Cube Talks: May 29th, 2026

Disclaimer: This transcript was generated with AI assistance and has been manually reviewed and edited. Despite best efforts, some inaccuracies may remain — please use your best judgement when referencing specific statements.


TL;DR / TL;DL: Panelists discuss cybersecurity topics, Hack the Box resources, malware dev, AI tools, career advice, resume gaps, and cloud engineering.

Listen on Spotify: Cube Talks – May 29th, 2026


FalconSpy: Hey, everyone. Welcome to this week’s Cube Talk. I’m your host, FalconSpy. This is your opportunity to ask our panel of staff and volunteers any questions you might have about any of the services we offer here at Hack the Box and any infosec questions you may have in general. We’ll do the best we can to answer as many of those questions as we can within the next hour. You can use the forward slash Cube Talk command to ask your question to our panel. You can use that same command to also upvote questions. Questions are first in, first out. We’ll introduce everyone here on the panel so if you have any targeted questions towards any of them, you can do that. And then I’ll be a broken record again and we’ll go to the questions. So we’ll start with Chad B.

ChadB: I’m Chad B. Noob. I’m a red teamer, a new red teamer, formerly a pen tester and a SOC analyst. I’m glad to be here. Thank you.

FalconSpy: And we got control zero.

control zero: Yep. Control zero. Content engineer for Hack the Box. Hater of AI.

FalconSpy: We got idna.

idna: Hello. I’m idna and I look after the defensive content engineering.

FalconSpy: And we have Ryan.

0xRy4n: I’m Ryan. I’m the head of technical operations, lover of AI.

FalconSpy: We got Zeyad.

21y4d: Hey everyone. I’m Zeyad. I’m from the Academy team. I’m the head of training development and I’m responsible for Academy modules, paths, exams and certifications.

FalconSpy: And FalconSpy, the host and one of the community specialists here, also a full time red teamer at Oracle. So here’s the broken record part. You can use the forward slash cube talk command to ask your question to our panel. Same thing with that command — you can also use it to upvote questions. Questions are first in, first out, unless they’re upvoted where they then take priority. So without further ado, we’ll go straight to our questions here and we’re starting off with an upvoted one. I guess this one’s for me. People have heard I have access to mythos. What do you think of it? Is it all marketing hype or truly a good AI? I do have access to mythos. The NDA is finally removed so I can talk about it. But it is some marketing hype, but it is actually good at what it does depending on what you task it to do. Depending on if you want it to actually go and exploit a system, depending on the exact ask, it will tell you it won’t do it regardless of whether you’ve provided the model or the AI enough proof that you were authorized to do it. So the guardrails for it, for touching actual production hosts, are extremely strict. It takes a lot of litigating — you basically have to become a lawyer to make it do the thing you want it to do if you want it to touch a production host. That being said, you should definitely never run mythos in YOLO mode. So definitely when I use mythos, you have to treat it like a junior red teamer. You are basically babysitting the AI model. You’re saying yes or no on what it can and can’t do. But it’s really good at writing exploits. It can definitely do exploitation. It’ll definitely find the vulnerabilities. So the hype I think is definitely warranted. All right. The next question here is upvoted as well. What is the best machine to do before doing the CPTS to practice for the exam?

21y4d: Um, there’s a path that covers what needs to be done, which is the CPTS track — sorry, a track, not a path. Yeah. So we recommend doing this one.

FalconSpy: I’ll jump right into it. What is it, attacking enterprise networks? Cause I can see them thinking that. Yeah. That was a good warmup. All right. I guess we’ll move on. And today is hair Friday. All right. Next question here. Any advice for starting out with malware development? Don’t we have some Academy courses that touch on that? No, we have some binary exploitation. Well, Zeyad has disappeared at the critical moment. Yeah. It’s your chance to shine. If memory serves, I think we do have a couple of malware development modules. And I think if I remember right, they’re going over using Ghidra and other things.

0xRy4n: Hold on. I can find out. We have SmartFox in the chat. SmartFox, you’re in support. You should know everything about every question possibly asked ever.

FalconSpy: Uh, do we have Maldev content?

ChadB: Yeah. There’s a buffer overflow course in Academy, which I guess falls in line with malware development, cause you’d have to write an exploit for it.

idna: Yeah. The Ghidra module — I’ve looked at it and it’s more like malware analysis kind of thing, but that’s a different thing from development.

