How these offensive security books changed their readers - and their authors
Books have extraordinary power. They give both readers and authors new perspectives on how to see the world – and how to inhabit it more meaningfully.
They allow you to go in-depth on a topic you love (or didn’t know you could love). Books create space for reflection and give you the chance to soak up someone else's experience and make parts of it your own.
Why security pros chose to write a book to inspire meaningful change
The unique stories that ignite change in readers carry a lot of weight in offensive security too. Even in the realm of the command line, the remarkable power of words doesn’t fade. In fact, one amplifies the other.
This is why we wanted to peek behind the scenes of some of the most cherished infosec books: to understand why their authors chose to write them and how things changed with this experience.
Let’s dig in!
The People Hacker by Jenny Radcliffe
Jenny is a 2022 Infosec Hall of Fame inductee, a social engineer, a burglar, an award-winning podcast host, a keynote speaker, and a panelist.
She’s also one of the kindest, funniest, and most captivating storytellers in our industry, which makes her an amazing author.
Her goal for “The People Hacker” is inspiring and truly inclusive:
I wanted to show that there are many careers in security and that someone doesn’t have to be technical to be successful, but rather have the right work ethic and persistence to succeed.
I also wanted to show how social engineering contributes to hacks, scams, and breaches and that the job involves a wide range of tasks and skills beyond what people generally perceive it to be.
Finally, I wanted to amplify women in the sector and show how important it is to embrace who you are and where you come from and turn it to your advantage.
If It’s Smart, It’s Vulnerable by Mikko Hypponen
Mikko, the Chief Research Officer of WithSecure, has almost seen it all in his two and a half decades of experience with cybersecurity. He’s talked about his research to millions of people and taken this message well outside our industry. And he’s doing it again with his book.
I wanted to make cyber security more accessible to anyone. I see my role as a translator: I take complex technical topics and translate them into language anyone can understand.
As Mikko points out, this book explores the evolving relationship between the Internet and humans in a way that educates, fascinates, and helps readers wise up.
It covers the things that threaten the future of the Internet: organized online crime gangs, governmental surveillance and censorship, and the fight over control of the Internet.
It also covers how law enforcement and intelligence agencies operate on the Internet, how money became data, and how we all carry a supercomputer in our pockets.
Cybersecurity First Principles by Rick Howard
Rick works as the CSO for N2K and the Chief Analyst for The Cyberwire (an N2K Brand). He used his 25 years of experience in the Army's Computer Emergency Response Team (CERT) to crystallize, in his books, the cybersecurity principles he believes in, providing strategies to make them work.
He remembers how the CIA triad (Confidentiality, Integrity, and Availability) triggered (and inspired) him to deepen his understanding of cybersecurity principles by writing a book about them, taking us, readers, along for the ride.
Back in 2010, I heard an NPR story about two British mathematicians, Alfred Whitehead and Bertrand Russell, who rewrote the language of math from the ground up, starting with first principles, in their 1910 book, Principia Mathematica.
They recognized some inconsistencies in the current set of rules used by the math community at the time. You could use the same rules to get two different and correct results: the Russell paradox.
It dawned on me that the infosec world had a similar problem. Back in the 70s, 80s, and 90s, some really smart scientists started thinking hard about just what cybersecurity is.
A lot of ideas emerged but these particular two stuck even to this day.
The notion of the CIA Triad (Confidentiality, Integrity, and Availability) and
The idea that we were going to configure our computers securely (vulnerability management).
Just looking at the daily headlines, it's pretty clear that those two strategies aren't sufficient. They aren't bad per se, but different infosec teams can use the same best practices and get two different results. The infosec community had its version of the Russell Paradox.
The change that I wanted to make in writing this book was to challenge conventional thinking, reject the current set of best practices as being inadequate, and advocate a Whitehead/Russell approach to identify the absolute cybersecurity first principle that we all should follow and the strategies and tactics that logically flow from it.
Breaking into Information Security (LTR101) and Expanding your Security Horizons (LTR102) by Andy Gill
Andy is the Adversarial Engineering Lead at Lares Consulting with a decade's experience in offensive security, specializing in red team simulations, with knowledge in threat intelligence and purple team exercises.
He’s a generous person who actively helps the community grow through mentorship and educational activities. That’s why he decided to write these two books.
