It’s not just penetration testing, just like today’s guest is not just an offensive security pro.
If you’re the ambitious type who’s always up for new challenges, then you’re most likely going to resonate with today’s guest and his approach.
Experienced penetration tester and Volkis co-founder, Alexei Doudkine joins us in the second episode of the podcast to debunk pentesting misconceptions.
With 10+ years of offensive security experience under his belt and his learnings as a business owner, Alexei challenges the status quo to get other hackers to walk a mile in their clients' shoes.
You’ll also hear Alexei unpack the skills and mindset it takes to deliver quality in penetration testing and become a better ethical hacker. Some of these ideas may make you uncomfortable - and that’s why we believe they’re worth listening to.
Whether it’s about absorbing technical complexities like a sponge or developing an intuitive perception of vulnerabilities, this conversation highlights the aspects of penetration testing that make it a true craft.
So, come along with us on We think we know, as we unpack the layers and narratives shaping offensive security work.
Alexei Doudkine bio
Alexei is an offensive security maven with 10+ years of experience in activities spanning penetration testing, red team, physical intrusion, and social engineering.
Easygoing, but proud of the accomplishments achieved in past and current roles, he brings rich real-world experience to his work. Besides technical mastery, as the co-founder and offensive director of Volkis, Alexei focuses on building genuine relationships with people and making the world better through ethical hacking.
In this episode, you’ll learn:
Why it’s not about data, but how you use it and the human impact behind it. [12:24]
What it takes to develop your hacker intuition that tells you there’s something there - even before you have proof [15:25]
Why automation is not the problem, but using it as a standard checkbox in your engagements is [19:00]
How to use learning to also stay humble, rooted in the here and now [27:30]
Why it’s worth prioritizing people over security testing during tougher economic times [44:45]
The perks of being uncomfortable, hungry for learning, and doing your best work [49:20]
By the end of this episode, you'll look at your work - and the infosec community - with fresh eyes.
Resources from this episode:
Alexei on Linkedin
Alexei’s hacker origin story on the Volkis blog
Alexei on the Cyber Empathy podcast - Ep. 5, Season 1
Listen to this episode on:
Andra Zaharia: Only the most curious and persistent people thrive in offensive security. How do I become a better hacker? How can I build and maintain my advantage over adversaries? And what's limiting my ability to think creatively?
This podcast is for you. If you're the kind who's always digging deeper for answers, join me as I talk to some of the world's best offensive security pros about their work ethic, thinking, and real-world experiences.
This is, we think we know, a podcast from Pentesttools.com. It's not just penetration testing, just like today's guest is not just an offensive security pro. If you're the ambitious type who's always looking for a challenge, then you're most likely going to resonate with Alexei. Banking on his experience as a penetration tester, team leader, mentor, speaker, and co-founder and offensive director at Volkis, Alexei, brings a ton of real-world experience.
He's also as easygoing as they come, delivering truths and bits of wisdom with light-hearted humor. From noob to bona fide experts, Alexei connects the dots at every development stage in an ethical hacking career. He puts his finger on what makes the biggest difference towards reaching the next level. Whether it's about absorbing technical complexities or developing an intuitive perception of vulnerabilities, this conversation highlights the aspects of penetration testing that make it a true craft.
Learn how Alexei steps into the shoes of the business owners who get the results of his work, and how he stays grounded by facing the very challenges for which he prescribes solutions.
This episode is packed with power-ups to help you in your relentless pursuit of excellence. So if you've ever wondered about the heart, soul, and grit behind penetration testing, join us in this riveting episode. Trust me, by the end, you'll look at your work and this community with fresh eyes.
Andra Zaharia: Alexei, it's my pleasure to welcome you to the We think we know podcast, and it's such a great thing just to have you on the podcast and get to talk to you again. Really excited about this.
Alexei Doudkine: Yeah, likewise. Again, thanks for having me. We always have the best chats, so yeah, looking forward to it.
Andra Zaharia: Totally agree. Especially because today's topic is something that I know you care truly about and you've been so outspoken about this, and you've approached this topic from so many angles, both you and the team at Volkis. And I really wanted to just start with the biggest question, which is, why do you think some people think penetration testing is a commodity?