FalconSpy: I’ve asked the AI. I’ll see what the AI says when he finally responds to me. When in doubt, ask AI. Hey, Zeyad’s back. Zeyad, I don’t know if you’ve heard the question or not. If not, I can repeat it.

21y4d: Um, yeah, no idea. Here’s.

FalconSpy: Okay. Do we have any advice for starting out with malware development? And I think Cody said we might have some modules in Academy, but then I started saying stuff that I think we did too, but you can definitely correct us if we’re wrong.

21y4d: Yeah, we don’t have any content on maldev yet. We do have the blue side of it — digital forensics and detection engineering — but not actually developing malware. Binary exploitation — we have some basic stuff, but yeah, malware development and binary exploitation isn’t an area we have largely explored yet at Academy.

FalconSpy: All right. Don’t listen to me. I was spreading false information by saying we had some stuff about Ghidra and stuff on there.

21y4d: I think we do cover Ghidra, but from the defensive side, not actually offensive.

FalconSpy: Right. Okay. Partially don’t listen to me. All right. Next question here is an upvoted one. Next week, this individual is attending a screening for a cyber Academy with an analyst program. Do you guys believe that’s enough to break into the SOC analyst field? Is there anything usually needed in terms of joining? Do they need more? They’re nervous and curious about what it could be like to work actually in a SOC. And the Academy will be using Hack the Box as its main source.

idna: I would imagine if that is designed as a showcase of how to enter that kind of industry, yes, it will definitely help you out there. Also, if these are entry level SOC roles, generally they are designed like that — they are entry level and you will get there. And basically you will have a formulated process to follow. So there’s a lot of guardrails in place that will keep you on track there and get you in the door much more quickly. That’s assuming it’s that kind of environment. But yeah, I would probably say that would give you enough experience to get in there and to not be so nervous about it — attend it and enjoy.

0xRy4n: I’ll say, when people ask us what does it take to break into X industry, we tend to talk about the things you need in order to be ready to get into the industry. I’ll give you a little bit of a cheekier answer, which is that if you want to break into the SOC industry, the thing that you need is a job as a SOC analyst. So the question you should be asking yourself is, what are the placement rates for jobs for people that complete this program? I would straight up ask them — if they keep track — what is the placement rate for people who complete this program within six months? What does the outcome look like? Do the majority of people end up with a job in industry within six months of completing the program? If the answer is some high percentage greater than 50%, maybe that’s worth doing. If it’s basically a coin flip, I might say maybe find a program that has better placement rates or at least publishes placement rates.

FalconSpy: Take the silence as no one else. Oh, go ahead.

0xRy4n: That’s assuming this is like a proper academic institution that does this. Like most proper academic institutions will publish placement rates.

FalconSpy: Like private companies, not so much. We’ll move on. How would you explain a long resume gap if you used the time to build cybersecurity skills by solving Hack the Box challenges, machines, taking courses and so on and so forth?

idna: I would describe it in that kind of way — it wasn’t time wasted. You can showcase what you have learned in the meantime, what you could do now that you couldn’t do before that gap. Try and show the value in it rather than just focusing on the gap itself. In fact, just because you weren’t necessarily employed doesn’t mean you weren’t doing anything, and that’s still valuable time.

FalconSpy: Yeah. I don’t have anything to add to that.

ChadB: I would say the same thing. If there’s a large employment gap, build a lab while you’re looking for a job. Being able to show a certification or a provable thing you were doing with that time is always great. Of course, go to conferences. But basically show that you were not just sleeping during that gap — show that you were actively doing something. But I feel like I’m repeating what Idna said, so that’s all.

FalconSpy: All right. Well, we’ll move on then. Sorry — I had to load the next question here, it wasn’t loading. I think we answered this last week, but we’ll do it again. So every box seems to have a web service running and you have to visit it in Firefox or whatever, but it doesn’t load even if I’m connected. That’s not really a question. Uh, nevermind.

0xRy4n: Wait, can I take a guess? Can I take a guess? They’re saying that they’re connected to the VPN and the boxes don’t load on the web service no matter what.

FalconSpy: Yeah. And they added it to /etc/hosts. Yeah. They’re talking about Reactor.

0xRy4n: Cause yeah, the default thing is you just always have to add to /etc/hosts, right? This is not a spoiler for any box — just assume always that you have to add to /etc/hosts. If it has a web service, make the assumption. You ask, why do you have to do that? Why is it not done automatically? And I answer: reasons that are technical and difficult.

