Sup, fellow bug hunters and hacker collective! I’m Ads and if you’ve stumbled across my corner of the internet, you probably know me as a self-described meticulous hacker and that dude who’s always tinkering with AI agents and finding creative ways to break things (ethically, of course). But before I was diving deep into large-scale web application and API hacking, large language model (LLM) red teaming, and network penetration testing or serving on Bugcrowd’s Hacker Advisory Board (HAB), I was just another curious kid who couldn’t resist poking at systems to see what made them tick. This post is much different from my usual content—it’s intended to share some thought leadership and offer guidance to my fellow hacker fam who are just beginning their careers. Truthfully, I believe I am far from having “made it,” but I hope I can at least help others out along the way by sharing my own experiences.
For those of you who are just starting out in the cybersecurity industry in general, I also cannot recommend enough Keith’s recent post: “If I were Eighteen again.”
My journey into offensive security wasn’t paved with formal degrees or traditional pathways. I’m proudly self-taught and a reincarnated former network engineer—a scrappy learner who cut his teeth on late-night CTF sessions, GitHub rabbit holes, relentless late-night request for comments (RFC) reads with a Red Bull in hand, and the occasional “Wait, what happens if I try this?” moment that every hacker knows too well. This DIY mentality has shaped everything I do, from my approach to vulnerability research to how I think about the future of our community.
First things first: love what you do—this matters. I’ve been working in this industry for about 15 years now, and I’ll be the first to openly admit that I’ve long since passed the point of passion and landed squarely in full-blown addiction. Hacking, hunting, and curiosity give me a kind of joy and fulfilment that’s almost impossible to put into words. Once you’ve found your own happy hacker vibe, soaking up every opportunity feels natural—and you’ll get that organic, gushy feeling in your tummy.
Now, all jokes aside, STÖK nailed it the other day, and I had to reshare what he said immediately:
I genuinely share the exact same excitement as Justin here when it comes to talking or even thinking about bugs. But here’s the thing: I’m not preaching, and I’m definitely not boasting. It’s totally OK if bug bounty hunting or hacking isn’t your jam. Security is an incredibly big space, with countless paths and opportunities to explore. Many of the principles I talk about in this article apply across the board, so even if you’re in a different lane, I still hope this post offers you some value.
Being gritty, tenacious, and self-taught in security means you develop a particular kind of hunger. You don’t just learn what’s in a textbook—you learn what isn’t. Corny quote aside, every vulnerability becomes a puzzle and forces you to get uncomfortable and perform thorough research to make every system a potential playground. This approach taught me that some of the best security insights come from thinking sideways, not just following established methodologies.
When I first discovered bug bounty programs, it felt like finding my tribe. Here was a community that valued curiosity over credentials and results over résumés. I could feel the appreciation for an unconventional pathway, and I knew I was home. The democratization of security research through platforms like Bugcrowd has meant that anyone with the right mindset can contribute meaningfully to making the internet safer.
This self-taught background has been instrumental in my current work at the intersection of AI and offensive security. When you’re used to figuring things out from first principles, tackling emerging attack surfaces like LLM applications becomes less daunting and more exciting. My current Bugcrowd blog series explores exactly this—how anyone can exploit LLM applications and machine learning (ML) systems, as well as harness AI agents for reconnaissance, payload generation, vulnerability discovery, and to improve methodology for increased efficiency and maximum hacker joy.
My relationship with Bugcrowd has evolved from fanboy to hunter to contributor to advocate. As an honored member of the HAB, I’ve had the privilege of representing the global hacker community and providing expert technical guidance on platform strategy, vulnerability trends, and researcher experience to help shape platform improvements and community initiatives for hackers and customers alike. But what excites me most is the knowledge-sharing aspect—whether it’s through technical blogs, mentoring newer researchers, or pushing the boundaries of what’s possible in offensive security.
One of my proudest contributions has been democratizing both offensive and defensive AI-powered security testing. Too often, cutting-edge offensive techniques remain confined to enterprise security teams or academic papers. My work aims to bridge that gap, showing how individual researchers can leverage AI agents to amplify their capabilities without needing massive infrastructure or budgets.
The challenges I’ve faced in bug bounty programs have taught me that persistence beats perfection every time. Not every research path pays off, not every vulnerability is exploitable, and not every submission is accepted. But each failed attempt teaches you something valuable about the target, the attack surface, or your own methodology.
One thing I’ve learned over the years is that hoarding tools and knowledge is the exact opposite of good security, so I’ve made it my mission to open source as much of my work as possible. For example, consider Burpference, my stealthy Burp Suite extension that leverages AI to analyze HTTP traffic in real time, flag vulnerabilities, and even score their severity—no massive infrastructure needed. Then there’s StickyBurp, a slick Kotlin plugin built on the new Montoya API. I built it to let you pin session variables globally across all Burp tabs, so your auth tokens and cookies stick around without having to reconfigure every time. This is especially useful for testing broken authentication controls (BACs). With DOMspy, I brought that same curiosity to client-side app hacking, giving users an interactive view of the DOM to test for XSS, script injection, and other front‑end quirks.