[00:03] Alexei Doudkine: I think some people try and make it a commodity. Right? It's just easier to sell it that way. Whenever something is a bit more complex and doesn't fit in a nice little package, people try to oversimplify it a lot of the time to the detriment of the service, which is unfortunate. But yeah, I think this is just driven by sometimes lazy sales practices. It's much easier to sell something that's commoditized.
Andra Zaharia: That is unfortunately true. And I say this, unfortunately, because penetration testing as a process, as a craft, loses something when you try to standardize it. What do you think it loses in this oversimplification process?
Alexei Doudkine: Well, the purpose of penetration testing is really to defend against a human adversary, right? Because we have human attackers, we need human defenders to stand up against them. That doesn't really work with things like companies selling penetration tests as just scans, or this new buzzword automated penetration test, which, who knows what that means.
You just miss a lot of the human ingenuity and the context behind doing these types of services. Like you're in a network, you see a file share, even if you have credentials, you see a file share. Anything automated isn't going to know if the credentials you have are supposed to have access to that file share. But you as a person, if you see a file share that says HR sensitive data or whatever the file share is called, and you're accessing this from maybe a receptionist's account, you're kind of going, that doesn't seem quite right.
Let's investigate further. And this is something that attackers will just see instantly. Of course, they're going to go straight for that. They're not even going to care to think about it. They see it, they open it, they pillage the data inside, and off they go. Suddenly you're the next company who's being asked to pay a ransom for the data that's been stolen.
Andra Zaharia: Yeah, and you touched on a super important thing here, in my opinion, the fact that while companies are trying to automate as much of the penetration testing process as possible, attackers are not. Their particular set of skills and experience is something that they use in a very targeted way, in very specific ways, because they don't want to waste time and they want to make the most of their time and get as much access and just as many resources as possible that they can monetize and just turn into cash.
Andra Zaharia: So what do you think penetration testers can learn from attackers in how they, let's say, hone their skills and their mindset, which is essentially the same? It's an adversarial mindset, but the huge difference is in the ethical part, obviously.
Alexei Doudkine: Yeah. I think pentesters specifically sometimes lack perspective in the final goal. A lot of the time. On the ethical side, I hate the term ethical hacker, but on the hacking for good side, we're always taught, to just find vulnerabilities. Just find vulnerabilities. You got to do it as fast as possible, because clients don't have much money, and they're not going to spend a bunch of money for you to sit around doing nothing, trying to bypass security controls that you might not need to bypass. Or sometimes you might, but you got to go fast. You got to find all the vulnerabilities, and that's it. What else is there?
Attackers don't really think like that. Obviously, they find vulnerabilities, but that's not their final goal. Their final goal is to do something on the victim's network, on the victim's systems, to their company. Is it just like a ransomware attack? Is it more targeted against a specific employee? Whatever the business does, is it something specific to that company? A lot of pentesters fall short of that. They sort of get to this point where, well, I've got access to everything, and then the client asks them, well, what can you do with that? And they're like, I can do anything. They're like, yeah, but what's anything? What would attackers do in this case? A lot of people struggle to really answer that question without taking that step further and really putting themselves in the mindset of the attacker and going, what would an attacker do in this case?
Andra Zaharia: That is very helpful, a very helpful perspective, and I think one of the areas of potential growth for many people who want to truly commit to the penetration testing process and truly do this as a craft, again, not as a commodity.
What were the, let's say, experiences that taught you the most and that helped you go beyond the stage of, let's just find and report vulnerabilities and explain what might happen into what helped you transition into this mature stage of knowing exactly how to explain these very palpable consequences that an attack might have on your client's infrastructure.
[10:27] Alexei Doudkine: Yeah, I guess I was lucky really early on. My manager and mentor and now business partner, Matt Strawn, drilled that into me very early on. Combine that with actually getting the chance to talk to a lot of people in the executive and board teams who are less technical, who don't really care that you got domain admin, but they do care when you can - well, it was one time, yeah. I got access to a CEO's email and found their ASIC key.
An ASIC is like the organization in Australia that used to register your business and everything like that. And basically with that key, I could legally change his company's name to something else entirely. I don't actually know if that's something attackers would go after, but I thought that was interesting. And I showed him and went, yep, I could just change your name to shit company PT, LT, or something like that. Right? And that resonated with him because it's his company, right? He built it from the ground up and doesn't want people to change the name of his company. So that's an example. But yeah, talking to people and talking to clients about what they actually care about, especially early on, changed that mindset for me. It was always originally for me, like just about data. We care about data and that's it, right?