FalconSpy: Explain. Cause it’s not resolved publicly by DNS. Well, yes. We could host our own DNS — I’m kidding. All right. I mean, we could, but that’d be a pain.

0xRy4n: That gets into the reasons which are technical and hard to explain.

FalconSpy: Right. Although I think they were kind of asking about a specific box. Cause I know Reactor had people saying they’re having issues getting to it, but Reactor’s an active machine. I don’t think we can — if you need help troubleshooting like at least connecting — reach out to support.

ChadB: Try different browsers too. Specifically, I bring this up because the CTF box that I made for Biz CTF — Firefox had a serious issue loading an internal app that Chrome variants did not. And it had something to do with the way that Firefox handles multipart form uploads and content disposition and whatnot.

FalconSpy: Moving on. All right. Next one here is an upvoted one. Do you find the amount of information you need to hold in your head overwhelming? And how do you go about taking notes? Yes. And Obsidian.

ChadB: That is far too much for at least me to retain. Um, that probably says more about me than anything, but I normally use Obsidian. I’m forcing myself to learn a different platform at work right now, which I’m kind of struggling with a little bit. But yes, there’s far too much information to just simply remember and recall when you’re actively testing across different platforms. How to take notes — pick a note-taking platform: Obsidian, CherryTree, OneNote, whatever have you, Notepad — and just get good with that and stop arguing about it. I think my issue is note organization. Like I have so many notes scattered across so many different things that I know I’ve seen something before, I just can’t find it. And even like Obsidian has a great search utility, but even then it might be in a different vault or on a different machine. I need to figure out how to just aggregate all of my notes into one central spot and make it searchable in a way that makes sense.

0xRy4n: Do a vector DB. Do a vector DB with some semantic search. Do it. Just bite the bullet and do it.

idna: I have that same problem. My notes are a combination of walkthroughs of a particular challenge where I’ve just noted down how I’ve solved it, or I have to do a particular attack type or whatever it might be. So it’s a combination of styles of taking notes and I never know where I’m looking for what when it comes to trying to find that nugget of information I know I’ve used before but can’t find.

0xRy4n: Just self-host something like onyx.app and then point it at your Obsidian vault and just call it a day. It’ll be great.

FalconSpy: Okay. What is that? That is like a Notebook LM alternative. If you go to that website, you will immediately recognize it as having seen it before. Yeah. I’ll have to listen later and pull it up. All right. Anyone else? So there was, we’ll move on. All right. This one’s enough of a question. This individual is 18 years old, a cybersecurity student. They don’t have too much of a background in the field but they’re looking to obviously upskill. They’re not that great with coding. And they’re also new to Discord here. Any advice that we can give them in order to upskill and get further into the field and anything they should focus on learning.

ChadB: I’ve said this a number of times, but if you’re just trying to break into the industry in general from an absolute baseline, learn more than just security — learn systems, learn networking, learn basic coding. Security will just fall in line. It just becomes part of it. But if you have those fundamentals it helps you be a better pen tester, red teamer, or whatever you want to call it, because now you know how things are built and how they’re supposed to work. I’ve often argued that every red teamer should be able to pass a SOC analyst tier one technical interview. I recall one situation recently when I was looking for this job where I was straight up asked pretty detailed Linux admin questions, and I’ll say that at about that point I was no longer in consideration. Absolutely, be able to do more than one thing for sure. Specifically Linux admin, maybe also Windows admin. All of these things will help you in the long run. Once getting into a position, these things only help overall for sure.

FalconSpy: All right, Idna. This one’s for you. When it comes to defending servers or services within someone’s infrastructure, how can they do it against AI attacks?

idna: Well, I mean, largely the same way you would defend against human attacks. The attacks aren’t necessarily different — they might just be happening more rapidly. I would probably say I haven’t actually been in that situation myself since AI has really taken off in the last 12 months. But I would highly imagine that AI attacks are a lot more noisy than a sophisticated human attack, which may well be trying to stay under the radar. AI would likely be triggering all sorts of alarms and things like that. So if you’ve got good monitoring in place, I would heavily rely on that. And some of the guys here doing AI-based red teaming might correct me on that, but that’s my assumption.

