Cube Talks: May 15th, 2026
Disclaimer: This transcript was generated with AI assistance and has been manually reviewed and edited. Despite best efforts, some inaccuracies may remain — please use your best judgement when referencing specific statements.
TL;DR / TL;DL: Session discussing Android pentesting, AI’s impact on bug bounty, walkthrough usage, red teaming, career transitions, and space security.
Listen on Spotify: Cube Talks – May 15th, 2026
FalconSpy: Hi, everyone. Welcome to this week’s Cube Talk. I am your host, FalconSpy. This is the opportunity to ask our panel of staff and volunteers any questions you might have about Hack the Box and the services we offer, as well as any InfoSec questions you might have in general. You can use the forward slash cubetalk command to ask your question to our panel. You can use that same command to also upvote questions at the top of the queue. Questions are first in, first out. I’ll sound like a broken record in a little bit just to explain how the questions work again. But we’ll introduce everybody here on the panel, who they are, what they do, and then I’ll be a broken record and go to the questions. So in no particular order, we will start with Goblin.
g0blin: Oh, Christ, put me on the spot here. Hey, I’m Goblin, James, co-founder and on board for Hack the Box since 2017. And yeah, now suddenly it’s nine years later and we’re a little bit bigger. And yeah, crazy ride. Love Discord and just here’s a shit talk. And well, no, don’t shit talk. I’m here to be nice and make friends.
FalconSpy: And we got McKernal.
McKernal: How you doing? My name is McKernal. You can call me Pete. But yeah, I’m just someone that has been hanging out around Hack the Box for probably way too long. And they finally noticed that I loiter after hours and like to hack boxes and do things on the Enterprise Leaderboard. I do AI and red teaming stuff. I’m just like living in local model land all day now. But always thrilled to be here and talking to you folks. It’s a privilege.
21y4d: Hey, everyone. I’m Zeyad. I’m from the Academy team and I’m here for any Academy questions.
FalconSpy: And then next we have IPSEC.
ippsec: Hey, I’m ippsec. I’m a lab architect. I just float around departments trying to bring value where I can. Also do a lot of YouTube videos.
FalconSpy: And then we got Idna.
idna: Hey, so Idna. I look after the defensive content engineering.
FalconSpy: And then Ryan.
0xRy4n: I’m Ryan. I’m the head of tech ops. I do a lot of like the internal tooling and automations and integrations and that stuff. And nowadays a lot with AI.
FalconSpy: And then Jexx.
Jexx: My name is Jexx. And I make stuff for the marketing team and work with creators and the community.
FalconSpy: Yeah, I am FalconSpy, the host, and also one of the community specialists here at Hack the Box. And a full-time red teamer at Oracle. All right, broken record time. Use the forward slash keep talk command to ask your question to our panel of staff. You can use that same command to outvote questions to the top of the queue. First in, first out, unless outvoted. Going into the questions now. What are the prerequisites for starting Android pen tester skill path? Is it someone with someone who has their CPTS or CWS good to start it?
g0blin: I don’t know directly for the Android pen testing side, but I mean for myself, I’ve done some of it. I’ve done some looking into apps, how they’ve worked using Freeda and that kind of thing. But as a start, I would say being able to understand and read through code. Obviously, being able to search code bases and go through the usual steps of extracting Android applications. Direct prerequisites linking back to Hack the Box. I believe we have some prior retired Android content. And of course, the content on Academy. Yeah, I think the biggest thing to start looking at is the common methods for obtaining, extracting, and then decompiling or converting from DEX into plain Java source code. There’s many different ways to do that. Some of them don’t work so well with the obfuscators that are used when compiling production APK files anymore. But yeah, my two cents.
ippsec: Yeah, it’s a tough question just because everyone starts at a different point. Like, obviously, like Linux command line internals are needed to go into Android pen testing. But in reality, like, I think if you go to the, like, academy that gives you a good roadmap, I’m sure that’s what Zyad’s going to say right after I stop talking. But outside of that, you kind of just need to know, like what Goblin said, like, how to get a APK, how to extract it, how to basically read source code, and then some Frida magic in order to, like, bypass things like SSL pinning, things like that. We do have content on our labs that kind of show that. But I guess the biggest skill is curiosity because there’s not a lot of information out on that. So when you start doing this, you’re going to run into a lot of roadblocks. You have to have the curiosity to know, oh, I’m getting this error message. How do I troubleshoot to get past it?
Jexx: Speaking of Frida, too, keep an eye on our YouTube channel in the coming months because you might see something on there about it, too. Vague posting.
21y4d: For this path specifically, because it is a skill path, we do not have, like, a clear prerequisite list for it, since, like I said, it is not a job role path. I think CJCA should be enough. So if you have CPTS and CWVS, you should definitely be able to do it. In each module in this skill path, we do mention what other modules we expect you to finish before starting it. And if you go to the first one, I think it’s just a few modules that are in CJCA. So I’d say just CJCA should be enough to be able to do this skill path.
McKernal: And just one thing that I’ve noticed just about Hack the Box training and skill paths across the board is, like, they all have an excellent gradient, right? Like, you are really well-equipped to solve the challenges that are coming in front of you if you follow the path, if you really pay attention to the material, and you master the lessons that are being put before you. So I, me personally, I say go for it. Like, find the thing that you’re interested in that you have passion for, and just start doing it on Academy. Find the skill path, and you can reel in wins. But I’m also a cube addict, so keep that in mind. Like, I need my cubes, and I’ll do whatever I can to get them.
