We think we know podcast

We think we know you can't attack what you don't understand

Publisher
Pentest-Tools.com
Updated at

Gabrielle isn't just a pentester; she's a powerhouse of knowledge, an advocate for cyber education, and a mentor shaping the future of ethical hacking. 

With 9+ years of experience in cybersecurity, she focuses on sharing it with her community members through practical and valuable resources.

In this episode, we continue to ask the meaningful questions:

  1. What makes a great pentester? 

  2. How can you balance the art of manual testing with the efficiency of automation?

  3. What is the unique value that pentesters bring to offensive security? 

  4. And what can't be commoditized in this craft?

Gabrielle's mantra, “action for cyberpeace”, resonates through her work, and today, she shares her journey, experiences, and the lessons that shaped her career so far. 

We think we know you can't attack what you don't understand

Gabrielle bio

Gabrielle Botbol

Gabrielle is an award-winning ethical hacker and an active member of the infosec space, serving her 9K+ community members with educational and helpful resources.  


She works as an Offensive Security advisor for the Canadian company Desjardins. With 9+ years of experience in cybersecurity, four of them in penetration testing, Gabrielle has a holistic approach to cybersecurity, focusing on lifelong learning and sharpening her critical thinking skills. Her mantra is “action for cyberpeace.” 


Gabrielle is a member of the Advisory Board of various hacking organizations and a speaker at international conferences like DEFCON 21, Black Hat, API Secure, OWASP, and many more.

Key highlights from this conversation:

  • What specific skills do you need to be a great penetration tester [02:45]

  • How self-learning and consistency help you achieve your goals [07:55]

  • Why she values team collaboration to deliver the best work you can do [13:57] 

  • How she got into cybersec and why she strives for cyberpeace [24:35]

  • How to find balance between your personal life and your work [28:37]

  • When automation is effective in pentesting and where that ends [32:02]

  • How to set healthy boundaries to protect your personal life and health [41:11] 

  • Which hobbies juggle her curiosity and broaden her horizons [51:59]  


Give this episode with Gabrielle a listen if you want to level up your ethical hacking skills and challenge your modus operandi. 

Resources from this episode

Gabrielle’s personal blog

Gabrielle on LinkedIn

Gabrielle on Twitter

Mentoring in cybersecurity with Gabrielle Botbol

The apprenance concept by Philippe Carré

Notion

ZAP

Burp

Phillip Wylie

Tanya Janca

Listen to this conversation on:

Spotify 

Apple Podcasts

Amazon Podcasts

Google Podcasts

Episode transcript


Andra Zaharia: Only the most curious and persistent people thrive in offensive security. How do I become a better hacker? How can I build and maintain my advantage over adversaries? And what's limiting my ability to think creatively? 

This podcast is for you if you're the kind who's always digging deeper for answers. Join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.


This is We think we know, a podcast from Pentest-Tools.com


[00:42] Andra Zaharia: Welcome back to the We think we know podcast, where a hacker's innate curiosity meets the nuances of offensive security work. I'm your host, Andra Zaharia, and I'm delighted to have Gabrielle Bottol as our guest today. Gabrielle isn't just a pentester. She's a powerhouse of knowledge, an advocate for cyber education, and a mentor, shaping the future of ethical hacking. 


With strong experience in both pentesting and physical engagements, she brings a wealth of experience and practical insights that are both specific and highly valuable. In this episode, we continue to ask the harder questions. What makes a great pentester? How does Gabrielle balance the art of manual testing with the efficiency of automation? What is the unique value that pentesters bring to offensive security? And what can't be commoditized in this craft? 

Gabrielle's mantra, action for cyberpeace resonates through her work, and today, she's here to share her journey, her experiences, and the lessons that have shaped her career so far. 


So let's have a listen.


Andra Zaharia: Gabrielle, I'm so happy to welcome you to the We think we know podcast. I've been waiting for this conversation for a long time, and I'm really glad it's finally happening. 


Gabrielle Botbol: Thank you. Thank you for having me. I'm happy to be here. 