I wrote both LTR101 & LTR102 as, at the time, there weren't many books on the market for folks starting in the security industry. The first book, Breaking Into Information Security, sought to help those with a minimal skill set to better understand the steps required to pursue a career in penetration testing or bug bounty.
It dove into many complex topics and broke them down into bite-sized chunks.
The second one follows where LTR101 left off in that it expands the reader’s understanding of security. It also introduces many concepts around different areas of security.
The biggest change I wanted to make was to help bridge the skills gap and drive more people to be interested.
How I Rob Banks (and other such places!) by FC (freakyclown)
FC is the Co-Founder and Head of Ethical Hacking at Cygenta with 3 decades of experience as an ethical hacker. He passionately talks about his work and has stories “that will make you laugh, cry and finally change that crap password you’re using everywhere.”
He delivered more than 50 keynotes at events around the globe to help companies rethink security. After 10 years of collecting experiences and documenting them, he also decided to write a book.
I never really intended my book to be anything more than an entertaining way to share the more interesting things that have happened in my line of work. There is so much we do that is classified that I will never be able to talk about it, but there are also teachable moments.
The stories have been collected together over a 30-year career and took about ten years to pull together into an actual book. I didn't want to make the education piece boring, though; I find that educating people through humor is always the best way.
Deep Dive: Exploring the Real-world Value of Open Source Intelligence by Rae Baker
Rae is the Co-founder and Creative Sleuth at Kase Scenarios. With a knack for maritime security and always following the latest transportation news, she just launched the OSINT Voyage newsletter.
She’s also an OSINT Analyst, focused on exploring the real-world value of OSINT, knowledge that she shared in her book.
When she decided to write Deep Dive, Rae’s goal was clear and powerful:
to create a book accessible to beginners but also valuable to veteran OSINT analysts.
My focus was methodology over tools because if you understand the why and the how then you can adapt any tool to your work.
Additionally, I focus a lot on ethics and mental health because I feel that is incredibly important to have as a basis for any work we do.
Finally, I tried to include topics we rarely hear about but are near and dear to my heart such as transportation (air, ground, sea) and what we can do with the information gathered.
The Pentester Blueprint by Kim Crawley and Phillip Wylie
Kim is a Cybersecurity Consultant at CloudDefense.AI and an experienced infosec writer with a lifelong learner mindset.
She’s also a generous and kind person who honestly talked about her transition to an infosec career path to inspire others without a technical background to take the leap.
Co-author of The Pentester BluePrint book, Kim said this was a thrilling experience for her, one that opened up many more book authorship opportunities. After its launch, it became the go-to book for penetration testers. It’s also at the top of the must-read books in this field.
Kim’s main goal was to help ethical hackers understand the role of penetration testing in the infosec space and what it’s like to work as a pentester.
Organizations are improving their security maturity and the cyber threat landscape is getting more complex. The demand for skilled pentesters is inevitably growing.
But it can be pretty overwhelming for people to consider a career as a pentester. How do you start that journey?
Phil wants to make penetration testing careers more accessible to people. And I want aspiring pentesters to understand how pentesting fits into cybersecurity as a whole.
From our 20+ years of collective experience in penetration testing, we realized this. It is important to zoom in and zoom out to have the bigger picture and better understand your role.
It also helps you see how you can contribute to the community and what growth opportunities you have.
The Pentester Blueprint: Starting a Career as an Ethical Hacker by Phillip Wylie
Phillip is a veteran penetration tester, an international speaker, and a Security Solution Specialist at CYE. He has over 25 years of information technology and cybersecurity experience, which he passionately talks about within the community.
He’s also a kind and supportive person who wants to share knowledge, educational resources, and bring people together. He does it through the Phillip Wylie Show, but also through books. He explains in plain language what inspired him to write this successful book.
To make information on starting a career more accessible. People would typically have to know someone in the field to get this advice.
Here are 3 nuggets of wisdom for pentesters Phil highlights in the book:
Hands-on experience is the best way to learn about pentesting and building a pentesting lab is a must for any aspiring pentester. Building a lab can be an educational experience. “Learn to build, to learn to break” is great advice!
Be prepared to invest a lot of time and money in acquiring pentesting certifications. Your investment, however, will prove truly worthwhile for your career.
There will also be all kinds of skills and knowledge that you’ll lack, no matter what. There’s nothing wrong with that—even the authors of this book learn something new every day about computer technology or life in general. Always be a life-long learner!
