’s, it was it was a natural trend, especially for, for PlexTrac to, to kind of have it. So yeah, it’s I probably more than anything the generative stuff I really, I really like because it’s, it really helps me not to have to write those things.

00:20:00:01 – 00:20:18:03
Ben Sadeghipour
So like the number one question, usually when we launch a pentest with us, it’s like, who’s writing this report? And then the bigger the report gets to less like the people that do it. But yeah, that’s, I think it’s just again, like applying I like I love the term I like applying AI has been one that I’ve exploded.

00:20:18:03 – 00:20:32:14
Ben Sadeghipour
on. I’ve really enjoyed it with like different aspect of things. I could write a recommendation letter for somebody not to write one. And I was like, I don’t I’ve never like, I haven’t done one of these like years. And I was like, what do I like about this person? I don’t get boom, boom, boom. There’s like the five six things that this person is great at.

00:20:32:16 – 00:20:40:10
Ben Sadeghipour
And I was like, hey, write a recommendation that came out like, oh my God. Yes. The thing that sounds like you guys sounds way better than I do.

00:20:40:12 – 00:21:11:06
Mike Bell
Yeah. And then like on the flip side of that, cutting edge trends for like the negative, not negative, but the, you know, the attack vectors, it’s like I saw one a couple weeks ago where they were able to get an RCE from an email. They sent an email that had a prompt injection in it. And because, the systems AI, recall, was reading all the emails and, you know, the built in, I was reading all the emails that initiated that prompt injection and then ran that RCE that it was it was told to take.

00:21:11:06 – 00:21:21:23
Mike Bell
And so, yeah, the cutting edge trends in that space to making sure, you know, that, however you’re implementing AI is, is secure and there’s always going to be no attack vectors.

00:21:21:23 – 00:21:41:06
Dan DeCloss
So are there are there are there trends you’re seeing outside of AI? You know, just in general, like in terms of like new techniques or tactics within Pentesting and bug bounty that that are kind of shaping how engagements are moving forward. Or I mean, is, is that is the buzz pretty much all around AI today?

00:21:41:08 – 00:22:01:13
Ben Sadeghipour
I think a lot of it is AI. I think of when you go to like RSA or like Black Hat, you can see where that trend is headed. You see that keyword repeating itself so much throughout the halls. I think with this time it’s it’s very much AI because it’s not like, let’s just say like not to, you know, talk down on blockchain.

00:22:01:13 – 00:22:19:00
Ben Sadeghipour
I know, but let’s just say blockchain, right? I was one of the recent ones, a company that’s, you know, in hospitality, let’s say, I don’t know, like an Airbnb doesn’t make sense for them to get into blockchain. But does it make sense to have AI like help you with like booking things and telling you things about your booking and things like that?

00:22:19:02 – 00:22:45:19
Ben Sadeghipour
Yeah, it makes more sense, but I think there is a lot that could be done with AI. That’s become a bigger trend. And I think a lot of it is shifting that way. It’s not to say, you know, they’re not any new web hacking techniques coming out. No, there aren’t a lot of them coming out. I think, every everything that we see, though, with web is an extension of previously done research with AI, however, or with blockchain, when these trends happen, you get a reset.

00:22:45:21 – 00:23:00:12
Ben Sadeghipour
You get a reset of research that could be happening based on this new trend. So with AI, it’s just there’s so many things that you can do that it just, it was just like similar to where you have your, your, your server side that you have your database format. But if you have your client side, what that is.

00:23:00:12 – 00:23:16:22
Ben Sadeghipour
Right. And what happens also with AI. And then I think this is just giving us a reset into what we can research wise, whether it’s in cybersecurity, whether it’s, you know, the impact of AI in our lives and everything like that, right? With with social studies and things like that. I think it gives us a really good reset of starting brand new research.

00:23:17:12 – 00:23:20:21
Dan DeCloss
Yeah. No, that’s I mean it’s fascinating. So

00:23:20:23 – 00:23:31:14
Mike Bell
That was unfortunately I heard one of my kids refer to it as just ask chat not even chatGPT. It’s not AI, just ask chat like yeah yeah.

