Saturday, October 4, 2025

Security Testing Journal Entry | w/e Friday October 3, 2025 - "Besides the BSides" Ed.

Highlights for the week

Got a great feeling about October, and from the looks of my calendar .. that is justified!! A mentee wants in on the Pen Testing action. And I'm volunteering for BSidesNYC ... woot!

What We’re Grateful For

  1. I get to be here.
  2. Got a great family.
  3. Some money was given to us for good use.
  4. New opportunities showing up.

What We Loved

  1. Finally getting to go to BSidesNYC and volunteering.
  2. Gandalf Hacking postponed to next week.
  3. Got some great feedback with the AI prompt on "Husb.." fight scene.
  4. Re-assessed finances and consolidated a lot of balances down to two cards. Gotta make that money!!
  5. Got around to scheduling new appointment for DMV.
  6. Got a new doctor and hoping I can get to the new endo. This low-t thing is killing me.

What We Learned

  1. Finished Module 4 for Google Prompt and came away learning A LOT about prompts.
  2. Reading: WAHH Chapter 13 - [Status: In Progress]
  3. Hacking: TCM - Module 9 [Status: To Do!]
  4. Writing: Leveraged AI to expand on the fight scene between Mara and Dee. [Status: Done!] The feedback was amazing!
  5. Pen Testing (Bug Crowd): Need a new PT starting next week.
  6. Burp Suite: Bus. Logic flaws - [Status: Not Started!]. About to start CSRF, which aligns with the section in Chapter 13 of WAHH.
  7. QA Day: Continued work over the weekend [Status: In Progress]
  8. Gandalf AI - hacked around and did not find out! Prompt injection attack for level 1: [Status: In Progress!]

What We Longed For

  1. A great job doing cool sh**, with amazing people, making decent $$$ and benefits! Applied again to Perplexity (fingers crossed!)

What We Loathed

  1. Job Market in 2025. Unemployment is a real drag.

Saturday, September 27, 2025

Security Testing Journal Entry | w/e Friday September 26 - "The Rapture Cometh" Ed.


Highlights for the week

Around the world, this was an eventful week. The 47th president of the US continues to walk a path towards authoritarianism that no one is challenging him on. The death of a conservative influencer has done more to divide people than to unify them in solidarity against political violence. Tons of new hacking incidents. And the makers of AI are looking to spin up data centers that will each require the electricity of a small city to run, and millions of gallons of water to keep cool. Resources our infrastructure is incapable of supporting, yet money that could go towards improving the quality of our country is being diverted to these endeavors. It's a fast-moving freight train on a downward-sloping greased track with no brakes, headed towards a cliff.

Then there were rumors that caught fire, spread by some priest in So. Africa, that the rapture was imminent and that we would be wise to take action and repent!

As for me: I had a "down" week. Just didn't feel the verve to do much of anything. I fought the good fight in my head to stay disciplined in my workouts, but as for job hunting and learning stuff .. there was just little to no wind in my sails. Perhaps it's low-t, or the unemployment effects of all these rejections, but I'm on the last month before things go tits up and not even so much as a ping! from recruiters. Also, I got the "thank you, next" email from Spotify. I didn't think I had a chance, but it was worth a try. Not really broken up about it.

My son found pictures of me, back when I was in my 20s and full of promise. Still broke, but not nearly as traumatized by life. Can't remember if it was pre- or post-Andrea, but I just remember the good times. I want to be that happy again. I am not defined by my past. I am refined by it. And it's awesome to say I still have time to choose who I want to be.

What We’re Grateful For

  1. Friends, referrals, and good internet.
  2. I get to be here, another day.
  3. Family .. and a full 'fridge.
  4. As always, great health.