FalconSpy: All right, this next question is enough of a question. So what’s your take on AI taking over the bug bounty scene? They’ve seen this to be pretty successful for bug bounty over the past two years, but lately starting to feel demotivated in that field due to AI. And they’ve started seeing bug bounty mostly from a money perspective, and with current AI wave, it doesn’t really feel fun or exciting anymore to do bug bounty.
ippsec: Me, personally, I think it’s demotivating right now. And I think right now we’re in this really odd state where AI is extremely cheap. We’re starting to see AI, the Frontier models, start increasing the price. Like, starting in June, I think, like, the claw-p is going away on the subscription plan. You’ll still get credits, but it just won’t be unlimited usage as it is now. And I think other Frontier models will kind of follow that, and that’s going to break a lot of the orchestration that people have set up that are, like, abusing bug bounty right now. That being said, no matter what, bug bounty has always been a, like, scripting automation game. So if you’re ever going into bug bounty and doing things manually, you’ll probably get frustrated anyways. So use AI to help you build orchestration platforms and automate things. And right now, I think, for the next six months, it’s going to be really tough because you’re going to compete against a bunch of AI models that have just unlimited tokens. But I’m guessing sometime next year that’ll slow down just because AI is expensive.
Jexx: Yeah. And programs are… Oh, do you see…
g0blin: I mean, a lot of them go to models like Clawed, OpenAI, Gemini, et cetera. What’s your take on these toolings utilizing local models that are accessible to consumer-grade hardware? You know, like the… The Gemma 4 release, you know, the 31 billion model, that kind of thing.
ippsec: I think the local models aren’t really nearly as good as the Frontier, and that game is, like, humans can kind of compete at that level.
g0blin: Yeah, I’d agree with you on the AI side. It’s a very competitive field. It always has been with the utilization of AI. It’s another tool at your disposal. It’s not something that’s going to replace everyone, but utilizing tools to the best of your ability to provide the advantage that others get out of them. It’s the same as utilizing any other tool to automate a task, apart from this one can, I think, be a bit more creative. But, yeah, it’s a matter of using it to accelerate and help you to improve your automation with a hint of thought in there.
Jexx: There’s also two other ways to look at this. It’s great for analyzing data, you know, code review and that kind of thing. Oh, that’s what’s happening. Now I understand. So, if you go to the top of, like, HackerOne’s all-time bug bounty leaderboard, you’ll see today is new. He’s been up there forever. He’s, like, one of the lords of automation, like Ip was saying before. Like, that’s always been part of the game. Jex, you’re muted if you’re talking.
0xRy4n: No, he’s not. You’re not, Jex. Goblin, you must have him muted. That’s why you were talking over him earlier by accident.
g0blin: Oh, my God. Why the hell do I have you muted? Oh, yeah. I don’t know.
Jexx: What did I do to you, man? It’s all good. Why the hell? Sorry. So, basically, like, automation has been a big part of the game. The thing that I’m seeing change the most is, like, how programs are doing payouts for lower bugs. Like, a lot of programs are changing because of AI, and it seems like the low-hanging fruit is just sort of, like, disappearing, which makes people have to find more clever ways to do their automations to start chaining vulnerabilities, which then means that there is a higher skill ceiling for bug bounty hunters. But it’s being able to, like, provide you with the ability to, I don’t know, it puts you in a perspective where you have to start learning how to chain exploits. It’s making you a more advanced by proxy. I think that the payouts that I’m seeing on programs that are shifting towards this, it’s, like, really, really low. But who knows if that changes in the future. And, again, like they said before, like, credits are going to matter. Frontier models are going to have the same access to things. So, it just really depends on how it all, like, lands in two to three years based off of, like, a program perspective, too. But, yeah, it’s always, always has been automation.
FalconSpy: How much should individuals be using walkthroughs or guided mode when doing retired machines? How can they wean themselves off of using these features? Are they still improving their skills even if they are using guided mode or walkthroughs instead of just blindly struggling?
McKernal: Well, I mean, if you’re going to use the answers, it really depends on how you’re going to use it, right? Like, have you tried nothing and you just need to advance towards the stage of the problem that you think you can understand? Because you will lose value just going over that. But it’s just with anything, right? Like, these exercises, the labs, the things that Heck the Box provide, they’re all excellent training opportunities where you can actually develop real-world skills and build your TTPs and methodology and get good at what you’re doing. But if you bypass that by using a walkthrough, and I just mean, like, the one with the answers on it, like, guided mode, I’m a huge fan of that. And I like sending people to it as they learn when they need those incremental wins that get them to the flags. But, yeah, I mean, it’s just like college, right? All the answers are in the back of the book. And if you just go there, you’re not going to learn anything in the class. So, you know, restrain yourself. I still think that the best way when you get stuck to handle a problem is step back from it. Think about it. Because once all the pieces kind of fall in place with your head, you will know what to do. And if you’ve ever used a walkthrough to solve something, it’s very dissatisfying to, like, the answer that you thought was right was just syntactically incorrect, right? Because those are really important lessons to learn. And, like, for me, those are the ones that stick. Like, minor errors that I spend a lot of time just because I’ve missed a detail. But once I correct that, it’s pretty much galvanized in my mind. So, again, respecting everyone’s learning methodology. They are very helpful when you’re just getting going. But, yeah, I wouldn’t say get too reliant on it. There’s so many good resources out there that you can use to kind of nudge yourself along. But as soon as you get the answer, it’s just, like, where do you find the training, like, event where you can learn that thing elsewhere in an area where you don’t know?