00:23:31:16 – 00:23:56:03
Dan DeCloss
No I mean it’s definitely going to continue to have an impact and everything or everything that we do. Let me shift gears a little bit and maybe get into a little bit more hands on, or just kind of like, even more in-depth on some of the technical stuff, you know, the whole, the whole notion of this webinar was to, to kind of talk about some of the cutting edge trends and, you know, learn a little bit more about how AI is making that impact in Bug Bounty and Pentesting.

00:23:56:03 – 00:24:19:19
Dan DeCloss
But how would how would we, encourage someone to A) get started in Pentesting and bug bounty and then, you know B) kind of continue to level up their skills? What are some tips and tricks that, that you can share that you guys can both share kind of with the audience? And if there’s anything that we wanted to demo or I don’t, I, you know, if there’s anything you wanted to share that there would be kind of like, hey, this is these would be some great resources here.

00:24:19:20 – 00:24:24:16
Dan DeCloss
Like, would love to learn a little bit more from you guys.

00:24:24:18 – 00:24:36:22
Ben Sadeghipour
Yeah. I mean, you want to kick us off with pentest? I think the two approaches are different with pentest and bug bounties. I mean, maybe yourself with Pentesting and then I could talk about bug bounties. There are similar, but I think they’re different some ways to.

00:24:37:00 – 00:25:08:14
Mike Bell
Yeah, yeah. I mean, from a resource perspective, there’s, you know, a bunch of companies that are putting out courses and stuff to to get spun up on it and, you know, just I can say the, the best way to go after it is just ability yourself. And you can see where the, the vulnerable points are. But you know, companies like, SECOPS group and, you know, a few other ones are offering LLM and AI hacking courses.

00:25:08:16 – 00:25:30:12
Mike Bell
And so, you know, there’s great resources out there for that looking on, Hack the Box and things like that. I think they’ve got a couple coming up that are going to incorporate that. So, and then, you know, the, the hub of all knowledge YouTube. So, but, yeah, I would say there’s, there’s a bunch of information out there right now and it’s just, just got to get after it.

00:25:30:12 – 00:25:33:05
Mike Bell
Like everything else in cybersecurity.

00:25:33:07 – 00:26:02:06
Ben Sadeghipour
Yeah, I think the days of like not having enough resources for learning is like a day like long gone, you know, eight, nine years ago and now ten years ago, when I first started, you had like, your DVWA, you know, damn vulnerable web app. But then these platforms weren’t out yet. I think, most of the platforms that you mentioned, they are so in like the late 2016, early 2017, I want to say, there’s, there’s still, you know, practically new, so, yeah, I mean, YouTube is a great one.

00:26:02:06 – 00:26:17:03
Ben Sadeghipour
You have all these, you know, great content creators that are out there. You have your John Hammond, you have, cyber mentor, you have stoke, you have the insider, you have all these different people think you can I can just name I in my industry at least, you can go and watch and learn from with Bug bounty.

00:26:17:04 – 00:26:36:17
Ben Sadeghipour
The cool thing is, you know, with with with a pentesting gig or you want to become a pentester, it requires you to get a job as a pentester, right? You have to apply, become a pentester, or you launch your own firm, you get a client and then you you can do that on your own. The beauty of bug bounties is that you don’t have that barrier to entry anymore.

00:26:36:19 – 00:26:53:21
Ben Sadeghipour
You can start doing bug bounties right off the bat if you’re. I do not want to glorify and encourage people to go work for free hacking on a program where they don’t pay you. But if you really want to learn how to hack, you have these real companies with a real infrastructure that they’re asking you to look for vulnerabilities.

00:26:53:23 – 00:27:07:03
Ben Sadeghipour
They’re less than your bug bounty programs because, you know, people like myself and the hackers are doing this for a living and for their wages, they’re not going to go look at these MDPs. But that’s how I started. You know, there’s a couple of VDP programs and a couple of bug bounty programs that I hacked on. All of them.