Alexei Doudkine: But why do companies care about data? And this one in particular that I always remember there was a company I did a pentest for. And I always ask at the start, what's just your sort of nightmare scenario? What do you want me to really focus on? And they go, this company did counseling services, by the way, so specifically for families and with young children. And they had a bunch of records stored in this application. And they, basically said, yeah, if these records get out - and they were records about therapy sessions and counseling sessions and notes and addresses and everything like that - if this gets out, that's it, we are finished.
Not only are we finished, we could be criminally liable. Because..actually that was it. And I went back and did the pentest and after a little bit went, hey, here's all the data that you didn't want me to find. Doesn't matter how I got there. But I'm like, well, I sort of pushed forward a little bit and asked, well, how would attackers abuse this? And they're like, well, for example, a lot of the families that we deal with, one of the parents, usually the father, is abusive, and so the father is living somewhere else. The mother and the child are hidden from the father. The father doesn't know where they live, but if their address got out, that would be a pretty horrible situation, right?
Alexei Doudkine: And that particular example kind of always resonated with me that it's not just about the data, it's how the data is used and the human impact behind it. And of course, it's not always so doom and gloom, like financial organizations, big banks, okay, they're going to lose money, that's not great, but no one's going to die. Probably no one's going to be attacked physically, but yeah, that one always stuck with me. And so my point is just like, yeah, those kinds of early on experiences really cemented the importance of pushing beyond just the technical, beyond just: “I've got domain admin. Yay.” And taking it to somewhere that's meaningful to businesses, to people.
Andra Zaharia: To me, what you described sounds like a couple of stages that are really important in the development of an offensive security specialist, because the first stage might be a lot about practice, a lot about volume, a lot about data, like you mentioned, a lot about trying different things, seeing what works, and getting to learn just as much as possible. But once you progress to the next level, relationships start to be more important: relationships between your teammates, your and your client, relationships in your client's team, and their industry. Because it's relationships that get you the trust that you need to just go wild on your clients' network, of course, in terms of engagement. But relationships are also what give context and create that unique complexity that's very specific to a particular client. And this seems to be one of the most important aspects of what makes penetration testing a craft, and something that's very, again, particular and something that's very nuanced.
What else makes it a craft? I feel like one of the things that you talk about frequently is independence and how that plays into the way that you do things. And I was wondering if you could share a bit more about that and how it impacts your work.
Alexei Doudkine: Independence specifically?
Andra Zaharia: Independence specifically, in any other things that you see tied to the craft aspect of penetration testing.
Alexei Doudkine: Yeah, the craft specifically. I was actually at BSides, like I was saying before we started recording last week, and there was a keynote by Louis, the founder of PentesterLabs, who does education basically for security. And his keynote was about the different stages of learning, right? And, basically, he had these stages where novice, intermediate, and expert, like arbitrary stages, but he sort of goes, he had this point that really resonated with me.
[15: 25] Alexei Doudkine: You get to this expert level or the advanced level, and after a lot of practice, you get to the point where you look at the system you're trying to hack, which could be a web application or a network, and you just have this feeling there is something here and you can't put your finger on it. You can't specifically say why you feel that way, but you do feel that way. And most of the time you're right, there is something there. Not always, but certainly that feeling.
I don't know if it pushes you a bit more or if it's just this ingrained experience that, again, it's intangible, right? You just know. I don't know how to describe it. You look at a website and you just know. You play with it for half a day, even if you didn't find anything, you're like, there's definitely something here. And most of the time you're right. That's the craft of it. That comes from a wide range of experience, that comes from a lot of practice, that comes from recognizing that feeling and pushing through, just knowing that there's something there. It's just super important. And, in my opinion, that's where the craft of it comes from.
Alexei Doudkine: The independence thing is really just about blocking out the noise, right? Blocking out everything else around you and trying to do the best work that you can, trying to get the best outcomes for the client that you can. You don't want to have to worry about, like, if, I don't know, a lot of companies do this. They offer IT managed services to a client and they've also got a pentesting team as well. I don't know why you'd have both, but some clients have this and they sell both to the same client. They're like, oh, cool, we'll manage your IT, but also we'll test the IT that we're doing. That never made a lot of sense to me. Even if they have a good separation between the teams and everything like that, the person doing the pentest is just subconsciously going to go.
