
Cobalt Pentester Spotlight — Sidney Jansen

The Cobalt Pentester Spotlight highlights the fascinating journey of our Core members. Through an interview style, we share their experiences, background, and insights into the world of an accomplished pentester.

Can you tell us about your journey into offensive security?

I began my career as an Information Security Officer, where I was first exposed to ethical hacking. That initial exposure quickly turned into a deep interest, and I started teaching myself offensive security techniques, continuously expanding and refining my skill set. I gained hands-on experience at several penetration testing companies, where I further honed my technical capabilities across a wide range of real-world engagements.

My career then led me to the Dutch military, where I operated in a highly disciplined environment and further developed my offensive security expertise under demanding conditions. In 2023, driven by curiosity and a strong passion for offensive security, I returned to freelancing. That same year, I successfully passed the Cobalt selection process and began conducting penetration tests for Cobalt customers in December 2023.

Fast forward to 2026, I am transitioning from active service to full-time entrepreneurship. Through my company, Crimson Sentinel, I focus on delivering high-quality offensive security services, combining military-grade discipline with practical, business-focused security testing. My goal remains constant: to make the internet a safer place by proactively hacking systems—always to protect organizations, Cobalt’s customers, and my own clients.

What's your handle? Do you use more than one? Where did it come from? What's the origin story?

I tend to use more than one handle. The one I use for Cobalt is sjansen, which is a reference to my first and last name.

What got you into cybersecurity? How did you get into pentesting specifically?

My journey into cybersecurity began when I learned my wife and I were expecting our son. At the time, I was still finishing my degree and needed to get my career on track before his arrival. I found a position as an Information Security Officer through a boot camp, where a single module on ethical hacking immediately grabbed my attention. I was so fascinated by the practice that I convinced my manager to let me pursue hacking full-time. Ever since, I’ve been fully dedicated to honing my skills in this field.

What exploit or clever attack are you most proud of and why?

One of the exploits I’m most proud of occurred during a Cobalt pentest. The application in scope allowed users to upload PHP files, but it employed a comprehensive denylist of PHP functions. I discovered a few functions that weren’t on the denylist, enabling me to read files on the system. Another function allowed for directory traversal.

Using the module upload feature, I created a custom plugin that utilized these overlooked functions to read files and directories. In the process, I discovered that the application relied on a Smarty templating engine. Building on this, I uploaded another custom plugin that executed Smarty macros, effectively bypassing the denylist. This led to an arbitrary write of PHP code, which could then be executed.

It was a fun challenge to push the vulnerability as far as possible and end up with a robust exploit chain. The sense of accomplishment from combining multiple oversights into a single successful exploit is why this remains one of my favorite pentesting wins.

What is your go-to brag when talking about your pentesting skills?

I have discovered multiple high-impact vulnerabilities by treating each application as if I’m the first person ever assessing its security. Surprisingly, many of these issues can be uncovered using basic techniques. For example, I identified a blind, time-based SQL injection in an API call via a simple GET request. By appending various test strings to the request, I noticed differences in the server response and was eventually able to extract a substantial amount of sensitive data. Moreover, I found five additional endpoints affected by the same vulnerability.

In another case, I explored an application that allowed the upload of translation files in XLIFF format. Because XLIFF is XML-based, I uploaded a document containing an XXE payload. When the file was processed, it enabled me to exfiltrate files from the system.

Share a time something went wrong in the course of a pentest? What happened and what did you do?

During a red-team engagement, my objective was to gain access to a specific file server and retrieve particular files. After successfully locating the target files, I began exfiltration. Out of enthusiasm, however, I initiated a PowerShell command to copy a large amount of data from one drive to the C: drive—without checking available disk space.

I soon realized the mistake when the target system started running noticeably slower. Although I quickly attempted to halt the background copy, the process ran for a few minutes before I managed to stop it and delete the copied data. It was a stressful experience, but it taught me the importance of situational awareness and environment checks. Fortunately, the employees did not notice the slowdown, and we ended up successfully exfiltrating the data via a different route.

