[Vladimir Ichkov]

I had quite the confidence being a Linux sysadmin from before and then right after I passed OSCP, you know, I think the Dunning-Kruger diagram hit me, you know, where you feel like really confident and you don't know anything. So I was like there on the interview, I was like, you know, man, this guy's got nothing on me. Whatever they ask me, I can answer.

They can with any question that I don't know. And I went with it. Well, the thing is that I went with a huge smile as well.

So that's very important as well. So make the people that you talk to actually entertain them a little bit, like make them smile, make them laugh. If you make them laugh, you're going to pass the interview.

[Kyser Clark]

Welcome to The Hacker's Cache, the show that decrypts the secrets of cybersecurity one byte at a time. I'm your host, Kyser Clark. And today I have Vladimir Ishkov, a senior pentester with over 15 years of combined experience in system administration and offense security.

He holds both the OSCP and OSWE certifications. Vladimir has a reputation for strong analytical skills, deep technical knowledge, and a passion for hacking that extends well beyond his professional work. So Vladimir, thank you so much for coming on the show.

Go ahead and unpack your experience and background for the audience.

[Vladimir Ichkov]

Sure. No problem, Kyser. Thank you for having me here.

Wow, that sounds impressive. I must have socially engineered my LinkedIn profile really good. But anyway, so yeah, a little bit about me.

I currently work as a pentester at Bank of America. I've been with them for about three years. And then before that, I worked in a consultancy company for another two years.

So in terms of pentesting, I have about five years of experience. So my other 10 are from my background as a Linux system administrator, which I did a long time ago. And from them, I switched to cybersecurity.

So basically, that's my professional experience so far.

[Kyser Clark]

Perfect. And I'm a similar background, just less years. I had six years of system administration experience in the United States Air Force.

And now I have one year as a pentester. So yeah, being a sysadmin has really helped me become a pentester. So I'm curious, what your take is, and how has your system administration experience shaped the way you do pentest today?

[Vladimir Ichkov]

Oh, yeah, definitely. So it helped me a lot. So I had strong fundamentals in Linux operating systems when I was a sysadmin.

I learned quite a lot at that time. And then I actually started learning a little bit about computer programming and software engineering as well. So I started practicing with the C programming language, which gave me pretty good fundamentals into the programming field as well.

So it helped me a lot when I transitioned to cybersecurity. And when I decided to go for a pentester role, that actually really helped me with the preparation for the OSCP exam. So it literally took me, I think, about three months to actually get ready, prepare and actually take and pass the exam.

[Kyser Clark]

And why did you go from system administration into cybersecurity? And why did you choose ethical hacking and pentesting within cybersecurity over the other cybersecurity roles? What drove that transition for you?

[Vladimir Ichkov]

Sure. So why I switched, actually, because I always thought that something was missing when I was doing system administration. I loved, you know, playing with Linux systems and networking and stuff like that.

But then I was like, OK, so maybe I should switch to software engineering. Maybe I should become a programmer. And then after playing with a bit of programming and, you know, the C language and Python and stuff, I was like, OK, well, that doesn't sound like me, you know, like it's fun to create problems, but something is missing here.

And then I still remember back in the day, one of my friends discovered this website that was like a contemporary CTF, basically. I don't even know what a CTF was at the time. And he was like, dude, check this out.

You know, this is really cool stuff. So you got to go from a level to a level and basically, you know, pass different levels and you got to find like flags and stuff. It's really fun.

And then it's under Linux and it explores some topics like buffer overflows. So then I actually my first experience with hacking was creating buffer overflows on 32 bits systems. At the time, there was no ASR, so there was no randomization of addresses and things like that.

So it was much easier to grasp the concept. So I remember reading that article that everybody read at the time from the FRAC magazine. It was called Smashing the Stack for Fun and Profit.

It was a really cool article describing basically buffer overflows. So then I learned how to actually exploit buffer overflows in Linux systems. And I was really excited about it.

And I was like, OK, so well, what kind of job I can get with this? So at the time, I didn't even know that pen testing existed. So many, many years later, actually, the same friend that actually we were hacking with, he was like, OK, so why don't you because I was not doing actually Linux system administration anymore.

I was in a completely different field. So the guy told me, well, why don't you get back to hacking, you know, to the things that we loved back when we were like in high school. And I was like, bro, I really missed the train on this one.

