The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.
1. What's your handle? Do you use more than one? Where did it come from? What's the origin story?
I mostly go by tareksiddiki. It’s just my name, no story behind it. Over the years, it became my identity in the community, so I kept it.
2. What got you into cybersecurity? How did you get into pentesting specifically?
Back in 2006–07, I used to write bots for a popular instant messenger called mig33. That is how I first got familiar with HTTP request-response. It felt amazing to see how you could automate or even break things just by tweaking the requests. Later, when bug bounty programs started to grow, I joined in, not really for the money, but more for fun and the challenge. I did pretty well there. Then Cobalt came along and introduced me to formal pentesting, and that’s where I could really channel my strengths.
3. What exploit or clever attack are you most proud of and why?
I always take pride in hacking the hacker. It’s thrilling, almost like being Dexter. The vulnerabilities I found in hacker-centric platforms like Synack, HackerOne, and Cobalt are the ones I look back on with the most pride. I won’t name names, but I recently came across a well-known hacker platform that had an SSO vulnerability that had been sitting there for years. It was nothing fancy, just a simple logical flaw, but it gave me control over any tenant. The fact that such a small detail could expose such a big impact is what makes those moments unforgettable.
4. What is your go-to brag when talking about your pentesting skills?
That I’ve managed or led close to a thousand pentests, while still doing hands-on testing. I have a strong eye for flaws in OAuth, SSO, and authentication workflows. These are areas a lot of testers overlook or treat as a black box, but I like digging deep into them.
5. Share a time something went wrong in the course of a pentest. What happened and what did you do?
There was a time we were testing a staging environment, and I went all in with the testing. While validating a critical access control flaw, I deleted a few items, assuming it was just staging and safe to play around. Later, the client came back and said they actually had useful demo data in that instance. It was an accident, but it happened because I made an assumption instead of confirming. Since then, I always make sure to check with the client before doing anything that might cause harm. It was a simple mistake, but it taught me a lasting lesson.
6. What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?
Burp Suite is always running, but I rely a lot on custom scripting too. I like using nuclei and Semgrep for quick coverage checks. For OAuth and SSO, I spend time digging into request-response flows, tweaking tokens, and checking edge cases around refresh and expiration. The fun part is when you find something the developers never thought anyone would try.
7. What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?
APIs are at the top of my list, because that’s where a lot of interesting logic and authentication flaws hide. Web applications are great too, especially when they use complex SSO or OAuth setups. Those integrations are often fragile, and testing them thoroughly pays off.
8. What certifications do you have? Why did you go for those ones specifically?
I don’t have any certifications and I’m not chasing them either. What I do chase is learning. Right now, I’m exploring AI/ML testing because that’s the hot topic and where things are heading. My main sources of learning are Defcon, Black Hat, and other conferences where people share real research, along with tech blogs where researchers explain how they think. That’s what keeps me sharp and relevant.
9. What advice do you wish someone had given you when you first started pentesting?
Don’t chase just the flashy vulns. Focus on depth, coverage, and methodology. Sometimes the “boring” access control check ends up being the million-dollar finding. And never stop documenting your work; clear notes can turn a good tester into a great one.
10. How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?
I keep things simple and focus on business impact. I explain the issue in a way they can understand, walk them through the logic, and make sure they know what needs to be done. The goal is always to leave them confident, not confused.
11. What is your favorite part of working with a pentesting team? What about working on your own?
With a team, it’s the back-and-forth and idea sharing. You get perspectives you’d never have thought of. Alone, I like the focus and flow of digging deep into a system.
12. Why do you like pentesting with Cobalt?
The mix of freedom and professionalism. The clients are high quality, the platform is smooth, and the community is strong. You get to bring your own style of testing and still be part of a solid structure.
13. Would you recommend Cobalt to someone looking for a pentest? Why or why not?
Yes. With Cobalt it’s not just about chasing compliance. Clients actually get to interact with testers and see how a team works. The diversity of thought and approaches is really interesting, and that’s something you’d never find in a typical pentest where testers are just checking boxes.
14. What do customers or the media often misunderstand about pentesters?
That we’re all just “hackers” in the Hollywood sense. Real pentesting is structured, patient, and methodical. It’s about solving problems, not smashing keyboards in a dark room.
15. How do you see pentesting changing in 2025 and over the next few years?
AI-based testing will keep getting better, and it’s going to replace the low-end testers. The way forward is to adapt and use AI as part of our toolkit instead of ignoring it. To stay ahead, we have to innovate and ride the wave. In the end, only the real innovators will thrive.
16. What's your p(Doom)?
Pretty low. Threats will always evolve, but so will we. As long as we keep adapting and sharing knowledge, I don’t see doom anytime soon.