The Cobalt Pentester Spotlight highlights the fascinating journeys of our Core members. In an interview format, we share their experiences, backgrounds, and insights into the world of an accomplished pentester.
1. What's your handle? Do you use more than one? Where did it come from? What's the origin story?
My handle is Sappi, and it’s the only one I use across all platforms. The name actually came from my college days. A friend thought my voice sounded similar to one of the Punjabi artists in Jazzy B’s song Soorma. At the beginning of that track, there’s a line where one of the artists says, “Kar oo mera hummer start yara Sappi.” From that day on, everyone started calling me Sappi, and it just stuck. Over time, it became my online identity, and now I use it everywhere — from social media to professional platforms.
2. What got you into cybersecurity? How did you get into pentesting specifically?
In my final year of college, I didn’t land offers from the MNC companies like TCS or Infosys because of their strict academic percentage cutoffs. Instead, I joined a small cybersecurity firm in my hometown as an intern. That turned out to be the start of everything. I began diving deep into cybersecurity on my own, following experts like Frans Rosen, Geekboy, mlitchfield, and filedescriptor on Twitter. Soon, I started hunting for vulnerabilities on platforms like Twitter, ProtonMail, Google, Shopify, and Yandex — basically anywhere offering swags or bounties. I spent a lot of time on HackerOne and Bugcrowd in those early days, but eventually focused more on HackerOne and private bug bounty programs. That hands-on bug hunting experience really pulled me into pentesting.
3. What exploit or clever attack are you most proud of and why?
I’ve always had a strong eye for access control issues, especially when it comes to complex roles and permissions. Most of my proudest finds came from spending extra time mapping out how an application handles privileges. It is not something you can rush because you need to carefully go through each part of the app, test how permissions tie to actions, and spot inconsistencies.
One case that stands out was when I managed to compromise an entire organization by manipulating a single HTTP request. I originally had access only to a regular service portal at service.example.com, but through privilege escalation, I was able to gain admin rights on a completely separate domain, admin.example.com. Pulling that off required patience, a deep understanding of the application’s logic, and careful testing, which is precisely the kind of work I enjoy the most.
4. What is your go-to brag when talking about your pentesting skills?
My strength has always been in complex access control and role-based permissions. This is where I find the majority of my vulnerabilities, and it is the area I enjoy the most. I like to spend as much time as needed to make sure nothing slips through when it comes to permissions. Looking at my own stats, about 60 percent of my findings are privilege escalations, and if I include all access control issues such as IDORs, that number is closer to 80 percent. So whenever a pentest is authenticated and involves multiple roles, I know that is where I can deliver the most value, and I always dedicate extra focus to it.
5. Can you share a time something went wrong in the course of a pentest? What happened and what did you do?
There have definitely been a few situations where things didn’t go as planned, and we had to shift timelines. One that stands out was around IP whitelisting. I had asked the client to whitelist my IP, and they had a proper process in place. But right when I was about to start testing, my ISP changed my IP since it wasn’t static. That meant I had to send over a new one, which ended up delaying the entire pentest to the next available slot. Since then, I always provide both my home IP and a server IP as a backup, so if my ISP changes something, I can quickly reroute traffic through the server.
Another situation happened a couple of times in staging environments where a feature broke mid-test, and some critical resources were removed from the application. The client had to re-enable those resources, which added another day or two to the schedule. Luckily, those incidents only ever happened in staging or test environments and not in production.
6. What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?
I use many tools, and it always depends on the type of pentest I am working on. For reconnaissance, my current choice is reNgine, while in the past I often used Osmedeus. The tool I rely on the most overall is Burp Suite Professional, since it gives me flexibility across web and API testing. I usually combine it with plugins such as Active Scan++, Auth Analyzer, 403 Bypasser, and Param Miner to uncover issues more effectively. Beyond that, I adjust my toolkit based on the engagement, whether it is focused on web applications, APIs, networks, or mobile testing. Choosing the right toolset for the right environment always makes the work more effective.
7. What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?
My favorite targets are web applications, APIs, and internal networks. I enjoy testing access control, injection flaws, and business logic issues in web and API environments because they often reveal impactful vulnerabilities. On the network side, I particularly like exploiting Active Directory, gaining access to domain controllers, and chaining different exploits to escalate privileges.
More recently, I have started focusing on AI and ML pentesting. I am interested in exploring weaknesses in MCP implementations, AI agents, and other AI integrations within applications. I believe this area will become one of the most important parts of pentesting in the coming years, and it is quickly becoming a new favorite for me.
8. What certifications do you have? Why did you go for those ones specifically?
I hold OSCP, BSCP, CREST CPSA, CREST CRT, PNPT, and C-AI/MLPen. I chose OSCP because it has become a minimum requirement in the industry, and with my experience, I felt ready to take it on. BSCP, the Burp Suite Certified Practitioner, is more specifically focused on web application pentesting and is gaining strong recognition, which made it a natural fit for me. PNPT was actually the first certification I pursued, as I had the opportunity to work on it while at RSM and was fortunate enough to earn it. I went for the CREST certifications mainly because many Cobalt clients require them for certain engagements, so it was important to meet that demand. Finally, C-AI/MLPen is my personal favorite since the industry is quickly shifting toward AI, and I want to stay ahead by building expertise in that space.
9. What advice do you wish someone had given you when you first started pentesting?
When I started with bug bounties, there were very few resources or blogs to learn from. It took me almost six months just to understand the basics of Burp Suite and how to use its features effectively. Looking back, I realize how much faster I could have progressed if I had proper guidance in those early days. Another piece of advice I wish I had received was to get hands-on experience with at least one programming or scripting language, such as Python or Bash. That would have made automating tasks, writing custom scripts, and understanding application logic much easier right from the start.
10. How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?
When discussing findings with customers, I like to begin with a clear explanation of what the issue is. I then explain the impact, what it means for their business, and what could potentially be broken or abused. After that, I walk them through the steps to reproduce the issue so they fully understand how it was discovered. Finally, I provide remediation guidance that is practical and actionable.
This is also an area I want to continue improving. Clear communication is just as important as technical skill, so I always welcome advice or guidance from others with experience. Anyone who has tips is more than welcome to reach out to me on Slack.
11. What is your favorite part of working with a pentesting team? What about working on your own?
Most of the time, I have worked alone, which allows me to stay focused and thorough. At the same time, I like working in teams because collaboration often makes the work more effective. Dividing responsibilities, sharing ideas, and building on each other’s strengths not only improves results but also creates good learning opportunities. I recall an instance where a teammate assisted me in creating a proof of concept for a remote code execution vulnerability in a web application. That experience showed how teamwork can lead to stronger results and help boost confidence.
12. Why do you like pentesting with Cobalt?
I like pentesting with Cobalt because of the variety of clients and industries I get to work with. Every engagement is different, which keeps the work challenging and helps me continue learning. The platform also makes collaboration simple, whether it is sharing notes with customers or working alongside other Core members. On top of that, the level of professionalism and the structured process make it easier to focus on the technical side of the work while still delivering clear results to customers.
13. Would you recommend Cobalt to someone looking for a pentest? Why or why not?
Yes, I would definitely recommend Cobalt. The testers on the platform go through a proper selection process that includes hands-on labs and assessments of report-writing skills, so customers can trust the quality of the work. Along with that, the platform makes collaboration smooth and ensures findings are presented clearly and professionally. The combination of skilled testers, strong reporting, and an efficient process gives customers both technical depth and a positive experience.
14. What do customers or the media often misunderstand about pentesters?
One common misunderstanding is the idea that pentesters only run automated scans. In reality, a lot of the value comes from manual testing and deep knowledge of how vulnerabilities work. Many people are not fully aware of threats like those in the OWASP Top 10, or how dangerous certain flaws can become when chained together.
Take SSRF as an example. A customer might think blocking access to AWS metadata endpoints is enough. In practice, there are often ways to bypass those controls, and an SSRF can sometimes be used to map internal networks or scan ports. Understanding those risks and testing them thoroughly is something automation alone cannot deliver, which is where a skilled pentester makes the difference.
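As an added illustration of the SSRF point above (example code, not part of the interview), here is the kind of substring blocklist that "blocks the metadata endpoint" beside a hardened check for a server-side URL fetcher. The hostnames, addresses and the FAKE_DNS table are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table so the example runs offline; a real deployment resolves
# via DNS and must apply the IP check to the address it actually connects to.
FAKE_DNS = {
    "images.example.com": "203.0.113.10",   # constructed "public" host
    "internal-wiki.corp": "10.0.5.20",      # constructed internal host
}

# Networks a fetcher should never reach on the server's behalf (RFC 1918, loopback,
# link-local including the cloud metadata address, and their IPv6 counterparts).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def weak_is_safe(url: str) -> bool:
    """The 'just block the metadata endpoint' approach: a substring blocklist."""
    return "169.254.169.254" not in url

def resolve(host: str):
    """Return the IP for a literal address or a FAKE_DNS entry, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        ip = FAKE_DNS.get(host)
        return ipaddress.ip_address(ip) if ip else None

def hardened_is_safe(url: str, allowed_hosts=frozenset({"images.example.com"})) -> bool:
    """Allowlist the host, pin scheme and port, then check the resolved address."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host or host not in allowed_hosts:
        return False
    if port not in (None, 80, 443):
        return False  # no internal port scanning via the fetcher
    ip = resolve(host)
    if ip is None:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # normalize ::ffff:a.b.c.d before the range check
    return not any(ip in net for net in BLOCKED_NETWORKS)
```

The substring check only stops the one literal string; it still lets the fetcher reach internal hosts and arbitrary ports, which is exactly the internal-network mapping the answer above describes.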
15. How do you see pentesting changing in 2025 and over the next few years?
I see pentesting evolving quickly as AI and machine learning become more integrated into business applications. Security testing will have to address new categories of risk, such as prompt injection, model poisoning, data leakage, and insecure supply chain dependencies. LLMs and AI agents introduce unique attack surfaces where traditional web and network testing methods are not enough.
Another major shift will be the growing importance of supply chain security, since organizations now rely heavily on third-party models, datasets, and frameworks. Pentesters will need to adapt by developing skills to test these AI and ML systems, validate the integrity of training data, and assess how these components interact with the wider application. I believe AI and ML security will become one of the core areas of pentesting in the near future.
16. What's your p(Doom)?
For me, doom usually looks like running Kali Linux in a virtual machine. It always seems to crash, hang, or shut down right when I need it most. More than once I have lost Burp Suite data and had to restart everything from scratch. If there is a real p(Doom) in my day-to-day, that would be it.
Learn More from our Cobalt Core
Unlock the secrets of successful pentesting. Read more Cobalt Pentester Spotlights on our blog homepage.