Do I really want to make my own company look bad? Potentially look bad, right?! All that stuff is in the back of your mind. We even consider things like how much stock an employee might have in a particular company that we might be pentesting. If they've got a large stock in that company. It might be - depending on how they think, actually - it might be in their best interest to do a really good job, or it might be in their best interest to not disclose these vulnerabilities, right?! In some cases, depending on how they think.
But still, my point is, it's this weird back and forth, potentially in someone's head of what the right thing to do is, being independent, being separate to like, we don't have to recommend this vendor, we don't have to worry about saying this EDR didn't work or didn't block us or whatever that means. We don't have to worry about any of that. We just sort of try and do the best objective work that we can for the benefit of the client.
Andra Zaharia: Yeah, again, very helpful and very honest perspectives on something that happens in the industry a lot. And just having the ability to retain this independence and fighting for it and perhaps not sliding into the hyper-growth or grow-at-all-costs mindset.
I think this is what sets apart people who truly care about penetration testing and help it level up, help it truly advance, and be prepared to help customers where they are now and where they're going to be in the future. And separates this from the commercial aspect of it. Who tends to dilute things, who tends to want to again, standardize, automate, and do this in a blanket way that's really not tied to context, that doesn't take into account all of the nuances.
Andra Zaharia: How do you feel when you see conversations around fully automated penetration testing?
[20:00] Alexei Doudkine: Yeah, look, before I answer that, I just want to say I'm a huge fan of automation, right?! I use it as much as I can, I'm a big fan of ChatGPT, it scares me, but I'm a huge fan of how much it helps. Even I, and we, Volkis, as a company, we do automate as much as we can. But you get to a point where you got to make sure the quality doesn't suffer. And that's why we sort of draw the line. It's like, well, over automation is the problem, not just not using automation and just sort of standard checklists. That's not the problem. The problem is that you just use those things. And so, yeah, that's kind of where I draw the line. It just shows, you know, organizations that do have this fully automated penetration test, and you just know, you just get this feeling.
It's the same type of company that goes, we find all vulnerabilities or we are 100% secure. It's that same kind of feeling that's like, well, it's too good to be true. At best, they may be a bit misguided and misunderstand the core concept of what a penetration test is and what the purpose is. At worst, they know what they're doing and it's basically taking advantage of customers that don't know better. I try to think that it's the former and that it's just a misunderstanding.
But yeah, it's frustrating because the result is just not there. The amount of times I've been on a penetration test and a client's gone, oh, how come? We did the same thing last year. Sorry, just one recently, actually, even this year. It got me in and I did a penetration test and they're like, we've been doing the same penetration test, same scope, and everything for the last three years.
And this one vulnerability, or actually a couple, but this one in particular, no one's found. And I'm like, man, this is like basic. I don't understand why this wasn't found. It's just known that the first thing I tried didn't work. The second thing I tried worked. That's all it took, sort of. And I didn't know what to say, right?! I don't know how. I'm like, I'm happy to read the report, maybe try and give some insight of the past pentest, maybe why they didn't find it. But this happens all the time. It wasn't just a one-off. It's like, why wasn't this found last year? Why is your methodology more thorough? All these questions, and I don't know how else to answer my clients other than to just go, I don't know. But this is standard for us. This is stuff that we find all the time. But yeah, to sort of go deeper into the automation part, you can tell when someone does this as a passion and when someone does this as they're jumping on the infosec bandwagon, security is this hot topic. They've got FOMO. They want to jump into this industry. There's a lot of money here, right?!
Alexei Doudkine: I got to get in here quickly. I got to get here as early as possible and do something in here while it's still a hot topic. And those businesses, I don't really want to see that much, because, ultimately, if they can get away with it, I don't care that much. But what I do care about is clients just aren't getting a good service. That's what I care about. It's just the quality is just not there.
Andra Zaharia: And then it hurts everyone, and it impacts everyone because these disillusioned customers will perhaps either avoid getting a penetration test in the future or just see it as a waste of money because they've been let down, and that disappointment transfers. And it stays with you because humans are wired to remember negative experiences a lot more than they do positive experiences, which can be a huge disadvantage for the entire industry.
