The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.
1. What's your handle? Do you use more than one? Where did it come from? What's the origin story?
I only use one nickname: EgiX. I chose this handle when I was fifteen, or rather, in a moment of my life when I experienced a spiritual change, or, in other words, when I started thinking for myself. It merely derives from my first name, Egi-dio: in Italian, "dio" means "god", so I simply put an X on the final part of my name, and the result was Egi-X.
2. What got you into cybersecurity? How did you get into pentesting specifically?
I was thirteen years old when I got my first computer, and was suddenly impressed by the "hackers world": the idea of getting complete control over any computer/system connected to the Internet was really intriguing to me, and I was truly fascinated by some of the hacking techniques of that time (early 2000s). As such, I decided to start studying computers on my own. However, I soon realized I had to understand some computer fundamentals before mastering those hacking techniques, so I started learning programming (in Visual Basic, C, and Assembly). After a while, I also got fascinated by the "reverse engineering world", spending my free time solving and writing "crackmes". Some years later, in 2007, along with the beginning of my graduation studies, I also started to get passionate about the "web application security world"; indeed, in the summer of that year I discovered a security bug in an open-source photo gallery (LinPHA), and I got my first CVE for that... This made me fall in love with web application vulnerability research and penetration testing, and since then, I can no longer do without it! It simply became like a drug for me, then the subject of my thesis, and finally my job! ♥️
3. What exploit or clever attack are you most proud of and why?
That's a difficult question to answer. Firstly, I'd say it's quite a critical and esoteric vulnerability that I recently discovered in a fairly popular piece of software. Unfortunately, I am unable to disclose additional information regarding this matter at this time.
So, to answer this question in another way, I would say I'm pretty proud of all of my PHP Object Injection exploits: I fell in love with this class of vulnerabilities back in 2012, and since then I have carried out some extensive research on this topic, writing an OWASP page, publicly speaking about it (see here and here), and disclosing 25+ PHP Object Injection vulnerabilities in applications such as SugarCRM, Joomla, and Matomo (formerly Piwik).
4. What is your go-to brag when talking about your pentesting skills?
I believe the core skills that every pentester should possess are resilience, flexibility, and, above all, the ability to think creatively and outside the box. These skills are essential for navigating the challenges and complexities of penetration testing.
Resilience allows pentesters to persevere through obstacles and setbacks, which are inevitable in this field. Flexibility enables pentesters to adapt to changing circumstances and evolving technologies. And thinking outside the box is arguably the most crucial skill for pentesters: it involves approaching problems from unconventional angles and finding creative ways to bypass security measures and uncover hidden vulnerabilities.
I think I've amassed a diverse skill set over the years (including the above), honing these abilities not only through my professional endeavors but also by actively applying them to everyday situations. This approach has allowed me to seamlessly integrate my work life and personal life, creating a synergistic relationship where each domain enriches the other.
5. Share a time something went wrong in the course of a pentest. What happened and what did you do?
During a web penetration test on a designated "testing environment," I uncovered multiple Stored Cross-Site Scripting (XSS) vulnerabilities. As it was a testing environment, I left a simple pop-up as the XSS payload on each affected page, assuming there wouldn't be any repercussions. However, the client subsequently used the same environment for a customer demo without resetting or checking it. During the demo, the client's customers encountered multiple popups I had left as XSS payloads, leading to confusion and embarrassment.
While I apologized for the oversight, I believe both the client and I share responsibility for the incident. Although it was a testing environment, the client should have ensured the environment was clean and reset before using it for a customer demo. This incident highlights the importance of clear communication and thorough checks when using testing environments for any client-facing activities, even demos.
6. What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?
While I may come across as a bit overconfident, I'd say my favorite "pentesting tool" is my own brain! I believe my ability to think critically, analyze situations, and devise creative solutions is what sets me apart as a penetration tester.
Other than that, I use "standard pentesting tools" such as Burp Suite, nuclei, nmap, Metasploit, etc. Most of them on a daily basis! I am also proficient in a variety of programming and scripting languages, which allows me to create custom tools and scripts to suit my specific needs.
7. What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?
I believe I have already provided an answer to this question! Web applications are definitely my primary focus and expertise. I've dedicated countless hours to web application security, immersing myself in security code review and penetration testing for a wide range of open and closed source web applications. This experience spans various industries and project types, including my work at Cobalt, freelance projects, and personal endeavors.