00:27:07:03 – 00:27:24:09
Ben Sadeghipour
The the bug bounty was to, you know, make some extra cash when I was in college so I can pay my bills. And then the VDP is where like the CTF, like, I just want to learn how to look for explainability. You know, why? Method, whatever that is. Do you have that. And it’s, it’s it’s very much more hands on and it’s just, you know, up to you to go ahead and do that.

00:27:24:09 – 00:27:46:17
Ben Sadeghipour
But I think the, the key to all of it is the consistency of staying consistent. Whether you are learning, whether you’re hacking, whether you are taking a break from hacking, but you have to stay consistent with it. It’s really hard to grasp it, you know, a method or, a vulnerability type if you do it on a Monday to learn the basics and then you go back to it like on Friday or Saturday into, like practice it.

00:27:46:17 – 00:28:07:08
Ben Sadeghipour
Right. So you got to stay consistent with, you know, I’m not saying burn yourself out. I’m not saying, you know, spend eight hours, nine hours a day doing it, but just make a schedule for yourself or, you know, make a goal for yourself. Having a schedule. Set a goal for a set that I want to learn this and I want to find this one, that ability and then go after, a lot of those different, you know, the resources that are out there.

00:28:07:08 – 00:28:36:15
Ben Sadeghipour
I actually do have a, free, you know, completely free, resource. And I can’t share on Zoom, unfortunately, it’s not available for my permission. It won’t let me do it because I just reinstalled Zoom. But I can put it in the chat. Maybe, one of you guys could show it on here, but if you go to GitHub and you look it up on there, my, under my, GitHub repos, it’s called, you know, NahamSec’s bug resources, and it’s beyond bug bounty is it just allows you to just look at everything that’s out there.

00:28:36:15 – 00:29:01:09
Ben Sadeghipour
It goes from talks or YouTube channels, you know, to different platforms, to courses that are free to resources that are free, that have been created. And I curated that with a bunch of people in the past. Yeah. There we go. That’s just absolutely for free. If you scroll down, it’s categorized at the bottom. It’s, you know, you can you have your books, you have your blog posts, you know, it breaks down into different, categories as well.

00:29:01:09 – 00:29:15:04
Ben Sadeghipour
I think this is a really good place to start. And I also pointed to labs that you can learn, there are a couple of really good ones out there that you can pick. It just comes down to what you like, you know, how you absorb knowledge on your own and just picking that out and choosing it, right?

00:29:15:06 – 00:29:22:02
Mike Bell
Really recommend HackTricks. Good, good resource list.

00:29:22:04 – 00:29:24:11
Dan DeCloss
As anything. Yeah. Oh go ahead.

00:29:24:13 – 00:29:40:22
Ben Sadeghipour
No. That’s like a bug bounty. And then there’s like a second step of it is like to I have this like four step, my kind of four step plan. It’s like, I think it’s anything you do. It’s one it’s like you learn things, you know? You know, you get started, you learn to get better, you get good, then you start contributing.

00:29:40:23 – 00:30:01:05
Ben Sadeghipour
Another the third tip is the biggest one, you know, you first, you start absorbing everyone’s content. You go on Twitter, you read their blog post their research, you go on, you know, hacker one, and you look at the schools reports from other hackers. And then the third is like you actually contributing to that. And that’s something that really helped me in my career was okay, I know how to do all these ones.

00:30:01:05 – 00:30:24:19
Ben Sadeghipour
Where can I do research? I started doing, you know, the my have my biggest and most favorite time. It was I really dug into SSRFs, server side request forgeries. We realized like PDFs are vulnerable to them. You know, you find all these different libraries that are going on with different techniques to exploit them. And I spent a year researching that that was not only helping me learn, but also had contributed to the entire ecosystem of bug bounties because other people are.