You know, like it's been quite a while. Like, I don't even know if I can if I can still type commands on Linux. And he was like, well, I'll tell you what to do and then you can get a job with this.

I was like, well, what kind of job? They actually pay you money to do this? He said, yeah, there's this job called a pen tester.

I'm like, what? He's like, yeah, penetration tester. And I was like, OK, well, let me look it up.

It turned out that actually such a job existed in LinkedIn. So I looked up also the salaries about this. I was like, OK, so I'm still like in disbelief.

I was like, OK, this is something weird. Do they pay good money for that? Well, it turned out that they pay actually OK money with this.

And there's quite a lot of job offers on LinkedIn. And my friend told me, well, the only thing that you got to do is just pass OSCP and then you can get a job. And I'm like, pass what?

All right. So I looked up OSCP, some kind of a certificate about pen testing or something. And I was like, OK, so let me check if there's OSCP on LinkedIn.

So it turned out a lot of job offers actually require OSCP. And my friend said, well, you've got to sign up for Hack the Box. Go play some Hack the Box machines as soon as you hack a few and watch these videos by this guy called Hipsec on YouTube that we all love very much.

And then, you know, hit me up later. So I started with that and I really got I really got intrigued right away of the bat. So at that time, Hack the Box actually required you to to hack your registration in order to get an account.

So it was it was actually a lot of fun to, you know, with some JavaScript and stuff. And then I got a kick from it. And then I started playing Hack the Box.

And as soon as I solved six machines, I remember I signed up for OSCP. I was like, bro, I'm going for this. And that's how it started.

So after that, I, you know, I took the exam. I got really lucky that I passed from the first time. I got stuck really bad.

So like 12, 13 hours in, I was like like halfway there. Like I got like 60 points out of 70, I think that it was required. And I got really, really stuck.

But then luckily, I was able to pass through and pretty much the rest is history. So it literally took me two weeks after I actually fixed my LinkedIn profile and I put that I have OSCP to get a job. They hired me in two weeks.

So for those people that actually bashed on OSCP and Offsync in general, well, this is a real world example.

[Kyser Clark]

Man, I love that what you said there at the end. And that's actually a topic that I wanted to cover. And I was going to cover on a solo episode, but you're going to you brought it up.

So I'm going to cover it here. So you got your OSCP. And then quickly after that, you got the OSCP.

Sorry, you found a job after that. And you said there's people bashing OSCP. And I've also seen people bashing OSCP.

I've actually seen people say, I regret getting the OSCP. I'm not going to mention names. Actually, I don't even remember their name, to be honest with you.

[Vladimir Ichkov]

I saw that recent picture.

[Kyser Clark]

Yeah, I'm sure a lot of people saw it. But it was just someone complaining about the OSCP, how they regretted getting it because they couldn't find a job. And here you are finding a job to getting OSCP.

I found a job. I think the OSCP was one of the biggest keys to my success in my first pen testing job. But without it, I don't think I would have found a job as quick as I did.

We had a similar experience to OSCP as well. I got stuck 15 hours in too with one flag left. But yeah, so the reason I want to bring this up is because what do you think the big difference is between you and the person who passed OSCP that can't find a job?

What do you think is the key separator?

[Vladimir Ichkov]

Well, it turns out, so when I look in hindsight, I think probably the soft skills that I have when I'm on an interview, which I didn't have at all. But it looks like they worked for me. I thought that I had none, just like some technical skills and stuff.

So in the beginning, I didn't have much confidence in presenting myself on the interviews. So I think that that's what helped a lot. So a lot of people actually, I think they fall back behind on this.

So they might actually have to work a little bit on how they actually show themselves on the interview.

[Kyser Clark]

Yeah, that's a very valid point. And that's actually not the first thing that I think of is why this person couldn't find a job because this post also had something about how they'd never worked in tech, they never wanted to work in tech, they just want to go straight into cybersecurity. And I think that's the key to success is like having that tech background, like you did, like I did, you had that system administration background, I had a system administration background.

So once you get that OSCP, it does really open up a lot of doors for you because you have that experience. And I think a lot of people think like the cert is what gets you in the door. And that's not necessarily true.

You need the cert plus experience. And I know how do I get the experience without, without getting a job, you got to start at the low level, you have to be willing, in my opinion, and you might disagree with me about it, but you got to be willing to take those entry level tech roles, help desk roles, sysadmin roles, network engineer, whatever it is, and be willing to work those jobs before you get into cybersecurity. What's your take on that?