What We Loved

  1. This week was m'eh .. so not a lot to love. Cooking is always a blast!

What We Learned

  1. Reading: WAHH Chapter 13 - [Status: Not started]
  2. Hacking: New Weekly lesson with TCM - Foundational set up of lab for Active Directory. Module 9 is where it gets good. [Status: Done!]
  3. Writing: Need to expand on fight scene between Mara and Dee. [Status: Not started]
  4. Pen Testing (Bug Crowd): Continued Pen Test for items in scope for SR [Status: Closed]. Need a new PT.
  5. Burp Suite: Bus. Logic flaws - [Status: Paused]; Did SSRF instead. [Status: Done!]
  6. QA Day: Continued work [Status: In Progress]
  7. Gandalf AI - hacked around and did not find out! Prompt injection attack for level 1: [Status: In Progress]

What We Longed For

  1. As always .. a good job, making good money, with good people, doing cool sh**!
  2. Miss being in love; being held; kissing; s-e-x

What We Loathed

  1. Still sitting at 85% of no!

Saturday, September 20, 2025

Security Testing Journal Entry | w/e Friday September 19, 2025 - “And the beat goes on .. and on!” Ed.


Highlights for the week

Fall is around the corner and the weather has been spectacular. Gone are the days of high heat and humidity. Crisp temperatures, cool breezes, and sunny days are here. Job search has been abysmal. The cycle the same: see the job post > apply for the job > get rejected > see the job reposted.

Been listening to a lot of stoic philosophy videos on YouTube and have really improved my mindset. I've shut down the negative self-talk and I've replaced it with positive affirmation. I keep looking back on my time at Secure Ideas, and the more I study what went right and what went wrong, I am coming to understand that there was a lot I should have done better. I wasn't working to the level of my experience and I was humbled by just how much I still have to learn. The lessons learned were: need more experience; need to write better; blogging matters for the company in terms of sales and marketing; need more practice with PortSwigger Pro!

How I'm improving on those weaknesses:

  1. Been trying to find new projects in bug crowd, but struck out with a recent engagement. Will keep hunting for new ones.
  2. Wrote up a report for a recent project (NFL). Need to keep that up.
  3. Been learning a lot about AI. Does it help with pen testing? No. But I also learned how to hack them, so out of curiosity, I've taken a course on prompt engineering and read a book on agentic security. It's moving me in a particular direction ... a fun one.
  4. As for Portswigger, I only have the community edition so the issues that caused me problems at SI will remain unfixed for the time being.

What We’re Grateful For

  1. Grateful that MIL provided us with lunch and food.
  2. Grateful for friends in great places.
  3. Grateful that I get to wake up and enjoy another day of good health, vitality, and well-being.
  4. I get to be here .. now .. making the most of my time to stay happy and productive.

What We Loved

  1. Jumped on a new opportunity for a completely new role at Spotify. I'll be happy if I get it, but cool with not. It's a new challenge.
  2. Applied to Spirit Halloween store .. a fun seasonal gig. I'm not above seasonal work at this point. Some money is better than no money.
  3. And while I'm on the work tip, some new U-Tests sprang up adding to a packed schedule. It's impacted some personal projects which keep getting pushed further back.
  4. New Deadlift achievement - 270lbs. Personal best is still 305lbs.
  5. While on the workout subject, my son is now part of my morning routines. He is motivated to start exercising .. very cool! It has however altered my mornings significantly.
  6. Joined BSides-NYC as a volunteer. That starts in October, so super excited for that.
  7. While on the networking subject, joined "Raices Cyber" - NYC Chapter. A Latin American group focused on Cybersecurity. Need to up my networking game tremendously. As the saying goes, "you are the sum of the 5 people you surround yourself with." Right now, I have no one. :'(

What We Learned .. a busy week!!

  1. Reading: Read "Securing-Agentic-Applications-Guide-1.0" and learned several new things and frameworks to play with. [**Action item] Gandalf AI Hacking .. start!
  2. Reading: WAHH Chapter 13 - paused for work and additional tasks. This is for fun so less of a priority. [**Action item] Get back on it.
  3. Hacking: New Weekly lesson with TCM. Learned about brute-forcing logins, password spraying, and HTB. [**Action item] Need to renew that membership
  4. Writing: "Husb" New chapter about reckonings. Need to expand on fight scene between Mara and Dee.
  5. Work: A couple of new U-Test projects popped up forcing me to recalibrate my task list and reading.
  6. Pen Testing (Bug Crowd): New project started; it required credentials. After scoping, not a lot was possible. Will revisit scope and targets and try to test and write the report. It's all about the reps.
  7. Burp Suite: Bus. Logic flaws - paused for work; shall resume over the weekend as time allows.
  8. QA Day: Started practicing Playwright with TypeScript. The cool lesson learned: used Gemini to optimize my code for improved readability. Something I wish I had done at Unqork.