0xRy4n: There are also things you can do to confuse AI — even really, really good models. There are things you can do to send them basically into loops where they just burn tokens infinitely. Like, just place random instructions in random places that no human would ever bother to read or follow, but an AI will see it and then infer something from it. You can do some experimentation on your own, but you can send an AI kind of into a loop in an attempt to literally just get it to burn tokens as it tries to attack you. So prompt injection and honeypot-style misdirection sounds so stupid, but this is where we’re at. And it’s actually not as stupid as it sounds.

FalconSpy: I can say, from the mythos side — seeing what it does when it gets caught by something like CrowdStrike if it’s doing some stuff — mythos, at least when it attempts to do certain things, adds comments and things to what it’s doing when it’s actually attacking the system. Obviously there are things you can change to make it harder, but by default, at least right now, mythos says, hey, FalconSpy is performing a cross-site scripting injection or whatever. Like obviously it adds the comment of who’s doing what and why they’re authorized to do it, at least in this perspective of what we’re doing for red teaming. But that’s not really helpful if you’re trying to be covert. But for now, you could definitely put in some things and look for different comments that mythos puts in there. The cyber model from OpenAI — I don’t know specifics of what their models inject when they do things as I haven’t looked too far into it yet.

0xRy4n: As far as I know, I don’t think it injects comments or anything. All the cyber trust program changes is that it won’t flag you when you attempt to use it for exploits. But I don’t think it does the comment injection thing.

FalconSpy: I guess I haven’t looked at it. I mean, I have access to it, but it hasn’t been one of the things I’ve looked too heavily into yet. All right. We speak about many different modules that contain AV stopping attacks, such as memory dumping on Windows. What modules do we have that cover antivirus evasion?

21y4d: As of now, we only have, I think, a couple — one of which is in CAPE. I don’t have the exact name, but we do have one in CAPE. And I think we have another as well. I can’t remember the exact names, but I remember we did create one for evasion toward the far end of CAPE.

0xRy4n: Not category modules, but some of the pro labs also feature some light AV evasion — I’m not sure how topical they are now, but there are some which do have AV evasion as part of the process. Why did I say AI evasion? I don’t know why I just said that. You can tell where my brain is. AV evasion — you guys knew what I meant.

FalconSpy: Today is an AI day, apparently. So anyone else? Let’s move on. All right. This person’s a cybersecurity student in their third year at college. They are currently taking cloud engineering as one of their internships. And so far they don’t think they’ve seen a relation so far between cybersecurity and cloud engineering. What’s your take on this? If you’re going through a cloud engineering internship, I would imagine you’ve done some type of cloud-based course at college. I graduated almost 14-15 years ago now, so I don’t know if those are covered. I would imagine they have you at least interacting with one of the various cloud providers out there, whether it be OCI, Google, Azure, AWS. They all have and require security. Pretty much every single one of these cloud providers has identity access management, or IAM for short. If you pop IAM, you’re going to get a lot of access to whatever you want. That’s pretty much the first gate right there — the part that helps you authenticate and authorize what you can and can’t get access to once you’re authenticated. So if you pop IAM and get access there, you can pretty much do whatever you want. So to say maybe you haven’t come across a particular instance yet where you can see the relation of cybersecurity with cloud engineering, but they’re very heavily hand in hand.

0xRy4n: This is especially true because basically if you’re a person who does cloud testing, your skillset is literally that you’re just a cloud engineer who also knows how to pen test. The two things don’t really interact until they do — and then they fully overlap. So like if you want to pen test AWS, the skillset there is just be an AWS engineer and then also be a pen tester.

FalconSpy: And like once you have both, then you can see how they overlap.

idna: I’d say yeah, as Falcon was saying, the cloud is much more about identity than sort of more on-prem based engineering and security, but there’s still a lot of more typical engineering-focused security components to cloud as well. So on the actual devices themselves, there’s still things like firewalls and network traffic, gateway control and things like that. Those things will still happen. It just kind of depends maybe what area of the engineering you’re doing where you’re not necessarily seeing those more traditional security elements as well.

ChadB: Yeah. The Hailstorm AWS lab that we offer actually has a really good example of taking an existing set of IAM keys, or even an EC2 role, and figuring out what those have access to and then laterally moving to other services based on that. So if you have like read access to one service, you can enumerate the sub-permissions of that particular service that you can possibly abuse and lead into something like Lambda function abuse or creating a new user, et cetera. I can’t tell you how many pen tests that I’ve had success on just because the AWS SSM role was attached to an EC2 instance, which basically gives you system level rights to that box.

