
Cube Talks: April 24th, 2026

Cube Talks

Disclaimer: This transcript was generated with AI assistance and has been manually reviewed and edited. Despite best efforts, some inaccuracies may remain — please use your best judgement when referencing specific statements.


TL;DR / TL;DL: Various special guests join to discuss the XP/ranking system, AI, and more community topics.

Listen on Spotify: Cube Talks – April 24th, 2026


FalconSpy: Hi, everyone. Welcome to this week’s Cube Talk. I’m your host, FalconSpy. This is your opportunity to ask our panel of staff and volunteers any questions you might have about Hack The Box and the services that we offer, as well as InfoSec in general. We’ll do the best we can to answer as many questions as we can within the next hour. You can use the /CubeTalk command to ask your question to our panel of staff and volunteers. You can use that same command to upvote questions. Questions are typically first in, first out, unless upvoted to the top of the queue. We’ll introduce everybody here on the panel, so if you have any targeted questions you want to ask them, you can. For this particular part of the segment, the first 15 minutes or so, we will be taking questions about the XP and ranking system, and then we’ll jump to the standard format. So without further ado, we’ll start off with Fonsde.

Fonsde: Hi, guys. Yeah, I can introduce myself. I’m the product manager for the Labs team, so we just launched the XP stuff. It’s been something that we’ve been discussing for quite some time. I mean, the primary goal there has been to, you know, touch more on the beginner side. That’s why we don’t have a leaderboard and we don’t plan to have a leaderboard around the XP. So that’s the main, you know, the main reason behind the XP. We know that a lot of people grind on retired content. We also have Academy users playing there, and we didn’t have some sort of a consolidated system to, you know, showcase what people are doing there.

FalconSpy: And then we got 0xdf.

0xdf: Hey, 0xdf. I used to work at Hack The Box for about four and a half years, where I was a lab architect, and now I work in AI safety.

FalconSpy: And we got ChadB.

ChadB: Good morning, everyone. ChadB Noob here. Former blue team pen tester turned red team operator, and my first assignment is literally Hack The Box Genesis. So I’m, I’m always a noob one way or the other.

FalconSpy: Then we got Jex.

Jexx: Hey, what’s up, everybody? My name is Jexx. I make cool things and listen to the things that you all have to say to make cooler things. That is my job. If you want the technical part, I’m on the marketing team, but sometimes I feel like I’m on the community team too.

FalconSpy: And then we got Zeyad.

21y4d: Hey, everyone. I’m Zeyad. I’m from the academy team, and I’m here for any academy-related questions.

FalconSpy: And then Ryan.

0xRy4n: I’m Ryan. I’m the head of TechOps. I do automation and internal tooling and business-y stuff that helps keep the company going.

FalconSpy: And I am FalconSpy. Like I said, I’m one of the community specialists here and the host for these Cube Talks. Also a full-time red teamer at Oracle. So, broken record part: use the /CubeTalk command to ask your question to our panel of staff and volunteers. You can use that same command to upvote questions. For now, please just ask your questions if they’re related to the XP and ranking system, since we just released that. And then once we’ve either run out of those questions or we’ve hit the 15-minute mark, we’ll switch to standard questions. Yeah. So we’ll go to any of those questions if there are any. And there are currently none for the XP ranking system right now. So I think everyone gets it. In the meantime, I guess, while we’re waiting for those to come in, you know, Dan, do you want to talk about the XP and ranking system and how they might differ? Which one is the preferred one to look at to determine how well you perform?

Fonsde: Sure. Yeah. I tried to give an intro earlier. So the whole idea behind the XP system is to, first of all, motivate people to, you know, play easy. Because, you know, when you start, you probably start with retired content, you look at write-ups, etc. So that’s not depicted anywhere on the platform. And we do have a lot of beginner users, right? So before you can actually showcase something, you know, compete on seasonal, you start from there. So the whole XP system is based on that to keep you engaged, motivated to, you know, give you that dopamine of achieving something. And also link it to Academy. So right now in Academy, we never had anything there apart from, okay, obviously if you managed to get the certificate, there would be something to showcase. But so far, we didn’t have anything to, you know, well, we had the sticks and we actually took that and made it a consistent component, a common component between Labs and Academy. So I think this joins together the learning part. So basically, the way we see things forward is you kind of have the XP progression, which is more like the personal fun side and, you know, a thing you can check to see how you progress your CyberSec progress on the platform. And we, of course, have the main thing for the hardcore players, the seasonal stuff. So that remains the most, I guess, the prestigious thing you can claim on the platform, right? So achieving Holo and, you know, top positions on the seasonal is still the main thing.

21y4d: If I may add one thing here, you know, to what Dan said, one of the main differences between Academy and Labs is the competition part of it. So in Labs, there’s a competition and leaderboard and everything. And obviously, this does not apply to Academy or to any, let’s say, university and so on. But the gamification part of it is definitely there in both Labs and Academy. And I would say that XP is a big part of enhancing gamification on Academy, which makes it much more fun to learn and much more fun to progress, in addition to giving you milestones so you can easily tell how much you have progressed in the past, you know, few months or so.

FalconSpy: All right. We had a couple of questions come in while you guys were talking about it. So: the new XP system is cool and all, but they do miss the clear indicator of progress of the legacy rankings. Is there any plan to show a small progress bar showing where someone might be towards the next rank?

Fonsde: Is he referring to the legacy ranks or the new ranking system?

FalconSpy: Yeah. So I guess the legacy ranking system, as you were trying to level up from hacker to pro hacker, there was the progress bar. They’re stating or asking, will some type of progress bar be added for the new ranking system?

Fonsde: Yes. So all the functionality about the legacy rank is still in place. We’re just not showing it anymore on the dashboard. So you can still see your legacy rank as a label on your profile. Of course, we don’t visualize that. And it’s kind of an open door of what we’re going to be doing in the next couple of quarters. So I think, you know, we’re going to go down, check on feedback. We’re probably going to be running surveys next few months, and then make a decision as to what we’re going to be doing with this.

