Standoff 365 ambassadors
Mikhail Ilyin

Pentester at JSC "Sogaz", winner of the Russian championship and cup in competitive programming of information security systems. I am interested in clinical psychology and its application in social engineering. I love to travel and have traveled across the entire Caucasus.

Q&A with the ambassador

How did you get into bug hunting?
I came to bug hunting through a love of infosec. What could be better than legally breaking into various large companies that differ in their technological and business stacks, and getting paid for it? At first there were CTF competitions and school olympiads — simple web tasks and forensics. After several successful competitions I wanted to try real applications.
What is the most memorable vulnerability you've discovered?
The most memorable was the logic in company N that allowed blocking any account via several endpoints in different services connected into one network.
How much time on average do you spend bug hunting per month?
I try to devote 10 hours per week, but often I cannot allocate that much time.
What tools do you usually use for bug hunting?
Basic set: Burp Suite, dirsearch, Nmap, a modernized sqlmap, endpoints. I am trying to introduce AI agents into BB.

Advice for beginners in bug hunting

Master the basics: HTTP, TLS, auth, JavaScript, SQL, OS fundamentals. Practice in labs (PortSwigger Academy, THM, Juice Shop, Standoff Hackbase). Communicate more with the community: read writeups, watch talks, attend specialist conferences, ask in chats.

What to read about bug hunting

  • The Web Application Hacker’s Handbook — a deep guide to web vulnerabilities and exploits.
  • Real-World Bug Hunting (Dawson) — a practical guide: web + bug bounty.
  • Bug Bounty Hunting Essentials — a quick introduction and checklists for reports.
  • OWASP: Testing Guide and Top Ten — required for understanding common mistakes.
  • Best write-ups from HackerOne/Bugcrowd/Standoff365/Bi.Zone — analyses of real

What to watch about bug hunting

  • Recordings of talks from DEF CON / PHDays / OffZone.
  • PortSwigger Web Security Academy (videos + labs).
  • The LiveOverflow channel — reverse engineering of binaries, good explanations.