[Vladimir Ichkov]

Oh, yeah, definitely. I think that I had quite the confidence being a Linux sysadmin from before. And then right after I passed OSCP, you know, I think the Dunning-Kruger diagram hit me, you know, where you feel like really confident and you don't know anything.

So I was like there on the interview, I was like, you know, man, this guy's got nothing on me, whatever they ask me, I can answer. They can ask me any question that I don't know. And I went with a, well, the thing is that I went with a huge smile as well.

So that's very important as well. So make the people that you talk to actually entertain them a little bit, like make them smile, make them laugh. If you make them laugh, you're going to pass the interview.

That's how I feel right now when I'm actually interviewing people at work, because right now I'm on the other side of the fence where I actually have to interview people for pentesters like once in a while. And I'm like, well, I see how people are on the other side. And then I'm like, okay, what kind of person do I want to hire?

You know, I want to hire people that are maybe like close to me, like curious people, enthusiastic people that, you know, go out there and like show their skills. And even if they're not that skillful, you know, this can pass if they can make me laugh or like say something stupid or like a joke or something. I don't know at the right time.

So it's really important to work on those skills as well.

[Kyser Clark]

Man, that's a golden nugget of wisdom right there. I appreciate you unpacking all that. And, you know, I don't get an opportunity to talk to many people who get to sit on the other side of the interview table who actually bring in people into these pentesting roles.

So I'm going to have to ask you, what is like some of the biggest red flags that you see from people interviewing? Like you bring them in, you brought them in for a reason, because you saw something on their resume, something on their LinkedIn profile that made it look like they were qualified for the position, but then they come in and you say soft skills is important and you have to like the person. But is there anything beyond that where like people like say some, like do some certain thing that just says immediate, like, nah, this isn't a good fit for our company.

Like what are some of the red flags out there that you're seeing?

[Vladimir Ichkov]

I'm trying to think actually, I was not the person who picked the people for interviews. So at the end of the day, I don't really care about their resumes as well. If they actually, you know, made it up to that interview, the resume is not important for me.

So I sit in front of you, I see you for the first time you see me, I start asking you questions. And then from then on, I try to, you know, go deeper, you know, ask different in different directions. And I want to see if you actually are enthusiastic about it, if you actually try to think, even if you give me the wrong answer, but you actually, you know, elaborate a little bit, try to discover the actual right answer.

That's very important for me.

[Kyser Clark]

Okay, yeah, that's, that's a huge, important thing that I try to tell people, like, yeah, you never want to lie in the interview. And if you don't know the answer, it's okay to not know the answer. And it's okay to have, you know, tell the interviewer, like, hey, I don't know this, but I can learn it.

Or, you know, this is what I know about, I don't know the rest of it. But at least I know this, this and this about it. And yeah, that's, that's very good wisdom there.

[Vladimir Ichkov]

I think I've stumbled upon people who actually when you said red flags, well, it's not exactly a red flag, but some people try to give you like boilerplate responses of questions, you know, like they learn something, but once you start like tweaking it a little bit, and they block. So this is something that I've seen as well, which obviously probably will not going to work with me, you know, because I'm going to start digging until you get stuck somewhere, or I get stuck somewhere, maybe you know better, more stuff than me. It's actually not, it's not improbable as well.

But that's the whole point, you know, engaging in a, in a cool pen testing conversation.

[Kyser Clark]

Nice. Well, yeah, thank you so much for those tips and tricks for sure you're helping people out who are trying to break in the field as a pen tester. Before we dive into deeper in our discussion, we got to get to the security Mad Libs audience, those who are new to the show.

Vladimir will have 40 seconds to answer three Mad Libs or fill in the blank questions. If he answers all five Mad Libs within 40 seconds, he'll get a bonus Mad Lib that's unrelated to cybersecurity. So Vladimir, are you ready?

[Vladimir Ichkov]

I guess I am as ready as I can be.

[Kyser Clark]

Here we go. Your time will start as soon as I stop asking the first question. Vladimir, the most understood role in cybersecurity is?

[Vladimir Ichkov]

Pen tester.

[Kyser Clark]

The last time I panicked during a test was because?

[Vladimir Ichkov]

Time was running out.