How writing a book changes you in unexpected ways
The creative process of writing a book is deeply personal and can be quite transformative for a dedicated author.
When you spend months, years even, collecting experiences, doing research, and distilling everything to offer readers the best experience you can, you’re bound to discover new things about yourself.
That’s why we wanted to understand how writing their offensive security books changed their relationship with their work and opened their world to experiences they didn’t expect.
Mikko Hypponen emphasizes how dedicating a generous amount of time to this project allowed him to refine his point of view.
The book was a very long project for me. When I was finally ready with the project, it crystallized how I viewed my work. I used to think my job was to secure computers. Now I understand that our societies run on computers in every way, and my - and our job - is not to secure computers. It is to secure the society.
3 insights you get from Mikko’s book and can apply
Why working in cybersecurity is sometimes like playing Tetris. In that game, you use blocks to build a complete line, and when you succeed, the line disappears. Your successes disappear while your failures pile up.
How and why the Internet has changed the world, being the best and the worst thing that happened to us.
Why IT security is not rocket science if you consider how to make it harder for attackers.
Rick Howard explains that he read a lot of offensive security books before deciding to write his own, Cybersecurity First Principles. He did it because they were all missing something.
One specific example is the chapter on risk forecasting. I've read all the risk forecasting books:
How to Measure Anything in Cybersecurity Risk by Hubbard and Seiersen
Measuring and Managing Information Risk: A Fair Approach by Freund and Jones
Security Metrics: Replacing Fear, Uncertainty, and Doubt by Jaquith
These are all great primers on how to think differently about precision probability forecasting. I highly recommend them. If this subject is new to you, it will change your view of the world.
But my problem with all of them is that I kept waiting for the chapter at the end entitled: ‘And here’s How to do It’ or, better, ‘Building the risk chart that you can take to the board.’ None had it or anything close to it. That part was always left as an exercise for the reader. So, I wrote it myself in my book.
3 key things you learn from Rick’s book
Learn to design a security program using the concept of Zero Trust because it is a philosophy, a way of thinking, not a product.
Why and how security automation is essential for improving your security data flow, with a focus on DevSecOps.
How to use backups as a reliable strategy to become more cyber resilient and secure your data.
When asked how writing How I Rob Banks: and Other Such Places altered his relationship with his work (and readers), FC (freakyclown) gives a straightforward answer:
It hasn’t not. My work, the book, and my life are so entwined I don't think I ever really saw writing the book as work and never saw work as feeding the book.
He also highlighted how essential it is to love what you do and make a living from it.
I think the most important thing for me has always been that I genuinely enjoy my work, so I am fortunate to get paid to do my hobbies and interests.
3 essential lessons to remember from this book
How you can successfully break into secure buildings: “Hacking large corporations, banks, governments, isn’t usually easy, but there are ways to do it. You could phish the right employee, then escalate privileges.”
Don't assume that higher cost means better quality in physical security (he shares a story of how he got through a $100,000 security door by observing a default mode that opened it every 30 minutes).
If you’re not sanitizing your input data, anyone can manipulate your backend. So fix the simple stuff first.
Rae describes the process of writing her first book as countless hours spent analyzing the subject and seeing how other experts work.
I learned quite a few things about cryptocurrency investigation that I never knew and it has helped me become a better more well-rounded analyst.
It is one thing to work in your own bubble doing the same things every day but it truly opens doors when you branch out and are open to learning new things.
3 takeaways from Rae’s book
Learn how to use image-based geolocation with deep analysis and specific geolocation steps to level up your investigative OSINT skills.
The impact of GNSS jamming and meaconing attacks on navigation systems.
How to spot the differences between cryptocurrency mining and minting and their validation methods.
Kim Crawley highlights how the success of The Pentester BluePrint (2020) made writing books an essential part of her career and contribution to the community.
I can't speak for Phil. But for me personally, it's led to many more book authorship opportunities.
Kim went on to write a solo book, 8 Steps to Better Security: A Simple Cyber Resilience Guide to Business, which was published by Wiley in 2021. And there’s more.
Kim has another two books coming out soon: Hacker Culture: A to Z (coming in October) and Cloud Penetration Testing for Red Teamers (coming in November). Here’s where you can keep up with her work.
3 key things to remember from The Pentester Blueprint book
What the Pentester Blueprint formula includes: technology knowledge + hacking knowledge + hacker mindset, to help you become a better ethical hacker.