What We Longed For

  1. As always .. a job, money, health benefits.

What We Loathed

  1. The job market in 2025

Friday, September 12, 2025

Security Testing Journal Entry | w/e Friday September 12, 2025 - "Productive Week" Ed.


Highlights for the week

It was really a good week, personally. Accomplished a lot of what I set out to do with TCM and the Pen Testing. Job hunting still a slog, but I'm really positive something will turn up soon. I think my resume is working against me, but I also think having the "Security Consultant" role on there when looking for QA roles might be problematic. I dunno!!

Finally got some health insurance, so it will be interesting to look into getting my hormones checked out. All the symptoms of low-T are present: Vision is hazy at times; libido is in the toilet; no weight loss despite a consistent workout regimen; testicular atrophy. So bad!!

As I close another week, I'm grateful I have the means to keep the house happy. My son is making moves and getting started on his future. Wife is nesting for the holidays and getting into the Halloween spirit. I need to be the pillar they can rely on. Been focusing on stoicism and getting my mind back to a good place. So far, so good! Gotta keep grinding!

What We’re Grateful For

  1. I get to be here!
  2. I get to wake up to a comfortable bed.
  3. I have my health and well being.
  4. I get to have a home where I can learn cool things.

What We Loved

  1. It was a good week!

What We Learned

  1. Pen Testing - Finished NFL web app pt. Wasn't able to get to the mobile apps. Known issues kept testing. Lost a little momentum coming back from vacation.
  2. TCM - Completed Week 6 and learned a lot about enumeration during the external network pen testing effort. Need to look into HTB servers.
  3. AI - Learned to prompt more effectively. Need to practice Gandalf AI hacking !!So Fun!!
  4. WAHH - Moving through chapter 13; Read about HTML injection. The lesson is to keep inputs sanitized and have anti-clickjacking in place.
  5. Portswigger - behind on revisiting the "Business Logic Flaws" module. Will make time for it on the weekend.

What We Longed For

  1. As always, needing a job .. a good job. Praying for that good job doing cool things with great people.

What We Loathed

  1. The lack of phone calls and fake job posts after 4 months is bad.

Friday, September 5, 2025

Security Testing Journal Entry | w/e Friday Sept. 5, 2025 - "Rested, Relaxed, and Recharged" Ed.


Highlights for the week

Coming home from a much needed vacation was awesome. The 10 days spent away from everything was necessary. While I didn't get the chance to actually sit with myself and reflect on what I want out of life, I wasn't dwelling on the dumbshit I've done. I still feel a bit down about what happened at SI, and my confidence is at an all time low, but this week has been full of small wins and I'm feeling a little better. Sometimes I do get those pangs of guilt and self-loathing. The gym is my therapy and I have been the most disciplined as I have ever been in my workouts. I still don't have a solid diet, but I try not to eat like trash either. I aim to apply that discipline to my studies and work habits.

What We’re Grateful For

  1. Grateful to have been able to spend time away from the job rejection madness.
  2. Dark days at the start of the week led to beautiful days (Friday!!)
  3. Grateful to be back to good physical health, still working on the mental.

What We Loved

  1. Continued with Bugcrowd PT .. need to tackle the areas I marked off as points of interest. The week has been busy!!
  2. New pen test - app is https://voocab.com, and the backend url is https://api.voocab.com. Gave it a solid 6 hours of my day, pro bono! Client was happy.
  3. Picked up U-Test Application at the start of the week .. made some $$

What We Learned

  1. Portswigger practice with business logic flaws - postponed to the weekend.
  2. WAHH Chapter 12 - completed; Chapter 13 started.
  3. TCM Lesson - On to week 6; need to complete the assignment of building out the Lab.

What We Longed For

  1. Should strongly consider making more contributions to my github by way of 2025 projects. Typescript, anyone?

What We Loathed

  1. Rejections! Getting the rejection email then seeing the job again reposted later makes me wonder why they bother.

Sunday, August 17, 2025

Security Testing Journal Entry | w/e Friday August 15, 2025 - "Vacation" Ed.