I didn’t stop there—I also coauthored robopages, a containerized toolkit for chaining offensive security tools and AI agents in reproducible pipelines. It’s like DIY LLM-powered pen testing that lives in Docker. And then there’s dyana, my eBPF-based Python tool you can pip‑install. It is designed to hook into AI inference and supply chain systems to spot odd behaviors—especially risky deserialization or dodgy dependencies.
By sharing each of these tools, I hope to show that you don’t need an enterprise budget or a heavyweight squad to level up your cyber skills. Everything I build is meant to be hands-on, immediately usable, and empowering—whether you’re hacking APIs, automating with AI, or profiling low-level systems. Heck, just a few weeks ago, I published my first research paper as a lead author, along with an agent harness and dataset released as a comprehensive benchmark. I’m genuinely not trying to brag here. Without being cliché, I just want to remind you that you really are in control of your own destiny.
For what it’s worth, I have zero academic background or formal coding experience. If I can do it, then so can you.
Creating open-source security tools isn’t just about being altruistic (though that’s a nice side effect). It’s also strategic on multiple levels.
I’m a proud OWASP Toronto chapter board member, and I serve as the tech lead and a board member for the flagship GenAI Security Project and Top 10 for LLM Applications initiative. Beyond that, I’m an active contributor to other pivotal open-source efforts, including the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS) and the OWASP Agentic AI Vulnerability Scoring System (AIVSS).
If you’ve never contributed to a project like OWASP or published your own tools, I can’t recommend both enough. Foundations like OWASP are the grassroots and lifeblood of web application security—both the traditional methods and the fast-evolving AI-driven landscape. It’s where some of the best research, community knowledge-sharing, and standards come together in ways that directly shape how real-world security gets done.
Personally, contributing to open-source projects have been transformative for me in a few ways:
Personal arsenal enhancement—Every tool I build solves a real problem I’ve encountered in bug bounty hunting or red teaming. When you create tools for yourself, you make sure they actually work in the trenches—not just in theory.
Professional credibility—Nothing demonstrates your technical chops quite like well-documented, battle-tested code. Employers, clients, and collaborators can see exactly how you think, how you code, and how you solve problems. It’s a living portfolio that speaks louder than any resume.
Community capital—Open-source contributions create a feedback loop empowering learning and improvement. Other researchers use your tools, find edge cases you missed, and contribute enhancements. Suddenly, your personal project becomes a community-driven powerhouse.
The same philosophy applies to technical and blog content writing. When I publish detailed walkthroughs of AI red teaming techniques or DSPy optimization workflows, I’m not just sharing knowledge—I’m establishing expertise, building my brand, and creating valuable resources that come back to benefit me through speaking opportunities, consulting gigs, and collaboration requests.
Often, I will repurpose code and vulnerability research or alternatively take the opportunity to combine content with learning something new at that same time. Next time you want to learn something new (especially those things that aren’t traditionally well documented), consider writing on it or even documenting it in some manner to help both you and others. Each blog post becomes a reference point, teaching tool, and demonstration of capability—all rolled into one. Plus, the act of explaining complex concepts forces you to truly understand them, making you a better researcher in the process and further demonstrating your capabilities to help you shine.
I’ve been fortunate enough to have a lot of speaking opportunities throughout my career, which I have gathered under a dedicated “talks” website. I also have a little fun approach to a “hackerman” terminal-based site. This may not necessarily be the best approach, but I offer some food for thought on how to easily showcase your skills and gain some development and additional coding experience along the way!
An awesome and very recent project for me was participating in the BugBoss v3 challenge. This was truly a privilege. The “show and tell” session served as a prime candidate for me to hopefully inspire others ethically hunting for exploits within vulnerability research based on my own experiences.
Security research is a marathon, not a sprint. You can spend nights obsessing over payloads and edge cases, but if you can’t clearly communicate your findings—whether it’s a bug report, a pen test deliverable, or a technical writeup—you’re leaving value on the table. The way you present your work often matters as much as the work itself. A great report can lead to a vulnerability being fixed faster, ultimately winning trust and opening doors. A messy one? It can be overlooked, misunderstood, or dismissed entirely.
Pro tip: One of the fastest ways to improve your communication skills is to read great reports. Check out public disclosures via CrowdStream to see what clear, high-impact writeups look like.
Here’s what I think the future holds for our community: it won’t just be about finding bugs anymore—it’ll be about elevating the entire security ecosystem. In many ways, this is already the case. Bug bounty programs are evolving from simple vulnerability markets into collaborative security research platforms.
AI is going to play a huge role in this evolution. We’re already seeing AI-powered reconnaissance tools, automated payload generation, and intelligent vulnerability classification. But the real magic happens when human creativity meets AI efficiency. The future bug hunter won’t be replaced by AI—they’ll be augmented by it. Think of AI as any other major productivity tool or cutting-edge technology you’d embrace to push your capabilities. I demonstrated some examples of this earlier this year in “A low-cost hacking sidekick: Baby steps to using offensive AI agents.”