What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

I rely on several key tools and TTPs (Tactics, Techniques, and Procedures) during pentests because each plays a unique role in discovering and exploiting vulnerabilities:

  1. Burp Suite
    • Why it’s effective: It’s the go-to standard for web pentesting. The Repeater feature is excellent for manually probing endpoints and adjusting payloads on the fly, while Intruder automates fuzzing and brute forcing across parameters and input fields. Its extensive plugin ecosystem also expands its capabilities.
  2. ffuf
    • Why it’s effective: This is my preferred tool for content discovery and subdomain enumeration. It’s fast, scriptable, and makes it straightforward to find hidden directories or virtual hosts that might be overlooked.
  3. WeirdAAL and Pacu
    • Why they’re effective: These tools excel in cloud enumeration automation. They streamline the process of enumerating assets and configurations in various cloud environments, saving time and reducing manual errors.
  4. Cloud CLIs (e.g., AWS CLI, Azure CLI, GCP CLI)
    • Why they’re effective: When credentials or Identity and Access Management (IAM) keys are exposed, normal cloud CLI operations allow you to explore configurations, permissions, and services just like a legitimate user. This can reveal how far you can pivot within the environment.
  5. Nuclei
    • Why it’s effective: Great for detecting known misconfigurations and “low-hanging fruit” vulnerabilities from an unauthenticated perspective. Its templating engine speeds up scanning for common issues without sacrificing thoroughness.
  6. Naabu and Nmap
    • Why they’re effective:
      • Naabu is extremely fast for port scanning, making it ideal for large-scale reconnaissance. It integrates well with other ProjectDiscovery tools.
      • Nmap is the classic network scanner and remains indispensable due to its scripting engine (NSE), which offers a wide array of scripts for detecting and exploiting specific vulnerabilities.
  7. Postman
    • Why it’s effective: It’s an intuitive GUI for crafting API calls, testing endpoints, and iterating quickly on JSON or XML payloads. This is especially useful for fuzzing and validating complex requests where manual control over headers, bodies, and parameters is essential.

All these tools significantly reduce the time spent on repetitive or basic tasks, allowing me to focus on deeper, more nuanced testing techniques. By enhancing efficiency, they free me up to apply my expertise where it really matters—finding and exploiting complex vulnerabilities.

What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

I wouldn’t say I have a single favorite asset type—whether it’s a web application, API, or network environment. What really motivates me is the challenge itself: I love engagements that push me to learn new technologies and adapt to sophisticated defenses. Those are the tests where I have to get creative, persist through obstacles, and experiment with less common techniques. There’s a deep sense of accomplishment when I finally uncover a vulnerability in a way that isn’t straightforward or widely documented. Ultimately, it’s incredibly rewarding to know that by identifying and reporting these issues, I’m directly contributing to a stronger security posture for the clients I work with.

What certifications do you have? Why did you go for those ones specifically?

I’ve obtained a range of certifications that reflect my progression and interests in different aspects of offensive security:

  1. eJPT (eLearnSecurity Junior Penetration Tester)
    • This was my first step into the world of pentesting, and it provided an excellent foundational knowledge of network and web application security. It helped me learn the core concepts and skills that I’ve continued to build upon.
  2. OSCP (Offensive Security Certified Professional)
    • Widely regarded as the “gold standard” for penetration testers, the OSCP was a clear choice. It taught me not only advanced exploitation techniques but also the mantra of “Try Harder,” which pushes you to persevere through challenges and learn resourcefulness.
  3. OSEP (Offensive Security Experienced Pentester)
    • The OSEP took my skills to a higher level by introducing advanced techniques for evading defensive measures in a network environment. This certification emphasizes creating your own exploits, pivoting across systems, and bypassing AV/EDR solutions.
  4. CRTO (Certified Red Team Operator)
    • I pursued this to expand into more collaborative red-team engagements. The CRTO focuses on the methodologies and tools used in full-scale, team-based simulations, which is crucial for modern security tests that go beyond individual exploits.
  5. Sektor7 Malware Development (Intermediate)
    • I wanted deeper insight into how custom malware is developed, enabling me to bypass AV/EDR solutions that often block off-the-shelf tools. Building and refining my own malware for red-team operations has proven invaluable on engagements where stealth is paramount.
  6. Black Hat “Hacking and Securing Cloud Applications”
    • As cloud environments (AWS, Azure, GCP) play a growing role in enterprise infrastructure, I took this course to better understand how to exploit and defend cloud deployments. It introduced me to a variety of techniques specific to cloud-based services.
  7. OSWE (Offensive Security Web Expert)
    • The OSWE significantly elevated my white-box web application pentesting and exploit development skills by exposing me to realistic, production-grade scenarios. It reinforced a structured methodology for analyzing source code, identifying complex vulnerability chains, and developing reliable exploits, enabling me to approach white-box engagements in a more systematic and effective manner.

