We are happy to announce that Sunil Kande is Cobalt’s Pentester of the Quarter for Q2! After carefully considering the nominations from fellow testers, Sunil stood out as a Core member who exemplifies our values.
Sunil has been a part of the Core for a year now and has five years of experience in Information Security & Penetration Testing. His expertise is in Web and Mobile Application Security and Network and Thick Client Pentesting.
Here’s what his peers had to say about him:
Ninand: “Sunil is very skilled and knowledgeable about pentesting. He is very dedicated to finding and submitting vulnerabilities. Keep up the good work, Sunil!”
Himanshu: “I nominated Sunil because of his technical skills and teamwork that I’ve seen from him during projects. I have learned a lot of reporting skills from him.”
Farid: “I had a good experience collaborating with him on one of the previous pentests. He was proactive during this engagement and provided timely, detailed updates. From working with him, I’ve learned to be more responsive.”
How you can be a successful pentester at Cobalt, according to Sunil
Strong technical skills: Do you think you are an entirely technically sound person? Of course not! Information security is a vast field, and new technologies appear every day. It’s essential to keep yourself updated on every new vulnerability disclosed in the market. “Never stop learning” is the only slogan that keeps you growing. While working on any pentest program, one should know programming languages such as PHP, Python, Java, ASP.NET, etc., as well as networking, in order to understand the backend architecture of the scoped applications.
Pentesting with manual methodology: The manual method requires a good amount of hands-on experience with tools such as Burp Suite and extensions like Autorize, Reflector, Param Miner, SecretFinder, JS Link Finder, etc., which let us find logical/business-logic flaws that automated tools cannot identify. Never let the manual method fade away.
Pentesting with automation: With a large application, it isn’t easy to cover every section manually. That is where automated methods shine, speeding up the process alongside manual testing. Acunetix, Netsparker, Nessus, Qualys, etc., are a few automated tools one should understand. Make sure to validate every automated finding manually.
Reporting: Excellent reporting skills, with proper steps to reproduce, a clear description, and remediation steps, so that a developer or a non-technical person can easily understand the issue.
Healthy coordination and communication with the team members: Good communication with the internal team members is needed to complete the scope of the pentest program. During the kick-off calls, understand the complete scope, functionality, and criticality of the application from the client’s perspective. In any discussion with the client, calmly explain the issue and briefly cover the impact, remediation, and other details to resolve the client’s queries.
Coverage: We have a vulnerability checklist provided by the platform. Check off and update which issues are covered to track pentesting progress. This ensures you never miss any critical test cases, and it helps you recognize which test cases in the checklist do not apply to a specific project. Regularly update the client on the functionalities and test cases completed via Team Updates, so clients know about the progress.
Sunil’s favorite memory at Cobalt
During one of my pentest programs, I came across an application with a broad scope and went deeper. It was fascinating to test. There was an endpoint hidden in a JS file that I found during recon. This endpoint was mapped to the application, allowing me to read AWS credentials via SSRF. It was a fantastic experience, especially since the JS file was very complex to trace, and it took me some time to construct the POST body. Cobalt gives you a platform to dig deeper and think outside the box.