Andra Zaharia: So there's so much to unpack from your experience and from your mindset and the way that you do things, which I think, and we believe, that it has such a big influence on the quality of work that we do and the quality of the deliverables, of course, that we put in our customers or colleagues hands. So to start with a not-so-easy question, what do you think makes a pentester great? And why is that?


[02:45] Gabrielle Botbol: So, we always bring in front for pentester the technical skills. But in my opinion, the difference between a good pentester and a great pentester would be soft skills. Because, for example, the ability to communicate and explain complex concepts simply. Also, creativity, because it's important to be creative if you want to craft say dedicated attacks for specific contexts. You need some creativity and curiosity. Also, it's really essential to understand our targets and how they work and how we could make them do things that they are not supposed to do. So yeah, there's the different subskills that I think are really important. 


Andra Zaharia: That's a great thing you spotlighted and very helpful examples that you added around that. Especially because something I've actually been thinking about for more than a couple of days is what actually makes the attacker's mindset. So we kind of have a much clearer understanding of the technical skills and technical knowledge that you need as a pentester. 


But when it comes to mindset and to these soft skills, let's say the landscape is much less clearer, it has a lot more nuance and we're less familiar with it. So when you have to shape your thinking and really think it like an attacker, and of course act with impeccable ethics, how did you personally shape your attacker mindset? How do you truly embody that perspective so you can be really sharp in your engagements and work? 


[04:30] Gabrielle Botbol: I would say to stay focused on your goals because there's so much to learn. We only have 24 hours. And so I had to make my goals clear at each step of my journey. 

And even today I regularly pause to make sure that my goals are clear and that the steps I plan to go and to do to achieve them are also very clear, just to make sure that everything aligns. 


So this would be an important thing to have in your mindset because this is really easy to get lost because we have so many things to learn and days are short. And so I actually have a very organized schedule and I think it's really helpful for me. It really helps a lot because this way I know that I have this time to do this and I don't go. 


Because if I don't do that, I know I'm going to do something completely different or something that's not related at all, or think about something and then do it and then stop a task I was doing because I'm thinking about something else. 


Gabrielle Botbol: The best way is to focus on your goals, make sure everything is clear. If it's a big goal, separate it into multiple steps and achievable steps, and in the end, you end up doing what you wanted to do. 

Andra Zaharia: I love that, talking about achievable goals, it's actually something that IppSec highlighted when we talked in a previous episode as well, make your goals smaller and more attainable, he said, because that of course gives you that sense of achievement that keeps you going, it gives you energy. 

So you can continue to do this very challenging, very just emotionally and mentally demanding work that is involved in offensive security. So I appreciate you sharing this. 

And I couldn't help but think of like time boxing, which is such an important concept, and penetration testing, but also for our lives, because otherwise we might get lost in a rabbit hole chasing something that we're looking for, which may not be there. And you can easily get lost along the way simply because there's so much possibility in this space, generally speaking. 

By looking at your profile and your experience, you do look like you have more time in a day than a regular person because you've achieved so, so much. And you also make a lot of time to share all of this with the community. So you post regularly, you have an immense community, not just on LinkedIn, but in other spaces as well. So I was really curious, how did you start writing about things and putting things out there? What was it like for you in the beginning and what is it like now? How has this practice of sharing changed the work that you do and how you do it, maybe? 

[07:55] Gabrielle Botbol: When I started, I have to go a little back and explain a few things before. So I trained myself to become a pentester. So I used references and articles and things that the community put out there for everyone to learn. And so it was very helpful for me and I wanted to give back to the community. And so that's why when I started my self-training to train myself, I used concepts from education science. 

So, for example, there is one called apprenance that I used for my self-training when I got into pentesting. And it is a concept by Philippe Carré, which is based on the concept of lifelong learning. And so to quote him, apprenance is a lasting set of dispositions favorable to the act of learning in all situations. So formal or informal, experiential or detective, self-directed or not, and intentional or accidental. 