[Kyser Clark]

If I could remove one law that affects hackers, it would be?

[Vladimir Ichkov]

Drug possession.

[Kyser Clark]

My hacking playlist always includes?

[Vladimir Ichkov]

The offspring.

[Kyser Clark]

The fastest I've gotten root was?

[Vladimir Ichkov]

10 seconds.

[Kyser Clark]

That's really incredibly fast. You know what else is incredibly fast? Your answer is you got it in 37 seconds.

Congratulations.

[Vladimir Ichkov]

Oh, man, you really caught me off guard with those a little bit.

[Kyser Clark]

Yeah, you did great, man. Yeah, I mean, yeah, that's the point of it. Just keep going.

It's a little fun mini game. It's a I really enjoy these part of the part of the show.

[Vladimir Ichkov]

I plead the Fifth Amendment of the United States not to incriminate myself.

[Kyser Clark]

Absolutely. So let's go ahead and do the bonus question. In the bonus question, you can explain as much or as little as you want to.

You can even dodge a question entirely if you don't think it's worth talking about. But here it is. It's a little silly, but I'll go ahead and ask it.

If you could swap lives with an animal. You would be? A cat.

[Vladimir Ichkov]

How do I have to elaborate on this? Why?

[Kyser Clark]

You don't have to if you don't want to. I was just waiting. I was giving you the space to if you don't want to, then you don't have to.

[Vladimir Ichkov]

So we're going to be talking about cats. Oh, that's a lot of topic. I think a lot of people can relate to that.

So what's your favorite Linux command? Cat. How do you read a file?

Actually, it's funny that it's called cat. But anyway, so what do you have? We have a cat, we have head command, we have a tail commands, all kinds of animal stuff related.

Why I would be a cat? I don't know. I just love cats in general.

I thought that they're fascinating animals. I love them for being super curious yet doing, you know, really demented stuff all the time and also being very aggressive at the same time. So it kind of relates to my character as well a little bit.

So yeah, that's pretty much the answer to the question.

[Kyser Clark]

Yeah, I love your explanation. And I also would pick cat because I love cats. I have two cats myself.

And my spirit animal is actually a white tiger because I am I feel like I'm ferocious, but I don't fit in with the crowd all the time. And that's why I'm a white tiger. And yeah, cats are cool because they're independent.

They are curious. And they are cute, soft and cuddly, if you treat them right. But if you mess with them, they will absolutely fight back.

And that's kind of my mentality with life. So yeah, great analogy. Also, another Linux thing, another cybersecurity thing, related to cats, Netcat.

Can't forget about Netcat.

[Vladimir Ichkov]

Don't leave home without it, right?

[Kyser Clark]

So your most interesting response from the Security Mad Libs was the most misunderstood role in cybersecurity is penetration tester. And you know, I agree with you. But before I explain why I think it's a pentester, I want to hear why you think it's a pentester.

[Vladimir Ichkov]

Oh, actually, now I hear the question. I told the most understood role. And I was like, well, now now misunderstood.

Well, I guess I guess go both ways. Why? Why Pentester?

Well, if it's a misunderstood role is because nobody knows what the hell you're doing. Developers don't know what you're doing. You know, what do you call that vendors don't know what you're doing?

Your boss doesn't know what you're doing. Only you know what you're doing. They're actually reporting some stuff that might or might not be there.

Unless somebody else proofreads your reports, of course. So yeah, so that's, that's why I think I think probably the role would be a bit misunderstood from people. And you kind of, you can get away with like, you know, BS sometimes that you put, but I don't I don't encourage that.

I always put like 100% of my, my skills where I can. And I'm really trying to identify vulnerabilities and report them. And I rarely actually get pushback from from developers.

I think they pretty much understand what I'm trying to show them. I've probably gotten pushed back maybe twice for the last five.

[Kyser Clark]

So yeah, I mean, that's a great explanation. And I, I agree with you 100%. That's, I've experienced that myself.

And I think you're spot on there. The first thing I think of when I think about pen testing being misunderstood is a lot of people confuse it with red teaming. And I actually kind of fell in this trap that I thought pen testing, I was going to be emulating threat actors.

And I mean, you are a little bit but at the end of the day, like as a pen tester, at least in my role, like I'm not emulating threat actor, I'm just testing the security of a network or a web application. And I'm not worried about being noisy. I'm not worried about evading detection.

