
Cobalt Pentester Spotlight — Krishna Sai Nuthakki

The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.

What's your handle? Do you use more than one? Where did it come from? What's the origin story?

My handle has always been knuthakki. It’s simply derived from my name, and I have used it consistently across platforms, engagements, and communities. I have never really felt the need to change it as it represents my work, and over time people have come to associate it with my identity in security.

What got you into cybersecurity? How did you get into pentesting specifically?

Honestly, I stumbled into cybersecurity. I was doing my master’s in cybersecurity, and the practical exposure to pentesting, risk analysis, and forensics really opened my eyes to how systems could be broken and defended. It shifted my perspective from just using technology to understanding how it actually works beneath the surface.

When I moved back to India, I joined a startup where pentesting was part of my role. That’s where I truly found my passion. I was actively testing and breaking into real-world applications that people used daily. Over time, I leveled up significantly working on red team engagements, Active Directory pentests, network pentests, and web applications. That hands-on exposure shaped my mindset and solidified pentesting as my core focus.

What exploit or clever attack are you most proud of and why?

I am most proud of attacks where I have chained multiple small issues together into a meaningful compromise. Individually, the issues might seem low impact, but when combined thoughtfully, they expose real business risk.

What makes those moments rewarding is demonstrating how attackers actually think: systematically analyzing trust boundaries and assumptions rather than just looking for isolated vulnerabilities.

What is your go-to brag when talking about your pentesting skills?

Consistency, in-depth analysis, and reporting quality.

I approach every engagement methodically and ensure thorough coverage rather than relying on luck or automation alone. I focus on understanding the application, its architecture, and trust boundaries so I can identify meaningful issues, not just surface-level vulnerabilities.

Equally important is reporting. I believe it’s an undervalued skill; finding vulnerabilities is only part of the job. If you can’t translate those findings into clear business risk and actionable recommendations, they don’t create real value beyond being a checklist. My goal is to ensure customers not only see what’s wrong, but truly understand the impact and how to fix it effectively.

Share a time something went wrong in the course of a pentest. What happened and what did you do?

During one engagement, aggressive testing exposed stability issues in a non-production environment because certain safeguards like rate limiting weren’t properly configured.

I immediately paused testing, informed the client transparently, and worked with them to understand the root cause. It reinforced the importance of communication, controlled testing, and maintaining trust throughout an engagement.

What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

Core tools I use regularly in no particular order are:

  • Burp Suite
  • Nmap
  • Nuclei
  • ffuf
  • httpx
  • gowitness

Automation helps with coverage and efficiency, but manual analysis is where the real value comes from, especially for identifying logic flaws and access control issues. But my favorite would be Burp Suite, I guess, since that's something we use daily.

What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

Web applications and APIs are my favorite.

They tend to have complex logic, authentication mechanisms, and trust relationships. Breaking down how data flows and identifying assumptions made by developers often leads to impactful findings.

What certifications do you have? Why did you go for those ones specifically?

I have OSCP, CCSK, CREST CPSA, and Certified AI/ML Pentester. Initially, I pursued certifications as a way to grow and progress in my career and establish credibility in the field. They provided structure and helped me build a strong foundation across different areas of security. Over time, my motivation shifted; now it’s less about the certification itself and more about the learning that comes with it. Each certification gives me an opportunity to deepen my understanding, explore new domains like cloud and AI security, and continuously improve my practical skills as a pentester.

What advice do you wish someone had given you when you first started pentesting?

Focus heavily on your fundamentals.

Over time, you realize that strong basics (understanding networking, authentication, authorization, and application behavior) make a huge difference. When your fundamentals are solid, you perform much better and can adapt to any environment or technology.

How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

I follow a risk-based approach.

I translate technical findings into business impact so customers clearly understand the real risk. Rather than focusing only on technical details, I explain what the issue means from an attacker’s perspective and how it could affect their organization.

The goal is to help them prioritize effectively and improve their security posture.

What is your favorite part of working with a pentesting team? What about working on your own?

Working with a team brings diverse perspectives, which often leads to discovering attack paths you might not initially consider.

Working solo allows deeper focus and uninterrupted analysis. Both experiences are valuable in different ways.

Why do you like pentesting with Cobalt?

Cobalt provides a strong platform for collaboration and structured testing. The communication flow between testers and customers is smooth, and it allows for efficient reporting and remediation.

It also exposes testers to diverse environments and real-world scenarios.

Would you recommend Cobalt to someone looking for a pentest? Why or why not?

Yes. Cobalt provides access to skilled testers, structured workflows, and transparent communication.

This ensures customers receive meaningful, high-quality assessments that help improve their security posture.

What do customers or the media often misunderstand about pentesters?

People often think pentesting is just running tools.

In reality, the most impactful findings come from understanding systems deeply, analyzing logic, and thinking like an attacker. Tools assist, but mindset and analysis are what truly matter.

How do you see pentesting changing in 2026 and over the next few years?

Pentesting is evolving alongside modern architectures, with increasing focus on cloud-native environments, identity and access control, APIs, and AI-integrated systems. As applications become more distributed and rely heavily on interconnected services, the attack surface grows in complexity. While tools and automation will continue to improve, manual testing and architectural analysis will remain critical, as the most impactful vulnerabilities often stem from logic flaws, trust assumptions, and design weaknesses that require a deeper understanding of how systems are built and operate.

What’s one non-technical skill (e.g., writing, communication, project management) that you believe is becoming critically important for a successful pentester and how do you cultivate it?

Communication.

The ability to clearly explain risk and remediation determines how effective your work is. Strong communication ensures customers understand and act on findings.

What's your p(Doom)?

Relatively low.

The bigger risk isn’t AI itself, but how people implement and use it without proper security controls. As with any technology, responsible implementation is key.

About Noelle Hori
Noelle Hori is the Community Operations Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over six years of community leadership experience, Noelle plays a key role in advancing the Cobalt mission to revolutionize how organizations protect themselves from cyber threats—by uniting the best of people and technology. Noelle partners closely with product and delivery teams to maximize the pentester experience while also helping guide community initiatives for the Cobalt Offensive Security Platform.