And I feel like this situation you particularly described is one of the reasons why penetration testing had such a baggage that it just within itself in the industry. And I feel like it's an 80-20 situation. Like 80% of penetration testing is seen as low quality, just checkbox on a list that you just have to do because of regulations, but not something that can yield a lot of value, like disproportionately. Immense value to the, let's say, resources, and time, and effort invested, which it definitely can.
Andra Zaharia: So I was wondering, you mentioned some of the tendencies that tend to disconnect penetration testers from this craft aspect of their work besides this idea of chasing profit and just chasing the opportunity, the growth potential, and things like that. What are some other things that disconnect them from the, let's say, potential that this kind of work has to really elevate their expertise and give them even more chances of sustainable, durable growth in the future?
[25:44] Alexei Doudkine: Yeah, probably a big one is the willingness to share information and receive information. It's very dangerous when you find yourself in an echo chamber where everyone around you is telling you, doing a great job. We are the best. We do amazing work. But do you really talk to people outside? Do you participate in industry events or industry conferences? Do you talk to colleagues outside of your own organization? This is the main thing. It is genuinely hard to know if you're doing a good job or not. I, I go on many pentests where at the end I'm genuinely not sure. Like I get to the end and I'm like, man, maybe I missed something. I don't know, I feel like I did alright. But yeah.
How do you find out? You find out by maybe not in that instance, but in the long term, by talking to people, by constantly learning new things, learning more about what you're doing. Having a hunger for learning is a big, big thing, that's really essential in the industry because it is moving so fast. What else? Yeah, ego is always a big problem. You get the typical hacker ego that some people get going, I'm so awesome. I can hack into all these organizations and I'm a big shot. I'm a big deal. The Boris scene from GoldenEye. I'm invincible. I do feel like that sometimes. I'm not going to lie. I do feel like that sometimes as well. But you got to learn when that's valuable and when it's not valuable. And just staying humble I think is a big deal."
Andra Zaharia: And this is actually staying humble and just general modesty and being very rooted in the here and now.
Andra Zaharia: Something that I noticed about people who had like 20-30 years of experience in cybersecurity or people who have stayed with penetration testing as their main line of work for a really long time. And I was wondering, because you have over a decade of experience, how do you stay in this line of work? What kind of satisfaction, what kind of benefits do you draw from it that keeps you going and keeps you on this path that you chose? That's very driven by your values and that's very specific to what you want to accomplish and how you want to contribute to this space.
Alexei Doudkine: Yeah, over ten years. You're right. I should probably retire. Make way for someone else I've hated every moment of the entire decade. No.
Andra Zaharia: Welcome, happy to have your retirement and to have someone walk every day.
Alexei Doudkine: Don't give me ideas. That sounds too good. I don't know. Like I was saying before, a passion for learning, a hunger for learning. It does feel good when you do good work. I think regardless of the industry you're in, you do have some sort of self-feeling of self-achievement, self-accomplishment when you do a good piece of work. Whatever it is; whether that's a pentest, whether you've reconstructed a car, rebuilt a car, whether you're a hairdresser and you've done a really great piece of work for a customer, there doesn't matter what it is. If you're passionate about what you're doing and you sort of get this feeling, this rush of, yeah, that felt really good. I'm really proud of what I did. I think that always keeps you driven a bit more.
The environment that you're in has a really big part to play. Like, I've always been lucky that I've found myself in very good teams, very supportive teams. Everyone around me has always been very supportive of what I've wanted to do and given me a lot of opportunities in that space, obviously, within Volkis. But even before that, I've always felt very supported and that people around me want to succeed.
Very hard to do that if you're sort of always told that, no, you're good where you are, you're not good enough to do anything else. Just stay here. It is very hard to convince yourself otherwise. And just seeing the tangible benefit that the work that I do has on my clients, it's not always. It's not 100% success rate, obviously. But for the first part, I'd like to think that I see tangible benefits. It's never going to be 100% secure.
[30:40] Alexei Doudkine: I'm never going to tell them that they're unhackable now, but I can see that an attacker will struggle more after I've performed my pentest and they've remediated than they would have before that.
Andra Zaharia: And the fact that you made them more expensive targets is a huge achievement.