FalconSpy: Oh, were you responding to the — do you speak French? Yes. Okay. Ryan speaks French. All right. We’ve surprisingly lasted 30 minutes before we had to drop this disclaimer. So here it is. We typically don’t discuss things that we’re working on, module wise, content wise, Academy wise, so we don’t give any information to our competitors. We also don’t try to give deadlines — that way if we miss it, people aren’t unhappy with us. So we typically don’t do that. That being said, I’ll ask the question anyway, and it’s up to Zeyad — or whoever it’s targeted at — if he wants to answer it or we just fall back to the disclaimer. So what is the next focus of Hack the Box? What are some topics related to modules that will come in the future?

21y4d: Yeah. Like you said, we cannot confirm or deny anything. You can take a look at recently released modules and you would get an idea of where we are heading. Usually we wait until all modules in a path are released before releasing the entire path and then following up with a certification. So you can get an idea like this, but yeah, we cannot confirm or deny what stuff we are working on.

FalconSpy: All right. I’ve got a question. Is mythos becoming public? Yes, it should be becoming public. I think they’re giving a version of mythos — I shouldn’t say dumbed down — it’ll have more guardrails than what all of the Project Stargate companies had access to. But it is supposed to become public soon. When? I don’t know because I don’t work at Anthropic, but I’m pretty sure it is becoming public. All right. Next question is also upvoted. What’s the best way to learn Android or iOS pen testing? What’s the best resource for it? Why is there no solid path or such on Academy, and should we expect it on the Academy platform?

21y4d: We do have the Android pen testing path. So there is one. And for iOS, pen testing is very difficult because Apple does not allow it or makes it extremely difficult. And you can get into legal trouble if you do it without their consent. And then again, pen testing apps on iOS is kind of pointless to a point. You can get some kind of stuff, but then it would fall to web pen testing. But in Android, you can actually achieve some meaningful stuff. If you are talking about binary exploitation like attacking the iOS OS or Android itself, then that’s a different thing. But for actual app testing, yeah, like I said, we do have the Android application pen testing skill path.

0xRy4n: Go Google the number of companies who are legally authorized to fully emulate and virtualize iPhones and iOS. Go look at the number and that should tell you why it’s hard.

FalconSpy: It is a single digit number — a low single digit number. If you do want to emulate a Mac, there was a project — well, I think Apple had the author pull this down and I think it got put back, so I think they were technically allowed to do it now. It’s Docker Mac OS X. I think that’s the repository on GitHub. Basically it will spin up a Docker container with a bunch of extra stuff underneath it that lets you actually run OS X and you can VNC in or remote in or whatever. It’s still a thing. Sick Codes is the author. It’s got 52,000 stars. It’s docker-osx. I’m just posting this in the chat for anyone else who is listening or recording later. Sick Codes is the author. Yeah. Not iOS or iPhone mobile, but at least you can run a Mac without doing a Hackintosh. All right. Next question is also upvoted here. What are the biggest mistakes you see beginners make in cybersecurity? Thinking it has to make sense right away and then getting discouraged when it doesn’t make sense, instead of just accepting that it won’t make sense for a while and you just have to do it anyway. Yeah. I’d say overcomplicating how to get started.

ChadB: Just get started. Just pick a topic, start learning. They’re all going to be related in some capacity.

21y4d: I’d say not building proper foundations. So trying to jump into various topics without understanding the underlying foundations. This can hurt you later on because you would get to a certain exploit or vulnerability that you understand how it works, but later on, if you want to implement something else related to it, you would not understand how everything is working because you did not do the proper foundations. So I would say, even if it is a little bit boring at the beginning, try to take it one step at a time. Starting with — for example, if you are doing Academy — we intentionally do it like this. You can start with CJCA, build the foundations and then go into CPTS. And this way you would have the proper foundations laid out. So later on, when you learn anything advanced, you would understand how everything works. Rather than if you skip, at some point you would have to go back and re-learn everything.