FalconSpy: All right. Next question here was cool stuff with unifying everything in terms of ranking. How does it make sense? This individual says they are currently a level 55 professional, but a script kiddie with the old legacy system at the same time. Not very intuitive for them. So how does it work?

Fonsde: So, yeah. So the legacy rank was very much a competitive thing, right? So you had to solve active content to progress the ranking system. So essentially the percentage of the active content. For us, competition now is seasonal. So that’s kind of what we see forward, right? So we give the opportunity for everyone who wants to be competitive to compete on seasonal. You know, if you focus for 12 to 14 weeks and you achieve a very good rank there, it’s something you can showcase forever on your profile. So this is like the go-to thing for competitive stuff. Now, when it comes to the XP stuff, it’s definitely something you should be showcasing because you’ve been grinding to reach that level. It shows commitment. Probably you might have done also stuff on Academy. So this is still an important thing, but of course, it’s not something to compare against the seasonal and the competitive runs.

FalconSpy: All right. The next question is, is there currently a webpage available for people to see all the current levels and how the new grades work?

Fonsde: Yes. So the new system is quite simple. So there’s no decay in terms of the XP you accumulate. The link should be somewhere on the blog post. So if you go on the blog post, I think there’s a, you know, it’s probably one of the latest blog posts we made. It should have everything in there about, you know, all the ranks that exist, how much XP you need and how you can get XP. So everything is pretty much straightforward. It’s very much simpler than, you know, the legacy system with the points and how we were computing them.

FalconSpy: So for those actively here, it’s in the chat, but for the recording later, it’s hackthebox.com/blog/xp-points.

Multiple Speakers: I think in the chat is both the, um, the blog post and also the help article. So if you’re listening to this, help.hackthebox.com, search XP, you’ll find the help as well.

FalconSpy: All right. The next one here. Are there any considerations for making lab ranks, uh, such as Script Kiddie, Hacker, more prominent on profiles again? Uh, and then they say they do like the new XP ranks.

Fonsde: Yeah. So as I said earlier, this is like a, you know, an open question, what we’re going to be doing with the legacy ranks moving forward. So, you know, we’re going to be, you know, getting feedback. Uh, we’re going to let this run for some time as is. I mean, the legacy ranks are still visible on the profile, right? So they might not take the same real estate as they used to, but they’re still visible. Uh, but when it comes to what we do with the legacy, uh, ranks moving forward, then the leaderboard, you know, it’s an open question, but, uh, we plan to collect feedback and take some decisions based on, uh, taking the community’s feedback into consideration.

FalconSpy: I think we have one or two more current XP ranking system, and then we’ll switch back to our normal things. Our normal, you know, any type of questions we have going, but, um, how are teams and points ranking calculated on the labs now with the new system?

Fonsde: So the XP is completely personal. So we don’t have team XP. Uh, I’m not sure if we’re going to be doing team XP to be honest. Uh, yeah. So nothing has changed when it comes to team rankings. And, you know, as I said, we haven’t touched any of the old mechanics. It gets more, they get less visual, uh, real estate, but nothing has changed. And, uh, yeah, there’s no plan to do team XP, for example.

FalconSpy: Uh, how does the ranking system balance beginners versus experienced players to keep it fair?

Fonsde: That’s the thing. It shouldn’t be looked at, uh, from that angle. Like, you know, uh, linear ranking or, uh, leaderboard systems for that reason.

FalconSpy: Can you, can you repeat that a little bit? You just, uh, Yeah, you became robotic at the beginning.

Fonsde: I’m sorry. Uh, so yeah, since we don’t plan to do any sort of leaderboards around XP, I think people shouldn’t be looking from that angle. So if you’re a competitive player, uh, you know, I wouldn’t look at that. I would, you know, just check what’s going on with seasonal, right? So imagine you, you go into a game and you have like two modes to play, right? You, you’ve got the, you know, play solo type of thing or play competitive. Right. So that’s kind of how I separate those two.

FalconSpy: Uh, if a personal account is linked to an enterprise account for Academy, when they request to have the personal account disconnected from enterprise after switching jobs, what happens to the rank?

Fonsde: So it’s not actually, we did have a similar issue today. Am I breaking?

FalconSpy: I know you’re good. You’re, you’re good, Den. Keep going.

Fonsde: Okay. Yeah. So we, I think we did have a similar issue in the past that we need to look into. Uh, but essentially the XP goes along with your main account, right? So the XP is calculated for the HTB account. So it doesn’t really care where you got the XP from, right? So even if you, let’s say you leave a company, you know, the XP stays on the HTB account, as long as, you know, you still have access to it. And that’s kind of how it’s meant to be used, right? So you have the HTB account used with your personal email, and then you try to join it with some enterprise account. But yeah, any XP, any owns you do with your HTB account stay with your HTB account. So you don’t lose any of that.

FalconSpy: All right. Uh, so we’ve hit the 15-minute mark. So that concludes the special segment about the XP and ranking system. That doesn’t mean you can’t keep asking questions about it, but we’re going to open things up to the standard format of whatever questions you have. Feel free to ask it to the bot using the /CubeTalk command. And we’ll go from there. Um, that being said, there is still another XP ranking question. So we’ll just go answer that. Uh, what specific actions or achievements give the most XP with the new system? What behaviors are you trying to incentivize?

Fonsde: Yes. So we’re trying to incentivize. One of the things I forgot to mention is that, uh, we never, uh, added Sherlocks as part of the legacy ranking. So for those who, you know, do blue stuff. So the reason was that we always planned to have some, uh, new system come in place. I mean, it came, but I guess it was a bit late, since the launch of, uh, Sherlocks. But what we’re trying to incentivize is basically people to look at all types of scope, all types of content, right? So, you know, all types of content will reward XP. Right now we are working on adding Sherlocks and Pro Labs into the mix that will reward XP. Uh, but yeah, so incentivize, incentivize looking at any type of content, Labs, Academy, you know, everything. And also, yeah, I think that’s mainly it.

