WEBINAR
2026 Forecast: 5 New Trends, 3 Old Risks, & 1 Big Surprise

Cobalt Pentester Spotlight - Sagar Parmar

The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.

What's your handle? Do you use more than one? Where did it come from/ What's the origin story?

My handle is sparmar. Nothing fancy behind it—it's simply a mix of my name and surname. When I first created it, I always thought I’d eventually switch to something unique or catchy, but I kept using it everywhere and it just became my identity. At this point, changing it feels unnecessary. I’ve seen a lot of pentesters use creative or mysterious handles, and sometimes I wish I had picked something like that from the beginning. But in a way, keeping my real name in my handle reflects who I am—straightforward, consistent, and it’s been with me since the beginning of my cybersecurity journey.

What got you into cybersecurity? How did you get into pentesting specifically?

I actually started my career as a network engineer. I loved building computers from scratch, fixing hardware issues, and helping friends with network configurations. During that time, I attended a security conference where I was introduced to the world of information security. It immediately caught my attention.

That conference changed everything. I became excited to learn more, so I started studying security concepts, exploring application security, and trying my hand at both public and private bug bounty programs. The first six months were rough—duplicate reports, N/A findings, invalid ones—but eventually I landed an XSS report that earned me $750. In 2015, $750 was a huge deal for me and my family, and that reward gave me the push I needed. That was the moment I realized this field was where I wanted to build my career.

What exploit or clever attack are you most proud of and why? 

One that really stands out was a multi-step access control bypass. Every individual issue looked minor on its own, but when I pieced them together, they led to full privilege escalation. It took patience, a lot of back-and-forth testing, and a good understanding of how the application behaved across environments.

What I liked most was that it reminded me pentesting isn’t always about finding a single high-impact bug. Sometimes it’s about connecting small dots that others might overlook. That process of discovering how everything fits together is what makes this work exciting.

What is your go-to brag when talking about your pentesting skills?

I’d say my strength is quickly understanding complex applications and mapping out their attack surface, even without documentation. I can pick up the flow, user roles, logic, and trust boundaries pretty fast, which helps me identify issues that aren’t easily detected by automated tools.

I’m also confident in my persistence. If something doesn’t make sense or looks slightly “off,” I’ll keep digging until I understand what’s really happening behind the scenes. Many of my best findings have come from refusing to accept the first explanation the application gives me.

And finally, I’ve always been strong at adapting quickly to new technologies. Whether it’s cloud, mobile, APIs, or now AI/LLM-based applications, I enjoy learning how things work under the hood and adjusting my testing approach accordingly. That curiosity and flexibility have helped me stay effective across different types of engagements.

Share a time something went wrong in the course of a pentest? What happened and what did you do?

Once, during an engagement, I couldn’t reach the scope environment through the multi-stage proxy. At first, it seemed like the environment itself was down. After some troubleshooting, I realized it was actually a configuration mistake on my end. The proxy settings weren’t aligned with the environment requirements, and the traffic wasn’t being routed correctly.

It was one of those moments where you feel frustrated because the issue is simple but still manages to delay you. So instead of wasting time, I continued black-box testing the parts I could access while fixing the proxy setup. Staying flexible helped me avoid delays in the assessment.

What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

Burp Suite is my main tool; Repeater, Intruder, and Proxy are essential for manual testing. They give me full control over the request/response cycle, help me quickly validate assumptions, and allow me to test scenarios that automated scanners often miss. I use Repeater heavily for logic testing and Intruder for parameter tampering, fuzzing, and edge-case behavior.

For recon, I rely on Nuclei & pdtm, along with a few custom scripts I’ve built over the years to automate repetitive checks. These help me filter out noise so I can focus on the areas that actually need manual attention. I like having a balance between automation and human intuition.

Overall, my approach is a combination of smart automation and deep manual analysis. Tools give me efficiency, but it’s the manual digging that consistently leads to the most interesting discoveries.

What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

Web applications, mobile, APIs, and Active Directory are my favorites. They combine authentication, authorization, data flow, and business logic; everything that makes an assessment interesting. APIs especially feel like solving a puzzle where each endpoint gives you a piece of the bigger picture.