FalconSpy: Next one is also upvoted. Do you follow any particular methodology or internalized list? This individual finds themselves skipping past some basics only to find themselves back to them many hours later because they missed something simple. I’ll start it off then. I mean, I have my particular methodology that I’ve adapted from someone else’s methodology. Honestly, I think I’ve said it in previous ones — I’ve kind of stolen or borrowed ippsec’s methodology and then I’ve adapted it to what I need based on how I learn and the things that I know of and the tools that I like to use. And I do have all of the things that I write down — like all the tools and things and the steps that I take — they’re written down in my notes. I used to use Obsidian and I use Affine now, but you know, they’re in my Affine. Pick and choose your favorite note taking tool. But yeah, I guess they’re technically internalized lists, but I also have a particular methodology I follow based on the things that I’ve adapted from ippsec.

idna: In the real world, there are methodologies that you have to follow if you’re doing commercial pen testing. It depends where you are in the world and what industry you’re in. But in the UK, we have things like CBEST and CREST and things like that, where you have to follow those in order for it to be covered as an official penetration test that has been tested in the correct way. I appreciate that’s not necessarily probably what you’re asking when it comes to hacking into machines on Hack the Box, but in the industry there are kind of guardrails that will push you through that.

FalconSpy: All right. Next question here. I know every software engineer on the planet has been stressing about whether AI will replace them. Will it just replace juniors? Will the world of software engineering just move to proofreading AI code instead of writing it? Probably a little bit of all.

0xRy4n: Realistically, yeah, it probably will displace some jobs. Other jobs will be heavily modified and augmented by AI, so you’ll be using it a lot and doing a lot more proofreading. Some jobs really probably won’t go to AI anytime soon. AI’s quality of code is not equal amongst all use cases and all languages. Yeah, I think I no longer am going to say, no, AI is not going to affect anybody’s job — I just don’t think that’s reality. I also don’t think it’s going to displace all of the jobs. I just think the jobs are going to change. It might be cut down, or you might see the inverse happen where, because people can now write more code with AI, maybe you just see people still hiring but with way higher output. But I do think the industry will change. I don’t think anybody can say with full honesty that no one is going to be affected by it.

FalconSpy: All right. Next question here. What’s the difference between a red teamer and a pen tester?

ChadB: For pen tests, they know you’re there and you can, within reason, make as much noise as possible. For red team, you’re threatening a later adversary simulation — so you’re pretending to be a bad guy sneaking around and also trying not to set off alarms. So for the client, the difference would be a pen tester is going to probably find more actual things that are wrong. A red team is going to show you what to look for when a bad guy is trying to get into your system — and maybe not find as many actual technical findings to report. First thing I’m going to do on a pen test is probably kick off my Nessus scans within the scope I’m given. For a red team engagement I might poke around externally for a month and a half before I ever try to get on the inside of the system. So a pen test is a more thorough overall engagement. Whereas a red team — they think they’ve got it good maybe from some pen tests, and they want to see how an actual bad guy might quietly navigate and get into the network.

idna: The way I’ve always answered this question — and it may not be fully accurate — is that a penetration test tests the system, whereas a red team tests the SOC. That’s the kind of way I tend to put it. A red team will test the people and the processes surrounding the environment, rather than just the raw application testing to see what vulnerabilities there are.

FalconSpy: Fair statement for sure. The next question here is, do you have any good path for incident response and threat hunting? Does the CDSA cover that?

idna: Yes. There are modules on the path linked to the CDSA — the SOC analyst path — both on incident response itself and the processes you would follow doing that. But also there are quite a few modules in there around using things like Splunk and Elastic, and some other tools as well, to hunt through event logs and try and find evil within there. I think one of the modules is even called Finding Evil. Zeyad can explain that in much more detail than I could, but the answer is yes.

FalconSpy: Zeyad, I don’t know if you heard the question. I can repeat it if you need.

21y4d: Is it, do we cover SOC?

FalconSpy: Any good paths for incident response and threat hunting? And does the CDSA cover that?

21y4d: Yeah. I mean, it does cover it to an extent. And obviously CDSA is an intermediate level cert, so it covers that to this point. For anything more advanced, we have some other modules, but currently they do not belong to any path. So yeah, I mean, we do have some stuff related to this in Academy.

FalconSpy: All right. Next one is an upvoted question. What should individuals expect to retain after finishing certain modules? Modules are filled with a lot of information that people are inevitably going to forget. How are they supposed to deal with external resources highlighted in green? They usually visit it, read a couple of lines to grasp the main idea and that’s it.

