Standoff 365 ambassadors
Oleg Ulanov

Independent security researcher and senior penetration tester. Loves breaking the web, hiking, and living life to the fullest.

Q&A with the ambassador

How did you get into bug hunting?
I started working as a pentester in 2023—my first official job. About a month in, after the active projects wrapped up, someone suggested I try bug bounty. I was pretty skeptical at first. I figured if a company is big and well-known, their security must be rock solid. But I gave it a shot—and that's when it took off: a week later I found my first bug, then another a couple weeks after that, then a third, a fourth… before long I was at a hundred reports. That's how I ended up here.
What is the most memorable vulnerability you've discovered?
Not necessarily the coolest, but one of the first that comes to mind: an SSRF in a browser emulator that let me disclose employee personal data, locate a vulnerable host in the client's infrastructure, and take it over—basically a foothold for further attacks on the system.
On average, how much time do you spend bug hunting each month?
These days, not that much—sometimes a couple hours a day, sometimes just a few hours a week. Early on I spent a lot more time because there were tons of knowledge gaps I needed to close.
What tools do you usually use for bug hunting?
All the classics: nmap, RustScan, dirsearch, ffuf, Nuclei, subfinder, dnsx, SQLMap, plus a bunch of scripts—and of course Burp Suite.

Advice for beginners in bug hunting

Stick with it—patience and hard work go a long way. I know folks at the top who are incredibly talented young bug hunters without decades of professional dev or security experience behind them. Enjoy what you do, stay curious, and keep digging.

What to read about bug hunting

 
  • Andrew Hoffman's "Web Application Security" for a solid grounding in vulnerabilities—their nature and causes.
  • PortSwigger Web Security Academy to build hands-on attacking and vulnerability-finding skills. After that, you're basically a bug hunter 😊
  • I also recommend TryHackMe and Hack The Box for practice, and Tanenbaum's "Computer Networks" if you want to understand information processes far beyond what you see in Burp Suite.

What to watch about bug hunting

Books first. But if you really want video, check out recordings from events like Standoff Talks, OFFZONE, VK Security Confab, and more—or better yet, attend in person.