FalconSpy: Yeah. So the, we, we could, well, I guess you said it. So yeah, the XP system will eventually incorporate Sherlocks, and instead of it being awarded on completion of a Sherlock it will be per question. Um, so I don’t know if you want to share when that’s going to be available. Den, typically our disclaimer is we don’t share things, um, just because we don’t want to give anything away or if we miss a deadline, but, um, if you want to talk about it, you can. You are the primary shareholder or stakeholder for it.

Fonsde: Um, yeah, I mean, our goal is to get this done this quarter, guys. So, I mean, we’re actively working for it. So, uh, you know, I think first we’re going to be having the Pro Labs because it’s already in progress. And soon after we should also have, uh, Sherlocks in the mix. Uh, and as, uh, as Falcon said, the reason we didn’t launch with Sherlocks is because of a technical constraint. We do want each task to give, uh, XP. Because right now we could launch with, you know, getting, uh, you know, a bunch of XP at full completion, but I thought it would be a lot nicer to discuss this with Andy, uh, to reward XP every time you solve, uh, an individual task.

FalconSpy: Uh, next question here, uh, going back to standard stuff here. Will there be translation for module content on Academy? Uh, the automated browsers translation is quite terrible.

21y4d: Um, yes. When? Soon.

0xRy4n: A definitive answer. We rarely see those.

FalconSpy: TBD. Okay. So typical disclaimer for anything Academy or whatever, like I was saying, uh, we typically don’t disclose things we’re working on or give deadlines in case we miss them, so people aren’t angry with us and we don’t give anything to competitors. We typically fall back on that disclaimer, but I ask the questions anyway, and it’s up to the major stakeholder if they want to answer it. So there you go.

21y4d: And it looks like the bot crashed on us.

FalconSpy: There we go. All right. There we go. Uh, this individual’s college is, uh, they have an email for their college and their website where they are attending. Um, but it doesn’t look like they can add the student discount to their current, uh, account on Academy. How can they go about making sure that they get the student discount?

0xRy4n: Yeah. So it’s real simple. Um, go to Academy. Open up the support chat. There is a button. There’s a specific button for this for student subscriptions. You’re going to click that button. It’s going to ask you some questions. Um, basically it’ll go to our support team. Um, if you have an academic email, so you have an email that can receive emails, because not all institutions actually allow you to receive emails. Um, if you have an email that you can receive emails to, um, we will validate that, um, domain, that it’s a real academic institution. You will be able to add it to your account, and that will then unlock the, um, the discounts. Um, if you’ve already done that and you don’t have the discount, you still have to contact the support team because it just means it’s not in our database. If you don’t have an academic email, um, our support team can verify your status as a student through other means. They will work with you to find a way to verify that you are, um, an actual student. So either way, open up the support chat, click the student subscription button, and they’ll sort you.

FalconSpy: All right. This is an upvoted question for someone starting in cybersecurity today. What learning path would you recommend to progress efficiently?

21y4d: Um, if they are starting with Academy, we highly recommend the CJCA path. We created it specifically for this, uh, and it does not require or expect any kind of skills before you start it. So you can just create an Academy account, finish the Intro to Academy module, so you know how to use the platform, and then just start this path. And hopefully by the time you finish it, you should be able to do CPTS, CWES, and CDSA, the intermediate-level certifications.

FalconSpy: All right. This next one, the individual has been a software engineer for the last 20 years or so. They are considering changing careers to join the offsec field, mostly towards malware development, engineering, and red teaming. Any advice, uh, that you can provide to ease or speed up this career switch? Is this realistic considering they’re in their mid-forties?

21y4d: Yes.

ChadB: I am in my early fifties. It is absolutely realistic. Uh, and I am not the oldest person in my shop.

21y4d: W Chad. Don’t want to.

FalconSpy: Do you want to elaborate more, Chad, or you want to just.

ChadB: I don’t think anyone else. The movies and the TV and popular opinion say hacking is a young person’s game. I strongly disagree, specifically going to conferences. You will absolutely see that that is not the case, but, um, there is no age restriction. There’s your ambition and willingness to learn and to get started, and maybe also to talk to young people. You know, you guys are hilarious, but, um, that’s one of the, um, artificial blocks that I see people putting in front of themselves. Like, oh, I don’t have enough time. Um, maybe I’m too old. Maybe I’m too young because I’m still in high school. Um, you know, I don’t have enough money. Uh, all of these are artificial roadblocks. Don’t think about it. Just go. Like, as our friend Al Hazred says, if you can take your hands and put them on the keyboard, you will find a way to get there. One way or the other: Academy, OverTheWire, UnderTheWire, you know, whatever, there’s always a route to get there. You just literally have to take that first step and stop thinking about it. Cause you can plan. I myself, I’m guilty of this. I planned for over a year. You know, I have notebooks back here with all of these routes that I planned. And then I went to a conference and I started meeting people. I’m like, let me just take my hands and I’m going to put them on this keyboard and we’re just going to go. And that’s all there is to it. Uh, stop thinking about it. Just go, just do it. Yeah. Yeah.

Jexx: Oh, I was just going to say, I’m just kind of seeing this consistently. A lot of the questions are everybody’s looking for the fastest way to do X thing, like the fastest way to get XP, the fastest way to get into the industry, the fastest way. It doesn’t matter. Every single person that’s been in the industry has got there at their own speed, and just trying to overwhelm yourself with the idea that there is a fastest way to do something is going to, like, break you. You are going to figure out your own pace. You’re going to figure out your own interests. You’re going to figure out how to get there, but trying to, like, min-max your way into having your career is never going to work because you’re going to miss so much. Just enjoy what you’re doing. And like Chad said, meet people. You’re already in a Discord with a bunch of other people you’d like to have conversations about security with; have them. But, like, looking for the fastest way is never going to give you the most rewarding option.