00:30:24:19 – 00:30:46:19
Ben Sadeghipour
I know we’re using that research to find vulnerabilities for themselves. And when you start to explore, research or just learn things in a deeper, level, it becomes easier to explain to people. And I think, you don’t know, technical content until you can break it down so you can explain it to, a 9 or 10 year old who’s on a computer like, hey, what is, what is XSS?

00:30:46:21 – 00:31:02:12
Ben Sadeghipour
It’s kind of hard to explain that if you don’t know it in depth. Right. So that was the thing that, like, really helped me not only teaching people and doing research, it just really helped to understand them in a deep, way. It’s I can also understand it better for myself.

00:31:02:14 – 00:31:24:09
Dan DeCloss
Oh that’s fantastic. Yeah. And and I’m just sitting here thinking like, wow, there’s, you know, this is what’s this is what’s fun about our community. Is that like, the people are just are willing to share share the knowledge and share the resources. You know, we did a we did a separate podcast with, a gentleman where, you know, thier credo was like, hey, you know, the knowledge that we learned, we want to share with the world.

00:31:24:09 – 00:31:46:15
Dan DeCloss
And I think that’s I feel like that’s fairly unique in a, in the security space, but but, I mean, such a big part of who we are as an industry and so like one appreciate this, all that, all the resources you just shared. But but I think also what’s important like this was this was kind of where I was early on in my career was, well, I’m just learning all this stuff.

00:31:46:15 – 00:32:14:02
Dan DeCloss
I don’t I’m not sharing anything new, like, you know, like I don’t you kind of get that imposter syndrome was like, I don’t have anything really to share. And, I think it’s an important, like aspect to focus on that. That’s not true. Like anything that you’ve learned, there’s probably somebody else that still wants to learn that too, you know, and, and, and even the, the veterans or the, you know, the folks that have been around a long time still have to find ways to learn new things.

00:32:14:02 – 00:32:32:11
Dan DeCloss
And so so it is it can help perpetuate the cycle, like, you know, even more, even more new and, emerging talent, can identify research in, in elements that they think is not novel, and may not be novel, but it still is a benefit to everybody else. Right?

00:32:32:11 – 00:32:48:05
Mike Bell
So yeah. And I mean, what I found too is like, sometimes the best time I learn is when I’m mentoring somebody, you know, and I’ll be walking them through something and have a light bulb go off and say, oh, I didn’t even think to do it this way. Let me write that down and try that out later, you know?

00:32:48:06 – 00:32:58:05
Mike Bell
So yeah, they’re giving back to the community and mentoring and it’s, it’s a great community for that. And I think it’s unique as well in that respect.

00:32:58:07 – 00:33:16:13
Ben Sadeghipour
And I can relate to watching this like, oh, well, I don’t have any like cool research or bug bounties. I’ve done that. I can write honestly, like even going and solving a CTF, whether it’s an easy, medium, you know, hard people are still going to look for those, you know what you were saying earlier than I’ve like, even though you have solved it, maybe somebody else wants to learn from it.

00:33:16:13 – 00:33:39:23
Ben Sadeghipour
Honestly, that contributes. And it’s also just such a good place to showcase your talent, what you put on your resume and showcase your research, showcase your your skills or soft skills not only as a hacker, you know, technical stuff, and also being able to write that out and give it to other people to absorb and learn from. And I think it could even be that, there’s so many times that I, I’m looking for a technique that there’s two ways that I search for things outside of using AI.

00:33:39:23 – 00:34:01:03
Ben Sadeghipour
It’s like, I want to look for this specific research. I type in whatever research name bug bounty, but then I like whatever research way CTF, because there’s a CTF or a real scenario out of this thing that somebody has solved. And there are times when it’s like the super simple CTF that people just index on their blogs. So people that I watch and it’s like it doesn’t, I don’t it doesn’t have to be discouraging.

00:34:01:03 – 00:34:18:01
Ben Sadeghipour
Like I encourage you to write down your, your CTF that you find that you you solve, that you participate in, you know, CTF for a conference, for example, or whatever platform that you have hacked on, write those down. It just helps other people. And also you realize like, how did I come to this conclusion? How do I explain it to someone else?