Highlights for the week

It has been another quiet uneventful week. Some jobs applied to. Some jobs rejected. The circle keeps turning. I don't quite feel the fire like I once did. I'm trying really really hard to reignite the passion, but I've never been more disillusioned, disheartened, and disappointed in myself. I'm working on healing and silencing the negative talk, but every-so-often I'm haunted by the failures and the mistakes. Every week that goes by is a week that I kick myself for doing all the dumb sh*** that brought me back to the dark place ... the place I fought so hard for the last two years to get out of.

On a personal level, I've been listening to a lot of Jim Rohn and his videos have helped me get into a better headspace. Some of the quotes include:

  1. Failure is part of the process. YOU'RE NOT A FAILURE - YOU ARE FORMING!!
  2. Falling short is learning.
  3. Keep showing up. Some days will feel like nothing is working. Keep going. Keep showing up for yourself. 1000 imperfect steps

Two main things I want to focus on for this trip: PURPOSE and REBUILDING TRUST

  1. Purpose: is living in alignment with your values, your standard, not someone else's expectations.
  2. Rebuilding Trust: Rebuild trust by aligning your actions with your values.
  3. Character is built by your habits, repetition, and daily decisions.

Conclusion: Quit doing the dumb shit!! Stay disciplined. Discipline is the highest form of self-love. It rebuilds compassion. It rebuilds confidence and trust .. one small action at a time. One win every day. Stay consistent. Repeatedly.

Non-sequitur: I really need to get myself checked out. Feeling all the symptoms of low-t and possibly enlarged prostate.

What We’re Grateful For

  1. Grateful that I get to wake up and enjoy another week.
  2. Looking forward to the upcoming cruise and much needed escape from the dark cloud.
  3. Grateful that I have the energy and

What We Loved

  1. Love that vacation is next week. Going to rest, relax, reset, and reprioritize. Another cruise w/o a job is icky, but these are not fun times!!

What We Learned

  1. Started a new pen test project; given it's football season, it only made sense to test NFL.com
  2. Learned about Portswigger's SQL Lab - Visible error-based SQL injection to finish WAHH Chapter 9. Without PRO version, this was a daunting suite of labs.
  3. Completed week 4 of the Network Pen Testing videos. I'll probably double up on the lessons when I come back from break.
  4. WAHH - Chapter 11, just started and learned about some scenarios involving exploiting flaws in business logic

What We Longed For

  1. As always, longing for a paycheck

What We Loathed

  1. The fact AI is becoming the excuse for laying off so many people.
  2. Hating the job hunting process. Getting rejected from a job only to see it reposted is infuriating
  3. Registered for DOL Cybersecurity training only to find out it was not as advertised

Friday, August 8, 2025

Security Testing Journal Entry | w/e Friday August 8, 2025 - "Weak Week" Ed.


Highlights for the week

Another week where emails and phone calls were silent with job prospects. It has been exactly 3 months since my time at SI and as I've written before, I'm not handling it well. I should have been happily employed, celebrating ONE YEAR in my new role as a security consultant. Instead, I'm back in the gulag of my own ineptitude. I haven't been sleeping well. My workouts have been steady, but not seeing the progress. And I'm gaining weight .. thinking it's a low-t thing. The loneliness of not having anyone reaching out, or the fear that I may never land another job is really weighing on me. The motivation to even get up and keep moving forward has been tough. Discipline is how I operate.

The phrase, YOU FALL TO THE LEVEL OF YOUR TRAINING keeps bouncing around in my mind. As I meditate, I'm beginning to see just how true it is to everything I do and who I am.

Accepted another QA test cycle on U-Test (yay!)

Struck out on yet another HackerOne Pen Test (boo!)