0xdf: Right. Right. And then we’re both racing to quote IppSec to you all, like, but, like, you always like telling people to stop, uh, planning things out and just, like, start doing something, because you can waste a lot of time. Um, the other thing I would say is, like, anytime you do a career change, it’s hard. Like, it’s going to be hard work. You have to be ready to do it. And, like, you might have to take a step back on your seniority. Like, if you’ve worked your way up in some other career and now you’re stepping into a new one, like, you might go back to being a noob, and, like, that’s fine. Um, I just think if you are moving from a technical field, I think the question was someone, like, you want to move into app pen testing, like, make sure you’re using the skills you’ve already developed because that can really get you a head start when you’re trying to pivot.

ChadB: Yeah. And, um, I have to re-quote Al Hazred just to make sure everyone’s heard it. Take your hands, put them on a keyboard. If that one doesn’t work, find another keyboard. If that doesn’t work, find another keyboard. Just start doing it. Like juggle them now thinking about it. Uh, that’s not going to happen, but, um, like legitimately just stop thinking about it and start doing it. Go find a YouTube video. Uh, and if you don’t like that, we’ll find another one and copy it. Just start doing it. Stop thinking.

FalconSpy: Go insert Shia LaBeouf meme. Yeah. I wish I could. There you go.

ChadB: Um, so I just dropped a keyboard. Sorry.

0xRy4n: I wish I could do soundboard sounds on a stage because I have so many of Al Hazred just screaming.

FalconSpy: You could. I know. Like, like if it drops them, but, uh, why, why haven’t we brought Al onto the stream or the, he’s not available or whatever. Someone go message him.

Jexx: And I’ll, all right. I don’t know.

FalconSpy: Do the thing. Do the thing, Jexx. You’re the person who works with our content and influential people. All right. All right. This next question is an upvoted question. Uh, or before I go to this question, does anyone else have anything they want to add to that, or let’s move on? Moving on. All right. The current ranking system works on active machines only for leveling. As I can see, the experience system works on retired and active machines. Don’t you think this can give a wrong indication of experience or skill if the old rank gets terminated, since write-ups are available for retired machines?

Fonsde: Yes. I guess, I guess it’s, uh, each ranking system has its place, right? So the XP is not meant to be used as a comparison, and that’s why there’s not going to be any leaderboards for it. Right. Uh, as I said earlier, the whole strategy is to have, you know, two kinds of modes, kind of the relaxed mode where you can, you know, grind and build your experience at your pace by starting with retired, doing Academy, et cetera, and then moving to more competitive stuff and joining the, you know, the seasonal competition. So, you know, it’s like comparing, you know, somebody who achieved Holo and somebody who is, uh, you know, Professional on the XP rank. That’s totally different. Right. That’s kind of how we see this and how we want to move forward. I’ll take a step at this.

0xRy4n: Oh, sorry. Go ahead.

FalconSpy: Oh, there was a follow up question to like, I guess that new thing of how it relates to our jobs board. Right. When companies are asking us to, um, post positions for them. So, you know, some positions say, Hey, you need to be pro hacker. So how does that work with the new system?

0xRy4n: Um, I want to squeeze in before we transition to that, cause my thing won’t be relevant to that. I just want to say, is anybody here who plays, like, Overwatch or some other similar game? Yeah.

FalconSpy: I know where you’re going with this.

0xRy4n: I was going to do the Call of Duty one, but, but yeah. So like, if you play, you’ll notice that there are progression levels which have nothing to do with your ranked matches. Those are just, like, how much time have you played? Um, you know, like, what were your statistics during the games that you played? But you can never play a single game of competitive and you can still go up to, you know, level 1000 or whatever, and get your fancy little badge. Um, and it’s a personal journey. That’s more equivalent to the XP system. It’s a personal journey for you, versus something like seasons, which is the competitive side. So you should not be thinking about XP as a competitive system, because it is personal to you.

Jexx: Um, this is what Ryan, Ryan, Ryan scan the audience. There is a person here.

21y4d: Um, this is what, uh, I talked about earlier. The differences between, uh, competition and gamification. Gamification is mostly for you personally. Um, so you can, um, I mean, take it as milestones or getting courage to keep going, but, uh, competition is obviously against others. So that’s why it matters that you don’t have write-ups or walkthroughs, but for gamification, since it is mainly for you and you are completing the modules and the retired boxes and so on. Uh, I mean, if you want to go read all the walkthroughs and just grind, uh, just to get up to the level that that’s completely up to you, but that’s the main reason. So that’s why it’s completely fine to have walkthroughs, uh, or, um, you know, uh, write-ups and so on.

Jexx: The lobby just got a lot more chill.

ChadB: Oh, I can’t wait. I was good. Okay.

FalconSpy: So I was going to put it from the other side of, like, Ryan’s Overwatch. Right. If you sat there and played Call of Duty: World at War back in the day, or, like, Modern Warfare, like the OGs, even any of the new Call of Duties, right? Like, you play for your rank that just shows up on the scoreboard. And then, like, you can prestige your ranking and get, like, some new stupid badge. It’s the same thing, right? It’s just saying that you’ve been on this system for a while. You’re playing the real side, where the rank actually truly matters, when you play the seasons.

0xdf: So I think there’s also something to think about. Like, I don’t think the old system was created in, when did Hack The Box get created? Like 2016. Right. And it was when there was a really small set of people who were, like, competing with each other. I don’t think anyone really believes that a box that’s been published for eight, that you can’t find a write-up for a box that’s been out for 18 weeks. Like maybe, like, I know Hack The Box tries to take them down off of Google, like, when they’re going to join communities, there’s all sorts of places you can go where you will find it. So, like, I think what worked in 2018 for, like, a scoreboard doesn’t really apply in 2026. And, like, I mean, I love the old scoreboard. I grew up on it. Right. But, like, I also think it just isn’t really practical anymore. We talk about, like, oh, could someone cheat? Like, yeah, someone could cheat the old scoreboard too. It was pretty easy. Like, if your whole point is just a grind, meaningless internet points, not meaningless, super meaningful internet points. Like right here, man. Come on. You know, back to what Dan was saying, like, if you’re here to learn, like, avoid the write-ups. And I still think it’s critical that there be boxes that aren’t supposed to have write-ups, because that way, if you Google things, you don’t accidentally stumble upon the write-up, because that experience sucks. But, like, for the most part, if you don’t go hunting for write-ups, like, it’s good to have those things so you can train, but then, like, if you want to be competitive, go play in seasons.