21y4d: Usually the external resources are for further reading. You don’t have to read them, but if you are interested, you can. We try to create the modules to be self-contained so you do not rely on anything external. But having said that, if you mean that you will forget most of the stuff that you learn — I mean, this worry is normal. It is natural. And this is what was discussed earlier. You have to kind of build a second brain and you have to dump everything you understand into notes. So once you build it in a system that is easily accessible for you, you can easily recall this information. And because you understood it the first time, the second time — even if you forgot — you will not have to fully relearn it. But you know, just go through your notes and try to retrieve it.

FalconSpy: All right. Just a little bit of timekeeping. We have a little under 15 minutes left. We’ll do the best we can to get through all the remaining questions. This next one is an upvoted question. What would be some good projects to include on a SOC analyst resume for an entry level role?

idna: I would probably say if you’ve written any tools, or possibly showcasing how you’ve developed processes to use other tools to make things more efficient — sift through logs, build up your portfolio of the kind of things that you know in that way. Threat hunting, sorting through logs, extracting key information from large data dumps, things like that. I’m kind of stumbling for the examples.

0xRy4n: I think anything that shows you know what you’re doing. I would even say, like, if you just have a blog of you just writing about Sherlocks, that’s probably something right there. Cause now you have a blog that’s just you talking about doing defensive work. That’s maybe not an easy project, but it’s an easy project to get started on at the very least.

FalconSpy: Harder project to maintain. Another upvoted question. Where’s the best place to start learning about cybersecurity and what would be a good topic to practice?

0xRy4n: Oh boy. Do I have an answer for you and you’re never going to guess it. Does anybody want to take a guess where I think the best place to learn about cybersecurity is? Anybody in the audience?

FalconSpy: Hold on. Hold on. Hold on. Is the answer, it depends?

0xRy4n: No, it never depends.

FalconSpy: This is the definitive answer. Hack the Box, baby. And Let’s Defend, which is not part of… All right. So I’m going to answer. Well, it’s my real life. That wasn’t a bait. It could have been — it was upvoted, I had to ask it. So this is how the thing works. All right. Next question here is also upvoted. What are the limits of using AI for learning and practice?

0xRy4n: No, Joe, you opened this with hater of AI. Come on. Give us a hot take.

ChadB: Don’t use it as a crutch. I mean, if you’re trying to learn a language and you’re trying to build a project in that language to learn it, don’t ask the AI to build this function for me to do X, Y, and Z. Instead, prompt it to say, hey, I’m trying to accomplish this task — break it out into subtasks and kind of give me an idea of where to start, and then ask it to check you as you’re writing your own code. I think at this point, you can ask it to teach you, right? Have it give you mini challenges as a way to teach you how to learn that language, rather than just spitting out code.

0xRy4n: I agree with that. Pre-AI, the Stack Overflow problem — one of the hardest things is, I want to make this thing and I don’t have any clue where to start. It can be very hard to find the right information, the right resources that tell you how you should start approaching this. If you want to learn, that’s where you should be focusing with AI — having the AI guide you on your entry point. You probably want to start here. And then you have a place to work off of and build from. That’s useful. As opposed to just telling Claude, build me this thing, and then it built you the thing — and cool, what did you learn how to do? Maybe you learned how to iteratively prompt an AI. Great. That’s actually a 100% amazing skill set you just learned.

ChadB: Which is still a true statement, even though you’re joking. You guys have already said it — hey AI, teach me how to code Python in stages from beginning to intermediate, go. I did that with Claude the other day just to test out a few things and actually I almost dug into the prompt because it gave me some good information. Yeah. Just use the tool. Don’t let the tool use you. Don’t 100% rely on it.

FalconSpy: Get something from it. All right. Next question here is an upvoted one. How would you distinguish bad actors using Hack the Box to learn techniques and/or ban them accordingly for performing bad actions? Or is this completely separate from the responsibilities the platform has?

21y4d: There are certain topics we try not to go into because we know they can be misused. So we avoid them — like some kinds of OSINT, some kinds of IoT hacking. These things can be used against people you don’t like and so on. So we try to avoid covering them. And if we do, it will most likely be for B2B only, because for B2B we at least have some kind of control over who can access this content rather than it being openly accessible to everyone. I suppose that’s the only way we can control who can do what. Apart from that, the vast majority of content is created from a defensive perspective. And for example, pen testing — in the end it is for defending yourself or defending your organization, even though you are attacking it. So I suppose even if it can be misused, it’s not that harmful like the topics that I mentioned earlier.

