Breaking In, Breaking Through: Q&A With Women in Offensive Security

Cybersecurity is built on curiosity, persistence, and a willingness to challenge how things work. Nowhere is that more evident than in offensive security, where thinking differently is essential.

This Women’s History Month, we’re spotlighting the women of the Cobalt Core who are doing exactly that. From discovering their first vulnerabilities to navigating complex engagements and shaping how modern pentesting evolves, their perspectives reflect both the technical depth and human insight that drive this field forward.

In this Q&A, we asked a group of Core members about their origin stories, the challenges that keep them engaged, the skills they believe matter most in an AI-driven world, and the realities of building a career in offensive security today.

These are real conversations with practitioners who are not only contributing to security but actively redefining it. 

The "Origin Story" (With a Twist)

 

What was the first 'vulnerability' you ever discovered—even if it was just a logic flaw in a childhood game or a school website?

Seren Porsuk: My first discovery was a simple logic flaw in an online strategy game. I found that by interacting with the session in a specific sequence, I could bypass the resource timers. It wasn’t about breaking the game; it was more about the curiosity of seeing that I could understand the system’s logic better than the interface intended. That's when I realized how much I enjoyed finding those gaps.

Goonjeta Malhotra: My first real vulnerability was an XSS on the Dutch government’s website. I still remember the rush of seeing my payload execute successfully. It felt surreal. Even better, I received a really cool swag T-shirt for the report, which, at the time, felt like a trophy. It symbolised my entry into a space where curiosity turns into impact.

Cindee Tran: When I was in elementary school, there was a popular computer game called The Oregon Trail that we got to play every Friday. I’ve always had a curious mind when it comes to programs, so I started clicking around and eventually found a prompt where I could type in commands. I remember trying things like “HELP,” which revealed hints and resources that helped me progress through the game. It felt like discovering a hidden layer beneath the game itself.

I also remember my teacher saying, “One day, you’ll be able to hold one of these computers in the palm of your hand.” That moment stuck with me and sparked a deep interest in computers that has stayed with me ever since.

Andreea Druga: The first “vulnerability” I discovered was actually in a game. I remember that a childhood friend showed me how to use Cheat Engine while we were playing. That moment made me really curious about how games actually work behind the scenes, the calls, the logic, and everything happening in the background that made those changes possible.

It sparked my interest in understanding how technology works at a deeper level, and I think that’s where everything really started for me.

Was there a specific mentor, book, or CTF (Capture The Flag) event that made you realize pentesting was a viable career path rather than just a hobby?

Seren Porsuk: Actually, it all started with a cybersecurity bootcamp. Then, after reading 'The Web Application Hacker's Handbook', I knew for sure that this was exactly what I wanted to do.

Goonjeta Malhotra: My biggest mentor has always been my brother. He introduced me to bug bounties, and that changed everything. There’s something incredibly empowering about identifying a real vulnerability, responsibly reporting it, and getting rewarded for it. The first time I received a bounty, it wasn’t just “extra money.” It was validation.

Later, after dedicating myself to cracking the OSCP exam, I realised this wasn’t just something I enjoyed; it was something I wanted to build a career around. The discipline, the problem-solving, and the satisfaction of “pwning” machines confirmed that this field was where I truly belonged.

Cindee Tran: After working as a programmer for several years, I moved to another state and began looking for IT positions in my new city. During that search, I stumbled across a job posting for a pentesting role. Before seeing that ad, I had no idea there were jobs where you could actually get paid to hack. I applied for the position, and my manager ended up becoming my mentor for over 10 years. He taught me everything from the ground up and helped me realize how satisfying and interesting a career in pentesting could be.

Andreea Druga: For me, it wasn’t a specific mentor, book, or CTF; it was actually a news story. I remember watching TV and hearing about a Romanian who had discovered a vulnerability on a server. I remember thinking, “I could do that too.” The idea that you could find vulnerabilities and use those skills for something positive, to actually do good, really stayed with me.

Later, when I joined my first internship, I became even more certain. I was genuinely fascinated by my colleagues and wanted to learn as much as I could from them. They were open, supportive, and always willing to share their knowledge. I’ll always be grateful to my first team; they truly shaped the start of my journey and will always hold a special place in my heart.

When did you first realize you were interested in cybersecurity?

Seren Porsuk: I attended a cybersecurity bootcamp and met people who were doing this as a job. It was so exciting to see that I could actually spend my time exploring how applications work and intervening in their business logic. I realized right then that this was what I wanted to do.

Goonjeta Malhotra: When I signed up for the OSCP exam, I made a commitment to myself. With dedication and persistence, I pushed through the long nights of practice, constant learning, and then ultimately cracked the exam. The journey of compromising those machines built something deeper than interest; it built conviction. Then came my first 4-digit bounty for a GraphQL flaw. That moment sealed it. It wasn’t luck; it was skill, creativity, and structured thinking coming together. That’s when I knew cybersecurity wasn’t just exciting; it was my path.

Cindee Tran: One of my first jobs out of college was as a programmer. It was an interesting role because many of the applications at the time were riddled with vulnerabilities. We had an internal payroll application that contained an SQLi vulnerability, which allowed users to bypass the login page.

When this issue was brought to the attention of management, they dismissed it, saying that since it was an internal application, it didn’t matter, and refused to allocate time to fix it. The problem, however, was that by bypassing the login page, anyone could view the payroll information of other employees.

That incident made me want to pursue a career in security. Not only did the field seem incredibly interesting, but it also reinforced my belief that building security into our code is critically important.

Andreea Druga: I’ve always been fascinated by math and computer science. I used to participate in national competitions, and I also played chess quite seriously. I loved finding tactics, thinking a few steps ahead, and figuring out how to solve problems and ultimately win.

Looking back, cybersecurity felt like a very natural career path for me. It combines the analytical thinking I enjoyed in math, the technical side of computer science, and the strategic mindset I developed through chess. It didn’t feel like a sudden decision; it felt more like a natural continuation of the things I was already passionate about.

The Daily Grind & Technical Mastery

 

What is your 'white whale'? Is there a specific type of vulnerability or tech stack that you find particularly challenging or rewarding to crack?

Seren Porsuk: My 'white whale' is definitely complex Broken Access Control vulnerabilities, especially in highly sensitive environments. There’s a specific satisfaction in navigating an application’s permissions and finding a way into data that's supposed to be strictly off-limits. It’s not about breaking things; it’s more about understanding the design well enough to outsmart it.

Goonjeta Malhotra: Business logic flaws. They’re my favourite because they’re never cookie-cutter. You can’t just run a scanner and expect results. You have to think like a user, like an attacker, like a product owner, all at once. Every application has its own story, its own assumptions, its own trust boundaries. Breaking those assumptions is incredibly satisfying. Some of my most interesting and impactful findings have come from thinking beyond scanners and diving into pure logic.

Cindee Tran: My favorite type of vulnerability to identify is logical flaws. There’s something very satisfying about being able to turn a $1,000 account into $1,000,000 by manipulating something like an exchange rate parameter, or by submitting a negative amount as a tip within a grocery app, resulting in the entire delivery being paid for. These types of issues can sometimes be relatively easy to identify, but automated scanners rarely detect them, which means human analysis is far more likely to uncover them.

A close second would be gaining a reverse shell after reviewing the source code and identifying exploitable conditions. It’s especially rewarding when you can trace the root cause and discover multiple exploitable instances stemming from the same underlying issue.
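The two pricing flaws Cindee Tran describes above (a client-controlled exchange rate, and a negative tip that pays for the delivery) both come down to the server trusting price-affecting fields from the request. The following is an added example, not code from the interviewee or from Cobalt, contrasting a checkout that trusts those fields with one where the server is the authority. The price table, rate table, SKUs and the "tip may not exceed the order" cap are hypothetical, and the request dictionaries are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side reference data for the example (hypothetical).
PRICES = {"milk": Decimal("3.49"), "bread": Decimal("2.99")}   # USD per unit
RATES = {"USD": Decimal("1"), "EUR": Decimal("0.92")}           # USD -> currency
CENT = Decimal("0.01")


def charge_vulnerable(req: dict) -> Decimal:
    """Computes the amount to charge from fields the client sent.

    Every price-affecting value (subtotal, tip, exchange rate) is trusted
    as received, so a negative tip zeroes the order and a tiny rate makes
    any basket cost a cent.
    """
    total = (Decimal(req["subtotal"]) + Decimal(req["tip"])) * Decimal(req["rate"])
    return total.quantize(CENT)


def _money(value, field: str) -> Decimal:
    """Parses a client-supplied amount, rejecting garbage, NaN and infinities."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        raise ValueError(f"{field}: not a number") from None
    if not amount.is_finite():
        raise ValueError(f"{field}: not a finite number")
    return amount


def charge_hardened(req: dict) -> Decimal:
    """Same checkout with the server as the authority for every price input."""
    # 1. Recompute the subtotal from server-side prices; any subtotal the
    #    client claims is simply ignored.
    subtotal = Decimal("0")
    for item in req.get("items", []):
        qty = int(item["qty"])
        if item["sku"] not in PRICES or qty <= 0:
            raise ValueError("bad line item")
        subtotal += PRICES[item["sku"]] * qty
    if subtotal <= 0:
        raise ValueError("empty order")
    # 2. The tip is the one value the client legitimately chooses, so it is
    #    validated: non-negative and (hypothetical policy) no larger than
    #    the order itself.
    tip = _money(req.get("tip", "0"), "tip")
    if tip < 0 or tip > subtotal:
        raise ValueError("tip out of range")
    # 3. The exchange rate is looked up from the server table by an
    #    allowlisted currency code; a client-sent "rate" field is ignored.
    rate = RATES.get(req.get("currency", "USD"))
    if rate is None:
        raise ValueError("unsupported currency")
    return ((subtotal + tip) * rate).quantize(CENT)
```

The probes a tester would send are the same against both functions: a tip equal to the negated subtotal, a rate of 0.001, a non-numeric or NaN tip. The hardened version rejects each with a ValueError rather than charging the wrong amount, and amounts stay in Decimal throughout so rounding does not become a second logic flaw.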

Andreea Druga: I’m always especially excited when I discover critical vulnerabilities, such as remote code execution. There’s something very rewarding about uncovering an issue that has a high impact. I also find it particularly interesting to encounter vulnerabilities that not many people are aware of yet. Discovering something that isn’t widely discussed feels both challenging and meaningful, as it pushes me to keep learning and stay curious.

Pentesting requires a specific mindset. How do you maintain focus and creativity when you’ve been staring at a stubborn target for eight hours straight?

Seren Porsuk: I believe no system is perfect; there’s always at least one satisfying vulnerability hidden somewhere. For me, it’s a game of persistence and staying more patient than the system until I find that gap. It’s like going fishing; you don't want to go home empty-handed.

Goonjeta Malhotra: Curiosity fuels me. When something doesn’t break easily, I go deeper. I start analysing the requests, underlying API calls, tampering with parameters, attempting restricted actions, and questioning every implemented control. After almost 8 years in pentesting and bug bounty, your brain starts to see patterns and, more importantly, gaps. Experience sharpens instinct. And today, AI-assisted tooling helps elevate that creativity even further. It allows me to brainstorm, chain attack vectors, and explore angles I might not have considered initially. But ultimately, it’s the hacker mindset that keeps me going.

Cindee Tran: I take breaks. If I’ve been staring at the screen for several hours and making little progress, it’s usually a sign to step away for a bit. I’ll often take my dog for a walk around the block to reset my mental state. That short break helps me come back with a fresh perspective and refocus on the problem.

Andreea Druga: Usually, I try to step away for a while and clear my mind so I can come back with a different perspective. It’s very easy to fall into a rabbit hole and spend eight hours chasing one specific lead. I think my fellow OSCP holders know exactly what I mean. Over time, I’ve learned that knowing when to take a break is actually part of the skill set. Even when it feels tempting just to stay glued to the laptop and push a little more, sometimes the most productive thing you can do is walk away for a bit. More often than not, the solution becomes clearer once you return with fresh eyes.

In the rapidly evolving world of AI and automation, what 'human' skill do you think remains the most critical for a successful pentester?

Seren Porsuk: I think the most critical skill is simply thinking like a human. Since systems are built by people, understanding the human logic behind them is often the best way to find a vulnerability. I call it 'simple but beautiful': it’s about noticing the patterns that an algorithm might miss.

Goonjeta Malhotra: I would say judgment. AI can generate payloads. Automation can scan endpoints. But neither understands context the way a human does. A successful pentester needs the ability to think in systems, to understand business intent, user behaviour, and risk impact. The most critical human skill is the ability to connect dots that aren’t obviously related and ask: “What happens if this assumption fails?” Security is not about finding technical glitches. It’s about understanding trust boundaries and questioning them intelligently. That kind of intuition, ethical reasoning, and contextual decision-making is deeply human.

Cindee Tran: Logic and creativity. AI is only as effective as the prompts you give it, and humans are still needed to lead the process. Using logical thinking and human creativity to understand how an application works and to identify its weak points remains critical for a successful pentester. Not every vulnerability can be discovered through automation.

Andreea Druga: I truly believe the human brain is irreplaceable. There are many logic flaws that AI simply cannot identify in the same way a human can, especially when it comes to truly understanding context and intent. The ability to analyze a target, understand how it’s supposed to function, and then think creatively about how that logic could be broken is a deeply human skill. It requires intuition, curiosity, and critical thinking, not just pattern recognition. And, of course, unlike automated tools, the human brain doesn’t generate false positives.

What are your favorite security tools to use?

Seren Porsuk: My favorite is definitely Burp Suite Professional; I frequently use both its library of extensions and the ones I write myself to find vulnerabilities.

Goonjeta Malhotra: I rely heavily on my own automation scripts tailored to how I think and test. Custom tooling gives me flexibility and speed. Beyond that, I use AI as a thought partner to help with mind framing, brainstorming potential attack vectors, and identifying chaining opportunities. Tools are powerful, but they’re most effective when aligned with your personal methodology.

Cindee Tran: Burp Suite is the one tool I use every single time. I also enjoy using tools like ffuf, nmap, and sslyze for reconnaissance, along with other open-source tools depending on the tech stack of the project. I also enjoy building custom tools when necessary for specific projects.

Andreea Druga: I use pretty much everything that comes with Kali Linux; it’s an amazing ecosystem and covers most of what I need during an engagement. And if something isn’t already there, chances are you can find it in other places, such as GitHub. I like having a flexible toolkit and adapting depending on the target, but Kali is usually my starting point.

Identity & Industry Perspective

 

The cybersecurity industry is often described as a 'boys' club.' What is one myth about being a woman in offensive security that you’d love to debunk?

Seren Porsuk: The biggest myth is that expertise is gendered; early in my career, I had to overcome clients' biases by letting my results speak for themselves, whereas for a man, just doing the test would have been enough without any prejudice to break.

Goonjeta Malhotra: One myth I would love to debunk is the idea that women are “naturally less technical” or less analytical. Technical ability is not gendered. Curiosity is not gendered. Logical thinking is not gendered. What truly determines success in offensive security is persistence, pattern recognition, creativity, and resilience. These are human qualities, and I’ve seen countless women demonstrate them at the highest levels. The growing number of women leading pentests, winning top bug bounties, and earning advanced certifications is living proof that this stereotype simply has no foundation.

Cindee Tran: While it’s true that I’ve worked mostly with men throughout my career, my experience in pentesting has actually been very positive. I’ve been fortunate to work with incredibly supportive colleagues who have always treated me as just another member of the team. They’ve never made me feel less capable or out of place, and there has always been a strong sense of mutual trust and respect.

Interestingly, I can’t say my experience was always the same when I worked as a programmer. But within offensive security, my colleagues have consistently valued skill and collaboration above anything else. I’m not sure if I’ve simply been lucky, but I do feel for women who haven’t received the same level of support that I’ve experienced throughout my career.

Andreea Druga: I truly believe that talent and skill aren’t defined by gender. Everything in this field can be learned; it’s a matter of curiosity, discipline, and the time you’re willing to invest. Follow your passion, trust yourself, and don’t let stereotypes define your path. There’s nothing you can’t learn or achieve if you genuinely commit to it.

How has your unique perspective influenced the way you approach a pentest? Have you ever found a bug because you looked at a problem differently than your peers?

Seren Porsuk: It’s interesting because I don’t perceive that difference while I work, nor do I attribute the vulnerabilities I find to it.

Goonjeta Malhotra: Absolutely. Collaboration during pentests often highlights this difference. There have been several instances where a finding was initially considered low severity. When I examined it, I focused on chaining possibilities, asking, “What can this become?” rather than “What is this now?” By reframing the issue and combining it with other weaknesses, I’ve been able to demonstrate significantly higher impact than initially assumed. Sometimes the difference lies not in spotting the first bug, but in recognising its potential.

Cindee Tran: I have my own methodology that I follow every time I perform a pentest. Whether it’s looking for low-hanging fruit or critical vulnerabilities, I try to cover everything. I like to think of myself as very thorough in my approach.

I test every piece of functionality, even small things like sorting a column when loading a report. In fact, I’ve discovered SQLi in sorting parameters multiple times. Taking that level of care and attention to detail has helped me identify bugs that are sometimes overlooked by other pentesters.
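Two of Cindee Tran's answers describe the same bug class from different angles: the internal payroll application whose login page could be bypassed with SQL injection, and the SQL injection she keeps finding in report sorting parameters. The sorting case is worth a closer look because an ORDER BY column cannot be bound as a query parameter, so the usual "just parameterize it" fix does not apply and an allowlist is needed instead. The following is an added example, not code from the interviewee or from Cobalt: an in-memory SQLite table with constructed users (names, plaintext passwords and ids are hypothetical, and plaintext storage is only there so the extraction has something visible to recover), the vulnerable and hardened form of each query, and a boolean-based blind extraction through the sort parameter that shows why a "harmless" sort field is a real finding.

```python
import sqlite3
import string

# Constructed sample users (hypothetical). Plaintext passwords are used
# only so the blind extraction below has something visible to recover.
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "letmein")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


# --- Login: the payroll-style bypass -------------------------------------

def login_vulnerable(conn, username: str, password: str) -> bool:
    """String-built query: the caller's text becomes part of the SQL syntax."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username: str, password: str) -> bool:
    """Bound parameters: the driver sends input as data, never as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# --- Report sorting: the ORDER BY case -----------------------------------

def report_vulnerable(conn, sort: str) -> list:
    """A column name cannot be bound as a parameter, so the sort key is
    interpolated and the user controls an expression inside ORDER BY."""
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort}")
    return [row[0] for row in rows]


SORT_COLUMNS = {"id": "id", "name": "username"}   # server-side allowlist


def report_hardened(conn, sort: str, direction: str = "asc") -> list:
    """Maps the client's sort key to a known column; anything else is rejected."""
    column = SORT_COLUMNS.get(sort)
    if column is None or direction not in ("asc", "desc"):
        raise ValueError("unsupported sort parameter")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {column} {direction.upper()}")
    return [row[0] for row in rows]


def extract_via_sort(conn, username: str, max_len: int = 16) -> str:
    """Boolean-based blind extraction through the vulnerable sort parameter.

    The injected CASE expression sorts by id when the guessed character is
    right and by -id when it is wrong, so whether the lowest id (alice)
    comes first tells the attacker if the guess was correct.
    """
    alphabet = string.ascii_lowercase + string.digits
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = (
                f"(CASE WHEN (SELECT substr(password, {pos}, 1) FROM users "
                f"WHERE username = '{username}') = '{ch}' THEN id ELSE -id END)"
            )
            if report_vulnerable(conn, payload)[0] == "alice":
                recovered += ch
                break
        else:
            break   # no character matched: end of the string
    return recovered
```

Against the vulnerable login, a username of `alice'--` with any password succeeds because `--` comments out the password check; the bound-parameter version treats the same string as a literal username and fails. Against the vulnerable report, the same sort field that looks like a cosmetic UI parameter leaks a row of a different table one character per request, which is why the hardened version never lets client input reach the SQL text at all: it maps the key through SORT_COLUMNS and rejects everything else.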

Andreea Druga: I really enjoy hunting for logic flaws, especially the kind that can lead to serious impact, like account takeovers. I also like exploring broken access controls and IDORs from different angles, trying to understand how the application should behave versus how it actually behaves.

If you could go back to your first year in security, what’s one piece of advice you’d give yourself to navigate the industry more confidently?

Seren Porsuk: I’d tell myself to trust my own logic more and not get distracted by the complexity others project, because the most effective solutions are often the simplest ones.

Goonjeta Malhotra: Keep going, and stay focused on your growth. Keep learning, no matter what, because every challenge is shaping you. Confidence in this field isn’t instant; it’s earned through repetition and resilience. The only way forward is through, and every step you take, no matter how small, counts.

Cindee Tran: I would tell myself not to be intimidated and to ask my peers more questions. I found that once I opened up and started having discussions with colleagues about vulnerabilities—how they were discovered and exploited—it helped build my confidence in both identifying issues and speaking about them.

I wish I had been more communicative earlier in my pentesting career. Imposter syndrome can be very strong in this field.

Andreea Druga: I would tell myself: trust yourself, you’re on the right path. In a strange way, I knew that from the beginning. I can’t fully explain how or why, but I had this strong feeling that I was exactly where I was supposed to be. That sense of certainty gave me confidence, even when things felt challenging.

Looking Forward

 

What does 'breaking the glass ceiling' look like in the context of ethical hacking and bug bounties?

Seren Porsuk: In my opinion, it’s simply reaching a level where your technical impact is so clear that you no longer have to fight any biases to be seen.

Goonjeta Malhotra: To me, it means representation with impact. It means not just succeeding individually, but becoming visible enough to inspire others who see themselves in you. It means pushing beyond limits, continuously learning, and giving back to the community. Women are already breaking barriers across industries. In ethical hacking and bug bounties, breaking the glass ceiling means leading high-impact research, mentoring others, and shaping the future of security, not just participating in it.

Cindee Tran: More representation of women—especially in leadership roles. Breaking the glass ceiling also means shifting the “boys’ club” culture in pentesting toward a more diverse and inclusive environment. That includes creating safe spaces for women, enforcing zero tolerance for harassment, and actively addressing imposter syndrome within the field.

Andreea Druga: For me, breaking the glass ceiling means being recognized for the actual technical depth and impact of your work, not as a simple metric, but as a security professional who genuinely improves systems. It means growing from submitting basic bugs to finding complex, high-impact vulnerabilities.

What’s one specific area of security (e.g., Cloud, IoT, API) where you want to see more women taking the lead in the next five years?

Seren Porsuk: In my opinion, picking a specific area feels like another limitation imposed on women; there’s no need to choose. I sincerely want to see women taking the lead across every single field in security, from Cloud to IoT, without being confined to a single niche.

Goonjeta Malhotra: I would definitely say AI security. As AI systems become deeply embedded in products, healthcare, finance, and decision-making processes, the risks grow exponentially. Prompt injection, model poisoning, data leakage, logic flaws in LLM workflows: this is the new frontier. I want to see more women shaping how AI is secured from the ground up, influencing standards, leading research, and redefining how we test intelligent systems. The future of security is AI-driven. And women absolutely deserve to be leading that future.

Cindee Tran: I would love to see more women leading the way in AI security. As AI becomes more deeply integrated into applications and development workflows, it will inevitably become a major focus area for pentesters. I believe that in the near future, most security professionals will be using AI as a tool in their testing process, and it would be wonderful to see more women leading the charge in this space.

Andreea Druga: I definitely think AI security is going to be one of the most important areas in the next few years. I’m genuinely excited to be part of this wave and to explore vulnerabilities in AI systems. I think this space will naturally see more women researching, publishing, and finding creative ways to break and improve these systems.
