The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.
1. What's your handle? Do you use more than one? Where did it come from? What's the origin story?
My handle is hackaccinocraft. I don’t use any other handle because this one has become part of my identity in the cybersecurity space. The name came from my coffee habits as I’ve always been a coffee lover. Back in the early days of bug bounty hunting, I consumed a lot of caffeine to keep going, and that inspired the “hackaccino” part. It reminds me of those nights grinding through reports and testing, while fueled by coffee.
2. What got you into cybersecurity? How did you get into pentesting specifically?
My entry into cybersecurity was driven by curiosity and inspiration from the media. Two series, Scorpion and Mr. Robot, first sparked my imagination. In university, we often faced restrictions on accessing YouTube or social platforms, so I began experimenting with bypassing those protections. That curiosity grew into a passion for understanding systems and breaking barriers. In 2015, I discovered the concept of bug bounty programs, and from there, my journey into penetration testing officially began.
3. What exploit or clever attack are you most proud of and why?
Over the years, I’ve discovered countless vulnerabilities, but access control and injection flaws stand out. Among those, I’m most proud of uncovering a critical SQL injection vulnerability. It reinforced my confidence in my skills, and showed me how impactful deep technical persistence can be in protecting organizations.
4. What is your go-to brag when talking about your pentesting skills?
When I talk about my skills as a pentester, my go-to brag is my persistence in uncovering vulnerabilities that others might overlook. I take pride in not just finding “easy wins,” but in diving deeper into logic flaws, access control issues, and subtle injections. It’s the blend of technical precision and creative problem-solving that defines my approach. I’ve built a reputation for consistently delivering value to clients by translating raw vulnerabilities into practical risk insights they can act on.
5. Share a time something went wrong in the course of a pentest? What happened and what did you do?
Early in my career, I was testing a production environment and unintentionally disabled a real user account during access control testing. It was a stressful moment, but I immediately reported the issue to the project team. The silver lining was that I’d kept detailed logs of my actions, which allowed the team to fully understand the scope of the incident and remediate quickly. That experience taught me the critical importance of keeping logs no matter how big or small the test. Documentation is the safety net of every pentest.
6. What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?
Every pentester has their toolkit, and mine starts with Burp Suite, the daily driver for web application testing. For large-scale scanning or internal network testing, I rely on Nuclei from ProjectDiscovery. It’s fast, flexible, and allows for custom templates, which makes it incredibly effective for automation across big attack surfaces.
7. What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?
I’ve worked on almost everything including web applications, mobile apps, APIs, networks, cloud environments, and even thick clients. My personal favorites are web applications, networks, and cloud environments. They provide endless opportunities to learn, adapt, and challenge myself with complex attack vectors.
8. What certifications do you have? Why did you go for those ones specifically?
I hold the OSCP (Offensive Security Certified Professional) certification from OffSec. I chose OSCP because it’s one of the most respected certifications in our field. It doesn’t just test theory; it pushes you to prove your skills in real-world scenarios using Kali Linux. The exam demands persistence, problem-solving, and practical exploitation across web and network environments, making it a perfect reflection of what I enjoy in pentesting. Beyond the technical aspect, it taught me resilience and how to think under pressure, skills I apply every day in my work.
9. What advice do you wish someone had given you when you first started pentesting?
When I first started, I wish someone had told me that pentesting isn’t about knowing every single exploit or tool; it’s about mindset. The best pentesters aren’t the ones who memorize payloads, but the ones who stay curious, keep learning, and are willing to fail repeatedly until they succeed. I also wish I had understood the importance of building strong communication and writing skills. At the end of the day, you need to explain your findings clearly to make an impact, and that’s where your ability to write reports and communicate effectively matters just as much as technical ability.
10. How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?
When explaining vulnerabilities to customers, I always keep in mind that not everyone in the room is technical. I break findings down into simple terms, focusing on three things: what the vulnerability is, the potential impact if left unresolved, and how to remediate it. For high-priority issues like P1 or P2, I emphasize urgency without overwhelming them. Clear, simple, and actionable communication is the key to giving customers a positive experience.
11. What is your favorite part of working with a pentesting team? What about working on your own?
What I love most about pentesting is the constant learning. New techniques emerge daily, and every test is a chance to sharpen skills and learn from different logical flows built by developers. This field keeps you on your toes. Collaborating with other pentesters is equally rewarding because every professional has their unique strengths, and sharing insights elevates everyone’s game.
12. Why do you like pentesting with Cobalt?
I’ve been working with Cobalt for over three years, and it’s been an incredible journey. Cobalt is a leader in Pentest as a Service (PtaaS), and what I value most is the flexibility it provides. I mean you can work flexibly and manage your time according to your schedule. Cobalt gives testers that freedom, which makes the experience far better than traditional models. Unlike bug bounty platforms, Cobalt gives me the chance to work in structured environments with professional teams while staying updated with the latest methodologies. The opportunity to collaborate with some of the best pentesters in the world makes it even more valuable.
13. Would you recommend Cobalt to someone looking for a pentest? Why or why not?
Absolutely. I would recommend Cobalt to anyone seeking a penetration test. Their community is filled with some of the most talented testers globally, and the platform itself ensures consistent quality and professionalism.
14. What do customers or the media often misunderstand about pentesters?
One common misunderstanding is that pentesters are out to “break things” recklessly. In reality, our goal is to help organizations strengthen their security by safely simulating real-world attacks. Another misconception is that pentesting is just about running automated tools. Tools play a role, but the real value comes from human creativity, thinking like an attacker, and spotting issues that scanners would never find.
15. How do you see pentesting changing in 2025 and over the next few years?
Pentesting is evolving rapidly, and 2025 will highlight how artificial intelligence is changing the landscape. AI-powered tools will speed up vulnerability discovery, automate repetitive tasks, and even simulate adversarial behavior at scale. But AI won’t replace human pentesters; instead, it will enhance us. The real challenge will be adapting to test AI-driven applications, machine learning pipelines, and increasingly complex cloud-native environments. The human element (creativity, intuition, and ethical responsibility) will remain irreplaceable.
16. What's your p(Doom)?
For me, p(Doom), the probability of catastrophic failure due to technology, lies in over-reliance on automation without oversight. If we blindly trust AI or automated defenses without human review, we risk creating a false sense of security. The future depends on balancing automation with human expertise, ensuring that technology serves as a tool rather than a crutch.