Alexei Doudkine: Yeah, it's weird. You see people behind that as well. Like I said, for me, it's all about people. Right?! Like you've talked about relationships before. For smaller businesses especially, you want to help them protect their business, especially now, as a business owner myself, that resonates with me so much more. I want to help them protect the thing that they've created. You don't want to have some other person come in and smash the science and Sandcastle away, so to speak.
But even in larger organizations, it's harder to sort of pinpoint the specific person or this one person built this because it's not just one person. And at this point, it's, well, I want to help everyone involved, not just the employees of that business, obviously, they've got their own families to feed and their own careers that they've probably been working hard at as well, but also that business's customers as well.
The customers that have trusted their data to that business, that have hopefully had some good services from them, they don't really deserve to be screwed over either. So it sort of grows from there. And when I'm doing my pentests anyway, that's really what I'm thinking of, trying to think of an example. But I have made recommendations that go against the best interest of the client. Well, I want to say in the short term, it probably goes against them in the short term, but protects their clients more in the long term. And then, in my opinion, in turn, protects them in the long term as well. Trying to explain that is quite hard. It's a lot harder said than done. Detail. Can I go into?
I can't go into too much detail, but basically, there was a mobile app that I was testing that just took way too much data from their customers' phones. They told me what the purpose was and we just went, this is too much data. You're taking too much data from people's phones for the purpose you're using it for. Our recommendation is to cut that down to just the bare minimum because, yeah, if you do get hacked, this will become a big deal for you.
This will become newsworthy. It became a bit of a big deal within their organization. They sort of questioned that finding, and we got on the phone with them and we talked to the CEO about that, trying to basically explain why from our perspective and the fact that we'd seen it before, that similar organizations would get hacked.
And then it's suddenly, why do you have this much data? I didn't approve you taking this much data. I don't really know what ended up happening with that. I don't know if they ended up taking a recommendation or not, but, yeah, that was an example. Of when we just had to stick to our guns, because, for us, the greater good was to protect their customers as much as it was to protect them.
[34:20] Andra Zaharia: And a penetration test is such a powerful way to gain self-awareness as an organization and as a team who is trying to support that organization to grow and to be stable and to avoid crisis situations as much as possible. Such as having an attack that truly impacts everything from finances to customers, everything that you've mentioned before, and having this ability to even raise these topics with a customer and advocate for them, I feel it's such an important service that you're providing, which goes again far beyond.
Andra Zaharia: It starts from a technical finding, but it dives into the inner workings of a business and the potential legal consequences. I feel like the technicality of it, the technical aspect of penetration testing offers the basis for some serious conversations around security, around risk management, around business processes, around training your team. And these are truly valuable aspects that define a company's growth, a company's just contribution to its community, to its ecosystem, and so forth. And all of these accumulated effects become, it just snowballs into something that's a lot bigger, which is why I really believe in the ability of penetration testers and other offensive security professionals to truly impact these decisions, these lines of thought, these conversations, which again are so instrumental to the entire ecosystem.
Andra Zaharia: What could help penetration testers see kind of this ripple effect that their work has? Like you mentioned, it's stepping outside your echo chamber, it's going to conferences and seeing what other people work. But how can they connect to the results of their work as their customers experience them? For instance, do you follow up calls after a number of weeks or months with your customers to see how these things impacted them in the short and let's say midterm, how do you connect to these effects? Because they can be quite far removed from one another?
Alexei Doudkine: Yeah, definitely. The sad reality is a lot of the time you don't not really like you can do follow-up calls. I'll get into that in a sec. But yeah, a lot of the time, especially from the end customers' perspective, customers of the business that you're pentesting. From their perspective, you're not really going to know. Unless you run into someone who happens to use that application, you're not really going to know. And it's such a small piece of the puzzle as well. In terms of how we as security practitioners help the organization, it's such a small piece like security is obviously important, but in terms of the entire organization, it's a relatively small piece, right?!
I'm happy to be a small piece, like, to do what I can, but I also recognize that it's not an all-or-nothing, right? My recommendations, there might be very good reasons to actually not accept my recommendations, which I don't have insight into. Someone else who has a better understanding of that business might make those decisions, but to actually get that feedback more immediately, the really good clients, the ones that use you for a lot of different services and come back year after year and maybe for different projects throughout the year, they're the ones that are going to give you the most feedback, right?
