“Not everything works as configured. Not everyone behaves as trained.”
The reality of this statement makes it possible for us, the people in offensive security, to have a job. It also highlights how unpredictable our work can be and how never-ending our learning process is.
We work in a space where things are so complex that we need to combine big-picture, higher-level thinking with boots-on-the-ground practice.
And our guest today is brilliant at doing just that.
Pete Herzog has spent over two decades distilling the fundamental principles of security testing, turning them into a decade-defining manual - the Open Source Security Testing Methodology Manual (OSSTMM). Pete brings offensive and defensive security concepts together to break down important misconceptions.
Listen to this conversation to uncover:
- Why you can’t do security without understanding the process behind it [08:23]
- How automation can help but, at the same time, hurt the ones using it [11:00]
- Why you can’t rely only on automated security tools in your pentests [19:10]
- The importance of implementing security controls to change the environment [28:22]
- Pete’s perspective on "Zero Trust" and how they tackled this in OSSTMM [35:18]
- Why he thinks there are “too many parrots, not enough pirates” in this space [43:42]
- The excitement of researching for OSSTMM v4 and exploring new technologies [51:40]
From the expert systems behind AI-driven tools and their blindspots to generalizations that hurt offensive security outcomes, we explore key elements that shape today’s problems - some of which you’re probably wrestling with as well.
Let’s explore them!
04/09/24 • 73 min