FalconSpy: Chad has something. And then.

ChadB: Who, me? Sure. I was just going to say I’m 100% taking credit for the Cthulhu summoning. I’m just going to leave that right there.

FalconSpy: Okay. So speaking of which, welcome Al Hazred to the panel here. They’re one of our cross-community contributors. Al, I’ll let you introduce yourself and then we’ll go back to our questions.

Alh4zr3d: Yeah. Hi, my name’s Al Hazred, often shortened to Al. Uh, I was pulled in randomly, uh, and, uh, on an increasingly intermittent basis, I do enjoy streaming Hack The Box. Uh, and in general, uh, teaching people how to, uh, do the dark magics and so on and so forth on my Twitch stream. Thank you for the invite.

FalconSpy: Back to the questions. Thank you for joining us. All right. Upvoted question. What can one do besides bug bounty to make money in the cybersecurity field without a regular job?

21y4d: Besides bug bounty? Nope.

Alh4zr3d: Make money. I don’t recommend it. Besides bug bounty, besides a bug bounty or a regular job. So besides all the ways that people make money, uh, in cybersecurity, uh, how could someone make money in cybersecurity? Well, I could say ransomware gang. I couldn’t say that, but I’m, I’m just not, that seems ill, that seems ill advised. No, don’t, don’t do that. Don’t do that.

Jexx: I’m going to throw a, throw one out here. Honestly, you can, you know, set up your own it business. And then from there, try and be like, Hey, another offering that I have is setting up this particular type of security. Um, I don’t know.

FalconSpy: All right. I’ll, I’ll do the, the ethical way, right? Like if you’re good or, you know, a very particular part of the field, like your niche in something, start mentoring people. There’s definitely, I’m sure people who would love it. Um, obviously being paid, a paid mentor kind of gets weird, but there are people who create their own courses and they publish them on various things like Udemy and whatnot. And then people will either pay to have access to their courses or whatever. So, I mean, that is another route. You could do.

Jexx: The e-girl streamer solving HTB is already taken though. I’ve seen this. This exists. Ryan has made it very clear. Ryan was the one who showed me.

0xRy4n: I have a sticker from her right here. I have a sticker that says, um, this sticker proves that I willingly gave my full name and address to a hacker on the internet from Pinnacle Panko. Anyway, um, I’ll throw out another option, which is that, um, I’ll do a shout out to a partner company. There are, uh, companies like Cobalt, Cobalt Core, which, um, are effectively pen testers as a service. So if you don’t want a regular job, you can try to do effectively like contract pen testing.

Jexx: Um, if you’re curious about that, I know the entire, how we do the onboarding for that. If you want to ask a personal question about those two, I worked over there, and they do test each individual that comes in.

0xRy4n: So they are selective, but that would allow you to do like pen testing in a, maybe

Alh4zr3d: I think the Synack Red Team still does a thing. Is that still a thing?

FalconSpy: Synack also has pen testers now too.

Alh4zr3d: Yeah. You can do that too. Um, uh, I mean, that’s, but I want to like rotate back to like being a mentor. I fully endorse that, by the way, I fully endorse that, but, uh, I’m going to head off like a thing that typically goes unsaid, but we all feel it, that when we think about being a mentor, there’s that specter of imposter syndrome that comes into your head, that little whisper that says you don’t have anything to offer the world, that says, like, why even try? I guarantee it that when you said like, Hey, be a mentor, a lot of people in the chat were hit with their imposter syndrome all at the same time. Uh, you gotta get over that, man. I promise you, you got something to say. I promise you that if you have any expertise in this field whatsoever, if you even have a basic level understanding of things, you have things to teach to people. Your perspective is valuable. So I just wanted to throw that in there so that it wouldn’t go unsaid.

Jexx: I’m going to throw out the also, we don’t need more courses. There are so many courses, people who are coming up with courses. I think that it’s important to teach over just like selling a course, but I’m not trying to take shots, but I see too much of it everywhere all the time. I think that it would be cool to like solidify your own methodology. What’s up?

0xRy4n: So this obviously doesn’t apply to our courses. Our, ours are the exception to this.

FalconSpy: Yes. Come to our courses. All right. All right. Uh, anyone else? Otherwise we’ll move on. All right. Are there any perks to getting higher levels? Or is it all for show?

ChadB: Bragging rights. Professional recognition, but we all know it’s bragging rights.

Fonsde: Not yet, but I mean, that’s the plan, right? So the whole leveling system, you know, it creates a lot of opportunities to gamify more. Right.

Jexx: So, you know, that’s kind of the, I want to just kind of like touch base on this in general, because I think that doing this allows us to do like events differently too, because that’s something that I would be throwing, is I’d be able to throw more public events for our community, um, that surround just being able to like do particular releases in a certain way. Again, this isn’t on like a roadmap or anything, but I want to say that it’s something that I’ve been waiting for for like a very long time. So I’m happy that it’s here, because there are more ways for us to be able to interact with you as a community, um, that we just didn’t have before. So.

FalconSpy: All right. Uh, the next one here. What’s so special about the new ranking system? Uh, they just go on to say that they’re more interested in the knowledge and continuous practice. So anything special about the new ranking?

Jexx: I like the symbols.

Fonsde: Gamification, you know, classical gamification. Streaks. I mean, we haven’t spoken about streaks, right? So clearly a big, uh, motivator for a lot of people, right? To, you know, grind every week and get that, uh, that learning in. And, you know, clerics that will be associated in the future with achieving higher streaks.

0xRy4n: Okay. So it’s important. No, this is very early days, guys. So like future things might come. Um, you have to keep that in mind. Very early days.

FalconSpy: All right. Next one here. This individual has ground through a lot of Academy and was able to solve some of the boxes on their own for a few months. They still don’t think they’ve got the hang of things. Uh, they’re curious: when does it make sense to join a team on the platform? They don’t think they can add any value yet. Uh, what are your experiences with joining a team or adding value to one?

Jexx: Yeah. Yeah. I was going to say the same thing. Go down. There is a place where, uh, I believe it’s in, where did it move to? I don’t know if Emma moved it or not, but there is a place where you can join teams here. It’s find a team in HTB Seasons. Go there. There are people who are just looking for people. They’re looking to like mentor. Um, I don’t think that you should feel like going into a team, you have to provide value. You’re still learning. And there are plenty of like teams who are starting up with just like new people who, well, there has to be one Hacker-rank person to start a team, but that’s a good thing.

ChadB: Uh, just being there is a value.

Jexx: Yeah.

ChadB: Like your motivation for joining that team. You’ve, you’ve provided the value. They’re happy to have you.

Jexx: Yeah. Don’t go in with like the expectation that you’re going to solve everything for them. Just learn with them.

0xdf: I’ll throw, I don’t know if this is a counterpoint, but like, I mean, you should definitely build a community, like find yourself a community. I don’t know. Like when we say team, like I always worry. We’re talking about like, if you go and join a team that’s really, really good, and now you’re in their private Slack and you’re just watching all the messages fly by as they’re solving things and you’re not learning anything, like that’s not going to be useful for you. Um, so like if you join a team of people who are like roughly the same level as you, and you’re like talking through challenges and bouncing ideas off each other, like that is amazing. Um, or if you make friends with like people who you like, for me, a real formative thing was having friends who I could message and say like, I’m stuck here. Uh, and they wouldn’t just be like, Oh, go run this command. They would be like, well, what have you looked at? And they’d ask me questions, and they would never actually tell me anything other than ask questions until I’d be like, Oh crap. I’ve made an assumption here. I gotta go fix it. And it would come free. Right. But that kind of learning is so much better than someone just telling you the answer. Um, so like, look, definitely community, community is super helpful. Um, being on the right team is probably important if your goal is to learn.

21y4d: Um, we actually apply both of these things that David, uh, Xerox, have touched on. Uh, number one is that, um, for you to learn, you have to get a challenge that is slightly above your current level. If you get something that is way below your level, you will not learn. If you get something that is way above your level, you will also not learn. So you need something that is slightly above your level. And this is a concept or a principle that we use in all of our modules. Uh, for example, if it’s a medium module, the question will be slightly different from what is in the section. If it’s a hard module, it will be much more different from what’s in the section. And the second thing, uh, is, uh, yeah, not telling you, not giving you the answers. Basically, uh, some competitors in the field or some, uh, other academies, they just provide you the answers, uh, through their course. So you don’t actually learn, because you just copy and paste. And if this was the case, by the time you get to the exam, you will not be able to solve a completely new challenge. So that’s why even, uh, during the modules and the skills assessments, we have this in mind. And this is something really important for us throughout the entire, uh, catalog of modules within Academy.

FalconSpy: Just some timekeeping. We have a little under 15 minutes left. So we’ll try to get through the rest of the questions as we can. Uh, this next one is targeted at you, 0xdf. How are you feeling about the future of security? Do you think traditional paths into offsec will still exist in the next few years, or should people be focusing more heavily on testing AI systems and less on traditional pen testing?

0xdf: I mean, I think anyone who claims to know what the world’s gonna be like more than two or three months out is guessing. Um, cause the world’s changing so fast. Um, we are certainly seeing AI get better, faster and faster. Um, whether it’s growing exponentially or whether it’s just growing fast, we can debate. Um, you know, we still have, you know, AI, like it’s not clear to me. I don’t have a good answer for you about like, will AI replace pen testing? Like I can make an argument either way. Um, I think it’s certainly going to change. I think you need to be familiar with AI. You probably need to be using AI or you’re going to fall behind. Um, but I don’t know what to tell you as far as like, well, I guess in a world where AI replaces pen testing completely, it’s probably going to replace like a shit ton of jobs and like there’s not many jobs left. So like, then something else must come into place and everything’s going to change. So maybe I’d say go for it and be ready, but be ready to pivot if things change. I’m not uniquely qualified to answer this question, though, but I’d be curious what everyone else thinks.

Alh4zr3d: We’re trying to roll it out at work. Um, I think a lot of people in there, uh, I mean, I work a corporate red teaming job, like, uh, and all of the corporate executives have the same stupid, like, uh, FOMO feeling like we have to implement AI yesterday, or we’re going to be behind everybody else, and they’re pushing it on all of us. So that’s trickling down to the pen testing team about how can we use AI more? And the issue is that it’s not safe. Uh, customers don’t want it on their networks because it’s not safe. Um, to just be turned loose everywhere. Um, and it’s not robust enough to find a vulnerability. Like you’ll see very credulously written blog posts about how, oh, I set up an AI agent that ran Responder and then cracked a hash that cracked to the word password. Uh, and then logged in as domain admin. Uh, it got domain admin on its own, guys. AI is doing penetration testing now. I don’t buy it, man. I’m not there. I don’t think it’s anywhere close. I don’t think AI as it currently exists is anywhere close to replacing penetration testers. I think that is a stupid FOMO fueled, uh, idea. I agree with what was said before, that you probably should be using it. It does speed up your workflow. It does help you in that, Hey, I need a quick script to organize my targets. Uh, or I need a quick script to do this, or, Hey, what else can I do for OSINT? I use it for like reminding myself what OSINT things to do, like, Oh, I haven’t checked GitHub yet. Let me pull GPG keys, you know, things like that. When I’m on external, when I’m, uh, like poking at external perimeters. Uh, it’s very useful like as an assistant, but I don’t think it’s replacing you anytime soon. Um, not only because it’s not competent enough, and it won’t be until something new past LLMs comes. Uh, and also because it’s not safe and customers don’t want it on their networks.