Gabrielle Botbol: So in order to achieve my goal, I used six steps. So there was CTF conferences, there was also tutorials and MOOCs and internships, and also summer schools and volunteering. And so the CTF, I used it to learn by doing and conferences, I used them to have different points of view and approach cybersecurity from all angles because it is such a broad topic. It's not only pentest. There are so many things, you have law, you have psychology, you have a lot of things that are very fascinating in cybersecurity. So conference are a great way to have these different points of view. And also some MOOCs and tutorials were to support the practice of the TF with theory and summer course. 

It was to have contact with the academic and professional world and meet experts in the field. And so volunteering was to meet other cybersecurity enthusiasts. And finally, the internship was to put all this learning into practice. And so, to this program, I also added a grid that was listing the skills I obtained from previous position that could apply to cybersecurity.

 

Gabrielle Botbol: And even if you were not in cybersecurity before, you can definitely use them in cybersecurity. And so, in order to document this approach, I created a blog to share my experience. And I wanted if someone, anywhere in the world is like, okay, I want to go into pentest, but there are plenty of resources online. And there are also, sometimes you don't even know what you want to do in cybersecurity. 

Sometimes people come to me and they say, okay, I want to do cybersecurity. And the next question I ask is, what do you want to do in cybersecurity? Because there are so many possibilities. So if someone want to do this, the blog was to help people. If they want to do pentest, this is how I did it, so they can use it and they can actually practice. 

And so the list of resources I did was also for this purpose. So there are many, many topics. And so if you're interested in this topic, or if you want to know if you're interested in this topic, you have this that you can do. So, yeah, this was the whole steps and tasks I use. 

Andra Zaharia: That's actually very helpful to the way you talked about validating your interest in something and validating it, that might be like a potential path for your learning process. Because, again, it's just like, I can go back to the thinking that sets behind penetration testing. Very hypothesis based. Like, we have this plan, we have this scenario, we have these potential, let's say, opportunities or end goals that we have in mind. 

But we're experimenting all the time to see how we get there. How do we get an initial foothold? 

How do we gain an initial access? How do we move laterally in the network once we're there? We know what we want to do. But how we get there is so different every time because it's so very dependent on the context. 

And having this idea in mind of constant validation and constant experimentation and constant learning, those are absolutely fundamental to this type of work, no matter the setting, like you said, like CTFs, volunteering, actually doing internships, and so on and so forth.

Andra Zaharia: One of the things that also stood out for me from your experience is how much you get involved in the community. So what is the difference, let's say, that you felt the most for yourself between learning by yourself?  With your laptop and learning with other people at conferences and doing volunteering and perhaps like doing CTFs together. What was it like for you and what was it like to have this experience? And how do the two learning methods compare? 

[13:57] Gabrielle Botbol: So in a team, each of us have trends and when we work on specific topic, we know who to ask. So I would say collaboration is mandatory to deliver. Like if it's a team collaboration to deliver optimum pentest and also interaction with people brings you other point of views and probably things you wouldn't have think of. So that's really important. 

So I would say it's important to have also all the work you've done by yourself, because this way you are able to be out there and understand what people talk about when you talk with them. And it helps construct also critical thinking. Yes, I think the combination of both is really important, but working with people is mandatory because you get other perspectives, you get other points of view on things, and sometimes you even have new ideas because you talk about something with someone and it brings you new things. 

Gabrielle Botbol: I really also like to see how other pentesters work because it's really interesting and it's really different from one person to another. You don't really expect this because it's a pentest. So you have the definite phase like enumeration and everything. But still people don't work the same, they don't tackle a subject the same, they don't use the same tool, they don't use the same mindset and they don't have the same instincts. 

Also because we are different and we have different experiences. So this is really rich and this is something you should not deprive yourself of this, because this is something really interesting to know about and to get better, to make yourself better also.

Andra Zaharia: Thank you for highlighting that. So indeed the richness of this experience, although it may be uncomfortable to step outside of our work area where we have control over all the things, but when we step outside of that and we make friends, we develop these connections with people and have that self, we build that self-awareness that we need so, so much if we want to progress in this field. 