ippsec: Yeah. There’s a blog post we wrote a long time ago saying it’s okay to use write-ups. So, like, to get started, I would highly recommend just, like, watching the video or using a write-up and walking through along with it. And then once you start getting that fundamental down and you can start doing it, then kind of, like, read the write-up after you read the write-up, then do the machine, then, like, read the write-up or watch a video, do the machine the next day, and then kind of, like, ease yourself off of it. And then you get to a point where you’re solving the machine. And then after you solve it, you still want to go back and look at the write-up and watch the video just because there may be things that you missed, optimization techniques, things like that. But in reality, like, I think a lot of people are worried about, like, spoiling it and getting spoiled. I wouldn’t worry about that because we do new machines every week. If you can actually complete every single machine on the platform, kudos to you. You probably don’t mind spoiling anyways because you’re at a good skill level. So, like, I would use them. I wouldn’t worry about it. And, like, naturally, like, ease yourself off of them.
Jexx: I like to go through them just to see how everybody tackles the beginning of a problem each time. That’s kind of fun because not every user solves the beginning of any machine the same way. Instead, I mean, like, maybe an NMAP scan, sure, but even, like, the processes of what scripts they’re using or, like, if they actually just start using manual tooling off the bat and it gives you different, like, options to go off of based off of individual frameworks, which I think is really fun, too, to see, like, where somebody’s mind’s at. That’s kind of where I take it from.
FalconSpy: Ipsack, link the blog post in the chat. And then I guess for everyone listening to the recording later, just look up, is it okay to use write-ups and then put Hack the Box on your Google search. All right. If there’s no one else, TJ join. TJ, who are you? What do you do?
Tjnull: I’m TJ Nall. I’m a blue teamer in disguise. Well, really, what I focus on is red teaming. You guys have probably seen me for a lot of tools and lists and other resources that I try to get back to the community where I can. But I appreciate being on with you guys. This will be a fun time.
FalconSpy: All right. Back to the questions. How do you feel about using AI to fully automate pen testing?
21y4d: I feel about it the same way I feel about Vibe coding, which is, I mean, if you are a beginner, then it’s okay to do. Obviously, like the guys said, soon enough, these tokens will be very expensive. So you most likely will not be able to do it as much as everybody is doing it right now. But if you are not using Git at all, then you are definitely missing out and you will be behind in the game, whether it’s in software engineering and coding or obviously in pen testing. So you have to know what to use and what kind of AI tools to use to assist you in pen testing or, you know, red teaming or blue teaming or obviously in coding as well. So TLDR, you have to use it, but not to fully automate everything.
ippsec: Yeah, it’s just like using write-ups. Like you want to use, if you’re starting Hack the Box and you’re a beginner, you don’t use write-ups and you’re just struggling for eight hours a day trying to understand how to root a machine, not reading a write-up because you’re worried about being spoiled, like you’re wasting a lot of time. Use the write-up, learn the techniques and like start progressing. Same thing with AI. Like if you’re trying to do anything and you refuse to use AI completely, it’s just going to hold you back. That being said, like if you try to overuse it, you’re going to like plateau. And it’s even more dangerous and red teaming just because like you have a third party you’re sending data to. That company may not want you to send data to that third party. Additionally, like we see developers accidentally wiping production almost every single week a company does that. And if a developer is doing that internally by mistake, you can imagine what would happen when like a red team just throws it at a company and says, go ham, like there’s a high risk of you causing a major outage and I would not want to be responsible for that. So like use it responsibly. Don’t try to automate everything is my opinion.
McKernal: Just underscore that. Yeah. Use it responsibly. You can watch it do some insane things when you let it go unsupervised. I’m sure you guys could do a whole block on just what it does when it’s left alone. So I have stories.
Tjnull: You’re probably going to spend more time trying to troubleshoot things that you’re working with AI than actually trying to complete some of the boxes. So my recommendation is try to go through things manual first, see how things work, and then use AI as like a guidance, try to help you maybe try to understand some things. But just keep in mind, it’s not going to solve everything. It’s good.
FalconSpy: This person’s having issues solving Linux machines. They have no issues with Windows, but for whatever reason, they just struggle with Linux. Any tips?
ippsec: I have no idea how that’s possible. I guess learn the Linux command line and like try to translate it to Windows functions. Like most priv-esque is kind of the same. Like you look at what’s running as root, look at the processes, think of ways to it. I guess with Windows, maybe you’re really good at Active Directory and things like that and those type of exploits. Um, but I think with Linux, like you may be just trying to overcomplicate it.
0xRy4n: The only way I can see this like being true is that you just have a lot of experience with Windows and using Windows and using like Active Directory and you just have like not ever touch Linux. Because this is like truly the only way I can imagine that Linux is somehow harder. So my recommendation would be just switch to Linux as your daily driver for like a month or two and then just get used to using Linux. And then you’ll probably find that you’re, once you like know how to use Linux, that like the pervesque and dealing with Linux is easier.
ippsec: I would switch to Ubuntu. Don’t try to install Arch if you’re not familiar with it.
0xRy4n: Don’t, don’t hate. I mean, unless you hate yourself, like some, or I mean, maybe you’re a masochist, but like other than those two scenarios, yeah, don’t, don’t switch.
Jexx: Do you want to learn package management? Because that’s how you’ll learn package management.
ippsec: No, they’ll learn how to throw Claude at a problem and then just like not understand what happened six months from now when they can’t.