These days, I’m also focusing a lot on AI and LLM testing, which brings an entirely new set of challenges. The attack surface is different, the risks are evolving, and the techniques are still being shaped. It’s exciting to work in an area where the industry is still defining best practices. I see this space becoming a major part of pentesting in the future, and I want to stay ahead as these technologies continue to grow.

What certifications do you have? Why did you go for those ones specifically?

I’ve always believed more in practical, hands-on skills than in collecting certifications. But I’ve completed a few important ones—CREST (CPSA & CRT), OSCP, PCI, and others—mainly to meet industry requirements and stay aligned with what many organizations expect from a pentester.

At the same time, these certifications helped validate my skills in a formal way and exposed me to structured methodologies. Even though real experience teaches you the most, having the right certifications definitely opens doors and keeps you in sync with the standards of the industry.

What advice do you wish someone had given you when you first started pentesting?

I wish someone had told me that feeling stuck is completely normal. Every pentester, no matter how experienced, hits walls. The key is consistency, patience, and learning something from every assessment, even the frustrating ones. And honestly—document everything. Good notes and repeatable steps make a huge difference in the long run.

I also wish I knew how important community is. Following other researchers, engaging with peers, and learning from their write-ups can accelerate your growth more than any course. And finally, don’t rush to chase high-severity bugs—focus first on building strong fundamentals. Once your basics are solid, the advanced vulnerabilities naturally start making sense.

How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

I always try to explain vulnerabilities in simple, non-technical language. Instead of focusing on payloads, parameters, or HTTP headers, I focus on what matters to them: the impact, the risk, and how an attacker could realistically misuse it. When customers understand the “why” behind an issue, the conversation becomes much smoother and more meaningful.

I also make sure to connect each finding to their business context—how it affects user data, operations, or reputation—because that helps them prioritize fixes more effectively. Clear remediation steps are equally important. I prefer giving them practical guidance they can implement right away rather than leaving them with high-level suggestions.

Throughout the engagement, I keep communication open and proactive. If something important comes up, I share it immediately rather than waiting for the final report. I also encourage customers to ask questions, clarify doubts, or even walk through reproducing the issue together. This builds trust and makes them feel supported rather than overwhelmed.

For me, a quality experience means the customer finishes the engagement with a clear understanding of their risks, a solid plan for remediation, and the confidence that they can improve their security posture going forward.

What is your favorite part of working with a pentesting team? What about working on your own?

With a team, I enjoy the collaboration—sharing ideas, learning new techniques, and seeing how others approach problems. Every tester has a different thought process, and sometimes a quick discussion with a teammate can help unlock an angle you might not have considered. Team engagements also create an environment where you continuously learn, support each other, and build a strong rhythm throughout the assessment. That sense of collective problem-solving is something I really value.

On my own, I enjoy the freedom to dive deep and explore areas without any distractions. Solo testing lets me follow my curiosity, spend more time on complex logic issues, and fully immerse myself in understanding the application flow. It gives me the space to test at my own pace and experiment with different ideas or approaches.

Both team-based and solo work have shaped my growth. Team engagements sharpen collaboration, communication, and shared learning, while solo work strengthens focus, independence, and deep technical exploration. Finding a balance between the two has made me a more well-rounded pentester.

Why do you like pentesting with Cobalt?

Cobalt is very organized and structured. The onboarding is smooth, instructions are clear, and the collaboration with other talented testers is amazing. I enjoy the PtaaS model because it brings global expertise into one place and makes the whole process efficient for both pentesters and customers.

What I appreciate most is how the platform removes unnecessary friction. Instead of spending time on logistics or coordination issues, I can focus purely on testing. The workflows are streamlined, communication channels are active, and the Cobalt team is always responsive when support is needed.

Another big advantage is the diversity of engagements. You get to work with companies of different sizes, across different industries, and on various types of applications. This variety keeps the work exciting and helps me stay current with new technologies and emerging attack surfaces.

And of course, the community itself is a huge part of the experience. The Core is filled with talented, passionate people who are always willing to share knowledge, jump in to help, or collaborate on difficult findings. Cobalt has created an environment where learning, growth, and teamwork are part of the daily routine—something that’s rare and valuable in this field.

Would you recommend Cobalt to someone looking for a pentest? Why or why not?