I don't care if I send alerts to the blue team, because that's not what I'm doing as a pen tester. And furthermore, like I thought that pen testing was more of a red team role or red teaming is you get in you're evading detection, you're being sneaky. And you're just you're doing like actual cybercrime legal, simulated cybercrime with pen testing.

I don't feel like a hacker half the time, I feel like it's more QA for it more times than not. And don't get me wrong, like you get those opportunities where you're popping shells, but you're not popping shells every day. It's not as thrilling as I thought it was going to be.

And that's I made a whole video on this if you guys if the audience wants to check it out, it's a watch this before you become a penetration testers one of my most watched videos and explains my thoughts more, more fleshed out and more in a longer video. But yeah, I highly recommend watching if you guys truly understand what it's like to be a pen tester. Like what I the traps that I fell in coming in the field.

Now, I want to end on this like, just because I didn't think it was red team. It's not as fun as I thought it was going to be. I still absolutely love my job.

I'm totally glad that I went from just having a pen tester. I still very much enjoy my job. It's just a little bit more boring than I thought it was going to be.

[Vladimir Ichkov]

No, you said boring.

[Kyser Clark]

Yeah, I think it I think it does get boring. Sometimes I don't love it every day. I don't love it every day.

I don't love it every hour. And that's a fact. I do love it more times than not.

But it's it's for me, burnout is definitely a thing. And I'm not ashamed to admit that I love being a pen tester. I love what I do.

And I'm always trying to get better being a pen tester. But it is a grind for me. Like it's it's not always super fun to me.

I'm not having the best time every day.

[Vladimir Ichkov]

So my solution to that problem is that if it gets boring at work, go play hack the box. And actually mix up things with something different, solve some challenges, you know, like get back to basics, read some articles. And I usually do that on a daily basis.

So I kind of intermix my work with actually learning new stuff. And and that's how I don't get bored at work ever. So my work is basically a combination of me playing some challenges, trying to do some CTFs and things like that, or reading some hacking articles, trying to learn something new.

[Kyser Clark]

Yeah, and I have been doing that. I've been doing the Hack the Box Academy. I've been going through the CPTS.

Well, it's the Penetration Tester Job Role Path, which is the prerequisite to get the CPTS certification. That's one certification that I do want to attempt in the future. And I've been having a blast with it.

I think it's a really good course. And it has read that and DEF CON reignited my passion because I was facing like a lot of burnout. And I don't know, you're right, going to the CTFs is really fun.

And I think that is a way to revive the passion. But like, I think for me, what's what's difficult is, like what I'm in when I'm working with a client, and I'm in their network room on their web app, and I'm just not finding any exciting vulnerabilities, like no matter how hard I try, I'm like bashing my head against a brick wall, like the entire day, and I'm just stuck. That's when it gets grindy, because I'm not finding anything juicier.

I'm not finding anything that's, you know, a cool exploit. And I think a lot of it has to do with the fact that many of my clients like, have been pen tested longer than I've been a pen tester. Like they've been pen tested five, six, seven years in a row.

And then here I am, you know, a year and a half in my career as a pen tester. And I'm trying to find something that, you know, pops out. And don't get wrong, I do find vulnerabilities that were never exposed before.

But they're like low and mediums. I'm not finding those juicy, like RCEs and I'm not popping shows all the time. And that's where it gets boring for me.

I think finding root is the true, like popping a show is like, the biggest thrill. And that's why CTFs are a lot of fun. And in the real world, it's not as fun because you're not popping nearly as many shows in the real world.

And that's just my experience.

[Vladimir Ichkov]

Oh, that is true. Yeah. So, you're missing your dopamine kick, right?

That you get from a pop and a show. Well, you're right. It doesn't happen every day at work, but when it does actually, it's a lot of fun and it's very rewarding as well.

So, I myself probably, I think I have popped like three boxes at work when we were, for the last three years when I was at the bank. So, it was actually a completely different hack that I've never experienced before. So, it was one of those .NET systems that have the view state parameter that you can actually send serialized data in it and actually you can get a show from it. So, that was a pretty cool hack that I discovered and I haven't done it before in a challenge or a CTF or anything. So, that actually gave me a cool kick and I was like, okay, so this is why I'm actually doing this job. So, this is the fun that I get from it.