What We’re Grateful For

  1. I am absolutely grateful that I still have air in my lungs, food in the 'fridge, and money in the bank. God is not done with me.
  2. Grateful that I get to watch my son coming to his own with new opportunities.
  3. Grateful that my partner hasn't left. I've given her plenty of reasons.
  4. New workout - alternating days off. Days Off = active rest days, so no real laziness

What We Loved

  1. Not a lot to love this week.

What We Learned

  1. Learned to test localization on native android app for Red Cross
  2. Network Pen Test week 3 in the bag - built a crappy network scanner

What We Longed For

  1. Longing for a proper job.

What We Loathed

  1. Nothing to really loathe except for the situation I am in of my own doing.

Monday, August 4, 2025

Security Testing Journal Entry | 90 Day Evaluation


Evaluating the past 90 days since my separation of employment from Secure Ideas

What We’re Grateful For

  1. First and foremost, I am beyond grateful that I get to wake up, have food in the 'fridge, and clothes on my back.
  2. I am grateful to the Lord (and grandma watching above) for answering my prayers. All outcomes were self-inflicted.
  3. Grateful to have the opportunity to continue with my security testing journey, having all my faculties in place.
  4. Grateful that I have a wonderful family and that we are getting through this as a united front.

First 30 Days: 1 - 30

Post firing, I was a mess. I was a combination of self-doubt, frustration, anger, depression, anxiety, and rage. Above all, I was disappointed. I let my friends, family, co-workers, mentor, and everyone else down. I was ashamed at failing ... yet again ... through my own negligence. At the end of the day, I had no one to blame but myself. I wrote up several red flags I uncovered as I reflected on my 9-months at SI, but this is all on me.

The job search in the first 30 days was abysmal. I was frustrated to be back under the dark clouds that had plagued me for the past 2 years. Embarrassed to have to file for Unemployment Insurance .. again. Humiliated at the thought of having to return to Welfare / SNAP.

Spiritually, I was a mess. Full of doubts, hopelessness, and lack of motivation. I was in a downward spiral of self-induced chaos.

By the last week of that first month, I had a breakdown and cried a bit. I motivated myself to reflect on what went well and where I failed, and just wrote about it.

Next 30 Days: 31 - 60

The job search is still a shit-show. No real progress. Not even so much as one interview.

Finding time to revisit and re-learn new skills. HackerOne has been a small blessing. Haven't made much progress as I keep finding crappy projects, but it's all about the grind at this point.

Made some new connections. Tried to reach out to recruiters .. no answer.

Recent 30 Days: 61 - 90

Professionally, things are not any better. To date: 62 jobs applied, 21 declined. Just as many have not responded at all.

Personally, in a much better place. I've been getting back into the spirit of things. Working out has helped. Sleeping better too. Set a routine of consistent workouts, steady work, job hunting, and making time for education.

Vacation in 16 days!!

*** RETROSPECTIVE QUESTIONNAIRE | EXTREME OWNERSHIP ***

Q1. What were the problems that led up to your termination at SI?

  • Issue-01: Performance - I was not performing to the level of my role and fell way behind the matrix to level up.
  • Issue-02: Reporting - I was underperforming when it came to reporting, making it unnecessarily burdensome when collaborating with others. This was proven in the last two reports prior to my dismissal in May. Although feedback was positive and encouraging, too little .. too late.
  • Issue-03: Testing - I was irresponsible testing the file upload component and stupidly pulled in a link I had recently downloaded from a Zoom invite, hoping the component was going to reject it.
  • Issue-04: Technical Acumen - Still had some demonstrable concerns as it related to working with Burp Suite Pro!
  • Issue-05: Communications - Subpar quality as it related to blog posts, which revealed communication issues and inexperience.
  • Issue-06: Social Engagement - There was a lack of community engagement. I was not getting the right opportunities nor was I actively taking the initiative to make this happen.

Q2. What were the consequences?

  • Issue-01: Performance - The consequence of not being level-set properly was failing to meet expectations set for the current level I was working towards.
  • Issue-02: Reporting - As stated, I was improving. I did well on reports that had contributors with solid notes. I struggled bad when context was missing. The consequence, especially in the last two reports, was extensive re-writes, editing, and delays. Up to that point, I never ever had a report go out late.
  • Issue-03: Testing - This was a complete aberration. I should have known better. The consequence was a potential violation of some policy as well as introducing unnecessary risk to the client.
  • Issue-04: Technical Acumen - Needed a lot of help from superiors to get me to a good point.
  • Issue-05: Communications - Blogging required work.
  • Issue-06: Social Engagement - N/A

Q3. How did this hurt the team?