FalconSpy: All right. Next question. Zayad, this is entirely up to you if you want to answer it since it’s an exam question. So I guess I’ll just throw this out there now for the general disclaimer. We typically don’t discuss anything that it’s related to exams or any upcoming modules on Academy or try to give deadlines as we don’t want to miss those deadlines and people get angry at us. I’ll ask the question anyway, but Zayad and anyone else might just fall back on this disclaimer, but here it is. For the CPTS AEN module specifically, is attacking it completely blind, no walkthrough, no hints or anything, the real way to build skill to pass the exam?
21y4d: Yeah, like you said, we cannot comment on the exam itself, but this is definitely not the only way to prepare for the exam. As we always say, for any job role path and certification, the way to prepare for the exam is to complete the job role path, all modules. For CPTS, this is one of the modules, but it is not the only way, so doing this module to be able to, you know, set the exam and pass it. As long as you have completed all of the modules and have a good understanding of all of them, and you are able to complete the skills assessments of every single module, then you should be able to finish the exam, even if you have not done this module blindly. If you have done it blindly, then obviously it increases your chances, but this is not the only way to do it.
ippsec: I don’t think you should do any module blindly. Like, there’s the material for a reason, and then like after the module, you can look at machines and other things that relate to it and do those blindly. But if you have a guide and there’s a guide before the lab, I would highly recommend like at least reading the guide.
21y4d: Yeah, this is kind of a different, like an exception module. We made it like a practice for the exam, and you have the option to do it with the walkthrough or without the walkthrough. But like I said, you can do it with the walkthrough. There’s definitely no issues with doing that. I mean, this is the way it is intended. That’s why we wrote the module as a walkthrough. But if you can, then that’s okay. If you try and you cannot, then this does not mean that you will not be able to pass the exam.
FalconSpy: The next question here is asking about the machine queue for submissions. When can we expect potentially seeing a machine that has actual web exploitation and not just a CVE?
ippsec: I feel like we’ve had those, but I’m not positive. I feel like most of our boxes have been actual web exploitation, not CVEs.
g0blin: I mean, some may have been recreated from situations that included CVEs. But I mean, what’s a CVE box? What different is that to something that’s been created with a believable workflow apart from the fact that a CVE has been assigned, right? I mean, there are vulnerable workflows in custom apps people might make in boxes and such, which are set in a believable web workflow. And, yeah, I’m sure we’ve got many of those. I’m sure we may have many based on CVEs as well. But I think that’s understandable, demonstrating the current situation of security and vulnerabilities that are, you know, truly being found and used out there that I think is an important part of the creation.
ippsec: I think one of the key points is also playing machines closer to when they launch. A lot of times when you do CVEs, we make sure it’s not like just find the CVE, run the exploit script. There’s normally some type of modification, something you have to do to make it work. But obviously, like once the box gets released, then people like go to GitHub, post new proof of concepts, make better modules for the CVE. So if you’re playing it like a month after release, then it may just seem a lot easier than like when it was at release.
0xRy4n: I explicitly remember, I think I want to say it was Laboratory, where when it came out, it was one of the GitLab ones. When it came out, it was quite hard to do because there was no like POC for it or anything. And you had to do like manual marshalling of like the cookie and such with Ruby and bubble and figure all that out yourself. So it’s quite difficult at launch. And then like two weeks later, someone wrote a POC scripts for it that just turned it into like basically run one line of code and then instant get a shell. And it completely like trivialized it. But when it came out, it was it was much more difficult because you didn’t have that.
FalconSpy: All right. Up to Zayad and Idna, if they want to answer this, as it just falls on the general disclaimer. But when are we getting more extensive blue team content and or certifications?
21y4d: I mean, for Academy, we have been releasing at least one advanced blue teaming module throughout this year. So I think we have been doing those. You can check by filtering on tier four and defensive. Most of those have been tier four because they are very advanced and niche, you know, detection engineering modules. But yeah, we have been releasing those and we will have a few coming soon as well.
idna: Yeah. And on the lab side, we release new content, defensive content weekly. So there’s something in the word where you say extensive. You’re looking for something specific there. So I’m not sure we’ve got a steady flow of things coming through the same on the Let’s Defense side as well.
FalconSpy: All right. Are we possibly getting any modules or certifications that can compete with Offsec’s OSED? Similar to how we have the CPTS that competes with OSCP. Again, this probably falls under a general disclaimer, but I’ll let Zayad answer this if he wants to.
21y4d: Yeah. I mean, we cannot talk about neither the competition or upcoming content if I mean, if it is upcoming. But we have discussed the topic of binary exploitation and, you know, export development in the past. And I think at this day and age, binary exploitation is only really beneficial for state actors and really high end. Let’s say, red teamers are probably not even red teamers. So for us to be able to justify the amount and effort we have to put for it to be useful for students. You know, this is something we are thinking about, whether it’s there or not. But like I said, because it has gotten to a level where it is really advanced. I mean, for you to be able to create an exploit that, you know, exploits an iPhone or an up-to-date, even Windows PC. It is, let’s say, a kernel driver for Linux. It is not that easy. And who would be able to benefit from it versus, you know, the amount we would have to spend to create all of this content. This is something we have to think about. The course that you did mention, I don’t think it is applicable today. It is quite outdated, to be honest. And it may, you may be able to use it to build the foundations, but not to create something on up-to-date hardware or software.