0xRy4n: Yeah, I mean, look — all the information that we cover, it’s information that’s out there in the world. It’s information that people can learn from other places. It doesn’t have to be Hack the Box. So if we just suddenly decided, okay, we’re going to close up shop because we don’t want to risk someone who is going to do something malicious using our platform to learn that thing, they’re just going to learn it somewhere else. The best thing we can do is provide an environment that optimizes their path to be legitimate, right? We have the job board. We have certifications. We have networking and connections. We try to push people in the direction of doing things the right way and connecting them to other people who are doing things ethically. And that has a way bigger impact on the total amount of people who want to do this stuff maliciously than it would if we just decided we’re not going to teach it at all.

FalconSpy: All right. Next one is also an upvoted question. Is mythos good at black box testing? Short answer is yes. Did pretty good on things we’ve tried it with. Had some hiccups along the way, but it did pretty good. I’ll leave it at that. All right. Next one is also an upvoted question. Which jobs would you think are best in five years with the upcoming era of AI?

0xRy4n: I gave up all pretense of trying to predict anything that’s more than six months in the future like years ago.

ChadB: I just want RAM prices to go down.

FalconSpy: Okay. My take on it is if you’re good at doing things like prompt injection or something like that, that can translate into helping write guardrails for the models. At the end of the day, right, everyone’s worry is, is it going to become Skynet? So if you can do things like help write guardrails so people can’t abuse it, or guardrails so it doesn’t become Skynet — knowing how to write guardrails for a model is actually pretty helpful. Or as Goblin put it, you could be an EMP manufacturer. All right. Next question here. Are there any things to look for while developing a vulnerable machine for submission, like specific networking setups or reset scripts? How does the platform handle a machine restart or reset? Cody, that’s probably best for you since you’re on the machine review team.

ChadB: Repeat the question. I wasn’t paying attention.

FalconSpy: All good. Are there things to look for while developing a vulnerable machine for submission, like specific networking setups or reset scripts? How does the platform handle machine restarts and resets?

ChadB: Cleanup scripts aren’t really required anymore as we have dedicated instances. But if you’re trying to build a machine and want it to be accepted to the platform, the best piece of advice I can say is just do research of what’s already on the platform and try to come up with ideas that are unique — something that stands out. In terms of networking setups, you’re kind of free to do whatever, just as long as it can be self-contained into a single host.

FalconSpy: All right. We have a little bit of time left — under five minutes. I think we have enough time to maybe ask two or three more questions depending on the questions and the answers. So this next one here is, how can someone get better at doing APK reverse engineering for Android apps?

idna: We’ve got a few Android forensics Sherlocks. I don’t remember names off the top of my head and I’ll try and find some and put them in the chat. But I believe they’re all sort of easy to medium kind of difficulty, so they are pretty approachable, as long as you have a reasonable grasp on Java and things like that.

FalconSpy: Next question here is an upvoted one. Which one is the entry level job in cybersecurity and how to crack it? Any SOC analyst, junior pen testing — look for any of the positions that say junior analyst or something along those lines, as those are usually entry level.

0xRy4n: Yeah, I’d say the most common actual cybersecurity entry level job is probably SOC, but I would twist this question to say you should also look at things that are security adjacent — IT jobs, help desk jobs, anything that you can then pivot into a security team after you get a spot in the company.

FalconSpy: I think this will be the last question here. After someone completes the CPTS path, if a person wants to go for IoT hacking, do we have a path for IoT hacking?

21y4d: Yeah. And this is what I mentioned earlier — we don’t, mostly for ethical reasons.

0xRy4n: Right. There are some machines that have IoT elements. The only one I can think of off the top of my head is Omni, which was a long time ago. But I know there’s like a small handful of stuff that uses Windows IoT Core as the OS.

FalconSpy: But beyond that, I don’t know. That will do it for this week. Thank you everyone for joining us for this week’s Cube Talk. We host these every week on Friday at the same time, unless stated otherwise. You can see the announcements as they go live. You can take a look at the top of Discord to see when these go live in your local time zone as well. You can say you’re interested in future events. These are recorded, so this will be up on Spotify later. We are also going to now have them appearing on YouTube starting after June 5th. So anything after June 5th will be on YouTube for everyone to listen to if you don’t like Spotify for whatever reason. And we hope to see you all next week. Thanks everyone. Thank you. Good day everyone.

This post is licensed under CC BY 4.0 by the author.