  • Issue-01: Performance - Showed I could not be relied on to get the job done.
  • Issue-02: Reporting - Added unnecessary work to others on the team.
  • Issue-03: Testing - Placed the team in a precarious position, even if it led to a good vulnerability finding.
  • Issue-04: Technical Acumen - Constantly needing help instead of being self-reliant proved burdensome.
  • Issue-05: Communications - Not really an impact to the team as my work never made it out of draft. It did waste people's time.
  • Issue-06: Social Engagement - Nothing bad .. but no way for me to promote SI to the NYC family. Still felt too new!

Q4. How will you prevent a future occurrence?

  • Issue-01: Performance - Keep practicing!! Will work twice as hard and keep practicing to improve. Will need certification(s) a.s.a.p!
  • Issue-02: Reporting - Keep practicing!! Remember that not every team has the same process .. but follow it and get help when stuck. Use AI!!
  • Issue-03: Testing - Keep practicing!! Ask questions when in doubt.
  • Issue-04: Technical Acumen - Keep practicing!!
  • Issue-05: Communications - Keep practicing!! Work at improving your writing skills to be more technical. Time and experience will play a large role.
  • Issue-06: Social Engagement - Keep looking for new opportunities!!

TAKE ACTION - EXECUTE! PROVE THAT YOU CAN BE COUNTED ON .. FOR YOURSELF, YOUR FAMILY, AND YOUR FUTURE. DON'T QUIT!!

Friday, July 25, 2025

Security Testing Journal Entry | w/e Friday July 25, 2025 - "Chances Past, Present & Future" Ed.


Highlights for the week

CELEBRATING WINS:

A decent week of jobs applied to. Sadly, a few rejections. The market for 2025 is the worst that it has been in quite some time. I'm not about to be one of those who is going to bitch and moan about how bad things are. Although my energy this week has been somewhat low, I have to put out the good vibes. Positive Mindset and what-not!!

I haven't deposited my Secure Ideas retirement. Gotta wait until I actually have low enough funds to show a need for Medicaid/SNAP (again!!). Another company had some money sitting in an account that was still available. Got that situation squared away and more money made its way to my bank (yay!).

I'm back on the HackerOne circuit, trying my luck at another pen test. I opted for a network pt, but I wasn't able to gain anything out of it. The new engagement has issues around logins and I'm blocked. Job search is still a grind!

What We’re Grateful For

  1. I prayed, God answered in the form of another blue jay feather .. a good luck charm
  2. Grateful as always that I get to wake up, work out, and live with food in the 'fridge, a roof over my head, and clothes on my back
  3. Looking forward to the upcoming vacation for Lorenzo's graduation. I will NOT be bringing low-vibes to this vacation like I did on Royal Caribbean
  4. I will forever be grateful for the support of my wife (despite wanting the divorce some time back), and support of mom

What We Loved

  1. Prayed to God and feel like things are going to happen when they are meant to happen

What We Learned

  1. Finally started the "Network" Pen Test video lecture series. First week was getting the environment set up
  2. Moving through Portswigger stuff - tried my luck at "Mystery Labs" and found some were challenging
  3. WAHH - Chapter 10 ... near complete. Bit of a grind, but all good stuff. A lot to learn
  4. Made some new connections on LI

What We Longed For

  1. Miss my security job more and more, but I'm humbled by how much I still have to learn

What We Loathed

  1. More rejections this week
  2. Reached out to a few recruiters and not one responded back

Saturday, July 19, 2025

Security Testing Journal Entry | w/e Friday July 18, 2025 - "Downward Facing Slog Ed."


Highlights for the week

Not a lot of highlights for this week. Started the week off with a rejection. Feeling like I'm never going to land a new job in Security. Posted a mini-rant about it, and got somewhat skewered by the community. Maybe it's me and I'm wrong. The consensus was that hiring folks will tend to favor CVEs (Common Vulnerabilities and Exposures) as proof-of-experience, over none. I want to keep going, but this week is a drag. Tuesday was a rough day. Over 40 jobs applied to, and still not one word in the positive. I've reached out to some recruiters expressing interest, nothing but silence.

