REPORT
The 25x Remediation Gap: See how elite security teams resolve risks in 10 days vs. 249
Pentester Spotlight — Lucas Bueno

The Cobalt Pentester Spotlight highlights the journeys of our Core members. In an interview format, we share their experiences, backgrounds, and insights into the work of an accomplished pentester.

What's your handle? Do you use more than one? Where did it come from? What's the origin story?

My handle is Sterben. I mainly use that one. It came from an anime, where it was basically the secondary nickname of a villain. The word itself has a meaning in German and is often associated with hospitals, as well as with someone dying. I’m not sure why it stuck with me, but I liked the lore behind it and started using it as my handle.

What got you into cybersecurity? How did you get into pentesting specifically?

Since I was a kid, I’ve always spent a lot of time on my computer trying random things and messing with my friends' stuff, like sending .bat files or even taking down their internet with DoS attacks, which was pretty common back then. After a while, my mom started telling me I should use the computer for something more productive, so I began learning programming. At the same time, I still liked messing around and trolling people, and some of my friends started calling me a “hacker." That made me curious if becoming a real hacker was actually possible. While looking into it, I found the offensive side of cybersecurity, and I got hooked right away.

What exploit or clever attack are you most proud of and why?

I usually try to focus a lot on business impact, because sometimes even something like RCE doesn’t really impress non-technical people if they can’t clearly understand the risk.

While I was testing a FinTech, I initially found a blind XSS. After spending more time on it, I realized the payload was being executed inside an admin intranet. I wasn’t able to exfiltrate cookies, so I started thinking about what real business impact I could still achieve with that. While exploring the admin features, I found the perfect functionality: the ability to add money to customer accounts.

So in practice, by chaining the blind XSS with that admin functionality, I could add money to any account. For me, that was really satisfying. I had in my hands a vulnerability that could generate infinite money, all because of a trivial blind XSS, and it became something with a very clear and serious business impact that anyone could immediately understand.

What is your go-to brag when talking about your pentesting skills?

I would say one of my strongest skills is being able to look at an application from different angles and truly understand how the business logic works. Most of my best findings came from going beyond obvious technical issues and exploring workflows in ways the application wasn’t designed for. That mindset has helped me uncover some impactful vulnerabilities that can be missed in a standard assessment.

Share a time something went wrong in the course of a pentest. What happened and what did you do?

Early in my career, I got really excited about Burp Suite’s scanner and used it a lot during assessments. It worked well at first, but one time I pushed scans too aggressively in a production environment, including POST requests, and ended up creating and updating data in the application by mistake. It was a mess and a stressful lesson, but it taught me to be much more careful with automation.

What are your favorite tools or TTPs when conducting pentests? Why do you find them effective?

I know it’s kind of a cliché answer, but my favorite tool is definitely Burp Suite. It’s the tool I spend the most time with during any assessment, and for web pentesting, it’s still the center of my workflow.

More recently, I’ve also been using AI tools like Claude during pentests, mainly to help with test cases, enumeration, and quick code review. I treat it like a second brain; it helps me be faster and makes the overall testing process more efficient.

What are your favorite asset types (web applications, APIs, network, etc.) to pentest and why?

My favorite asset types are APIs, web applications, and mobile applications. I really enjoy testing all three because each one has different challenges.

More recently, I’ve also been testing LLM scopes, and I’ve been enjoying that. It’s interesting because it requires a different approach, but it still involves the same core mindset of thinking creatively, finding edge cases, and understanding how something can be abused.

What certifications do you have? Why did you go for those specifically?

The most well-known certifications I have are OSWE and eWPTX. Besides those, I also have some regional certifications focused on web and mobile security, and I have a degree in cybersecurity as well.

I mainly chose certifications that were aligned with the types of assets I enjoy testing the most. At the same time, I’m not really into collecting certifications; I usually prefer hands-on learning through real-world testing.