Because you're just talking to them the most. We have a couple of clients actually, that have done pentesting with us year on year and just seeing that improvement every single year, it's just evidence for me that this does work.
Like the first year, we basically broke in and got everything in half a day, right? Found as much as we could. Here's your report. Let us know if you need help fixing this stuff. Yeah, let's do it again next year. Next year they come back like, cool, the same thing. Let's go. Okay. Came back the second year, most of the stuff was fixed. Not everything, but yeah, it made our job much harder as attackers. So this time it took like, I don't know, a day, a day and a half, I don't remember exactly what it was. I was like, okay, still got in though. Even after a day and a half, it's better, but we still got in.
Same repetitive process. Right. Here are the new findings. Some of them we didn't catch last year, some of them were just new in that year, like new research. Third time came around and it's like, yeah, we spent the whole time trying to break in. We managed to get some things. We managed to find the vulnerabilities, but it was never to the point where we got domain admin and it's like, oh, awesome, right? That's such an achievement. It's not easy to do.
They took this very seriously. They genuinely followed our recommendations to the letter, basically, and implemented some of their own. So they really cared about this and it showed. They kept coming back, they kept doing the same thing. They kept improving. The fourth year they got unlucky. There was a new vulnerability that was discovered about a couple of months, two, or three months before we did the pentest. They didn't know about it. We did the pentest, we found it and it was a pretty severe one. So we did manage to get the main admin that time.
That was like active directory certificate services vulnerability, which was a pretty big deal. Like I said, you're never going to be perfect. But that was still so much harder than just three years ago. That did feel good. That did feel good to see that. It's also selfishly just a better pentest."
[40:49] Alexei Doudkine: Like when you're forced to really think outside the box and you're forced to come up with stuff that you wouldn't normally do. It's just more interesting. The puzzle is harder. I want the puzzle to be harder for a lot more organizations.
Andra Zaharia: That's absolutely a great source of both personal achievement, but also something that keeps you. The challenge of it just keeps you wanting to improve and wanting to learn. And it's this a-ha. Just unquenchable curiosity that's very specific to people in this space. It's one of the reasons why you do the work that you do, why people in the space are so into this kind of work, because this constantly, this intellectual challenge is always there. It's always there to give you an incentive to do things better.
And again, how we do things and why we do them, I feel it defines the type of work that penetration testers do, the kind of impact that they can have on the community and how far they can take this craft, how far they can take this process. Because like you mentioned, the process of it is what you control the most. You don't really control the outcomes because that's up to the company to implement them.
That's up to the people who decide what's important to them. It's influenced by context and so many other things, but the process of it, the level at which you do it, and the intent behind it, that's 100% under the control of the penetration testers. And I feel that it's still such a great opportunity to grow, not just as a professional, but also as a human, generally giving you that much space to evolve and to try things out. And the fun of it, of course.
Andra Zaharia: So we talked about several aspects of this craft aspect of penetration testing, and why it's so specific and unique. And obviously, there are no two pentests alike, even for a repeat customer as you mentioned, that you get to know really well.
One of the things that you talked about a bit earlier in our conversation was that your perspective changed a bit also when you became a business owner, and I was wondering if you could dive a bit more into that. So you mentioned there's this new layer, a stronger empathy towards business owners and what their responsibilities are, what their fears are, what they try to avoid or try to build towards. What's something else that has changed, you being a professional but also a business owner at the same time?
Alexei Doudkine: Yeah, I guess priorities, right?! It's given me insight. I've got we're a team of eleven people now, and every Christmas we're all remote, but we fly everyone down to the same place and we invite their families as well. So we get in a room and you look around the room and there's suddenly like 40 people in the room and you just look and you sort of freak out for a second going, how did this happen?
Priorities are important. I've sort of off the back of that, I've realized that although security is important, it's not the most important thing. If I can't take care of the people that I already have, what's the point of being secure, right?! So what I mean by that is a lot of businesses have fallen on hard times and we're in the middle of a recession.
[44:45] Alexei Doudkine: If pentests can be expensive, security in general is expensive. If you can't afford to pay your people next month, don't even worry about security, right?! There's no point. There's no point securing something that won't exist in a month or two if you don't prioritize something else. I know it's kind of like counterintuitive for me as a security professional to say that, but that's the reality that I found myself in. It also helped me try and figure out how to provide things in a more efficient way. How to provide services in a more efficient way, right?!
