WEBINAR
Compliant vs. Secure: A CISO and CEO Discuss How to Manage Real-World Risk

Cobalt Core Pentester Spotlight - Pawani Chawla

The Cobalt Pentester Spotlight highlights the fascinating journey of our Cobalt Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.


1. What's your handle? Do you use more than one? Where did it come from? What's the origin story?

I mostly go by Pawani Chawla in professional and online spaces, as I like keeping my real name tied to my work. It gives a sense of accountability and recognition in the cybersecurity community. That said, I do use a couple of side handles depending on the platform, mainly to stay low-key when testing tools or joining discussions anonymously. The origin of my handle is quite simple: I wanted something consistent that reflects my real identity and is easy for people to connect with me professionally. Over time, it has become my go-to digital signature.

2. What got you into cybersecurity? How did you get into pentesting specifically?

Curiosity has always been my biggest motivator. I’ve always wanted to understand how systems work behind the scenes and what could go wrong if someone tried to manipulate them. My first spark came when I began experimenting with breaking applications in controlled environments. It fascinated me to see how small oversights could result in major vulnerabilities. Over time, this curiosity naturally led me into the world of ethical hacking. Pentesting became a perfect fit because it allowed me to think like an attacker while still making a positive impact by helping organizations strengthen their defenses. I initially started with web application pentesting and gradually expanded into API, source code, mobile, network, cloud, and AI/LLM pentesting.

3. What exploit or clever attack are you most proud of and why?

One of the most memorable moments in my pentesting journey was chaining a seemingly harmless misconfiguration with a logic flaw to achieve full account takeover. The application exposed an endpoint that leaked limited user details due to weak access controls. On its own, it didn’t seem very impactful. However, I noticed that the password reset flow relied heavily on those leaked details for verification. By combining the misconfiguration with this weak reset logic, I was able to reset any user’s password and take over their account, including privileged ones. Individually, both issues might have been dismissed as low to medium risk, but by connecting the dots, I escalated them into a critical vulnerability. That experience reinforced the importance of lateral thinking: looking at the bigger picture rather than treating issues in isolation. I’m proud of it because it highlighted my ability to go beyond surface-level findings and approach problems the way a real adversary would.

4. What is your go-to brag when talking about your pentesting skills?

If I had to brag, I’d say my strength lies in versatility. I can adapt quickly to different environments, whether it’s web, mobile, cloud, network, source code, or even thick client applications. Many pentesters specialize in one domain, but I’ve built my skills across multiple areas, which helps me connect the dots across attack surfaces. Of course, my perfection lies in web, API, and AI/LLM pentesting, where I’ve spent the most time refining my craft. Working with different clients and projects has exposed me to a wide range of frameworks, techniques, and methodologies, giving me a strong foundation to approach problems from multiple angles. Additionally, I have a knack for automating repetitive tasks, which saves time and enables me to focus on more in-depth, creative attack vectors. That combination of adaptability and automation often becomes my ace in the field.

5. Share a time something went wrong in the course of a pentest? What happened and what did you do?

Like every pentester, I’ve had my share of “oh no” moments. In the initial phase of a network assessment, I was running some custom enumeration scripts to map services and check configurations. What I didn’t realize at the time was that one of the scripts was a bit too aggressive, which ultimately caused a temporary disruption to one of the services. Luckily, it wasn’t business critical, but it was enough to make me pause. The first thing I did was notify the client right away and work with their team to get the service back online quickly. Afterward, I took a hard look at my process and made changes, such as testing scripts in a safe environment first, adding extra checks, and throttling requests to ensure it wouldn’t happen again. It was a minor hiccup, but it taught me a valuable lesson about responsibility and transparency in penetration testing.

6. What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

I’m a big believer in a hybrid toolkit: automation for efficiency, and manual testing for depth. Tools like Burp Suite, Nmap, Nuclei, ProjectDiscovery utilities, and custom scripts are staples because they provide a solid foundation for reconnaissance and exploitation. Of course, the exact set of tools always depends on the methodology: network assessments call for a different toolkit than web applications, and cloud environments require yet another approach. On the manual side, I usually focus on server-side injections, tweaking payloads to bypass WAFs, or digging into access control issues where a deep understanding of user functionality is essential. I find this mix effective because it lets me combine speed with creativity, ensuring no stone is left unturned during an assessment.

7. What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

I particularly enjoy testing web applications, APIs, and AI/LLM systems. Web apps are the front door of most businesses, and even small oversights can lead to serious risks. APIs, meanwhile, form the backbone of modern applications and are often overlooked, which makes finding vulnerabilities in them especially impactful. AI/LLM testing is fascinating because it’s still an emerging field—uncovering issues like prompt injection or data leakage requires both technical depth and creativity. I enjoy these areas because they constantly challenge me to think differently, and the satisfaction of finding vulnerabilities that others might miss is what keeps me hooked. That said, every asset type has its own charm and learning curve.

8. What certifications do you have? Why did you go for those ones specifically?

I hold certifications like CREST, Azure AZ-900, and ISO 27001. I chose these because each brings a different dimension to my professional growth. CREST is highly recognized in enterprise environments and validates deep technical penetration testing skills. Azure AZ-900 helped me build a strong foundation in cloud concepts, which is essential as more organizations move their infrastructure to the cloud. ISO 27001, on the other hand, strengthened my understanding of information security management systems and gave me a broader perspective on compliance and risk. Together, these certifications give me both technical credibility and a strategic view of security, aligning well with the skills and assurance my clients look for.