And the fact that you highlighted the diversity in approaches and tool sets and everything that goes into this work, I feel really speaks to the craft aspect of penetration testing and why. It is very far from, let's say, the perspective that many people outside the space have on what penetration testing is, which a lot of people see as a checkbox exercise, something that you do just because you have to, but it's just so much more than that. So to you personally, what makes penetration testing truly a craft? 

[17:29] Gabrielle Botbol: Exactly what I said before. We have different ways to tackle a pentest. So this is something that shows really that it's a craft. Also, a lot of companies, they have technologies that are specifically tailored to their needs. So it can either be in terms of configurations or in terms of development. 

So when we start a pentest for this kind of technologies, we have to understand them and the specific business needs to make a dedicated pentest and define useful attack scenarios. So it's not something that can be standardized, because it's not a unique product, and it's something we have to adapt to every target, to every concept. And so we want to craft our pentest for it to be as precise as possible. Because the most precise we are in our attack the most, it has chances of being successful. 

Gabrielle Botbol: And it is also a question of curiosity. You cannot attack something you don't understand. It's not because sometimes you have, like, I'm always excited to start a pentest on a technology I don't know because I get to know something, to learn something new. It's like when you see babies trying things out. What happens if you click here? And what happens if you do this? This really requires creativity and precision. 

And it's not also, another aspect is like, it's not because we imagined an attack that it will work. 

Sometimes you have these great ideas, oh, I'm going to do this, and it's going to work and it's going to be really efficient. But you do acquire crafting with practice and with trials and errors. 

The more we work on our crafting, the more it gets precise and clear. So this is really why it's important to be creative and to have critical thinking, because the context is really important. 

And it's also important to understand how a vulnerability can impact a specific business. 

Like some vulnerabilities won't impact different businesses the same.

[20:21] Andra Zaharia: That is the perfect segway for one question that I really wanted to ask, because we see this a lot in the industry. We see vulnerabilities like Citrix Bleed, for instance, or Log4J. And the general, let's say dialogue is that, oh my God, this is so important. Everyone's up in flames. It's happened again. Everyone's vulnerable. Like, you've got to patch it now, you got to do all the things, you got to find it. And that's not really nuanced. That's not a really nuanced, nor is that a realistic perspective.

So how do you approach situations where this type of potentially high-impact critical vulnerability affects a large number of systems? How do you engage with that, with your clients and the teams that you're part of? And how do you avoid going into straight firefighting mode and think and approach these things with more thoughtfulness? What's your take on that? 

[21:21] Gabrielle Botbol: So first, I would say that we need to keep a cool head because it's going to be a moment during which all cybersecurity teams will be very busy. So being calm is really important. And it's also in critical moments like this, stress is going to be confusing and it's going to prevent us from acting in a clear and efficient way. And also staying cool and stay calm is a skill that is really important to have in cybersecurity in general. 

So I would approach this also as an opportunity to learn new vulnerabilities and I would try to understand them. Like for example, when Log4J happened, a few days later, there was a box on TryHackMe to learn about it. So I was actually able to test it and learn more about it. So you can also deploy your own lab and test some things out. 

So it might be scary, but I think the best way to stop being scared of something is to try to understand it. Because this way, in the case of a vulnerability, you can also find some way to patch them or to deploy something while waiting for the official patch to come out. 

And by demystifying something you don't understand, it really helps us also keep the calm and the cool. 

Andra Zaharia: It really does. And I think that I can speak for many people when I say I'm so grateful when people publish write-ups and publish their research, or even make public exploits available, when they actually help you unpack that complexity and you get to learn from what they tried, what worked, what didn't work because I'm really appreciative of people who also share what didn't work. 

It also normalizes the conversation, or how trial and error, which you mentioned earlier, and like you said in the beginning of our conversation, just having that open access to education is how so many generations of ethical hackers have honed their skills and have become great specialists, great managers, great leaders, maybe great founders of their own companies as well. 

So it's really an evolving ecosystem that all feeds on these publicly shared sources of education, not just information. And this is something that I really appreciate about the space. And you contribute to that so, so much with your presentations and articles and the resources you post on LinkedIn, which get a ton of people to pay attention to this and give them. 