And then in the meantime, again, always you have 20 active machines on hack the box, try pop some shows there. There's plenty of those. Maybe try an insane machine.

Then you get really stuck when you know that there is a vulnerability there and you cannot find it. So, that's even worse.

[Kyser Clark]

Nice. Great wisdom. I appreciate those insights.

So, changing gears a little bit here, I want to talk about your OSWE certification because that's what's really made me want to bring you in on the show because OSWE certification is something I dabbled in that course. That's the Web 300 course from Ofsec. And one thing that was really hanging up, like one problem that I was having is that it required or it seemed like it required a lot of coding.

So, what do you think is the key to success when it comes to the OSWE certification?

[Vladimir Ichkov]

Oh, yeah. I will definitely tell you. So, if you're a little bit afraid of coding and writing exploits in Python, because when I started OSWE, I didn't have any Python coding skills.

I knew a little bit. You know, I actually created a couple of scripts and simple exploits in Python. I think actually when I passed OSP, we still had the buffer overflow exploit that we had to do.

So, you have to write a Python script, but it's pretty trivial. So, it was not that hard. But for OSWE, I was like, okay, man, I'm really behind with my Python.

So, that's probably what's going to get me stuck. So, on the contrary, when the exam actually came, what I got stuck on was actually chaining the whole, you know, the whole attack together. So, all the vulnerabilities within the web app that I was trying to hack.

So, I was trying to chain them together and just I was missing certain pieces. So, I couldn't get them chained, you know, dynamically, let alone writing an exploit. So, my breakthrough actually came, I think, 24 hours in the exam, because it's a 48 hour exam.

So, at the 24 hour, I was like, I had like one flag out of four or something like that. So, I had to get three flags or something. And I was like, man, I'm really going to suck at this one and I'm going to fail.

So, I accepted my fate. I went outside on the balcony, smoked a cigarette. I was like, okay, I need to, you know, get back to my senses, because I'm really not finding it.

And I'm not even ready to write the exploit. So, I'm not there yet. I cannot hack the system, I have the whole source in front of me.

That's embarrassing. Very embarrassing. And then I was like, okay, so I'm going to go and I'm going to brute force the whole code, like meaning like reading line by line, every little thing, every parameter to see what's going on in a specific field that I knew that the vulnerability was a specific kind that I'm not going to mention, you know.

But anyway, I knew that it was there. So, I was reading every line connected to that type of vulnerability to figure it out. At the end of the day, when I figured it out, and when I actually chained the whole thing together, I literally wrote the exploit in 30 minutes.

So, everything was in my head, the whole attack chain was there, and writing the exploit was the easiest thing that I've ever done. So, don't be afraid of writing Python code for OSWE. It's actually very, very simple stuff.

It's like literally statement after statement. You send the request there, you get a response. You parse this response, then you send the request somewhere else, then you parse the response, and then back again.

That's all there is to it. And then a couple of loops in between.

[Kyser Clark]

Thanks for explaining that. And yeah, that's good. That's good reassurance.

For me, I... So, I learned how to code Python pretty well. I like to consider myself like I was at the intermediate level.

And I was doing pretty good. I was very comfortable with Python. And I wasn't a developer by any means, but I could definitely write programs.

And I have an entire blog, if you guys thought, just check it out. It's my 100 Days of Code on my website, Kyserclark.com. It's also on my GitHub.

And yeah, when I got towards the end of the 100 Days, the last 25 days or so was just a grind, because I just started disliking coding. At first, it was super fun. But then it kept getting harder and harder, because that's what I do.

I progressively get harder. And then I'm like, dude, this is rough. I could never do this for a living.

Anyways, fast forward to the release of ChadGBT, because I learned how to program before ChadGBT came out. And now, like ever since ChadGBT came out, and even today, like I'm vibe coding, like almost everything I do. And it really, I feel like it really hurt my skills.

Because if you don't use them, then they do get rusty. And they do lower, in my experience. And I got so mad at myself that I let my skills deteriorate.

And I allowed, like ChadGBT to like ruin my skills. So now I do some more coding classes, just to, if I want to go after the OSWE, I think. So that's a long winded explanation of why I think coding is important.

But I do see a lot of people on LinkedIn, on YouTube, and a lot of influencers saying that you don't have to learn how to code to be in cybersecurity. And I totally disagree with that. Do you agree or disagree with that?