Wednesday through Friday were productive, and it's been a drag to get to the gym, but I got it done. Sitting here on a Saturday and I'm tired .. mentally and physically. No Leg day for me. I realized I had worked out from last Saturday through Thursday straight.

What We’re Grateful For

  1. Still have my health.
  2. Upcoming trip for son's graduation.
  3. Wife is still around, amazing as ever. This 'quiet divorce' has been weighing on me and it's all my fault! Another thing I need to fix.

What We Loved

  1. Not a lot to love this week.

What We Learned

  1. Sat through an amazing walk-thru on attacking LLMs
  2. CVEs are the way to go for recruitment and landing a job as a Pen Tester.
  3. Working through another HackerOne job. Not a lot happening .. just going through the motions.
  4. Finished Chapter-9 of WAHH. It's about attacking Data Stores, SQL injection and what-not.

What We Longed For

  1. A great job and a great paycheck. I had it then lost it.

What We Loathed

  1. Getting rejected from a good job.
  2. Failing the assessment, yet not getting word on what was missed. Definitely gotta try harder!

Saturday, July 12, 2025

Security Testing Journal Entry | w/e Friday July 12, 2025 - "My Nine Months at Secure Ideas" Ed.


Highlights from a career pivot

What we learn from failure, and what we do with that knowledge, is what matters — M. Bloomberg

So here's a quick recap of how it went with my time at Secure Ideas since my last post:

  1. JANUARY

    • THE GOOD:
      • Had just come back from holiday break. Lots of report writing and CISSP. Lots of constructive feedback and learning.
    • THE BAD:
      • Attempted my first blog and received some feedback regarding the subject. Completely missed the assignment.
    • THE UGLY:
      • My inexperience was showing.
  2. FEBRUARY

    • THE GOOD:
      • Awesome client-facing experience (funny guy!).
      • Documentation for mobile is on-point!
      • First network PT went well.
      • CISSP studying going well.
    • THE BAD:
      • End of month - the project was severely underscoped, had to do way more as a junior; no help from partner (who was a principal).
      • Needed to pull in extra resources to get API test to done
    • THE UGLY:
      • The report for the project was late because we ran into issues early in the project.
  3. MARCH

    • THE GOOD:
      • Learned a lot about passive recon.
        • VHosts - one server, multiple hosts (IPs / websites).
        • PTR records (reverse DNS lookup) - a PTR record is a "pointer record" that returns the name for a given IP address.
      • Be quiet; no actively interacting with the host. Recon: learn as much as possible about the external footprint, looking for host names, CIDR subnets, and domains.
        • Following any kind of scan, be sure you save it and upload the data to Engagements.
        • Access-Control-Allow-Origin is missing - its absence is intentional; it keeps security tight by blocking cross-origin AJAX calls.

    • THE BAD:
      • CISSP Studies - need more practice. Struggling a little bit to keep up.
    • THE UGLY:
      • rookie-mistake no. 1 - Had a report go out where I forgot to update the TOC until late. Whenever there are any kind of structural changes to the report, where headers are renamed, always always always update the TOC right before pushing it up for review. How did it happen? We got hung up in the details of the bigger finding and made sure all pertinent details that mattered were in, and I forgot to update the TOC.
  4. APRIL

    • THE GOOD:
      • Holy Week .. lots of reflecting and gratitude for the good job
      • Spent a lot of time with our home-grown Vulnerability labs ... good practice with API testing, CORS, etc.
      • Moving through API training with great success; Active Directory home lab completed; Finally got a blog post published.
      • Lots of compliments on the documentation revamp.
    • THE BAD:
      • rookie mistake no. 2 - as mentioned .. not updating the TOC.
      • rookie mistake no. 3 - During the meeting with the client a JS vulnerability was recorded with no corresponding CVE. It was found during the call (a proper search). How did it happen? Not searching diligently enough.
      • rookie mistake no. 4 - I reviewed a report I had helped write. The feedback was for the new content. Per the process, anyone who collaborates on a report, or helps to write it, cannot be a reviewer.
      • Another quiet week not on a billable project. Feeling a bit worried / vulnerable / insecure about my work. And with taking off on 6/25, it moved me off a project, putting me on the bench from the end of May through June and beyond. I've been assured things are going to pick up, but I've heard that before ... it didn't end well.