00:34:18:01 – 00:34:31:00
Ben Sadeghipour
Right? Because we just come up with random thoughts and sometimes it works. Right? You just it’s whatever sticks, whatever you throw out the wild sticks. That also helps to tell people like your perspective, too. So I think perspective is a big deal, especially in our field.

00:34:31:02 – 00:34:48:10
Mike Bell
Yeah. And consistency, you know, there’s plenty of people out there that I’ve seen go from zero experience. And, you know, they’re putting Twitter posts out there every day saying I hit the Hack The Box box. I think there was one guy named Jacob Crowell. He, you know, I saw his post for a year before he even got a job.

00:34:48:12 – 00:35:01:11
Mike Bell
And it was that consistency. You know, it’s it’s, setting out to do something and doing it continuously. You’re going to learn how to do it, at the end of the day. So, yeah, I really echo what you’re saying.

00:35:01:13 – 00:35:22:08
Dan DeCloss
Yeah. Well, and I think, you know, all that and then just continuing to stay connected to the community, you know, I mean, you know, getting involved in local, local chapters of, you know, whether it’s like Defcon chapters or even like the science behind things like that, you know, and, and almost every one of those events is putting on CTFs too, right?

00:35:22:10 – 00:35:43:08
Dan DeCloss
I mean, so, so opportunities exist all over the place to kind of keep, keep testing your skills. And then and then being able to take advantage of some of the courses that are new and emerging. You know, we mentioned some of the other resources, but, you know, we had Jason Haddix on awhile back, you know, related to AI and some of the work that he’s doing.

00:35:43:08 – 00:36:12:15
Dan DeCloss
And he has an he has a new course, you know, all around purple teaming and using AI for that. And so so that’s what’s fun is like you just continue to see, everybody continue to contribute to helping us learn so that we can accomplish the mission. Because I think what I think what’s fairly unique about our space is that regardless of who we work for or like, you know, in what industry, we’re all we’re all on the same mission of of helping those organizations be more secure.

00:36:12:16 – 00:36:24:13
Dan DeCloss
Stay safe against, you know, you know, the modern threat threat actors and threat techniques and, and, so you always have to kind of stay one up and you can only do that, you know, through the community that we have. Right? So.

00:36:24:15 – 00:36:43:10
Ben Sadeghipour
Yeah, I would also mention, like, you kind of talked about the CTFs that happen at other conferences. A lot of times those CTFs are also available if you don’t attend a conference. And B) there are so many cool like Discord communities now out there that you can join and do CTFs where, you know, I know my my Discord has that.

00:36:43:10 – 00:37:10:14
Ben Sadeghipour
I know Johns discord does that. There’s a couple of them that do it. There is a bunch that you can just join and they have their own, like, quote unquote teams that you can join and join. The cool thing about this is, like, you either find you make friends to do CTFs is one of the things that really helped me with my bug bounty hunting was I just created my own community because there wasn’t a community back there, but I found a couple of people that were like about the same level, maybe a little bit higher than I was when I was first starting, and I was showing them things that I thought

00:37:10:14 – 00:37:29:10
Ben Sadeghipour
everybody knew, and they’re like, no, how did you think of this? And then they were doing the same thing for me, right? So just a collaboration of finding someone that you can hack with and, you know, maybe you’re doing the same, you know, a web CTF or the same like level on the CTF and you can collaborate with just making that friend, making those connections and also just bouncing ideas off of each other as like massive.

00:37:29:13 – 00:37:38:03
Ben Sadeghipour
So I recommend if they’re looking for a subcommittee somewhere or, you know, if it’s not local in person, discord is a great way to, you know, to go after it.

00:37:38:05 – 00:37:38:23
Dan DeCloss
Yeah.

00:37:39:01 – 00:38:00:06
Mike Bell
And I mean, back to being an open community. Like, I know hackers look scary, but we generally want to talk to people. So reach out and make that connection because I have not met really anyone, since coming into this industry that has ever been like, no, you can’t do it. Everybody wants to help. Everybody wants to help the next person out.