And what would you say about that? You don't have to learn, you don't have, you don't have to know how to code to be in cybersecurity.

[Vladimir Ichkov]

So I always avoided coding, if possible, when it comes to cybersecurity. But that was the moment of truth when I actually had to face writing my own exploit without using ChadGBT on OSWE. So that was actually really good for me that I actually, I felt that I'm not scared anymore after I actually passed the exam.

And I really felt, hey, you know, if I can do it, then, you know, anybody can do it. So it was not that hard to actually write the exploit. So I definitely think coding is a vital skill.

Definitely. So not only like reading code for source code analysis, but actually writing like snippets of code is very important as well for penetration testers. You don't have to be a software engineer to do like large projects, but you really have to know how to write like small snippets of code to automate testing if possible somewhere.

Or just in general, like just reading code should be something that every penetration tester should have on their belt.

[Kyser Clark]

I agree. And I need to get back in the coding. I need to stop relying on ChadGBT vibe code my way through everything because it's quick, it's easy, because like when you're in the middle of a pen test, you're like, man, I just need to write a code super quick.

And I overrely on ChadGBT nowadays too much because as one of the things you mentioned during your security Mad Libs was that you're running out of time on pen test engagements. You do have a time limit and, you know, time is money and time is precious on an engagement. So I'm like, man, I don't got time to sit here and troubleshoot my code all day.

Like I just want to get something that works like right now because I got to get this engagement done. Moving on. So in your current role as a pen tester at Bank of America, I'm assuming that's pretty big and complex environments.

So what's some of the biggest challenges you face when testing those large, complex environments?

[Vladimir Ichkov]

Well, what we do actually in my team, we test web applications only. So I don't do any network, internal, external pen tests anymore. I kind of miss it.

You know, I used to do that before when I was at the consultancy company, but right now we do web app pen tests. So I wouldn't say that there's like many challenges when it comes to testing that. So maybe sometimes you get more of a, you know, I don't know, just an authentication flow and things before you actually start the test.

There's like a bunch of hurdles that you might have to pass, but this is not related to the actual pen testing. After that, it's pretty much all the same to me. It's just a web application that I have to hack.

I don't care what language it's written on, what system it's on. I'm gonna find it and then start from there. Basically, I guess in order to make my work easier, I always try to get as much information as possible beforehand from the app teams.

Like for example, what kind of server it's running on. Is it a Linux machine, Windows, what kind of database, Oracle, whatever, MySQL, something, something. So the more information I get, the easier for me to start the test and actually prepare whatever.

If I do any automatic testing with Burp or whatever program we use, then it's much easier to actually do the whole setup. From then on, it's only you. You start like digging through Burp requests, responses, and you try to figure out the context of the app and do some manual hacking.

[Kyser Clark]

Nice. Thanks for unpacking that. Unfortunately, we're running out of time.

So I'm gonna ask you the final question. Do you have any additional cybersecurity hot takes or hidden wisdom you would like to share?

[Vladimir Ichkov]

Well, hot takes for the new people, you know, don't get scared to get on interviews. Go out there, show yourself, try to be as confident as possible, even if you are not. Fake it till you make it, they say, right?

So it's actually true for our profession as well. So try to be nice, smile, make people laugh, and then you're gonna pass interviews. Some people don't care about your skills, they care about your personality a lot more.

I'm one of those as well.

[Kyser Clark]

Great wisdom. Thank you so much for sharing that, Vladimir. And thanks for being on the show.

Where can the audience get a hold of you if they want to connect with you?

[Vladimir Ichkov]

If anybody wants to reach me out, I'm on LinkedIn. My name is Vladimir Richkov. They can find me there.

So no problem. Anyone is welcome.

[Kyser Clark]

And audience, best place to reach me is in the YouTube comments. Drop a comment, ask your questions, provide your insights, expertise, whatever you want. I will reply to those comments and I will see them.

Audience, if you are on audio, do me a favor, rate the show five stars. If you can see more than one episode, and you're really enjoying it, and you're really getting value out of it, it would help the show out tremendously if you rated the show five stars if you're on audio. If you're on YouTube, hit the like button, hit the subscribe button, and share the show with a friend.

Cybersecurity is a lot easier and more fun with friends. Audience, thank you so much for watching. Thanks for listening.

Vladimir and Kyser, signing off.

[Vladimir Ichkov]

Guys, thank you so much. Keep hacking.