Gabrielle Botbol: Like, you constantly feel the fire. That's what I feel you do. Constantly feel the fire and the passion that people have for this specific area of offense and security. 

What attracted you to penetration testing of all the potential opportunities in the space before being a pentester? 

[24:35] Gabrielle Botbol: Way before I was an actress. But after this, I changed because I always like creating things and all. So I became a developer, and I started to be a developer and work in a company, and I was like, okay, I'm delivering things, and I don't know if it's secure. And obviously, I want my customers to trust me. So I want something that I want to make sure that what I deliver is secure and that they won't have any problem after or anything. 

So that's how I started to Google about cybersecurity and how do you secure your applications and everything. And that's how I discovered pentest. And I was like, wow, this is really amazing because you get to learn about different vulnerabilities. You get to learn about the fact that I was going to learn something different and something new. 

Gabrielle Botbol: Every day is really nice because you don't have the same day. Every day is different. And also you get to help people, which is a value that is really important to me. I really believe in cyberpeace, and I want to achieve it. And this is a way to help achieve cyberpeace, to protect people, protect citizens, protect governments. When I discovered it, it has a lot of values that were dear to my heart and that I had to do it. 

Andra Zaharia: So that alignment was kind of like almost instant there, which is something that I resonate with so much. I love the space because it embodies all of these values, like accepting people of all backgrounds and trying to understand, and again, always juggling our critical thinking. There's so much good in cybersecurity. 

And I love that you're an ethical hacker who thinks about peace, because usually the conversation and the space and even the language you use, because it draws from the military, it's so black and white. There's always that sense of combat, that sense of fight, but it can be a fight for good, and we can change that to truly focus on not the fight itself, but the great people behind this effort of keeping things safe. And making things actually safer and more reliable and more resilient, which I think is such an important part of the work in offensive security.

And this also ties into kind of your artistic side, again, this sense of artisanship that plays into the craft of approaching every situation with a lot of, with a meticulous, clear-headed approach with that curious eye. Curious if we like the slightest detail that could lead you on an interesting path, how do you balance this depth and keep your knowledge and skills up to date with, let's say, the next thing you want to do in your career and with sharing all of this with the community because it takes tremendous effort to learn, practice, and share. That's a complete learning cycle, but it's also one that takes a lot of energy and a lot of personal commitment. So how do you find balance between these aspects of your life and the rest that go beyond that as well? 

[28:37] Gabrielle Botbol: So I mentioned a little before, I have a schedule that is really precise, and so it's really helpful to, in a way, take every aspect. I have dedicated time for learning. I have dedicated time for researching about the specific topics. And I also, of course, have most of the time to work. And so I try to fix slots. So this way I really have to do it. I use Notion for this. It's written in my Notion. I have this specific time to do it, so I have to do it and I actually do it. 

And the satisfaction when you cross a task that you've done, it's also really rewarding. So, yeah, that's how I would balance this in terms of methodology. And if I, for example, work on something and find another subject while working on a specific thing that is interesting, I will write it down and keep it aside for later. 

Gabrielle Botbol: And also I keep an eye out for the new trends and the new technologies because this is definitely something that we need to learn about because it's going to be the future. So we have to know about it. And so I say every year I try to make also a program of things I want to learn. So this way I know what, in a way, these are my goals. So, yes, I say, okay, I want to learn about this. So I look for resources, for resources for this or for different topics. 

Gabrielle Botbol: And so with all this, I'm able also to have the resources and to give them also for my post on LinkedIn. So this way it really completes one another and I can work on them and I can also share them with the community because a lot of people are sharing great things on their blogs, on different spots on the Internet. And so it's really nice to be able to spread the word in a way. 


Andra Zaharia: It really does. And it means so much when you have someone who has a bigger community to kind of give you that space where you can have more reach and just have more people see your work and be a very powerful thing. It can spur connections and debates and a lot of opportunity.


And something that I wanted to actually talk about from what you mentioned is the side of technological advancement and keeping an eye on things. How do you balance manual testing with, obviously, the effectiveness of automation, where it makes sense in your penetration test? What does that look like in your setup, in your old approach? 