Absolutely. Cobalt combines experienced testers, strong collaboration, and a platform that streamlines the entire lifecycle of a pentest. Customers get speed, depth, and clear reporting—all without compromising quality.

One of the biggest advantages is the PtaaS model, which gives customers flexibility that traditional consulting models often lack. They can communicate with testers in real time, get updates instantly, and track findings as they are discovered. This transparency helps organizations respond faster and keep security improvements moving without waiting for a final report.

Another reason I’d recommend Cobalt is the breadth of expertise available. Companies don’t just get a single consultant—they get access to a pool of specialists from around the world. This means they benefit from multiple perspectives, diverse skill sets, and years of combined experience.

The platform also makes remediation smoother. Customers can ask questions, request clarification, or discuss fixes directly with the tester. That level of engagement builds trust and ensures they walk away with a clear understanding of their security posture.

Overall, if someone is looking for a pentest that is efficient, collaborative, and backed by strong technical talent, Penetration Testing as a Service (PTaaS) is one of the best choices.

What do customers or the media often misunderstand about pentesters? 

Many people think pentesters just run automated tools and wait for results. But real pentesting is creative work. It’s about thinking like an attacker, understanding logic flows, chaining small issues, and exploring areas tools can’t reach. Tools help, but they don’t replace intuition or experience.

Another common misconception is that pentesters always find critical vulnerabilities in every engagement. In reality, the goal isn’t to “break everything” — the goal is to help organizations understand their security posture honestly and accurately. Some applications are well-built, and finding only Informational and low-risk issues is not a failure; it’s a sign that the engineering team is doing a good job.

People also underestimate the amount of time spent on research, experimenting, and understanding the unique architecture of each system. A lot of our work happens quietly in the background as we map the application, test assumptions, and validate our theories.

Finally, there’s a misconception that pentesting is just about technical skill. Communication, clear reporting, explaining risk, and guiding the customer through remediation are equally important. A good pentester doesn’t just find vulnerabilities—they help teams understand them, learn from them, and improve their overall security posture.

How do you see pentesting changing in 2025 and over the next few years?

Automation will continue to grow, especially for identifying routine or low-risk issues. Human pentesters will spend more time on logic flaws, cloud environments, AI-driven systems, and complex integrations. As systems become more interconnected, understanding relationships between components will be just as important as understanding the components themselves.

I also see a major shift toward continuous security rather than one-time annual checks. Companies are deploying faster, releasing features weekly or even daily, and relying more on SaaS and third-party integrations. This means security needs to keep pace, and pentesters will be increasingly involved in shorter, more frequent engagements.

The rise of AI and LLM-based applications introduces an entirely new attack surface. Prompt injection, data leakage through model outputs, insecure integrations with external tools, and model manipulation are already emerging as major concerns. Pentesters who can adapt to these new patterns will play a big role in shaping how AI security evolves.

Cloud environments will also demand deeper specialization. Misconfigurations, complex IAM policies, container orchestration, serverless functions—these areas require testers to go beyond traditional web skills.

Overall, the future of pentesting will reward adaptability. The tools will get smarter, but so will attackers. The testers who combine strong fundamentals with continuous learning will be the ones who stay ahead.

What's your p(Doom)?

For me, my p(doom) is low. Technology evolves fast, but so do defenses, awareness, and the global security community’s ability to adapt. I’m generally optimistic because every new challenge pushes us to improve. We’ve seen this pattern with the rise of cloud, mobile apps, and now AI—each wave brings risks, but it also brings better solutions, stronger collaboration, and more skilled professionals working to keep things safe.

I believe the future will be shaped by how responsibly we develop and secure new technology. As long as we continue learning, sharing knowledge, and building safeguards along the way, I think the chances of a full-scale “doom scenario” remain low. It’s better to stay prepared, stay curious, and keep contributing positively to the ecosystem.

About Noelle Hori
Noelle Hori is the Community Operations Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over six years of community leadership experience, Noelle plays a key role in advancing the Cobalt mission to revolutionize how organizations protect themselves from cyber threats—by uniting the best of people and technology. Noelle partners closely with product and delivery teams to maximize the pentester experience while also helping guide community initiatives for the Cobalt Offensive Security Platform.