This is why knowledge sharing is so crucial. When I publish a blog about using DSPy for AI red teaming or building AI agents for reconnaissance, I’m not just sharing techniques—I’m contributing to our collective security intelligence. Every researcher who learns something new makes our entire community stronger.
It should be recognized, however, that AI should enhance and optimize you, not replace you. It’s important not to become too dependent. Always verify with human-in-the-loop checks—and keep learning so you don’t lose your edge.
The InfoSec community has always been special because we understand that security isn’t a zero-sum game. When one organization becomes more secure, we all benefit. Bug bounty programs embody this philosophy perfectly—they turn security research into a collaborative effort where everyone wins.
My experience across diverse environments—from frontier AI model companies to traditional web applications—and critical infrastructure has reinforced this belief. The most impactful security improvements happen when researchers, developers, and organizations work together rather than in silos.
If you’re reading this and thinking about getting involved in bug bounty programs, here’s my advice: start. Don’t wait until you feel “ready” or until you have the perfect setup. The community needs diverse perspectives, creative approaches, and fresh eyes on old problems.
For seasoned researchers, consider how you can contribute beyond just finding bugs. Share your methodologies, mentor newcomers, contribute to open-source security tools, or help improve the platforms we all use. The future of security depends on us nurturing the next generation of researchers.
And remember—whether you’re debugging your first XSS or architecting complex multistage attacks, you’re part of something bigger. Every vulnerability you find, every technique you share, and every newcomer you help makes the internet a safer place for everyone.
Here’s some real talk that goes beyond the technical stuff. Learning is genuinely a privilege. Treat every single day like it’s a school day and feed that continuous hunger to learn and consume knowledge. I’m constantly reading and absorbing every piece of content I can from my personal OGs and role models who have paved my path: Jason Haddix, James Kettle, Gareth Heyes, Keith Hoodlet, Dan Guido, Eugene Lim, Shubs, Will Pearce, STÖK, Dana Epp, Sam Curry, Rhynorater, and countless others who’ve shaped this community. Learn from their mistakes, celebrate their successes, and build on the foundation they’ve laid. All questions are valid and important to your growth. Never feel uncomfortable about asking a question because you’re afraid of how others may perceive you.
But here’s the thing nobody talks about enough—your body is your temple, and you need to treat it as such, not just fill it with protein bars and energy drinks. Any type of regular exercise, sleeping properly, and proper hydration and nutrition will keep your brain firing on all cylinders. Some of the best ways to practice self-care is to remind yourself of whatever you love outside of that keyboard. Fill your body with endorphins, and never let the screen be your only source of happiness. Take periodic breaks, recharge when you need to, and absolutely do not let burnout become part of your narrative. Embrace the challenges that come your way, get comfortable being uncomfortable (that’s where the real growth happens), and never give up on your dreams. You’ll never know what you’re truly capable of until you push yourself to those limits—just make sure you’re doing it sustainably and in a scalable manner.
And speaking of pushing limits, embrace cutting-edge technology to absolutely demolish your competition. If you’re not leveraging at least basic programming skills for automation, you’re already falling behind. The days of purely manual testing are numbered, and the hackers who adapt fastest will reap the biggest rewards. You need automation for increased capital gains and to keep pace with both the community and the industry’s evolution. I’ve written extensively about using AI to enhance offensive security workflows, from reconnaissance automation to payload generation. Yes, I even have AI agents serve as my personal “PR janitors” and bounty report writers. This isn’t just convenience; its critical adoption for today’s era. The researchers who master these force multipliers won’t just survive the changing landscape—they’ll dominate it.
Lastly, never be afraid to screw up spectacularly. Learn to embrace failure with your chin held high. It’s truly a superpower to reorient a failure into an opportunity for growth. Mistakes are your best teachers, and in this field, every failed exploit attempt, every rabbit hole that leads nowhere, and every embarrassing bug report that is marked as “not applicable” is actually pure gold. Those moments sting, sure, but they’re solid learning opportunities, building your intuition and teaching you things no tutorial ever could.
For example, I originally planned to publish a technical blog on abusing Model Context Protocol (MCP) servers. After weeks of cycling through ideas and almost having it ready for peer review, I realized I just wasn’t in love with it. So for now, I’ve parked it without worrying. I’m sure I’ll come back to it later with a fresh perspective, or at worst, repurpose some of the work in another way.
Don’t sweat the small stuff either. Rejected from a program? Cool, move on to the next one. Spent three days chasing a false positive? That’s three days of learning how NOT to do something. The hackers who stress over every little setback are the ones who burn out or quit. The ones who shrug, learn, and keep moving? Those are the ones who end up with the fat bounty checks and speaking slots at major conferences.
I hope this was insightful. I encourage you to stay curious, stay ethical, and remember: the best security research happens when we combine human creativity with relentless curiosity. The bugs are out there waiting to be found—think evil, do good. Now let’s go hunting.
Keep up with Ads’ wacky experiments or follow any of his content @ LinkedIn, GitHub, or GitHub page. Ever in Toronto, Canada? Hit me up for coffee and donuts!