ippsec: Yeah, I think this is one of those fields that’s really tough now to maintain motivation and learn. Because mainly of AI right now, like, it’s very tough to make a kernel exploit, even if you know the kernel vulnerability. But if you give Claude or any, like, GPT 5.5 or whatever, if you give it that kernel patch diff notes, it can build the exploit for you. So, like, it’s very tough to make beginner content in that field that is not solvable by AI. So, like, if we made that competitor, like, I would imagine, like, there’s no good way for us to ensure that students aren’t just passing with AI and just getting the certification illegitimately. Like, it’s a weird issue. And I think most exploit devs now just, like, find the vulnerabilities, point it at, like, point AI at the vulnerability, and it’s relatively good about building the proof of concept. What it’s not good about is, like, bypassing all the exploit mitigations right now. So, like, Nginx has a big vulnerability. All the proof of concepts right now, I think, are just based upon ASLR being off of Nginx. But there are exploit primitives you can use in order to make that not, like, exploit a production instance. For example, if there’s a file disclosure, you can chain that file disclosure, read proc self-maps, get the memory addresses, and now your Nginx exploit will bypass ASLR. AI is not really that great at finding that exploit primitive. If you try to do that, sometimes you hit guardrails or it just fails. So that’s what it’s not geared at, but I imagine it will be in the next, like, 6 to 12 months.
FalconSpy: Go for it, Pete.
McKernal: What was this? So exploit development was something that I trained for. It was something that I was in demand on one of the teams that I was on in 2019. And, like, even since then, just as red team operations have matured and expanded, I just saw the actual want for it fall off, right? Because, like, so many things, and maybe you guys are seeing the same thing, but so many things, so many missions are enabled just with social engineering. The phishing email, finding the person that’s going to click, making sure that that is, you know, a good vector. And, like, my exploit development cycles that I had actually turned more into payload development cycles, just making sure that we were evading detections and, you know, not giving ourselves away immediately. But, no, even today, I think that 90% of the work that I see come across my desk, it’s all just prime vector is going to be social engineering, phishing, talking to someone, getting the access to be given.
ippsec: Yeah, I think exploit dev was, like, it’s pretty much just nation state. And then the companies that do it, like, IBM, X-Force Red, like, they just do it for publicity reasons. Then, like, IBM’s X-Force team is freaking amazing. But everyone I talk to, like, we don’t throw these exploits on our engagements. This is really just, like, our hobby. We enjoy doing this. And then IBM reuses it to get publicity because when customers see we’re capable of this, they come to us. But just because we’re capable doesn’t mean we need to throw that exploit because nine times out of ten, we can get in with a weak password, reading your documentation, things like that. And a lot of that, like, type of publicity has kind of shifted away from, like, what we’re most capable of to, like, AI, which a lot of teams, like, they’re doing, like, expo, like, we’re really good at this automated AI thing. But those teams aren’t really throwing automated AI at their customers because of liability reasons. So, like, I just think exploit dev, unless you’re a nation state, isn’t a big high demand thing. And social engineering is becoming even more important in the day of AI because of how quickly companies are moving. They’re just making a lot of just basic mistakes because they’re moving too quickly. And you don’t have to get to the exploit dev level still in order to find vulnerabilities.
FalconSpy: As someone who is near their mid-40s, is a career switch to cybersecurity still reasonable? They are currently going through the CPTS and then planning to do the AI red teaming after that. Their background is mainly operations management with software development on the side to complement it.
g0blin: I mean, I’ve heard some testimonies of people going through exactly that kind of path that you’re going through now, even as close to the backgrounds you’ve mentioned going through CPTS and then getting into the field. And it’s very, it depends, of course, on your locality, job demand, that kind of thing. Short answer, I would say yes, with a big butt.
ippsec: Yeah, I just linked something in chat. If you’re listening, like, Google Hack the Box Chuck, C-H-U-C-K. There’ll be an interview, like, from Marine Jarhead to Hacker that’s very similar to this. Like, I see people pivoting into security in their 30s, 40s, 50s, all the time. And a lot of people that pivot, they go from absolutely zero tech experience and they’re successful. And you coming from a tech background, like, you even have more chances. So I would not worry.
0xRy4n: Yeah, we used to have a guy here at the company who was in his late 30s, mid to late 30s, who was a bartender. That was his primary job, was he was a bartender. He made drinks. And then he took a boot camp for pen testing. He got hired here in success and then studied some more. And then he left and went to another company. And now he is a pen tester at a company that I shall not name, but is very, very, very large company that does very, very, very serious pen tests. He is living his best life. So, yeah, it’s never too late. But certainly, you can transition much later than that.
Tjnull: I think anyone can really get into cyber at any point, any time. I knew a guy who started out as a dentist and was working in a dentist office for 30 years, right?
FalconSpy: I was just about to say that story.
Tjnull: So Falcon and I knew him and he went out, started getting more technical on things. We work on the PowerShell Empire project and then got into pen testing as well, too. After that, got a few certifications and now he’s a full time pen tester living out in the UK. So as long as you put the time and effort into it, make it happen. It’ll be very rewarding in the end.
Jexx: And XSS doctor is literally a cardiologist. Crazy. You do come from anywhere to just like doing this. And it’s awesome.
0xRy4n: This is an industry that rewards critical thinking over anything else, isn’t it? So as long as you can see a problem and figure out a way to solve it, then maybe you can be a pen tester. Because that’s a factory, what pen testing is, or exploiting, or whatever it might be. It’s just that if you can do that, there’s no reason why not have a go.
ippsec: There’s so many skills that just translate into security. I know a lot of people are joking like, oh, so be a bartender, then I can join Hack the Box and learn security. Like the bartending skill actually did help him a lot. Because what that taught was like socialization and talking to people. And he could sweet talk absolutely anyone. So that’s kind of why he joined Success. It’s customer success. So that’s the department that talks to clients and makes sure they’re having a good time on Hack the Box. So he just talked to the clients, smoothed them up, find out what their problems were, try to help them. Oh, they’re having a problem with this module. He’s going to play this module, find the problem. I kind of understand it. Give it to the back-end people. Improve the module. He used that socialization skill as a way to motivate to keep learning and learn the pen testing thing. And now he knows the tech. And he’s probably a darn good social engineer just because he’s such a good people talker.