[32:02] Gabrielle Botbol: So automation is convenient when I need to gain time for consuming tasks like brute force attacks, for example, because this is definitely something that you cannot do manually. But also sometimes in a company, for our practice, we do craft specific tools for specific tasks that are dedicated to the company. Like, for example, for reports. 


We want to ensure consistency and equal quality in the deliverable, so we can develop a tool to standardize our reports and make sure that it has equal quality everywhere. And also it has its advantages and it has its drawbacks. It really saves time on repetitive tasks that would really not really add a lot of value to a pentest. 


Gabrielle Botbol: But it can also be a drawback because, for example, if we use a vulnerability scanner, and so we do save time on some things, but we are still going to need to validate. 

So, for example, if we need to check for false positives and also sometimes a scanner will find something, but we are going to need to go further and to understand because, and sometimes it will bring up something, but it will not point specifically the vulnerability. 


It kind of saw it in a way, but did not point it. But when you read the report, you will actually see that might be something else. So, yes, you definitely need to also, well, this is definitely critical thinking and understanding the target. It has its advantages, but you cannot only rely on this. It's impossible. 


Andra Zaharia: Absolutely. I feel like that's the consensus among everyone in penetration testing, that all of the claims that you can automate the pentest 100% and things like that, that you can take the human out of the process, those are just, there are superficial ways of putting things out there. And honestly, it hurts more than it helps, definitely. 


So, yeah, I'm glad that we can clarify this for people who might be starting out and who may be worried, even that, hey, I'm investing all of this time in building a career. Am I going to have a job, or is this something that technology will be able to entirely take over, which is obviously not the case, simply because the biggest value in penetration testing and other types of security work comes from the actual people and their unique skill set, their unique mindset, and what they actually bring in this space.


Andra Zaharia: But when it comes to tool, just to dive a bit deeper into the technicalities, were there any particular tools that you feel have shaped the way that you work? And I'm going to quickly reference something that IppSsec said a couple of episodes ago. He said that, for instance, sqlmap has really changed the industry because when the tool appeared, not only did it make it possible to find a lot more vulnerabilities in this category, but also it instantly created more demand for this type of product and for this type of specific research into this, which hadn't existed beforehand. So it actually changed the dynamic in penetration testing. Do you have any, let's say, particular tools in mind that have influenced your work or that you've seen influence pentesting in general in a similar way? 


[36:04] Gabrielle Botbol: Oh, yes, I can think about Nmap without Nmap. I don't think you're able to do a network pentest as efficiently as with using Nmap because it's really a huge gain of time and you actually get in a way. When I'm going to start a network pentest, I'm going to launch Nmap, and this is going to give me a sort of checklist because I will see every port that is open and I will be able to have this checklist of things that I have to investigate. 


So yeah, this is definitely this tool that in a way defines my methodology. And also the web proxies like Zap or Burp, for example. I cannot imagine doing a web pentest without Burp or Zap. It's definitely something I'm going to use because it's really convenient to analyze a request and modify it and send it back to the server and see if it triggered something. I don't think I would be able to do a web pentest without it. It would be a challenge to do it without a web proxy. 


Andra Zaharia: I totally understand that especially, and I see this even if you mentioned that, of course, this is true, that everyone has a different toolkit that they use. There are also some fundamental components that are part of almost everyone's toolkit, which makes perfect sense because some of these tools have actually laid them. They sit at the very foundation of penetration testing, realistically speaking. And like you said, we couldn't envision our work without them.


And one other thing that I feel is entirely fundamental to this space are the people who are teaching their skills to others. So I was wondering, have you ever had a mentor or worked with someone in that capacity? Because I know you do a lot of mentoring yourself, but how has this type of role shaped your career so far? 


[38:31] Gabrielle Botbol: In a way, I had mentors, and it was different people, not always the same person. And I had people giving a hand to me. Like, I'm thinking of Tanya Janca. She sent opportunities my way, and she was in contact with me from the beginning, when I started in the beginning. So she's a really kind person and she was really helpful also during my career with colleagues, and I had the opportunity to have people who were available for me to answer my questions. 