What advice do you wish someone had given you when you first started pentesting?

In my opinion, there are two main keys. First, enjoy the process and don’t try to skip it. Hacking is genuinely fun, and a big part of it is learning step by step, understanding how things work, and finding vulnerabilities along the way. If you enjoy that process, it becomes much easier to keep improving.

Second, I would say be persistent. Pentesting can be frustrating sometimes; you’ll spend hours testing things that go nowhere, and some findings take a lot of time before you get them. But like anything else, if you keep learning and don’t give up, you’ll keep getting better over time.

How do you approach explaining findings to customers during a pentest? Is there a way you discuss your findings with customers? How do you ensure they have a quality experience?

My approach is to first understand the product and the business behind it. That helps me explain findings in the most relevant way, whether the customer needs a technical explanation or a clearer business-impact perspective.

I also adapt depending on whom I’m talking to; developers, security teams, and business stakeholders usually need different levels of detail. My goal is always to make the risk clear, actionable, and easy to understand so the customer has a good experience and knows exactly what needs attention.

What is your favorite part of working with a pentesting team? What about working on your own?

My favorite part of working with a pentesting team is learning from how other people think and approach testing. I feel like every person brings a different perspective, and over time, that helps to improve my own methodology. A lot of the way I work today is a mix of things I learned from teammates, combined with my own skills.

I also enjoy working on my own. It feels like a personal challenge, and it’s always really satisfying when I go deep into an assessment and find something impactful by myself.

Why do you like pentesting with Cobalt?

What I like about Cobalt is the balance between independence and teamwork. I have the freedom to approach testing in the way that works best for me, while also having a very collaborative team whenever I want to work through something together. That environment makes it easy to keep learning, work on interesting targets, and enjoy the process.

Would you recommend Cobalt to someone looking for a pentest? Why or why not?

Absolutely. I’d definitely recommend that anyone join Cobalt. It’s a great place for pentesters who want to work with skilled people, keep learning, and challenge themselves with real-world applications. The platform gives you a lot of good opportunities to grow while working on interesting targets.

What do customers or the media often misunderstand about pentesters?

I think people often assume pentesting is just running tools or quickly breaking into systems. In reality, a lot of the work is understanding the product, thinking through business logic, and clearly explaining risk to the customer. The technical part matters a lot, but context and communication are just as important.

How do you see pentesting changing in 2026 and over the next few years?

I think pentesting is changing a lot because of how quickly AI is being integrated into products and development workflows. This creates a completely new attack surface.

At the same time, AI is also changing how pentesters work. It can help with many parts of the pentesting process, which makes testing more efficient. Over the next few years, I think pentesting will continue to require the same core attacker mindset, but with a much stronger focus on AI security and on knowing how to use AI to be more efficient.

What’s one non-technical skill (e.g., writing, communication, project management) that you believe is becoming critically important for a successful pentester, and how do you cultivate it?

I’d say communication is one of the most important non-technical skills for a pentester. Finding a vulnerability is only part of the job; being able to explain the risk clearly is just as important.

I try to improve that by understanding the product well and adapting how I present findings so the customer can clearly understand the risk and what needs to be done next.

What's your p(Doom)?

My p(doom) is probably somewhere in the middle. I don’t think the biggest risk comes from the technology itself, but from how people build and use it. From a security perspective, I’ve seen how fast teams adopt new technology, and sometimes security, context, and proper validation don’t move at the same pace. That can create a lot of risk very quickly.

About Noelle Hori
Noelle Hori is the Community Operations Manager at Cobalt. She graduated with a Bachelor’s degree in Hospitality Management from San Francisco State University. With over six years of community leadership experience, Noelle plays a key role in advancing the Cobalt mission to revolutionize how organizations protect themselves from cyber threats by uniting the best of people and technology. Noelle partners closely with product and delivery teams to maximize the pentester experience while also helping guide community initiatives for the Cobalt Offensive Security Platform.