0xRy4n: I’m going to actually go the opposite direction here. So I’m going to provide a counterweight to Al here. Oh boy. Which is, here we go. Which is, I’ve had some conversations with, um, some red teamers and some penetration testers recently who have gotten to use Mythos, um, effectively with like unlimited Mythos, just do whatever you can to do it. The feedback that I’ve gotten from them is that while yes, Anthropic has hyped this up, the hype is in some way earned, that it is managing to find, um, you know, previously unknown vulnerabilities, previously unknown exploits, non-trivial ones. It is managing to exploit these in live environments. Um, and like it’s successfully performing full exploits. Now that said, I personally do think that the capability of AI is getting quite good, to the point that it is capable of doing things that are non-trivial, but I don’t think that means that you’ll see, um, it replacing pentesters across the board, for some of the same reasons that you’ve mentioned, Delph, which is that it’s unsafe to just let this thing be loose. So even in these environments where people I know have been using this, they’ve been sitting there hitting enter every minute to accept like, yes, you’re allowed to do this. Yes, you’re allowed to do this. Yes, you’re allowed to do this. Um, so you still are paying somebody who has enough knowledge to determine if the action is okay to sit there and babysit the AI. Um, and two, in a lot of cases, you’re going to have a legal arrangement that says you’re not allowed to use some sort of third-party, um, except processor or LLM on a client’s environment. So like from a compliance standpoint, this will be out of scope. Um, so I don’t think you’ll see that it goes away completely, but I imagine

FalconSpy: depending on how Mythos is being used, I am sure they can run it in YOLO mode if they really want to, but then that opens up a whole new can of worms.

0xRy4n: Well, this is the thing. No professional is probably going to run it in YOLO mode, particularly against any sort of production environment. Um, I have to leave it.

ChadB: Sorry.

Jexx: Oh, it’s okay. Well, it’s fresh. Go. This has been sitting on my mind.

ChadB: I agree that, uh, most clients you run across in any serious business are probably going to say, you’re not putting that on my network, or don’t do this on my network. I don’t think we’re going away. I don’t think the humans are going away anytime soon.

Jexx: I was talking to, uh, Pete McCrannon at, uh, SpecterOps yesterday, and he had a lot of different varied points about like utilizing, uh, AI in his, uh, red team engagements. And I feel like there are a couple of really cool things that we got from that. One is like, how do we figure out how to like, uh, make it unfeasible to have content using like sucking people’s tokens, instead of it just like being an auto complete thing that somebody can just send, because that’s like, we’re thinking about doing another, uh, well, I can’t talk about that yet. In the future for challenges that we have. We want to be able to make it, almost got me. Yeah. Almost got myself. Um, challenges that aren’t just going to be something that you can feed into an AI. So like, how do we figure out that? That is something that he was talking to me about. And I was like really excited about it, cause there are ways to do it. In the end, you are still using money to do these things. Like when push comes to shove, like really, how expensive is it going to be? And is that threshold ever going to change?

0xRy4n: Um, one small thing real quick, which is that also, based on the things that I’ve been told by these same people, I am very much not convinced it was actually cheaper to run the model than it would have been to hire a pentester to do the same thing. It’s being subsidized by Anthropic. I’m not convinced that if it wasn’t being subsidized, it would actually have been cheaper to discover these same vulnerabilities.

Jexx: And the second point, the most important point that we had talked to each other about, is atrophy. I would never want to atrophy my skills or my abilities to do something or understand something and give it away to somebody else or something else. I think that there is a possession of skills that should never go away. Load balancing, sure, whatever. I want to get things done faster, but I don’t want to give up my ability to know how to do the thing. And I feel that that can’t really be relinquished in some ways. Um, and I know that there are like bug bounty hunters that I have talked to that are using like fully, um, autonomous agents. They’re going and they’re, you know, getting whatever, like highs and mids, but they still have to deal with a triager, or they still have to understand and explain to them what the bug was instead of it just getting, uh, like completely rejected. And I don’t know. I think that’s another problem that we’re running into, is that people aren’t understanding what they are completing with AI when it comes to hacking. So yeah, don’t give up your ability to learn things for something else to take it. Just load balance it. Again, you go ahead.

Alh4zr3d: Go ahead. No, go ahead.

Jexx: I want to know what David has to say about this.

0xdf: I will. So I want to make sure it’s like, I completely concede that, uh, for the most part, it’s not there today. Um, I don’t think I’m spoiling anything if I say even Mythos is not, uh, there today. I think the thing that is going to be really hard to follow, and something I didn’t really appreciate until having worked at Anthropic for eight months now, like the difference over the last eight months, the difference from like when I started at Opus 4.5 and Sonnet 4.5 up through Mythos, and what is coming in the next couple of months, like is growing at a speed that is very hard to appreciate. Um, so again, this is why I’m like, you know, like absolutely today, for the most part, with one caveat, I’ll come back to it in a second, like most companies aren’t just going to take AI on and say, Hey, do an AI pen test. Um, but man, it is changing so fast. So this is something we all kind of got to strap into and just like be ready for it. And maybe again, maybe it’ll peter out. Like I’m probably one of the most Luddite people at Anthropic, but like it could certainly peter out, but like it might not. And like, the best thing you can do is be flexible and be ready. Um, the other thing I’ll say is like, there’s a company out there called XBOW that is like doing AI pen tests today, and they’re doing it successfully and well and making money. Um, and I often hear the thing about like, Oh, well, it’s all VC capital that is funding this and it’s all subsidized and stuff. Um, you know, all technology starts off that way. So like, I think you’re probably right. Like the true costs, uh, I don’t even know. I’m not involved in this stuff, but the true cost of like finding these vulnerabilities is probably very high.
I totally am on board with Marcus Hutchins’ point of like, yeah, they spent $20,000 to find this vulnerability. Like if you paid a researcher $20,000 and said, go find a vulnerability, they probably would have found the same one. Like, I think this is all not wrong. Um, but it also is like faster, and it’s only going to get better. This is the worst it’s ever going to be, where we are today.