So this is definitely helpful. When you go in a company, there's always people who are going to be open and willing to answer your questions. So ask them away, because it's definitely one of the best ways to learn is to ask questions. And when you find someone who speaks the same language as you in a way, like a language that you understand things, it's really helpful because you get really a lot of time in the research you would have done on your own.

 Gabrielle Botbol: So I did have these people step by step in my career that were really helpful and that I was able to also ask technical questions that I did not understand or just also questions about my career. Also, my friend Philip, he's also very kind, and when I have a question, I know I can ask him. 


So, yes, it's a lot of different people that I met at some point in my career and that were really kind and helpful. This is also one of the reasons I told you earlier I wanted to give back to the community because I met a lot of great people. And a way to give back for me is to also share resources and do some montoring and coachings and things like this because I had this, and I know what value it brings to a career. 

Andra Zaharia: And I applaud you for that. And I, too, am a huge fan of Tanya and Philip as well. They're consistently helpful and generous people and have done this for such a long time. They're actually, I think, some of the first people that I found, as I was learning about cybersecurity almost ten years ago, and it's fantastic to me, is that they still invest and give. They still invest in the community and give with so much excitement and energy, even after all of this time of doing this. And to me, that is absolutely wonderful. 


And it makes me think about the fact that there's honestly the human element of penetration testing is truly invaluable. And we don't talk about it enough simply because the conversation is usually focused on more technical aspects of the work, which, of course, are essential because we work with technology. But technology is not actually the end goal, and I think that's helpful as a reminder for our work and for how we interact with each other.


Andra Zaharia: So if we think about, let's say, into the future just a little bit, as people are trying to scale everything, they're trying to commoditize penetration testing, what kind of skills do you think are valuable to build for the future? Skills that will serve you well, even if you decide to change paths or focus on something more specific, what are those skills that you're building for yourself? 


[42:48] Gabrielle Botbol: So I would say with the technologies that changes constantly and really fastly, be adaptable and always be keen on learning because it's definitely going to be helpful in every aspect of cybersecurity. So this is the first thing that comes to mind, adaptability and curiosity also. And yes, keep on learning. I think a word to set up cybersecurity would be lifelong learning. You have to learn all your life


Andra Zaharia: That is so true. And that is, in a way, true to our lives in general. If we want to have a rich experience in life through our work, through our relationships, through everything that makes up generally, like our livelihood, that's definitely. Lifelong learning is definitely at the very center of that. 


And I appreciate that you shared your learning system and the concept of apprenance. I hope I said that correctly beforehand because I think that that is so helpful to pull information from other disciplines. And like you said, education, science, it has so much to teach us. There are so many methods and concepts that we can actually just borrow and apply to what we do in offensive security.


And one of the other things that I wanted to ask around, let's say values and principles, what is a key mindset element that's besides lifelong learning that you feel has most shaped your approach to the work that you do right now? 


[44:44] Gabrielle Botbol: Yes, I would say consistency, because.. And never give up. Also, staying focused on something and if you feel like it's too hard, it's okay. Cut it into small chunks because it's going to be easier. So be consistent. It really helped me because as I told you before, I love a lot of things and I can easily go all over the place. So being consistent and forcing myself to be consistent was really helpful for me because this is how I got to achieve the goals I wanted to achieve. 


Andra Zaharia: That's again, another valuing skill, especially when things get uncomfortable in whichever way we get. Speaking of uncomfortable experiences, you've also done, like, physical engagement. What has that taught you about penetration testing that you might otherwise not have learned? 


[45:55] Gabrielle Botbol: I had a specific experience that I will remember all my life. I went into a building and we stayed with my colleague. We stayed all night long in the building. And I'm someone who needs sleep, but I wasn't sleepy at all. Like, I stayed up all night. And it was really thrilling and really interesting because, yes, you mentioned the human factor before. It's definitely the combination of multiple human errors that allowed us to get in. 


