August 14, 2025

Kroll Conversations: Meet the Offensive Security Experts

The People Powering Cyber and Data Resilience

Organizations are under constant threat from vulnerabilities hidden deep within their own systems and applications. Uncovering these types of weaknesses before they lead to security issues such as malware, ransomware attacks and social engineering is a challenge that Jugal Bhatt and Jonathan Hosick take on every day. As Security Consultants in the Kroll Cyber and Data Resilience Offensive Security team, they put clients’ systems and applications to the test by applying the perspective, skills and tools of the cybercriminals themselves. Jugal explains:

“We complete penetration testing to look for security vulnerabilities and issues for web applications, mobile applications, API infrastructures and internal and external infrastructures. My job is to security test and try to ‘break into’ the applications and ensure that all the assessments go well, are on track and completed on time, and that there are no issues with meeting the various reporting standards. I work closely with an enterprise client in financial services on around four or five assessments per day or week.”

Jonathan adds: “Pen testing typically involves one- to two-week assessments. That’s for different organizations, but with some repeat work for bigger clients. Every couple of weeks I work on something brand new. I would say 70% of what I do is web application testing, then there's some infrastructure work and some phishing to help test clients’ resilience.”

From Private Investigator to Vulnerability Hunter

With complex systems and detective work so central to the role, it’s no surprise that these themes feature heavily in the career track of both professionals. A lifelong fascination with apps, systems and their potential vulnerabilities led Jugal to pursue a career in offensive security and gain more than a decade of specialist experience in penetration testing, cloud security, malware analysis and forensics. Jonathan joined the field more recently, having been a private investigator for 13 years, before recognizing that sitting alone in a van isn’t very conducive to family life, and discovering the rewards of offensive security.

As an example of the depth to which their investigative work can go, Jonathan shares an insight into a current project:

“In the banking application we’re currently testing, there are comments in the code from around the year 1999. That means the company have had around 25 years of people working on the code and adding and taking away different elements. As a result, nobody has insight into the entire system, and that's where we find, in my view, the biggest problems, because you have to test every single aspect to make sure that that one thing isn't broken.”

The Teamwork of Testing

As pen testers, working closely with each other—and the client—is vital, points out Jonathan:

“You never work alone because you have another consultant with you on the actual project or you work with the program manager or engagement manager for that specific assessment. As a team, we're always collaborating, but there is also a lot of client contact. For example, when we find vulnerabilities, we complete a type of risk analysis and come up with recommendations for the client’s application team. We work with them to find out what's causing the issue we're seeing and identify how they can remediate or mitigate that issue.”

“Around 50% of my day is spent testing and 50% is spent working very closely with the client’s security team and our own security team,” says Jugal. “I act as a bridge between our team and the client’s, and then give briefings on the application, the test cases and so on. In the background, I will also test aspects myself just to make sure that we’ve covered everything. So it's not just about the technical side; it's also about having that good working relationship with the client.”

Uncovering the Overlooked

Proactively hunting for weaknesses within many different systems makes for a fast-moving and often pressured role. But these demands are balanced with a lot of job satisfaction for people who thrive on problem solving. For Jonathan, much of the fulfillment he gains from working in offensive security is uncovering the weaknesses that others have missed:

“This job is never routine because things are always changing. I always feel like I'm learning and that keeps it exciting for me. It’s really rewarding when we find issues and clients are thrilled because they get annual pen testing done and switch companies every year, then say to us ‘That problem wasn't found by XYZ company doing some testing last year but you managed to find it!’ We’ve found old weaknesses that were previously missed many times, thanks to our approach to tests and methodology.”

“For me, another reward of the job is when clients praise our work,” comments Jugal. “One of the main objectives when I onboarded as a subject matter expert for the financial services client was getting assessments done on time without any obstacles or issues. The client team recently said that Kroll is their best and preferred partner for pen testing, and as a result, they allocate a lot of work to us. That’s very rewarding. I also love the tools, the tactics, the learning; finding the issues and resolving them.”
