.svg){kind=icon}
.svg){kind=icon}
Did you know that Cobalt started as a bug bounty program? Some of our Core Pentesters, like Armaan Pathan, worked with us back then and came back when we moved to Pentesting as a Service. Armaan has been a part of our Core since 2019 and has been passionate about cybersecurity since 12th grade.
“I discovered a passion for cybersecurity, starting with phishing attacks and trojans for Windows,” Armaan said. “I then pursued a Bachelor’s Degree in Information Technology.”
Instead of concentrating on building applications, he was drawn toward spotting security flaws. This led him to join several cybersecurity groups where he learned about diverse cyber attacks. After he completed his Master’s degree in 2017, he secured a position at a cybersecurity consultancy firm which marked the beginning of his professional career.
“As a professional penetration tester, my experience involves simulating cyberattacks on systems to identify potential vulnerabilities,” he said. “Moreover, I've dived deep into web application testing, scrutinizing applications for any vulnerabilities that malicious actors could exploit, including injection attacks or client-side vulnerabilities.
A crucial part of his work involves comprehensive communication with clients. He meticulously compiles detailed reports, laying out the identified vulnerabilities in their systems, how they could exploit them, and the potential consequences. The reports also include strategic recommendations to rectify weaknesses and strengthen the overall security posture.
“As a penetration tester, I fill my day with solving complex problems, thinking creatively about potential vulnerabilities, and continually learning to stay ahead of the latest security threats,” he said. “Each day presents unique challenges due to the dynamic nature of cybersecurity, making it a continuously engaging and evolving profession.”
Armaan notes that penetration testing often presents many challenges with the rapid emergence of new technologies, fresh vulnerabilities, and attack vectors continuing to surface.
“To stay ahead of these changes, I constantly strive to learn and update my skills, often by attending conferences and engaging in various online labs and challenges,” he said. “Due to the intensive nature of pentesting, I often spend 8-10 hours a day working, which can impede quality time with my family. To balance this, I reserve holidays strictly for family time. The heavy workload can occasionally strain my mental health; however, I combat this by taking a vacation to explore a new country every three months.”
Armaan holds the OSCP certification, which enhanced his ability to think out of the box, chain bugs, and escalate medium-severity bugs to high. He has also received awards from the Singapore Government and Yogosha for outstanding performance and achievements.
His favorite projects are applications with large project scopes involving multiple user roles and functions. He finds excellent motivation in engaging with demanding projects that foster continuous learning and inspire creative thinking beyond conventional limits.
“My primary tool of choice is Burp Suite, which I extensively utilize for its array of functionalities to execute various test scenarios,” he said. “Besides that, I employ a range of other tools like Nuclei, Httpx, Naabu, and Axiom. For mobile applications, I resort to Frida, Xcode, and Android Studio.”
Pentesting at Cobalt
Armaan returned to Cobalt in 2019 to join the Core after some of his friends joined. He had actively participated with Cobalt when we were a bug bounty platform. Every project presents unique challenges and learning opportunities for Armaan, but one engagement, in particular, has stood out to him over time.
“This project included a function for file uploads that scanned files for malicious content before uploading,” he said. “I discovered a Server Side Request Forgery (SSRF) vulnerability. Once a file was uploaded and the application began to scan it, it inadvertently extracted internal data and forwarded it to my server. This project was exceptionally intriguing and rewarding.”
Before beginning a pentest at Cobalt, for Armaan, it would be helpful if every customer understood that the purpose and goals of the pentest are crucial. Establishing a clear and precise scope is critical; it should encompass the testing environment, the specific areas for examination, and any necessary credentials.
“Pentesters strive to minimize disruptions; customers should understand that testing might affect system performance or result in temporary outages; hence they should try to give staging environments,” he said. “Providing access to staging environments is advised whenever possible; quick responses to queries or clarifications raised by the pentesting team help in smoother execution and timely completion of the project.”
Armaan has engaged in various projects involving diverse technologies and business models. These experiences have broadened his knowledge and enhanced his communication skills. He says that the Core team’s practice of sharing expertise with everyone is beneficial, and collaborating with new individuals is always enjoyable.
Future of Security
“As technology continues to progress, I expect the field of cybersecurity to grow more intricate,” Armaan said. “Advancements such as the Internet of Things (IoT), 5G networks, artificial intelligence (AI), machine learning, and quantum computing will have significant roles to play. However, these advancements can also introduce new vulnerabilities requiring updated security measures. Similarly, the trend towards stricter privacy regulations, exemplified by Europe's GDPR, will likely persist. This means there will be an increased demand for individuals skilled in cybersecurity for legal and compliance roles. However, there will be more cybersecurity job opportunities than qualified professionals, further widening the skills gap. To address this challenge, we expect efforts to intensify in educating and training more people in cybersecurity.”
Cybersecurity requires vigilance. As changes in systems and technologies can introduce new vulnerabilities, experts recommend performing pentests regularly. According to Armaan, it’s vital to have an action plan with specific timelines to address and remediate identified vulnerabilities. Prompt action is vital to mitigate potential cyber-attacks.
Goals and Hobbies
In the short term, Armaan aims to delve deeper into cybersecurity, gaining knowledge in offensive and defensive application security techniques. He also aspires to expand his understanding of threat modeling, DevSecOps, and secure application development. Long term, his objective is to specialize in mobile and browser security research.
“To continue my learning journey, I actively participate in bug bounty programs and solve labs on platforms like PentesterLab. I refer to resources like appsecengineer to expand my knowledge. Attending cybersecurity meetups and conferences is integral to my growth. One of my most valuable learning experiences is chaining multiple bugs together to amplify their impact.”
Armaan is originally from Gandhinagar, Gujarat, India, but currently lives in Dubai, UAE. He loves Dubai because of its multicultural environment, where people from all over the world live and work together.
“The diversity creates a vibrant and inclusive atmosphere,” he said. “It is a global business hub, offering numerous opportunities for career growth and professional development.”
Armaan enjoys spending time with friends and family, traveling, trying diverse cafes and restaurants, and listening to music in his free time.