What advice do you wish someone had given you when you first started pentesting?

Take your time. When I first started pentesting, I felt like I was in a never-ending race to keep up with all the new tools, techniques, and emerging threats. It was stressful because there’s an endless amount to learn, yet only so many hours in a day. I wish someone had told me it’s okay to pace myself.

Pentesting is a marathon, not a sprint. Focus on the areas you genuinely enjoy and dig deeper into those. By doing so, you’ll naturally stay motivated and continually refine your skills. Consistent practice is key—real growth comes from trying, failing, and then trying again. Mastery won’t happen overnight, so don’t rush yourself or feel pressured to learn everything at once. Ultimately, it’s about developing a strong foundation and gradually expanding your expertise in a way that’s both sustainable and rewarding.

How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

I believe clarity is crucial when presenting pentest findings, especially for individuals who might not be deeply technical. To achieve this, I break down each issue into logical, easy-to-follow steps. I include screenshots to illustrate exactly where and how the vulnerability occurs, guiding the customer through the exploitation flow. This ensures they understand the problem without needing to interpret heavy technical jargon.

Rather than simply showing a proof-of-concept like a basic alert box for an XSS vulnerability, I create more realistic scenarios—such as injecting a script that prompts a user for credentials, then sends those credentials to an attacker’s server. Similarly, if I discover a Local File Inclusion (LFI), I show how it can be leveraged to access SSH keys, potentially leading to a complete system compromise. By demonstrating the real-world ramifications, I help the customer see exactly why the issue matters and how attackers could exploit it.

Finally, I keep open lines of communication, answering any questions the client may have and making sure the findings are easy to replicate and validate on their end. I provide clear remediation steps, prioritizing fixes based on risk level. By showing clients the “why,” “how,” and “what next” of each vulnerability, they gain a better understanding of the threat landscape and feel confident in both the pentesting process and the recommended mitigations.

What is your favorite part of working with a pentesting team? What about working on your own?

I’ve grown accustomed to working solo on many pentests, which offers complete autonomy and encourages me to explore every test case I can imagine. It’s a great way to hone my personal methodology and maintain independence in my thought process. However, the sheer scope of modern engagements can be massive, and working alone can sometimes feel overwhelming.

That’s where team collaboration truly shines. With a team, it’s much easier to divide the workload—meaning we can cover more ground without sacrificing depth. Moreover, we can tackle challenges together and bounce ideas off one another. When someone identifies a potential vulnerability, the shared knowledge and collective brainstorming significantly speed up validation and exploitation. If a teammate has encountered a similar issue before, they can offer insights that save time and help us refine our approach. Overall, pentesting as a team fosters creative problem-solving, knowledge exchange, and a comprehensive assessment, while working alone lets me focus deeply on specific areas and push my own limits.

Why do you like pentesting with Cobalt?

I’ve been with Cobalt for over a year and have never regretted joining. What stands out most are the regular, fun, and challenging engagements that keep me on my toes. The Cobalt Core community is filled with experts and enthusiastic peers who are genuinely passionate about sharing knowledge. Unlike some competitive bug bounty communities, where the race to submit a vulnerability first can overshadow collaboration, Cobalt strikes a balance between healthy competition and teamwork.

Yes, we all want to find and report the most critical issues, but we also value helping each other out by sharing techniques, insights, and potential leads. This sense of camaraderie not only enhances the overall quality of each pentest but also makes the process more enjoyable. It’s fulfilling to work alongside people who are just as motivated to learn and innovate in the security space.