00:38:00:06 – 00:38:01:06
Mike Bell
So, yeah.

00:38:01:09 – 00:38:07:15
Ben Sadeghipour
Yeah, I think we’re a very inclusive, community. And the other thing is, I think we’re all like, at some point we’re misfits in our lives.

00:38:07:17 – 00:38:10:19
Mike Bell
But I’m not going to comment on that one.

00:38:10:21 – 00:38:29:19
Ben Sadeghipour
I think you just I think we just all misfits at some point our lives, but we always want to find our, our people that we want to, you know, to hang out with. And we always want to fit into a community. And I think that’s what makes our community so, welcoming is because you have all these different subcommunities, all these different villages that, you know, like Defcon that have their own communities.

00:38:29:19 – 00:38:40:14
Ben Sadeghipour
And, and each of those people, each of those communities at defcon have their own sub communities. And it’s just I think there is a place for everybody. We just have to find your, your friends.

00:38:40:16 – 00:38:45:02
Mike Bell
Yeah. And with a new venue, there’s more space.

00:38:45:03 – 00:39:08:03
Dan DeCloss
Yeah, yeah, yeah. Well, this has been great. You know, I mean, I think I think, you know, we kind of set out to kind of talk through, the impact that AI is having on this, on the industry had it, you know, in any in the cutting edge trends that we’re seeing in the space, I think, you know, we talked a lot about, you know, what what AI, the impact AI is having on those on those trends and what we’re seeing in Pentesting and bug bounty.

00:39:08:05 – 00:39:28:18
Dan DeCloss
And then also how to continue to keep your skills up level and, and the resources that are available. So, I mean, I really enjoyed the conversation. I also I think we kind of plugged it in, you know, throughout the conversation. But obviously, you know, PlexTrac, you know, we can really assist you in your report writing capabilities and aggregating data across your tests.

00:39:28:20 – 00:39:49:08
Dan DeCloss
And we do have an AI module that helps automate the report writing process. So, it’s shameless plug, but, definitely, if you’re interested in that, you know, please, please give us a holler. Check us out at a demo. Ben is there anything, anything you want to share with the audience or about other resources and things that you’re working on that that, that you wanted to grow?

00:39:49:10 – 00:40:05:08
Ben Sadeghipour
Yeah. I mean, the resource that I shared on that page has almost everything that I’ve collected over the years, hopefully is going to get a massive update soon. Other than that, I, that I mentioned, I’m, I have a company called Hacking Hub. Most of our resources are free. I think that 90% of it is free. There’s a lot of different modules, that you can try out again.

00:40:05:08 – 00:40:14:20
Ben Sadeghipour
You just have to sign up with an account and everything else is free. But that’s about, I think, a lot of our resources are, you know, for our community, it’s free. And it’s great to see everyone’s contributing to it. So.

00:40:14:22 – 00:40:37:19
Mike Bell
Yeah. Yeah. And I think I called it out last time I was on one of these, but, you know, infosec Black Friday, if you go look up that that GitHub repository, it has the last few years of different infosec deals, accounts and things like that during Black Friday. And it’s a great way to uplevel your skill set, you know, without impacting your wallet super hard.

00:40:37:19 – 00:40:40:07
Mike Bell
So I always recommend that.

00:40:40:09 – 00:41:01:04
Dan DeCloss
Awesome, awesome. Well, this has been a great, great, great conversation. Great webinar. I hope it was valuable to those that joined us today. Stay tuned for the winners of the Amazon gift cards. We’ll announce those on on LinkedIn. And just wish you guys the rest of the a great rest of your day and, happy hacking as you as you continue to uplevel your skills.

00:41:01:06 – 00:41:18:22
Dan DeCloss
Ben, thanks so much again for joining us. We appreciate your time and you know, all the knowledge that you have to bring. And and I look forward to, chatting with you all again soon.