Pen testers, and how they help us understand threat actors from the inside out.
There’s a certain mystique about hackers. They move like ghosts through networks, think several steps ahead, and exploit systems by seeing opportunities most people never could.
In cybersecurity, the goal isn’t just to stop hackers – it’s to think like them.
That’s where penetration testers come in. Because they don’t just find the cracks. They help organisations understand how and why someone might exploit them. They become the enemy so they can help their clients build better defences. And as the threat landscape becomes more sophisticated, this skillset is more valuable than ever.
For Rana Khalil (Application Security Team Lead at C3SA), understanding an organisation’s vulnerabilities starts with a comprehensive analysis of their environment:
“As an Application Security Engineer, my primary focus when joining a new organisation is to understand their application landscape and the security integrations within their processes, pipelines, and overall culture,” she told us.
“This involves reviewing existing documentation and engaging with the appropriate stakeholders. Once this is understood, the next crucial step is to conduct asset discovery, cataloguing all applications, APIs, and related assets within the organisation. It's surprising how some organisations lack a comprehensive catalogue of their web services – introducing a significant risk, since you can't effectively secure what you're not aware of!”
That insight alone – the sheer number of organisations who don’t know what they have – gives pen testers a unique perspective on risk. And once those assets are identified and prioritised, Khalil explained, they tailor a security strategy around the critical vulnerabilities that matter most.
This approach mirrors that of malicious hackers. Mapping exercises enable them to discover hidden assets or misconfigured systems. But while the hacker seeks to exploit, the pen tester’s goal is to inform and strengthen.
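The asset-discovery step Khalil describes is the part of this process that can be automated and repeated. The following is an added example, not code from the article, from C3SA, or from any organisation it mentions: it reconciles a declared application catalogue against hostnames observed by independent inventory sources (a DNS zone export, certificate-transparency records and a load-balancer configuration), flags assets nobody has catalogued, flags catalogue entries that no source can see any more, and ranks the unknowns by how many sources corroborate them. All hostnames, owners and source names are constructed sample data.

```python
"""Reconcile a declared application catalogue against observed hostnames.

Added example with constructed sample data; no real organisation or domain.
"""
from dataclasses import dataclass

# Constructed: the catalogue an application security team inherits on day one.
# Note the inconsistent casing and trailing dot, which real spreadsheets contain.
DECLARED_CATALOGUE = [
    {"host": "www.example.test", "owner": "web-team", "kind": "web"},
    {"host": "api.example.test", "owner": "platform", "kind": "api"},
    {"host": "Portal.Example.Test.", "owner": "hr", "kind": "web"},
    {"host": "legacy-crm.example.test", "owner": "sales", "kind": "web"},
]

# Constructed: hostnames reported by three independent discovery sources.
OBSERVED = {
    "dns_zone": [
        "www.example.test", "api.example.test", "portal.example.test",
        "staging-api.example.test", "grafana.example.test",
    ],
    "cert_transparency": [
        "www.example.test", "api.example.test",
        "staging-api.example.test", "old-payments.example.test",
    ],
    "load_balancer": [
        "www.example.test", "api.example.test", "portal.example.test",
        "grafana.example.test",
    ],
}


def normalise(host: str) -> str:
    """Canonical form so 'Portal.Example.Test.' and 'portal.example.test' match."""
    return host.strip().rstrip(".").lower()


@dataclass
class ReconciliationReport:
    unknown: dict   # observed host -> sorted list of sources that saw it
    stale: list     # declared hosts that no source observed
    known: list     # declared hosts confirmed by at least one source


def reconcile(catalogue, observed) -> ReconciliationReport:
    """Compare what the organisation thinks it has with what is actually visible."""
    declared = {normalise(entry["host"]): entry for entry in catalogue}
    seen = {}
    for source, hosts in observed.items():
        for host in hosts:
            seen.setdefault(normalise(host), set()).add(source)
    unknown = {h: sorted(s) for h, s in seen.items() if h not in declared}
    stale = sorted(h for h in declared if h not in seen)
    known = sorted(h for h in declared if h in seen)
    return ReconciliationReport(unknown=unknown, stale=stale, known=known)


def prioritise(report: ReconciliationReport) -> list:
    """Unknown hosts corroborated by more sources are more likely live and reachable,
    so they go to the top of the review queue; ties are broken alphabetically."""
    return sorted(report.unknown, key=lambda h: (-len(report.unknown[h]), h))


if __name__ == "__main__":
    report = reconcile(DECLARED_CATALOGUE, OBSERVED)
    print("Uncatalogued assets (review first):")
    for host in prioritise(report):
        print(f"  {host:30} seen by {', '.join(report.unknown[host])}")
    print("Catalogue entries no source can see (verify or retire):")
    for host in report.stale:
        print(f"  {host}")
```

Running it lists `grafana.example.test` and `staging-api.example.test` ahead of `old-payments.example.test`, and reports `legacy-crm.example.test` as stale. Feeding the same function fresh exports on a schedule turns the one-off discovery exercise into a continuing check that the catalogue and the real estate still agree.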
Khalil also shares her knowledge widely, through her YouTube channel and her Web Security Academy, which includes a course called the Web Security Academy Series:
“This course contains over 50 hours worth of content covering 15 critical vulnerability categories. We break down the technical details of each vulnerability, show how to spot it, exploit it, and defend against it. We also get hands-on experience with labs that mimic real-world applications.”
With over 27,000 students globally, she’s teaching people to think like a hacker. Because the more defenders understand how attackers operate, the faster they can shut them down.
Pen testing isn’t all high-stakes exploits and clever break-ins. As Quinn Carman (Cybersecurity Leader at the National Security Agency) said when we asked how he communicates vulnerabilities to a customer, it’s also about what happens after the breach.
“If you just go and kick down the door, point and laugh at them, then leave – that doesn’t do anyone any good. You’re forgetting that you’re on their side. You’re part of your customer’s team. If you don’t follow up and help them fix these things then you’re just going to come back a few years later and do the same thing – and there’s nothing more disappointing.”
This speaks to a deeper truth: effective pen testers must understand both sides of the attack – the technical angle and the emotional response of the organisation.
It’s easy to feel embarrassed, or even defensive, when someone shows you how your systems can be broken. So without compassion and clear communication, pen testing risks becoming performative rather than practical.
Carman said it like this:
“It’s very easy to attack a network...but that’s not the important part. The important part is what you deliver to the customer when you’re done. If you don’t tell them all of the details, there’s no point in doing it in the first place.”
Pen testers need to bridge the communication gap between technical discovery and executive understanding. That means adjusting their language, mindset, and delivery to suit the organisation – whether they’re talking to a SOC analyst, a head of IT, or a non-technical CEO.
And in case you were under any illusion about how hard that is…it’s really hard.
“Saying something isn’t communication,” Carman added. “We have to then communicate this to, maybe, a General who’s used to commanding tanks, and try to speak the same language and impress upon them why they need to pay attention and why what you’re saying is important.”
Pen testers sit in a unique position in cybersecurity. They straddle the line between attacker and ally, using the same techniques as malicious hackers – but with the goal of making systems stronger, not weaker.
Their work is about exposure and education. Breach and build.
And the best among them know that technical excellence is only half the job. The other half is human: empathy, storytelling, and making security real and relevant for the people who rely on it.
At the end of the day, a pen test is only successful if the organisation walks away safer than before. And that’s why pen testers have to do more than just hack; they have to help an organisation recognise why it was at risk, and see what the attacker’s eyes can see.