
Cobalt Pentester Spotlight — Lautaro Colombo

The Cobalt Pentester Spotlight highlights the journeys of our Core members. In an interview format, we share their experiences, backgrounds, and insights into the world of an accomplished pentester.

What's your handle? Do you use more than one? Where did it come from?

I go by ffrez, and actually, there’s no story behind it. I like that it’s short and easy to remember. I started using it in video games, and then continued to use it on hacking platforms.

What got you into cybersecurity? How did you get into pentesting specifically?

As a kid, I remember being fascinated with stories about Kevin Mitnick. I read everything I could about him, being amazed at how he could do such things. I couldn’t understand it; the stories sounded like magic to me.

Looking back, I was always interested in computers, and particularly, computer security. Can’t explain why, but it was something about hacker culture that always caught my eye, somehow.

I started my career as a developer, but I always knew that I wanted to go into security. I studied everything I could about pentesting and hacking, and once I got a chance to make the switch, I jumped on it and never regretted it.

What exploit or clever attack are you most proud of and why?

Chaining vulnerabilities is always exciting. Being able to use different misconfigurations or low-impact bugs to create something much more impactful is something that I really look forward to in every test. Every time I find one of those, it really makes me proud.

I’m also very excited when I find clever logic bugs. They have become my favorite bugs to search for, and they come after really understanding what the product does, and what assumptions the developers made to be able to bend them, tweak them, and exploit them.

What is your go-to brag when talking about your pentesting skills?

I don’t like to brag about what I know, and I believe that I have some strengths and weaknesses just like any other professional in this field. Personally, I focus a lot on understanding what I’m hacking, the underlying system, and how it’s implemented, trying to identify what can hurt the clients the most, and making a strategy to go after it. That mindset takes time to develop, and I think it’s really important.

Share a time something went wrong in the course of a pentest. What happened, and what did you do?

Targeting a host outside of scope by accident. Besides an angry message from the customer, nothing serious happened, no downtime or service disruption. I immediately apologized, made myself available to help them identify and filter the traffic, and ensured no further communication with the affected host.

What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

Burp Suite is a must for web/API pentesting. I cannot emphasize enough how good this tool is, from the essential Repeater, Intruder, Proxy, and Collaborator to Macros, Bambdas, custom scan checks, and extensions. It really is phenomenal, and all hackers should know it inside and out.

Besides the proxy, the tools I use the most are nmap, ffuf, jsxcout, different extensions, and other scripts I wrote to automate certain tasks.

However, I want to emphasize this: tools help you find things, but it’s much more important to know what and where to look. Understanding the application you’re hacking is a requirement to find stuff that matters. Having a methodical approach when targeting web applications is also key; then it doesn’t matter which tools you use, what matters is that you can get the job done.

With a good methodical approach and knowing where and how to look, you just need a proxy, any text editor, and a browser.

What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

Custom web applications and APIs are my favorite asset types to pentest because they are always different, and they’re always changing.

What certifications do you have? Why did you go for those specifically?

I currently don’t have any certifications in my name. A few years ago, I decided to go through the bug bounty and pentesting learning route, instead of pursuing certs. This might change, though, since what drives me is curiosity and the desire to learn.

What advice do you wish someone had given you when you first started pentesting?

To become good in this field (or any discipline, really), you need to put in an awful lot of hours hacking and researching. There are no shortcuts: you must read and practice a lot, and be consistent on that path.

Research your target and know it inside out, even if this means that you should spend hours reading official docs and reviewing client code.

Leave no stone unturned. If you’re testing certain functionality, check every endpoint and entry point, even if you assumed that this was already tested before. I have found vulnerabilities in public APIs or exposed JavaScript files that, at the time, I could not believe no one had seen before.

And lastly, choose wisely how you spend your time while testing. Certain tasks have much higher returns than others, so make sure to spend as much time as you can doing that. In my case, I have identified that what leads to more impactful findings is deep manual research, studying the logic behind each functionality, really understanding what has been implemented and its business logic, and this increases the chances of finding vulnerabilities.

How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

I pay special attention to a clear and concise report with reproducible steps. Even mostly non-technical customers should at least be able to understand what to do to test a vulnerability when they read the reproduction steps.

It’s all about clear communication, and also about measuring the risk appropriately. Pentesting to me is not about us testers showing that we find high or critical issues; it is more about communicating the risk and demonstrating clear impact.

What is your favorite part of working with a pentesting team? What about working on your own?

I like both parts, working alone and with others, but lately I’ve been much more interested in interacting more with the people I work with. A lot of vulnerabilities arise from having multiple ways of seeing the same things, having different points of view, and this is always better if more than one person is involved.

Why do you like pentesting with Cobalt?

I love everything about Cobalt. The flexibility that you can have in this job is fantastic, the transparency and expertise of the team, having clients from all over the world (it’s never boring, so many different apps to test!), and the colleagues from all parts of the world, from whom you can always learn something new. I’m really glad to be a part of the Core.

Would you recommend Cobalt to someone looking for a pentest? Why or why not?

One hundred percent. Great company to work with, full of very knowledgeable people.

What do customers or the media often misunderstand about pentesters?

That pentesters will find every single vulnerability, and after conducting one, you’ll be completely secure. Pentesting is one component of a much larger security chain of good practices. It’s important, yes, but it cannot replace other components and practices that will also improve the security of a company.

How do you see pentesting changing in 2026 and over the next few years?

It’s always changing, and in the past few months, it seems to be going faster than ever with the rise of automated agents doing much of the work. We don't yet know exactly where this is headed, but pentesters who can leverage agents and automate certain tasks with AI have an advantage, though they're not fully replaceable. Human intervention will still be needed for more comprehensive tests and better results.

What’s one non-technical skill (e.g., writing, communication, project management) that you believe is becoming critically important for a successful pentester, and how do you cultivate it?

Communicating your work, what you've found, and how you approached the test has always been crucial. It's a fundamental skill that should be cultivated, and the only way to do it is to approach each conversation with a genuine desire to improve the security of the clients you're working with while staying humble.

What's your p(Doom)?

Very, very low. I’m skeptical about systems evolving into something we can’t control or turn off, and I believe the risks are overstated. I’m much more concerned about the misuse of AI by humans than autonomous agents deciding to attack or harm us.


About Noelle Hori
Noelle Hori is the Community Operations Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over six years of community leadership experience, Noelle plays a key role in advancing the Cobalt mission to revolutionize how organizations protect themselves from cyber threats—by uniting the best of people and technology. Noelle partners closely with product and delivery teams to maximize the pentester experience while also helping guide community initiatives for the Cobalt Offensive Security Platform.