Discover the most popular pentesting tools you can try to simplify your workflow and automate repetitive tasks.
How to get hands-on experience in the field with a focus on interactive labs, CTFs, and bug bounty programs.
What readers got from these offensive security books
Many of the people we follow or know have either read or wishlisted these offensive security books.
But what did readers learn from them?
From the authors’ perspective, here are the main takeaways.
Jenny expressed her delight in her book reaching readers beyond information security and giving people an entertaining experience alongside its educational side.
I knew that social engineering was not a well-known profession outside of the industry, but I am humbled and delighted at how both security professionals and the public more generally have enjoyed the book and found it useful as a guide to both being an ethical social engineer as well as part of defence education.
It’s been great to know that people have enjoyed the humour in my job as well as found the security and career advice helpful.
This is probably one of the most fulfilling experiences for any book author: getting recognition for all the work they put into writing such a book.
Been following Jen's work for a while now and was excited about the book coming on preorder. It arrived three days ago and I finished it yesterday, unheard of for me! I am an Investigator and counter-fraud specialist by trade, although not in Jen's area of work, and so the content was very relevant for me.
My job is ruled by procedure and policy so it was brilliant to read about Jen getting results by using social engineering, thinking on her feet and making the traits of everyday people work for her. Read it, you will understand what I mean.
A brilliant read, hoping there is a sequel! - Ian Allcock on Amazon
Mikko summarized that “the main takeaway people had from my book is that it's too easy to blame users for all the security problems we have. If users can't take responsibility for their cybersecurity, that responsibility should be taken away from them.”
This is a 5-star book for those not in security and a 4-star for those in the field. If you have friends and family always asking questions about what you do in cybersecurity, buy them this book. It is an easy and entertaining read as Mikko weaves key information in with great personal stories. The early chapters on the past are quite impressive in how they cover so much ground so effortlessly.
If you are active in the security community you will know most of the information (but I bet you will find something new). What will be most interesting to you is Mikko's stories. He drops some short one- to three-page ideas that will make you think. Such as why security training fails, will cyber deterrence be a reality, how we are going to deal with IoT security, ... I had the good fortune to interview Mikko for my Unsolicited Response show and dive into some of those areas. - Dale Peterson on Amazon
There's nothing more entertaining than witnessing how virus hunters chase bad guys on the Internet. This book is authored by a white-hat who cracks code himself and understands how nefarious minds think.
Written as 80 ultra-short stories, organized into 8 chapters, each of them a vignette about a famous hack or a criminal take-down, along with a moral lesson about how our data security and privacy are vulnerable as a consequence. Nonetheless, it presents an optimistic forecast for the future. - MXA on Amazon
Rick highlighted how well readers reacted to his book which is consistently in the top 100 Amazon bestseller lists.
I received positive reviews on LinkedIn similar to the reviews left on Amazon.
As a practitioner that looks for better ways to formulate the objectives of SecOps Use Cases I have found the methods presented in this book to be immensely helpful.
I have also given copies away as gifts to students who are just entering the field as this is by far the best intro to the long history of Cyber Security that combines the best direction for the future. - Ivan Paul Ninichuck on Amazon
FC (freakyclown) was overwhelmed and amazed by his readers’ reactions.
Almost everyone has loved the book and the lessons from the anecdotes; many people had already heard a few of them in talks I have done around the globe. But they all seem to have appreciated the extra details and background on those. I still can’t believe it’s a number 1 best seller in both print and audiobook. I wish my old teachers could see me now!
“It’s a book about security that’s also fun. It reads like a well-wrought crime novel. FC is a renowned ethical hacker who makes his living breaking into buildings whose owners want to test their physical security countermeasures.
He’s a penetration tester (pentester) for doors, locks, and security guards, versus firewalls.
FC has a knack for storytelling. He creates suspense. He has a sense of humor. The book comprises over 70 separate anecdotes, which are detailed enough to be fascinating and informative, but understandably scrubbed of client revealing detail.” (book review by Hugh Taylor)
Dangerous & fun. If you like It Takes a Thief, How to Steal a Million, Oceans 11, or I Robot; you'll love this book. It's the same as a magician revealing their tricks. Even if you don't want to be a first-class burglar; it's a fun read. I would have added an additional chapter. Since he claims recon is most important; it would be nice to have a workflow as to how he approaches a job. What he looks for first, second, etc. - Will Pfister on Amazon
Bought it for a lazy poolside read on holiday as I thought it would be good fun.