I say services because maybe not just pentesting, maybe the best thing to do for a customer isn't a pentest. Maybe they're not quite there yet. They're still a relatively small business, small attack surface, their environment is still maybe controlled by one person, maybe one of the founders, or they've hired one person to manage.
And they're at the scale where it's easier for them to literally go to every computer and update it rather than install some expensive security software to manage, to look at patch levels and some expensive patching software just as an example, right?! It might be easy to do that and cheaper to do that. So finding inventive ways to help clients stay secure when they do have a limited budget is something that I'm a bit more aware of because I've had to do that myself.
Andra Zaharia: Eating our own dog food is, I feel, one of the most powerful experiences that really stays with you and creates a lot of context and creates that connection to people who are on the other side of the screen, on the other side of whatever it is that you're doing and offering?
And I really appreciate that perspective. I feel like a lot of people could resonate with that and could learn from that, especially when you have to, again, communicate and explain what you found after an engagement. Again, that part, the delivery part, just like Alethe mentioned in another episode, it's all in the delivery, it's all in how you connect to the other person and how you manage to explain things, how you manage to really tailor them to what they need to, what they're interested in, to what they can do. So it feels like it's useful and doable for them, so it doesn't feel like it goes over their head or it's just too much. Again, with all priorities.
Alexei Doudkine: Yeah, I really want pentesters to go and actually perform some of the recommendations that they give, like actually do it if you have the opportunity. A lot of pentesters will obviously try it themselves, hopefully at least once in an environment that they've created themselves that has maybe one or two machines in it. Oh, cool, I've spun up an internal network with Active Directory and it's got one server with no actual users in it, with no actual staff. Try doing that recommendation in an organization with hundreds of employees and weird systems and systems that fall over for no apparent reason. I want pentesters to understand that you might think that a solution is easy, but in reality, when it actually has to be done in a real organization, it might not always be that easy. So going back to your other podcast, maybe have some empathy for the person trying to implement it and make their life as easy as you can make it. Yeah.
Andra Zaharia: What's something you've shared so many aspects of, again, the craft of penetration testing and a lot of practical things that go into this and why this is important and how it can benefit both the customers and the penetration testers and the community in general.
What's one thing that you'd like to see more of in the future among your peers and people who want to just evolve towards this kind of work?
[49:20] Alexei Doudkine: Yeah. Keep the hunger going, the hunger for knowledge. Keep fighting back against automated pentests and services that are obviously going to have poor results. We are a sally outspoken bunch, I feel, already. So even if you're in an organization that sort of tells you no, this is how you have to do it, question that. You question it on a pentest, why not question it within your own organization and within other organizations as well? I'm going to sit here and pretend that we do the very best work. Maybe we don't. Maybe we do. I don't know if you want to question something I'm doing or something my company is doing, absolutely, go ahead and do that. We will take the feedback on board. Yeah. Help each other, basically is my takeaway. Stay hungry. Keep learning. Dive deep. At some point, you're probably not going to learn much from doing courses or getting certs.
At some point, you're sort of on your own trying to find the next thing to learn. That's scary. If you're scared, that's good. It's a good place to be. Be uncomfortable.
Andra Zaharia: That's such a perfect way to wrap up this amazing conversation and this large stack of great ideas who are, again, very practical and who are such a good fit for this mindset that's so specific to this industry, which is, again, like working on your critical thinking, like you mentioned. Questioning things and trying to find better ways to do them, better ways to serve people, better ways to be ourselves, and just be kind to ourselves as well.
So thank you so much for this, Alexei. This has been such a great conversation, a great resource, and a huge inspiration. Thank you for that.
Alexei Doudkine: No, thank you. Thanks for doing this, as always. Yeah, love the podcasts you do. So thanks again for having me on.
Andra Zaharia: Ever wondered how deep the rabbit hole goes in the world of ethical hacking? Well, we're still falling, and we're dragging you along with us. One question at a time. Thanks for wandering through this maze with us as we tackle the nitty gritty flipped misconceptions on their heads and maybe, just maybe, made you rethink some of the things that are important to you.
This has been the We think we know podcast by Pentest-Tools.com and before I sign off, keep this in mind. There's always a backdoor, or at the very least, a sneaky side entrance.
See you next time!