FalconSpy: Next question here is one of our upvoted questions. So how can an individual maximize their productivity and avoid overlapping work when leading a small three-person red team?
ippsec: I don’t think we have enough information to answer that question.
Tjnull: Yeah, I’m trying to find that question.
FalconSpy: I mean, it’s very far back in the queue that, like I said, first in, first out.
McKernal: I’ve run small cell operations before. And kind of the way that we would do that was, well, we did want a certain degree of overlap because you want to have something called two-person integrity in certain situations. Meaning that you just want someone checking what you’re doing and making sure that things are going, you know, as planned. Or if anything does happen, you have someone else to kind of, like, troubleshoot, problem solve, just bounce ideas off of. The thing that I think is the most important in red teamwork is the stopping and collaborating, especially when you don’t know what to do. Because when you can reframe problems through other people’s kind of perspective, you’re usually able to get the best possible action or decision or execution step that there is there. If you do have, like, a thin operation, you can basically, like, you can have a reconnaissance open source intelligence role and just have someone cover down on that. But, again, they’re going to want help. They’re going to want input. You can have someone that runs just, like, operational and administrative tasks. So that’s making sure that the infrastructure is performing. If anything, it’s got to get updated mid-flight. Like, something that I like to use is Mythic. I like that it’s Dockerized. Someone that kind of stands back and is the operational playbook caller, making sure that they’re talking to the customer or whatever defensive element. But you have, like, one communicator, one person managing the active operation, one person that’s out there looking for just more opportunities, different targets, different vectors to get in. That is not prescriptive. That is just the way that I’ve done it with three people. If you have more than three people, great. If you have less than three people, it still works. It’s just making sure that you’re organizing tasks and not getting ahead of yourself. Like, you don’t want to go down an unplanned route with at least having group visibility on it. Because if that unplanned route turns into the hot vector, then everyone’s going to have to get spun up on what’s going on, and you’re going to be executing on those lines.
Jexx: Sorry, I just saw that Adobe just updated their bounty tables for AI-related products, and they are putting lots of money into that.
FalconSpy: Just a little bit of timekeeping. We have a little over 15 minutes left. We’ll try to get through as many questions as we can within the remaining time. This next question is an upvoted question. Have any of you accidentally done something Black Hat-related on a pentest or operation?
21y4d: It must be someone from the FBI trying to get us into trouble.
g0blin: Yeah, I mean, to find that, what do you mean? Going off of scope by mistake? Doing something Black Hat, it’s not something you do on a pentest, right? That suggests something malicious.
Jexx: Is our FBI agent in the room with us? Is our Fed in the room?
FalconSpy: About the Fed. TJ has a fun story about getting detained. Detained? Oh.
Tjnull: Yeah. That’s a story that’s already on the Cube Talks, so I won’t share that. I do have some other stories for things I’ve done, but I’ll let it go. It’s had something.
ippsec: Yeah, Black Hat indicates there has to be malicious intent, and that’s never happened. Has there been times when a company says something is authorized and they have a subdomain that’s in their domain, but they’ve really hit and redirected to a software-as-a-service company, and you start accidentally attacking that company? That definitely happens from time to time, but I don’t think that’s really Black Hat. That’s just like, you were told by this company to hack things. They kind of didn’t tell you they didn’t have full ownership over that, and nothing really bad happens in that case. I even think the U.S. infamous cyber law has been updated to account for things like that. That’s also like the whole thing around coal-fired security years ago where someone got arrested or two people got arrested for breaking into a federal building because they want to floor that technically they weren’t supposed to, but technically their scope of engagement said they were allowed to go up there, but it’s owned by two people. Weird things happen. So I don’t think anyone’s intentionally done something bad, but there’s definitely times where the scope is not accurate and you accidentally go off scope. That’s where keeping a record of what you do is very, very important. If you have absolutely zero notes and you go off scope and get in trouble, it becomes very tough to explain you’re in the right. So take good notes.
Tjnull: For most pen tests, we usually establish a rules of engagement with the client or a program in regards of what we’re going to do. So if anything, we go out of scope, like Ips says, we get in trouble for it. It’s not going to look good. There’s times where I’ve disabled and I’ve locked out user accounts by accident. I have one funny story I could share where I didn’t know this was supposed to be out of scope, but we had access to a system in one of the environments we were in. And we were trying to figure out how can we escalate our privileges going up from that. And so what we did was we modified the SSH deconfiguration to go ahead and prompt another SSH prompt that would show up. So think of it like this, right? When you SSH in a system, you would SSH user, and then you’d go ahead and put the IP address, and it would say enter password. Well, when the user would enter the password, the next prompt shows up. If you failed it, it would show enter password. We found a way to fake that and actually show the enter the password prompt. And so what it was was a web request that would go out, call back to our system, and we could see the password for the user they typed in a clear text for us to use.
ippsec: Was that using my PAM module?