Would you recommend Cobalt to someone looking for a pentest? Why or why not?

Absolutely. Opting for Cobalt gives you access to a global network of top-tier pentesters, each bringing specialized experience to the table. The platform does an excellent job matching client needs with the right experts, ensuring you get thorough coverage of your assets. Beyond expertise, Cobalt’s collaborative culture means testers often share findings and methodologies, reducing the risk of critical vulnerabilities slipping through the cracks. So, if you want a rigorous security assessment backed by seasoned professionals who genuinely care about finding and fixing vulnerabilities, Cobalt is a fantastic choice.

What do customers or the media often misunderstand about pentesters?

There’s a common misconception—often fueled by Hollywood—that pentesters instantly hack systems by typing a few magical commands. In reality, ethical hacking is a methodical process. We systematically gather information, test potential entry points, exploit vulnerabilities where possible, and carefully document everything.

Sometimes, clients are disappointed when we don’t uncover a high or critical vulnerability, expecting a big “gotcha” moment. But not finding severe flaws can actually be a testament to their strong security posture, not a failure of the test. Our job is to assess, confirm, and report vulnerabilities within a set time frame and scope. If we don’t discover any major issues, it’s a positive outcome; it means the organization’s defenses are doing their job.

How do you see pentesting changing in 2026 and over the next few years?

AI is set to play a growing role, especially for repetitive or predictable tasks such as broad-scale reconnaissance and basic vulnerability detection. We’ll see AI-driven tools generate more efficient scans, analyze large codebases faster, and even suggest exploit paths. This could free human pentesters to concentrate on business logic flaws, creative attack vectors, and nuanced exploitation chains—the areas where AI still struggles without context and critical thinking.

Despite these advancements, I don’t foresee AI fully replacing human testers anytime soon. Many vulnerabilities involve subtle complexities, require strategic thinking, or rely on domain-specific knowledge that an algorithm can’t easily replicate. We’re also dealing with real-world environments where incomplete data, system quirks, and human behavior play key roles. Trusting an LLM blindly with security-critical decisions isn’t advisable just yet. While AI will streamline certain aspects of pentesting, human expertise remains essential.

What’s one non-technical skill (e.g., writing, communication, project management) that you believe is becoming critically important for a successful pentester, and how do you cultivate it?

I believe writing, time management, and project management are becoming critically important skills for experienced pentesters. As you take on multiple concurrent engagements, your effectiveness is no longer defined solely by technical depth, but by your ability to deliver high-quality coverage within strict time constraints. Clear, concise writing ensures findings are actionable for both technical and non-technical stakeholders, while strong time and project management enable you to prioritize attack paths, manage scope effectively, and avoid shallow testing.

I cultivate these skills by treating each engagement as a structured project: planning test phases up front, continuously tracking time and scope, and iterating on my reporting style to maximize clarity and impact with minimal overhead.

What’s your p(Doom)?

I’d rate my “p(Doom)” as fairly high—not because I expect a single apocalyptic cyber event, but because so many organizations may already be compromised without realizing it. AI-driven phishing campaigns and automated exploits make it possible for even inexperienced attackers to create sophisticated tools, while countless companies remain under-resourced, lack mature security teams, or simply don’t invest enough in cybersecurity.

Worse, breaches can go undetected for months or even years, giving attackers ample opportunity to exfiltrate data and move laterally across networks. This slow-burning nature of persistent, unseen threats is more alarming than the occasional headline-grabbing hack. It’s a challenge made more formidable by the rise of AI, which I believe will push cybersecurity to a level humans alone couldn’t reach in a lifetime. On the flip side, this same technology can generate convincingly altered images and videos, casting doubt on the trustworthiness of digital evidence. If anything and everything can be manipulated, it raises a fundamental question: whom can we trust?

About Noelle Hori
Noelle Hori is the Community Operations Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over six years of community leadership experience, Noelle plays a key role in advancing the Cobalt mission to revolutionize how organizations protect themselves from cyber threats—by uniting the best of people and technology. Noelle partners closely with product and delivery teams to maximize the pentester experience while also helping guide community initiatives for the Cobalt Offensive Security Platform.