8. What certifications do you have? Why did you go for those ones specifically?
I don't hold any formal certifications, as I've always found that hands-on experience and continuous learning are far more valuable in the cybersecurity industry. The landscape evolves so rapidly that certifications might quickly become outdated. So, I prefer to focus my time and energy on staying ahead of the curve by immersing myself in real-world scenarios and constantly expanding my skillset.
9. What advice do you wish someone had given you when you first started pentesting?
My personal journey has taught me that the foundation for any successful penetration testing career lies in building a strong base of knowledge. Before diving into the world of pentesting, it's essential to dedicate time to understanding the fundamentals. IMHO, key areas for foundational knowledge include: Web Programming, Networking, and Operating Systems (OS) Architectures.
By investing time in mastering these core areas, aspiring pentesters can develop the skills and knowledge necessary to identify and exploit vulnerabilities effectively. As you progress in your learning journey, it will become clearer which specific area of information security resonates most with your interests and skills, allowing you to specialize and excel in your chosen field.
10. How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?
When I discover a vulnerability during a pentest, I prefer to write a custom script to reproduce the exploit if possible, particularly for critical or high-risk vulnerabilities. I typically use PHP scripts for this purpose. In my reports, I always strive to clearly and concisely explain the vulnerability class, referencing the Common Weakness Enumeration (CWE) when applicable. Then I delve into the root cause of the issue and provide actionable steps for reproduction and remediation. This is my standard approach to vulnerability reporting, ensuring that the information is easily understandable and actionable for developers and other stakeholders.
11. What is your favorite part of working with a pentesting team? What about working on your own?
While working independently on a pentesting project certainly has its perks, such as the ability to deeply focus on the target and gain a comprehensive understanding of its functionalities, this approach may not always be feasible. The size and complexity of the target can often necessitate a team effort to ensure that every aspect is thoroughly examined and assessed.
Collaborating with a team of skilled professionals offers numerous benefits, one of which is the opportunity for knowledge sharing and skills development. By working alongside individuals with diverse expertise and backgrounds, I can learn new techniques, approaches, and perspectives that I may not have otherwise encountered. This "skills stealing", as I like to call it, is a valuable aspect of teamwork that allows me to continuously expand my knowledge base and enhance my overall effectiveness as a pentester.
12. Why do you like pentesting with Cobalt?
The flexibility offered by Cobalt empowers me to take control of my work schedule and select projects that align with my interests and expertise. Additionally, the opportunity to collaborate with diverse teams on each new engagement provides a unique platform for continuous learning and skill development. This dynamic environment fosters a "skills stealing" approach, where I can actively observe and assimilate valuable techniques and knowledge from my colleagues, further enhancing my professional repertoire.
13. Would you recommend Cobalt to someone looking for a pentest? Why or why not?
I would absolutely recommend Cobalt to any organization seeking penetration testing services, particularly those looking for a long-term partnership. Cobalt's unique model of assembling diverse teams of pentesters for each engagement ensures that the target system is examined from a wide range of perspectives and skill sets. This approach significantly increases the likelihood of uncovering vulnerabilities that might be missed by a more homogeneous team.
Furthermore, Cobalt's platform facilitates seamless collaboration and communication between pentesters, clients, and security teams, streamlining the entire testing process and ensuring that findings are quickly addressed.
14. What do customers or the media often misunderstand about pentesters?
Many people misunderstand penetration testers, often confusing them with malicious hackers or expecting them to find every vulnerability instantly. Pentesting is not just running automated scans; it involves deep analysis, manual testing, and sometimes even social engineering. It’s also not a one-time fix — security is an ongoing process. Despite media portrayals, hacking isn’t instant or guaranteed, and a clean report doesn’t mean a system is invulnerable. Pentesting is just one layer of a strong cybersecurity strategy.
15. How do you see pentesting changing in 2025 and over the next few years?
I think AI will definitely be a shape-shifter in pentesting, evolving from an assistant to an autonomous threat simulator, dynamically adapting to exploit and defend against emerging attack surfaces. On the other hand, I hold the belief that AI cannot replace human pentesters, as some vulnerabilities are simply too intricate to be discovered by an AI tool alone. But I might be wrong…
16. What's your p(Doom)?
I’d say my p(Doom) is quite low if we look within the next 100 years. While there are risks from AI, climate change, biotechnology, and other global challenges, humanity has a strong track record of adapting and mitigating threats. I think it's far more likely that we will navigate these challenges successfully rather than face an existential catastrophe. At least, I hope so.