    • THE UGLY:
      • rookie mistake no. 5 - As I had completed several blog posts, one of them set off alarms.

        The repositories I was referencing were NOT for public use.
      • Mentor has been MIA for quite some time. Without his help/guidance, been feeling like I'm drowning. Truism: No one is coming to save you!
      • Some steps in the client-provided documentation were missed. Something to do with sign-up .. can't remember
  5. MAY

    • THE GOOD:
      • Got to see Mom for her birthday!
      • Had a productive week where I got to help
      • New project with my "AWOL mentor" and favorite API wizard
    • THE BAD:
      • Things started to come unglued after the ZERO report.

        rookie mistake no. 6 - I tested the file upload component on the website like QA, not HACKER. In so doing, I uploaded a link from an app that should absolutely NOT have happened. It led to finding a vulnerability, but because of the way this was tested, I presented the likelihood of introducing risk to the client and putting SI in a bind. As it were, the component was inadequately tested. I've corrected this mistake, but this was bad!!

      • rookie mistake no. 7 - failing to follow process.

        I thought the report was good-to-go, and in my hubris, put it up for review. The report feedback was scathing and the CEO torched it. Although it was collaborative, and it could have been done better, the authorship fell on me as the primary agent responsible for it. NO BUENO!
      • New project the following week, and everything went well until the report. It took several rewrites and a lot of late nights to get it to done. Another situation where I was the author and bore the full responsibility, but it was collaborative and others had issues as well. Can you see the pattern .. things were getting worse for me
    • THE UGLY:
      • Bad became worse as my two blog posts were shredded beyond hope. I completely missed the assignment.
      • Concerns were raised regarding my performance. I was not excellent and had failed on many levels.
      • Beginning of the end for me ...
      • KEY TAKE-AWAYS FROM A BAD MONTH:
        • The client comes first.
        • The report is a receipt of services rendered along with being a statement of competence in the service provider. You cannot fail them.
        • Always follow the process and be transparent about when things are being done; report readiness.
        • Be Humble. You're not as good as you think you are. There's always room for growth.
        • Do better.
        • Ask lots of questions; clarifying questions that help you do your job better.
        • Get better with the tools (ie, Burp Suite Pro) and technology (Windows, AD, Networking, etc.).
        • Time is money. Don't waste it.
        • Revisit the Portswigger labs and re-learn.
        • Learn from this and move on. Don't dwell in the failure of the past.
  6. JUNE

    • THE GOOD:
      • Last week in May -- Trip to Jacksonville to meet the CEO, and co-workers.
      • Progressively getting better with report writing, but more work still needed. Manager sees significant improvement. Good job!!
    • THE BAD:
      • The trip was a PIP in disguise. Fell way behind on career progression to the next level.
      • Failed to meet expectations - performance was subpar.
      • First Friday of June - 86d.
    • THE UGLY:
      • I hated having to go to work to hear that I have cultural issues that need attention; my work is in jeopardy ... again!
      • I hated the hotel I was at.
      • Lost the best job I've had in a long while and have only myself to blame. The first two weeks were a nightmare.
      • It's taken me a solid month to process the loss, and from it I finally got to confront the final element of what has been holding me back.
  7. JULY

    • THE GOOD:
      • Nothing good so far.
    • THE BAD:
      • Four weeks and no Unemployment Money yet.
      • 25 jobs applied to so far, 8 rejections, not one phone call.
    • THE UGLY:
      • Job Market for 2025 is without a doubt the worst ever!!

    No question this was a longer recap than I anticipated. I am eternally grateful for the chance at getting to work in pen testing for as long as I did. I learned a metric ton and made some invaluable connections. Met amazing people and I have nothing but the utmost regard for the opportunity. I am stronger, smarter, and wiser as a result. Yes, there were a lot of mistakes. The kind of mistakes that could have been avoided with the proper guidance. Sadly, that's been the story of my life: figure it out or fail forward and learn the hard way.

    Wife has been super-supportive, despite calls for divorce, which I half expected. Having a steady paycheck and benefits was awesome. Getting fired from a "prayers answered" job hurt like hell. Still does. But the experience was immeasurable .. and despite the mistakes, I am better for it.