9. What advice do you wish someone had given you when you first started pentesting?

I wish someone had told me that it’s okay not to know everything right away. When I first started, I often felt overwhelmed by the sheer number of tools, frameworks, and techniques in cybersecurity. It seemed like there was always something new I didn’t know. Over time, I realized that trying to learn everything at once is impossible and unnecessary. The real key is to master the basics, then gradually build on them as you gain experience.

Another piece of advice I’d give newcomers is not to get too caught up in chasing certifications in the early stages. Certifications can add value, but what truly matters is learning, experimentation, and the development of practical skills. Set up your own labs, break applications, analyze how things fail, and then rebuild them. That hands-on learning makes concepts stick far better than any book or course.

Most importantly, stay curious and persistent. Curiosity will push you to ask “what if?” and explore beyond the obvious, while persistence will carry you through the challenges and frustrations that come with pentesting. Those two traits, more than any tool or certificate, are what truly shape a successful pentester.

10. How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

When discussing findings with customers, I focus on making them impactful and easy to understand for both technical and non-technical audiences. Instead of overwhelming them with jargon, I translate vulnerabilities into real-world business risks: how they could affect data, reputation, or compliance. At the same time, I present each issue in a structured format: risk, impact, severity, evidence of exploitation (EOE), OWASP Top 10 category, CVSS calculation, and clear recommendations. For technical teams, I provide detailed reproduction steps and guidance so they can resolve the issue effectively. For non-technical stakeholders, I simplify the explanation into business terms and prioritize actionable remediation steps. My goal is always to create a collaborative environment where clients feel informed and empowered, not intimidated, ensuring the engagement delivers real value and lasting improvements to their security posture.

11. What is your favorite part of working with a pentesting team? What about working on your own?

My favorite part of working with a pentesting team is the diversity of thought: everyone brings different perspectives, techniques, and approaches to uncovering vulnerabilities. That mix often leads to discoveries that one person alone might miss. On the other hand, working solo allows me to go deep into technical puzzles with full focus and explore creative attack paths without distraction. I find value in both modes: teamwork sparks innovation through varied perspectives, while solo work gives me the space for intense concentration.

12. Why do you like pentesting with Cobalt?

Cobalt stands out because of its platform-driven approach to pentesting. The ability to collaborate directly with clients through a structured platform streamlines communication and reporting, making the process more efficient and effective. I also enjoy the global pentester community within Cobalt. It’s motivating to work alongside skilled peers who bring diverse expertise. The combination of flexibility, professionalism, and community support makes pentesting with Cobalt both rewarding and impactful.

13. Would you recommend Cobalt to someone looking for a pentest? Why or why not?

Absolutely, yes. Cobalt provides a unique blend of scalability, transparency, and quality that sets it apart from traditional consulting models. Clients not only get access to highly experienced pentesters but also benefit from the platform’s one-click test start capability, which makes kicking off an engagement agile and straightforward. The platform supports different types of assessments, ranging from web, API, mobile, and source code review to emerging areas like AI/LLM, covering almost all modern technologies. What I particularly value is the real-time visibility and collaboration: clients can track progress, interact directly with researchers, and see findings evolve as the engagement unfolds. For organizations seeking a flexible, agile, and future-ready pentesting partner, I would strongly recommend Cobalt.

14. What do customers or the media often misunderstand about pentesters?

One common misunderstanding about pentesters is that we’re only out to “break things,” when in reality our goal is to help organizations build resilience by safely simulating real-world attacks in controlled conditions. Another misconception is that pentesting is purely tool-driven. At the same time, tools provide a baseline; the real value comes from human creativity, problem-solving, and the ability to chain small findings into impactful business risks. Many also view pentesting as a one-time compliance checkbox, but it’s actually an ongoing process of strengthening defenses against evolving threats. In truth, pentesting is less about causing chaos and more about responsibly uncovering weaknesses, translating them into clear business impact, and enabling organizations to proactively improve their security posture.

15. How do you see pentesting changing in 2025 and over the next few years?

Pentesting is evolving rapidly with the rise of AI, cloud-native environments, and IoT, and I believe 2025 will mark a shift in how organizations approach security testing. Instead of treating pentests as annual checkbox exercises, we’ll see a move toward continuous, integrated pentesting that aligns with agile development cycles and DevSecOps practices. With AI and LLMs becoming central to modern applications, securing them will be a top priority, as will addressing risks in software supply chains where a single compromise can cascade across ecosystems. Attack surfaces are growing wider and more complex, so pentesters will need to adapt by combining automation for speed and scale with manual expertise for depth and creativity. Ultimately, the role of pentesters will move beyond simply finding vulnerabilities; we'll act as strategic security partners who provide ongoing insights, threat modeling, and guidance to help organizations proactively strengthen their defenses.

16. What's your p(Doom)?

My personal p(Doom) is when I forget to save my notes, POC, or proxy history, and the laptop reboots for an update. Hours of payload tweaking, gone in an instant. No matter how advanced cybersecurity gets, Windows Updates and unsaved work will always be the real adversaries.


About Noelle Hori
Noelle Hori is the Community Operations Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over six years of community leadership experience, Noelle plays a key role in advancing the Cobalt mission to revolutionize how organizations protect themselves from cyber threats—by uniting the best of people and technology. Noelle partners closely with product and delivery teams to maximize the pentester experience while also helping guide community initiatives for the Cobalt Offensive Security Platform.