Alh4zr3d: So anyway. So I think people have this bias in their minds, like when it comes to like all technology and not just AI, that yes, we’re seeing these AI models get much, much more competent, like, uh, in a short period of time, uh, up until now. Like for example, there’s the Will Smith spaghetti eating video, uh, that everybody I think has seen, that looked like complete crap, like, uh, what, two years ago, three years ago, maybe. And now it looks, I mean, it still looks like crap, but it looks way, way better. Yeah. There you go. Someone posted the gif in the chat there. There you go. Um, but like, it still looks bad, but it looks much more believable and better now. And people point to that and they go, Oh my God, AI is improving so much. I want to emphasize that there is a cap here. Like there is only so good that an LLM can get. LLMs cannot become agentic. It is impossible. Like an LLM by its very nature is only regurgitating. It’s not doing any reasoning. It’s not doing any thinking of its own. It is using probability to guess what word should come next from the slop it ingested during its training. That is not reasoning. That is not agentic. That is not, um, that is not general intelligence. That is just regurgitating slop. There is only so good that the slop regurgitator can get. And it has gotten way better. This has gotten very good at regurgitating its slop, and it is useful. I’m not saying that Mythos isn’t useful. I’m not saying that AI isn’t useful. I will confess, I use AI daily in my work. Um, I use it all the time. It is a useful tool, uh, that I use within limits. But it is not going to get better at the speed we are seeing it getting better forever.
That is a logical fallacy, that people tend to assume things are going to progress doing the same thing that they have been at the same speed, uh, for some indefinite time into the future. That is not the case. Uh, we don’t know what’s going to come next after LLMs. Someone may come up with some other better way of doing AI that can actually do some thinking. Then we’re having a conversation about, uh, about being agentic, about being general intelligence, about being whatever. But LLMs are never getting there. It is not possible. It’s just a fundamental limitation of it. We’re only going to see the slop generators get marginally better from here. And keep in mind that as the slop generators get better, increasingly what they are ingesting for their training is slop that was pumped out by the previous generators. So they are like self-limiting themselves. Again, not saying it’s not useful. Um, not saying that Mythos can’t find vulnerabilities. It certainly does. Um, I speak mostly as a red teamer. So finding like little vulnerabilities is of little use to me. I want to find like the big ones that give me access to the domain, uh, and things like that. Um, so a little bit of a perspective change there from Mythos just being turned loose on code bases. Um, but yeah, I don’t want to feel like I’m going on and on. I feel like I’ve made my point here, but yeah, the AI models are going to get better than this. They are going to get better, but there is a cap to how good LLMs can get. There needs to be something else that someone’s going to have to come up with. A human being is going to need to come up with it, not AI, to actually get beyond what LLMs can do.

FalconSpy: So anyone else for their last minute, say before we wrap things up, cause we’re definitely over on time.

ChadB: I, yeah, it’s not a lot. It’s a great tool. The hype is going to die down. It’s a great tool. Use it as such.

Alh4zr3d: And that’s just, Anthropic has a vested interest in hyping up their tool by posting, Oh, we turned Mythos loose on a bunch of code bases and it found 11 billion vulnerabilities. Like this is all hype. Okay. I’m sure it found vulnerabilities, but come on. Like at a certain point, you have to see capital interest just generating hype to make you feel like there is a revolution happening. I’m not saying that AI is going to go away or peter out. It’s going to be a part of the future, but it’s not going to redefine everything about what we do.

ChadB: Okay. The hype is going to die down.

Alh4zr3d: Find some new thing. Remember crypto? Remember NFTs? Hey, how’s everybody’s NFTs?

FalconSpy: Don’t bring that back. We’re done.

Alh4zr3d: How’s it? Yeah. How’s everybody’s, how’s it? How’s everybody’s like, I don’t know. Like there’ll be some new thing that they’re going to hype you up about next. That’s the way Silicon Valley works. They make a new thing and then they hype it really, really, really hard. And then it ends up like doing something, like NFTs aren’t nothing. They’re kind of nothing, but they’re not nothing. Not really. But they didn’t revolutionize art or change the way that we think about currency or collectibles. That just didn’t happen. It didn’t happen at all. And again, the same thing is happening with AI and every other new tech thing that comes out.

Jexx: Me wanting to be like, I can say from like a marketing standpoint, as soon as the new technology gets to us, I will tell you it’s the end. It’s going to be something entirely different. The technology before, you had a horse, but now it’s a horse with wings. Did you see that? It’s the biggest thing I’ve ever seen.

Alh4zr3d: It’s too big and heavy to fly, but it does have wings now. That’s true. It does. Now it has wings. Invest. Don’t get FOMO and invest.

FalconSpy: All right. Anyone else for the last minute? Otherwise we’ll close up for the week. Going once, twice. All right. Thank you everyone for joining us for this week’s Cube Talk. We hope you enjoyed the session regarding XP and ranking, as well as our AI chat and everything else. If you’re interested in future Cube Talks, you can take a look at the top of Discord. You’ll see that these happen at the same time every week, unless announced otherwise in the announcements channel. You can say you’re interested, and you’ll see an alert when they go live; it’ll show your local time zone. It’s one of the other Discord events that we’ll be hosting. These are recorded, so they’ll be posted on Spotify later. YouTube is still a thing that we’re working on, as I’ll keep saying and sound like a broken record week to week until it’s up there. But thank you everyone for joining us, and we’ll have the after party shortly after. The after party is basically just hanging out, answering questions that we didn’t get to or whatever you have. You don’t use the bot. We’ll see you next week.

This post is licensed under CC BY 4.0 by the author.