Wasn’t disappointed, it’s an easy read with many entertaining yet thought-provoking anecdotes.
Would thoroughly recommend it… You won’t look at physical security in quite the same way ever again - Andy Davies on Amazon
Rae felt overwhelmed by how positively readers reacted to her book.
Many of my readers have reached out to me to tell me how they couldn't put it down (which is a huge compliment for a non-fiction book).
I think the biggest takeaway is that the book is not just a list of links, it is a comprehensive and accessible guide to OSINT for beginners through all levels.
She also added one particular note: “I got a few comments on my use of she/her throughout instead of using all-male examples, which made me smile.”
This book is a definite game changer, not only did I read it cover to cover, but it is utilized as an excellent resource as I navigate complex OSINT investigations. It is also being utilized as a training text for new staff that are brought on. I definitely recommend this book!! - Jason McCausey on Amazon
As for Kim, she believes the Pentester BluePrint was a smashing success because it gives readers the a-ha! moments they need to build a pentesting career with enthusiasm and determination.
“It's safe to assume that people are reading our book. And something clicks with them. That's what people are saying on Goodreads and in Amazon reviews.”
Pentesting is a relatively new occupation, and there aren't obvious academic paths to those careers. So what readers are getting from our book are their own Eureka moments about how they can turn their curiosity about computer technology into a career. It makes sense that they'll tell people online about how our book has helped them. And it humbles me. Phil and I each wrote about 50% of the book, but my contribution was mainly the ideas about how pentesting fits into cybersecurity as a whole.
Here’s what readers think about the book
This was a good book. I also ADORE the authors. They are pillars in the information security community. Great folks. This book however isn't really for mid to advanced-level pen testers or anyone in information security at the mid/advanced level, for that matter.
I consider myself beginner-mid so there was a lot of information in this book that I already knew, however, there was some information towards the middle to the end of the book that I found new and helpful, but this book didn't change my life.
I like how I have all these resources now contained in one book, I also loved hearing about the different types of certifications out there. Some of these I have never even heard of, so that was neat. I also really enjoyed the stories and experiences shared by other Pentesters in the community. - Leesa Ray on Amazon
“Phil does a great job pointing the practitioner and newcomer to resources they can use towards a career as a penetration tester. But this book goes beyond that really, I believe that all career Cybersecurity folks can learn something about developing a personal strategy in their career.
Security leaders who need to hire for this type of role will get a better understanding of qualifications and guidance in preparing job descriptions. A great read for Cybersecurity practitioners at all levels, not just pentesters.” - D. Belanger on Amazon
What does a book do that other content formats can’t?
Unlike other content formats, books invite us to delve deeper into thought and reflection. They also offer a unique opportunity to step into the minds and beliefs of authors, allowing us to understand the core values they cherish.
Continuously serving as an invaluable resource for learning, books reveal the intricacies of their structure, valuable ideas, and the messages authors passionately wish to convey to their audience.
Wrapping things up, books remain a treasure trove of ideas we can learn from and apply in our lives.
If you haven’t read these offensive security books yet, but are planning on doing it, these valuable tips from book authors will help you boost your ethical hacking career.
A huge THANK YOU goes to all 8 offensive security pros who generously shared their valuable perspectives on what it takes to write a book and the impact upon us!
Here’s a list of all the security books we mentioned in this article.
The People Hacker by Jenny Radcliffe
If It's Smart, It's Vulnerable by Mikko Hypponen
Cybersecurity First Principles: A Reboot of Strategy and Tactics by Rick Howard
Breaking into Information Security: Learning the Ropes 101 by Andy Gill
Expanding Your Security Horizons: Learning The Ropes 102 by Andy Gill
How I Rob Banks: And Other Such Places by FC Barker
Deep Dive: Exploring the Real-world Value of Open Source Intelligence by Rae Baker
The Pentester BluePrint: Starting a Career as an Ethical Hacker by Phillip Wylie and Kim Crawley
Feel free to add them to your reading list and bookmark this article because we’re planning on updating it with more interesting perspectives.
Bonus: If you want to be a better hacker by challenging your assumptions and digging deeper into the why, how, and what of offensive security, tune in for our brand new podcast: We think we know.
Stay tuned!