Like, for example, one of the first door was not locked. Well, this is not really an error, so to speak, but there was a special access gate, and so there was a gap under it, so we were able to go under, and then the door right after was unlocked. So two elements that allowed us to get in, and then we had to reach our targets. 


Gabrielle Botbol: And so this was when my acting skills came into use because the building was huge. So we were from one spot and we went all the other way and we did different stairs, and so we were able to access our targets. And the hardest one was the office. And it was very, very. We had to use ours. Well, at some point, there was someone who was walking the corridors to check that everything was okay that was coming. And so I remember I was so scared. I hid in the corner and there was a huge light that was going right on me, and I was sure I was going to get caught, but the person was arriving from behind me, so they did not turn their head, so they did not see me. 


And I saw my colleague, who was a little further and not in the light, and he was having his eyes pleading like, be careful, and we did not get caught at this point. And I think it was the most scary and exciting and a lot of emotions at the same time. And so this is definitely something that will teach you to, well, like you mentioned, for incidents to keep your cool. 

You really learn a lot about yourself when you do something like this. I didn't know how I would react in such a situation, and I ended up really enjoying it. And we had a ton of fun. 


And in the end, we were able to help the company make a better physical security and tell them, okay, at this point, you have to be careful that someone always checks this door. And also there were some funds on the tables. 


And also we were able, at some point, to find a card to a badge to enter the building. And so when we went out, we did not go back our way because it was too far. So we went out with the big gate, and so there were people that were here all night and all day, and so we went out using one of the cards we found, and we pretended it did not work anymore because we didn't know if it would work or not. 


Gabrielle Botbol: So we tried it and we went out. And so they were so surprised to see us getting out of the building, and we had to invent something on why we were here. Well, it's definitely something where you learn. Yes. To keep your cool and to apprehend different situations, unexpected situations, and to also, yes. The speed of your reactivity. It goes fast. So what do you do? That's what I learned from physical intrusion. 


Andra Zaharia: Thank you for sharing that story with me. I could feel the emotion and also the thrill, but also the fear, honestly, of, like, this has to go right because we still need to reach our target. And to me, that's one of the most intense ways of working. And honestly, in this field, it probably feels like nothing, like no other experience that you could possibly have. And it's what makes it truly memorable, of course.


So, one last thing that I wanted to round up this lovely conversation that had so many very helpful, very specific, very practical ideas is what's something that's super exciting for you right now? What is something that you're researching and spending time on and something that gives you that energy, and again, that juggles your curiosity in that way that feels really rewarding. 


[51:59] Gabrielle Botbol: So my hobby at the moment is to learn about API and mobile app pentest. And also I did a few presentations about this, and I always learn a lot, and I always have a ton of fun because this is something that we use for mobile, this is something that we use every day, and it's part of our lives. 


And so we definitely need to make sure that we are safe and that it's not breached or anything. 

So I really have fun with it and I really like to play with it. And also because we see more and more IoT devices, and I'm starting to learn about this also because there's a lot of different types of devices. So this is also definitely on my list of things to learn this year and maybe next year.


Andra Zaharia: Well, I hope you have time to enjoy all of these things and to enjoy the results of your labor. And thank you for everything that you shared with me today, from what makes a great pentester to your personal experiences, to learning, to all of these insights that you've gathered from doing a lot of hands-on work and doing it with such rigor and enthusiasm as well. 


Thank you so much for being on the podcast and I'm really glad we got to have this conversation. 


Gabrielle Botbol: Thank you for having me. 


Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us. One question at a time. 


Thanks for wandering through this maze with us as we tackle the nitty gritty flipped misconceptions on their heads and maybe, just maybe, made you rethink some of the things that are important to you. 


This has been the We think we know podcast by Pentest-Tools.com and before I sign off, keep this in mind. 


There's always a backdoor, or at the very least, a sneaky side entrance. 


See you next time.

Get vulnerability research & write-ups

In your inbox. (No fluff. Actionable stuff only.)

Related articles

Footer

© 2013-2024 Pentest-Tools.com

Pentest-Tools.com has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn!

Pentest-Tools.com has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge

Pentest-Tools.com recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo

Pentest-Tools.com is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.