Tjnull: You have something like that in your PAM module. I know that. We did something like that for CCDC as well two years ago. But that was something I did on an environment for fun, and the client was not happy with that.
ippsec: And this is also one of the reasons why I always show like Chisel over something like Ligaloo, because whenever I get on a network, I’m very specific about my forwards. I really hate just uploading something that’s going to do all that auto-routing for me, because who knows what’s going to happen. I have so many stories of people like uploading Ligaloo, proxying their internet traffic through a corporate environment, and then getting blocked by the web filter because they went to a malicious website to download a module, and that’s how they get caught. So I’m always very, very specific. If a client says, you can talk to these IPs, my VM where I hack that company, I have an IP tables rule that only allows my box to talk to those IPs. And then I have a different VM for research. I try to stay within the scope as much as I can.
idna: I once ended up on a shell on a supplier’s web server as a blue teamer, following through a malware alert that took me into sort of investigating the Chrome cache, and there was something strange in the Chrome cache. So I checked that out, and then I realized, hang on, this is a PHP web shell, and I’m on their server. So not technically allowed to be there, but it was benign in nature. Well, my activity there was benign in nature, but they had been popped.
ippsec: Yeah, and again, take notes, because two months down the line, FBI investigates that. They see Andy’s IP hitting that web shell. Now they’re going to come to him. They’re like, I don’t know what I did. Hopefully he has notes. So he’ll be like, yeah, it was part of this investigation. This is where it landed on our computer. This is why I accessed it, because it’s in this history of this Chrome thing. So if you don’t have notes and don’t log your activities, bad things can happen.
FalconSpy: We’ll go ahead and move on here. This individual is having trouble, I guess, not falling into the rabbit holes and finding the correct attack path when working on the machines. Based on all the evidence that they have from their enumeration phase, they see some people just have the intuition to find the right path out of the gate, and it’s a bit discouraging to them. So what can they do to help build their solving skills to not fall down rabbit holes? Should they do more? Can they do more retired boxes with guided mode to help with that? An example would be Cypher Injection was in one of the recent insane retired boxes.
ippsec: I think always have recon running in the background. And the easiest way to get out of rabbit holes is when you’re exploiting things. Think of three different paths and failure cases in each path. And then when you’re completely out of ideas of paths to take, then look at your recon, see if anything pops up. Most rabbit holes are only rabbit holes because you don’t understand what the program is doing. There are a lot of times when you’re like, oh, I don’t know of any feasible way I can exploit this one thing, so let me move on.
0xRy4n: I think you need to think of it when who it is that you’re watching go immediately to the solution as well. Because if you’re taking that from a video or something like that, the chances are they haven’t just gone straight to that. That’s just the bit they’ve recorded.
idna: So yeah, you need to take some context there around what is actually being shown.
FalconSpy: Next one is for you, Ipsec. They’ve heard in previous Kube Talks that you like to use AI in full send YOLO mode. What are you doing?
ippsec: Questions like, what am I not doing? A lot of time when I go in YOLO mode, I have a skill set up to talk to Proxmox. Proxmox clones it, copies my .auth files from Claude into that VM so it can auth automatically, and then just runs it in YOLO. What is it doing? Maybe some type of research, maybe updating a script I have. Like, it runs in YOLO, but every time it runs in YOLO, it’s in its own VM. So if it does a rm-rf slash, I’m not too upset. So I have some type of weird sandboxing thing. I have, like, horrible, like, distractions. So, like, if I run it without YOLO mode, it’ll prompt me for a question. I’ll find it prompting me for a question, like, 30 minutes after it did. Then I answer it, move on. And then, like, it prompts for a question another minute. And it takes me 45 minutes to get back to that darn window. I’m like, oh, man, why’d you ask another question?
0xRy4n: So not only full YOLO mode, full YOLO mode with a loop set up that just continuously tells it to just continue and keep going every five minutes.
ippsec: You don’t have to do that anymore with goals.
FalconSpy: Goals is a new thing.
0xRy4n: I’m behind the time. I still have, like, Ralph loops set up.
ippsec: So, like, when I’m doing programming with it and I try to have it one-shot programming, what I end up doing is telling AI to write a unit test for the functionality I want and give it, like, three or four ways to fail. And then give it a goal, essentially, to say, hey, make sure this unit test pass. And then it goes and writes the function for me that satisfies the unit test. I’ve had most success doing it that way.
FalconSpy: All right.
ippsec: Which is a weird way to think about it.
FalconSpy: If only I was able to run things in YOLO mode, I have access to some of these models that I shouldn’t be running in full YOLO mode, and I have to babysit this thing and hit yes a million times. As much as I would love to YOLO mode, it’s touching production servers.
ippsec: Why don’t you just create, like, a whitelist and then give star to the whitelist so it can still do everything? Technically, it’s not YOLO mode, but…
0xRy4n: Or just have a second instance of it running that evaluates what the first instance wants to do and then makes the decision for you about whether or not it’s to hit yes or no.
FalconSpy: No. So I’m going to let AI make the decision.
0xRy4n: And then you state a panel of judges’ multi-vote approach to have them vote on whether or not it should say yes.
FalconSpy: All right. Well, I’ll run it. I’ll let Gemini and DeepSeek and all the other ones evaluate and move on.
ippsec: It’s a democracy. If four of the five frontier models accept it, it runs. Yeah.
FalconSpy: All right. We’ll move on. It’s pretty niche, so this user doesn’t know if we’ll have the answer, but how would you get started in space security? I’m guessing they’re referring to satellites, all the free courses and resources they found along the lines where what are space systems and why do they need to be secured?
ippsec: If only we had someone that did satellite hacking on this Cube Chat.
