
Cobalt Pentester Spotlight - Dennis Mendoza

The Cobalt Pentester Spotlight highlights the fascinating journeys of our Core members. In an interview format, we share their experiences, backgrounds, and insights into the world of an accomplished pentester.

What's your handle? Do you use more than one? Where did it come from? What's the origin story?

My handle has always simply been Dennis. I don’t like hiding my identity; I actually prefer that people and customers know me by my real name. Sometimes I use Dennisleo or demendoza, but that’s usually only because “Dennis” is already taken or because some Active Directory setups automatically generate usernames using initials and last names. For me, transparency is part of how I work.

What got you into cybersecurity? How did you get into pentesting specifically?

I will never forget the first time I discovered OWASP ZAP during my Systems Engineering studies. One of my professors showed us that the requests between the browser and the web server could be modified, and that the application could behave in completely unexpected ways. That moment blew my mind.

From there, I completely fell in love with security. I spent countless nights without sleeping, testing again and again. Every time I had class with that professor, I showed him new things I had discovered. I started reaching out to him outside of class (WhatsApp, email, in person), asking for an opportunity at the consulting firm where he worked.

One day, he finally told me, “There’s an opening at the consulting company, go interview.” I went, was interviewed by someone who later became a very close friend, explained what I knew how to do, and got a yes. Today, we are all very good friends, and I will always be deeply grateful to both of them for allowing me to learn and become who I am today.

All of this happened over a decade ago. Today, after more than 10 years of hands-on experience in cybersecurity and pentesting, I still carry the same curiosity and passion I had from the beginning, now backed by real-world experience, sound judgment, and a strong focus on business impact.

What exploit or clever attack are you most proud of and why?

While working at that consulting firm, we performed many pentests for banks. On one engagement, I was able to access the bank account of virtually any user in three different banks, using only a Colombian national ID number (DNI).

The impact was massive. The client was genuinely shocked, and thanks to that finding, we were able to sell and invoice additional services beyond what was originally scoped. It was a clear example of how impactful pentesting can be when done properly.

What is your go-to brag when talking about your pentesting skills?

I don’t really like bragging. In the hacking world, there are always people who are better than you. It’s important to stay humble. What I do tell my clients is that I always take the time to understand their business, identify what could truly affect them, and focus my work on generating real value—not just technical findings.

Share a time something went wrong in the course of a pentest. What happened, and what did you do?

I was conducting an internal penetration test for a small financial institution. Because the entire network resided on a single VLAN, I launched a man-in-the-middle attack using Cain & Abel to capture credentials in cleartext. I successfully obtained usernames and passwords for an AS/400 system; however, as an unintended side effect, user connections were disrupted.

We had to manually reset user sessions one by one with the client. Everything was resolved within about two hours. Beyond the temporary downtime, the client clearly understood the risk of having everything on the same VLAN and was able to justify a network redesign to the board.

What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

My day-to-day tool is Burp Suite. I honestly can’t imagine life without it (laughs). In addition, I frequently use tools like Nuclei, Nmap, BloodHound, MobSF, Frida, and custom tooling depending on the asset type and scenario being tested.

What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

I enjoy testing everything and constantly learning. While my strongest areas are web and mobile applications, I’m always open to new challenges. I’ve tested everything from ATMs and physical intrusions to infrastructure and LLMs. Every attack surface is an opportunity to learn something new.

What certifications do you have? Why did you go for those specifically?

I hold several certifications that required a lot of effort and many late nights (laughs), but I’m very proud of them. I have OSCP, OSEP, and OSWE, as well as CEH and some Qualys certifications from a scanning provider. I chose these because they are highly hands-on and truly prepare you for real-world pentesting scenarios.

What advice do you wish someone had given you when you first started pentesting?

If you truly enjoy what you do and genuinely love it, you will become very good at it. If you find yourself working late at night out of pure motivation rather than obligation, then this is what you’re passionate about. Passion makes all the difference.

How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

I always start by understanding the client’s business model and then explain findings in terms of business risk, not just technical impact. I’ve worked with both technical and non-technical clients, and I want everyone to clearly understand what’s happening.

On one occasion, a company president was very reluctant to invest in security. With full client approval, we ran an awareness exercise just for him: we extracted cleartext passwords from Active Directory, wrote his password on a card, and handed it to him personally. That experience completely changed his perspective, and he chose to invest in security. It was a controlled and authorized exercise that turned into a very successful business outcome.

What is your favorite part of working with a pentesting team? What about working on your own?

I definitely enjoy learning from others—new techniques, new ways of thinking, and new perspectives on business risk. Working independently has its value, and I’ve done it many times, but I much prefer teamwork, especially when discussing severity, impact, and findings.

Why do you like pentesting with Cobalt?

I love the business model. Having a clearly defined scope and everything ready to start is amazing. Everything is transparent and well-organized. Getting paid to do what I love — it’s the job I always dreamed of.

Would you recommend Cobalt to someone looking for a pentest? Why or why not?

Absolutely. The service is exceptional, and I’ve already recommended it to several colleagues.

What do customers or the media often misunderstand about pentesters?

Many people think pentesters can just break into anyone’s Facebook or Instagram, or that hacking is inherently illegal or criminal. I believe that those of us who don’t hide our identity are helping change that perception and professionalize the industry.

How do you see pentesting changing in 2026 and over the next few years?

I believe AI will help us design better scenarios and approaches. However, I don’t see AI fully replacing pentesters. AI can help find SQL injection or XSS, but business logic vulnerabilities (like moving money between accounts, bypassing KYC, or chaining multiple issues for real impact) will continue to require creative humans willing to deeply understand and break systems.

What’s one non-technical skill (e.g., writing, communication, project management) that you believe is becoming critically important for a successful pentester, and how do you cultivate it?

Without a doubt, I'd have to say communication with the client. Being able to explain the importance of security to a bank executive or business leader with no technical background is essential to becoming a successful leader in this field.

What's your p(Doom)?

I have a phrase I use often: “Within what’s allowed, everything for impact.” For me, this means always giving my best to generate the highest possible impact during a pentest, so that the client truly understands the value of the work and the findings.

I always operate within the agreed scope, permissions, and ethical boundaries. The goal is never to “break things just to break them,” but to responsibly demonstrate how far an attacker could go and why it truly matters.


About Noelle Hori
Noelle Hori is the Community Operations Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over six years of community leadership experience, Noelle plays a key role in advancing the Cobalt mission to revolutionize how organizations protect themselves from cyber threats—by uniting the best of people and technology. Noelle partners closely with product and delivery teams to maximize the pentester experience while also helping guide community initiatives for the Cobalt Offensive Security Platform.