“Buzanowm” aka Matt Buzanowski has been a part of the Cobalt Core since 2017. He is one of the 400+ pentesters worldwide who has contributed to the over 4,000 Cobalt pentests. Based in the United States, he started his path in the US Army, where he learned to breach physical and electronic security perimeters. Matt brings this experience into his role as a security professional and pentester who focuses on full-scope Red Team engagements, physical security assessments, and web and mobile application pentesting. Matt has also honed his reverse engineering and exploit development skills over the years and is credited with multiple CVEs.
Can you tell us about your Pentester Origin Story? What was the pivotal moment for you – when did you know this was your career path?
I have always had a fascination with technology and understanding how it works. I watched Sneakers in middle school, which set my curiosity for hacking on fire. I received my first computer in the late 90s and discovered 2600 Magazine and our local meetup. I started to hone my skills in hacking and phone phreaking.
After leaving the Army, I worked for a defense contracting company in multiple information security roles while attending courses such as Offensive Security’s Original Pentesting With Backtrack (PWB) course. After participating in numerous information-security focused roles, my employer tasked me with creating an internal Red Team and penetration tester training program for interested employees.
Over the next few years, I created multiple Red Teams for Fortune 100 companies. During this time, I also completed numerous other certifications, such as the OSEE, OSCE, and OSWP.
As a consultant, I was fortunate to work with various clients in different industries. Constant exposure to new challenges pushed me to grow my career as an offensive security professional continually. I had the chance to work in a wide range of offensive security disciplines. This included web application and mobile testing, source code/binary auditing, physical security assessments, social engineering (in person, phone, etc.), network penetration testing, and blended threat assessments (Red Teaming). In addition to gaining a wealth of experience, I worked with coworkers who challenged me to continue improving and learning. All the experience I gained along the way has shaped my knowledge base and ability to make calculated decisions, sometimes under great stress. I constantly draw on my accrued experience in my daily activities. Today, I am honored to be part of another great Fortune 100 Red Team that I helped start and grow over the past four years.
What has your military experience taught you, and how has it shaped your career in security?
The number one thing I took away from my time in the military was what it means to be a good person and an effective leader. While not always, leadership has been a vital skill that I leveraged as a leader and follower. While in the Army, I experienced multiple leadership styles, and I eventually adopted a combination of these styles that I saw as honorable. Leadership mantras such as “lead by example,” “never ask someone to do something you haven’t done/wouldn’t do,” and “treat everyone with respect” have helped guide my decision-making process.
Where do you go to learn in the security community?
I don't necessarily go to a single source to keep up on things. I have curated a very focused feed in Inoreader that helps me stay up on the constant changes in the OffSec landscape. This way, it's all in one place, and I'm not having to waste precious time looking through tons of new info or scouring Twitter for something.
Do you have a pentesting specialty?
I have always enjoyed binary reverse engineering and exploit development. However, I’ve found that each discipline offers something different that I can deep dive into and have fun with. Therefore, I tend to like most specialties. For example, in my current position, I am responsible for scoping and performing external/internal network penetration tests, web application and API assessments, mobile application tests, social engineering engagements, physical security assessments, vulnerability research, and wireless penetration tests.
What advice would you offer to someone currently looking to get into infosec as a pentester or a security professional?
I would advise finding a specialty within offensive security to focus on initially. There are so many offensive security-related disciplines now that it can become overwhelming to decide. However, when choosing that specialty, keep in mind that the employers are looking for some things more than others. Therefore, if you are trying to land your first pentest job, you’ll have a much better chance of doing so if you focus on learning skills many companies want. Some good examples are web and mobile application assessments and cloud penetration testing. After landing your first gig, you can begin branching off to other specialties. This will keep you current and help ensure you have more to offer your current and future employers.