FalconSpy: Yeah. If only someone who does hack the sat can speak up.
Tjnull: So if you want to get into space or satellite hacking, look into the SpaceWire protocol. There’s a lot of documentation that talks about how that works. You can then look into the different devices and infrastructure that’s used for them. There is a couple new books that just came out on NoStarchPress. I think 0xAndy is one of the guys that just released one on satellite hacking that I think is really good. I’ll see if I can find that book. But he covers a lot of good stuff about how to interact with ground stations, play with the software that’s built for them. But that’s really it. I mean, mostly just when it comes to satellite hacking, there’s just a whole other different level of knowledge and things that you will learn. Kind of like reverse engineering and exploitation. There’s a whole other different category and aspect of things to learn, but they don’t coexist with each other, if that makes sense.
ippsec: Yeah, at the end of the day, satellites are computers. But in order to interact with the satellite, there’s not a lot of programs documentation around that. So you just have to get really good at protocol analysis.
idna: It’s very old. 100% very old. And they don’t change too often. It’s very hard to update a satellite.
FalconSpy: All right. A little under five minutes left. Try to get through as many of the remaining questions as we can. How can a level one SOC analyst use AI to upgrade themselves?
idna: I think if you’re, it kind of depends on your availability to tools and what you’ve got in front of you as an L1, because I’m aware that L1s don’t always have access to everything. But let’s just assume, I would say a lot of the tools that would be based in a SOC right now will have a lot of AI features built into them. So to start with, use what’s in front of you. Make sure you know how to use that and take the best advantage of everything that might be there in front of you and already enabled. Additionally, if you’ve got access to do things such as pull logs from hosts or get packet captures and stuff like that, you could start to build up a repository of good prompts that will help you to, or prompts or gems or automations or whatever they might be, to extract key information from those logs, whether you’re doing some proactive threat hunting or responding to an incident, something like that. So if you can start to build up some chops in doing that kind of thing, in addition to the alert that’s in front of you as the L1, that will take you far, I think.
ippsec: Yeah, AI is really good at understanding your machine. Like if you use Tmux and you tell AI to go read a Tmux pane, it actually can do that. So I think the key thing is, if you’re trying to learn, create a skill, hook, whatever model you’re in, or harness you’re in. Create a hook so all your prompts say, don’t give me the answer, ask me questions. And then you can start doing challenges. And then when you go to AI, you can say, read this pane, what am I missing? And then it will go because you have a hook set up saying, don’t tell you the answer. It’ll ask you questions that you can go down and then learn it naturally. I think like if you have an easy button where it just tells you the answer, it’s too easy to hit that. And also you’re not really retaining information if you don’t go and do some research yourself. Like if you’re following a write-up and you just copy and paste something off that blog, chances are you won’t remember that command. If you try to type that command and make five different typos, you’re definitely going to remember that command the next day because you were pretty frustrated with it. So that’s my take.
0xRy4n: Proct idea. Physical easy button that just takes a screenshot of your screen and then sends it to AI. That would be my next thing. I have that on my stream deck.
FalconSpy: Wait, hold on.
0xRy4n: No, but I want the actual physical big easy button.
FalconSpy: Hold on. Did I? I wasn’t sure if I heard that right. You want to just let AI, like it’ll take a screenshot and just send it to AI?
0xRy4n: Yeah.
FalconSpy: Just go install Windows 11.
0xRy4n: You’re looking at logs? Easy button. And it just tells you like, oh, this is blah, blah, blah, blah, blah. Great. 10 out of 10 idea. I’m going to make so much money off of this, guys.
g0blin: Invest now. This is something along that line that was, you know, quick proof of concept. Can I do this? When they released some audio processing and visual processing features, ages gone GPT, with the thought of, okay, what if a blind person wants to know what’s going on on a website? Sure, there are tools out there that enable blind people to operate and use websites if they use the right tags. But, yeah, it’s a fun use case to try out those new features.
FalconSpy: I think we have time for one last question. It’ll be a very quick question. And up to Zayad if he wants to answer it. Can we use AI to do the AI cert?
21y4d: Can you use AI? I mean, you have to use AI. If you don’t use AI, how will you be able to pass the exam? But if you mean use AI-assisted security to be able to pass the exam, then, yeah, by all means, there are no restrictions. In all of our certifications, we do them in a way where it would be similar to a real engagement. And in a real engagement, it depends on the company, but you may be able to use at least local AI with privacy to do that. So go ahead.
ippsec: So I could just have Claude read the Academy module and then, like, set up the local model itself and, like, feed Claude.
21y4d: I’m not sure you will be able to pass the exam, but you are free to try.
FalconSpy: Someone out there is, like, challenge accepted.
0xRy4n: As long as you don’t violate our Terms of Service. Read our Terms of Service. If you don’t violate that, then you should.
ippsec: Everyone reads the Terms of Service, right? Everybody. Everybody reads. Yeah.
FalconSpy: All right. Thank you, everyone, for joining us for this week’s Cube Talk. We hold a Cube Talk every week unless stated otherwise in the announcements area channel. You can take a look at the top of Discord. You can see all the events that are happening here on Discord or anywhere else. These are hosted at the same time every week. You can hit the interested button. You’ll see an alert whenever these go live. We do have a CTF going on right now, Project Nightfall. It’s for one of our global CTFs, so feel free to join. The link to join that is on the Discord event there. This will be posted. The recording will be posted at a later time for this episode of Cube Talks, and we hope to see you next week.
g0blin: Thanks very much, everyone. Thanks, everyone. See you, everybody.