Interview with ★ Alexandre Zanni ★
What do you do for a living?
For a living, I’m a Penetration Testing Engineer (a.k.a. a Pentester). I’m paid to conduct penetration tests, mostly against web applications (what I enjoy the most) but also against internal infrastructure (often including Microsoft Active Directory environments) and Android applications. The job sometimes requires performing other kinds of audits: configuration review, code review, vulnerability assessment, architectural audit, etc. Outside pentests / audits, I also have other activities; my current position includes 25% of my time doing Research and Development (R&D). So I’m also researching and documenting offensive methods about new or uncommon technologies to train the team, researching vulnerabilities, writing tools and exploits, writing articles for my company’s blog, preparing presentations for public or internal events, etc.
In the past, I have also been a Pentest team leader, doing the following tasks in addition: management of audit missions, coordination & team management, scoping of engagements, being the technical referent, etc.
What did you do to get there?
On the school side, I started with scientific studies, first a high school preparatory class, then a technology university degree in Networks and Telecommunications, and then a diploma in Cyberdefense Engineering. But as you mostly learn theoretical stuff and only see the very basics of the technical side, I had to learn a lot by myself in my free time.
When I joined the engineering school, I started a CTF team called Rawsec, where I was the captain. I participated in more than 150 CTFs over the past years. During all those CTFs I learned a lot and also took a lot of time to systematically describe my methods in write-ups on my blog, in order to save the knowledge but also share it with others.
On this blog I’m also writing about general security or Linux-oriented content. I have been a technical writer for years now and the blog gets 3k unique visitors per month (without ads or SEO).
That’s how I started.
How do you keep up to date with latest developments, threats and techniques?
First, I’m monitoring the news by following dozens of RSS feeds of corporate and technical infosec blogs with an aggregator called TheOldReader. I have also made a public dashboard on Netvibes for my company.
In a similar way, I’m listening to a few cybersecurity podcasts, mostly in French (Cyber Pop, NoLimitSecu, Hack’n’Speak, Le Comptoir Sécu) but also in English, the great storytelling of Darknet Diaries.
But the best way to stay up to date is to keep practicing every day.
I wrote a website from scratch called Rawsec’s CyberSecurity Inventory. It is an inventory of tools and resources that aims to help people find everything related to CyberSecurity. It’s a well-organized place where the content is browsable, sortable, filterable and formatted, allowing everyone to quickly find tools, resources like platforms or courses, CTF frameworks or security-related operating systems in seconds.
I’m also a huge FLOSS (free libre and open source software) fan; I contribute to tons of projects, as you can tell by looking at my GitHub profile. I also wrote some tools that I continue to enhance and maintain. I’m a top contributor to the RubyFu and PayloadsAllTheThings projects. I also tend to contribute to
- ProjectDiscovery Chaos,
- Public penetration testing reports
- The Ruby Toolbox
- and many other security-related FLOSS knowledge bases.
I’m also working for BlackArch Linux (an Arch Linux-based penetration testing distribution for penetration testers and security researchers) as a Maintainer, or more exactly a tool packager. I package dozens of tools and I help maintain the distribution.
I have stopped doing CTFs, as I felt it was mostly always the same thing and I was no longer learning anything in 90% of CTFs, which are often organized by inexperienced students, and also because they are often far from realistic. But I still continue to learn on the challenge platforms I mentioned previously, as well as on PentesterLab and the PortSwigger Web Security Academy, which are more real-life centered.
From time to time, I also participate in some on-site events and CTFs in France such as SSTIC or BreizhCTF, but mostly online ones, or I view replays, many LevelUp events from BugCrowd for example.
What are the tools or services you rely on for your job?
I can’t begin to enumerate tools extensively, as it would take hours to list the hundreds of tools I use. Nearly all the tools I use are packaged in BlackArch Linux (2800+ tools available) and when they are not, I tend to package them. Of course, I use common ones like Burp Suite Pro, Nessus Pro, Pingcastle, nmap, crackmapexec, ffuf, sqlmap, etc. I have made an AUR meta package for the most common tools (needs the BlackArch repository enabled, see the list). Among the ones I wrote, I often use haiti for hash type identification, ctf-party for quick string manipulation (some say it’s a CyberChef-like CLI) and pass-station to search for default credentials.
What’s something that you feel most proud about as professional?
Of course, as a whole I’m proud of my path, of the start of my career, of my contributions and knowledge sharing, and of how I keep pushing to continue to be better.
Among the infosec websites I run, I have already mentioned Rawsec’s CyberSecurity Inventory and my blog, but I also recently started The Hacking Tool Trove, which is a website providing TL;DR manual pages and reviews for hacking tools.
I also passed some Offensive Security certifications: OSCP (Offensive Security Certified Professional) and OSWE (Offensive Security Web Expert). By the way, if you plan to try some, I made some exam report templates in markdown for Offensive Security certifications.
What advice would you give people who are starting in this industry?
School path is not that important, since it’s mostly about the theory and basics. But if you want to learn a job and get some serious technical skills, you’ll need some intense practicing. Not during one month or one year, but throughout your whole studies and career. Even when you start working, the tasks you have to do at work are often repetitive and limited to one area, so if you want to progress, get more advanced skills, learn other stuff or explore new areas, it’s important that you keep allocating a fair amount of your free time to practicing infosec. Whether it is reading blogs and whitepapers, writing code, playing CTFs and challenges, doing Bug Bounties, R&D, etc.
I often say: cancel your Netflix subscription and play fewer games less often. You clearly need to keep some social and physical activities as well as some entertainment, but you’ll never be awesome if you play video games 6 hours per day or if you are watching two TV show seasons per week.
Enough of the try-harding speech; you also need to enjoy what you do every day at work. We have the chance to have rare profiles that companies are desperately seeking, and if you are experienced and have an amazing resume you’ll be an even rarer and more wanted profile. So if you don’t like your job tasks, if you have bad work conditions, if your salary is too low, if your boss or workmates are a pain, just leave and find another job. Don’t fear the judgment of your next employer; they will be way too happy to have you, whatever your reasons are for quitting your last place (unless you are abusing it, of course).
Where can we find out about you online? (eg blogs, social media, …)
Social media and other profiles:
- Packet Storm
My websites and the ones of my organizations:
- My hacker profile
- Rawsec’s CyberSecurity Inventory
- Rawsec’s blog
- The Hacking Tool Trove
- Write-up factory
Sponsoring me and my work: