Recently crowned the recipient of the Bugcrowd Ingenuity Award for Top Pentester, Nerdwell offers a profound look into the philosophy, challenges, and enduring principles that define top-tier penetration testing.
When asked about his thoughts, Nerdwell expresses immense gratitude for the recognition, stating, “It’s a huge honor to be recognized as the Top Pentester! I have worked and collaborated with many of the other Bugcrowd pentesters, and I have a huge amount of respect for each and every one of them, so to receive this award is an incredible honor.” This sentiment underscores the collaborative spirit inherent in the hacking community, even amid individual achievements. Teamwork is the name of the game.
When asked about the unique attributes that distinguish his pen testing approach, Nerdwell has a lot to contribute. “There are several key ways that I try to set myself apart from my fellow pentesters,” he begins. First, and most strategically, Nerdwell emphasizes flexibility and a customer-centric mindset, aiming “to maximize the value we deliver to customers.” Second, he prioritizes diligence in meeting deadlines and immediate communication of blockers. Third, he highlights the importance of “high-quality documentation and submission write-ups, with the goal of minimizing the effort required of the Bugcrowd team to translate my vulnerability findings into customer-ready reports.” Lastly, comprehensive coverage and deep digging are crucial: Nerdwell strives to ensure exhaustive coverage of every pen test target and to maximize the impact of all findings. Ultimately, Nerdwell says, “I always strive to help Bugcrowd deliver world-class pen test solutions and to highlight impactful vulnerabilities that others may have missed.”
Nerdwell delves into the methodologies and techniques that form the bedrock of effective cyberattack simulations. He advocates for a balanced approach, explaining, “I aim to strike a balance between the structured testing of a methodology-driven approach and a less structured approach driven by a hunch as to where vulnerabilities might be.” While methodologies offer organization and comprehensive coverage, Nerdwell notes, “Some of my most impactful findings have been the result of ‘listening to my gut’ and diving into rabbit holes simply because I could ‘feel’ a soft spot in the target.” To achieve this balance, Nerdwell leverages the methodology-driven approach as the foundation of his testing, taking note of any hunches he feels as he executes his method. He then follows up on any gut feelings once the core methodology-driven testing has been completed.
The methodologies Nerdwell finds most effective include the OWASP Testing Guide (OTG), OWASP Mobile Security Testing Guide (MSTG), Penetration Testing Execution Standard (PTES), NIST SP 800-115, and MITRE ATT&CK. “Each of these has some advantages and disadvantages, especially as applied to different kinds of targets, so I factor that in when choosing a methodology for each specific test,” Nerdwell shares. For general testing, Nerdwell states, “PTES and SP 800-115 provide a solid high-level structure to testing that I find very useful for engagements involving unique targets or a combination of different types of targets.” The OTG is his go-to for web applications and MSTG for mobile apps. For engagements emphasizing real-world attacker behaviors, Nerdwell leverages many MITRE ATT&CK techniques.
Regarding essential tools, Nerdwell lists Burp Suite, Kali Linux, and IDA Pro as staples, though he acknowledges that tools vary by test type. Increasingly, Nerdwell is integrating AI/LLMs into his workflows, which have been especially helpful for writing one-off scripts, checking his work, and serving as sounding boards to bounce ideas off of. Beyond hacking-specific tools, valuable resources he relies on include cloud services for quickly testing ideas in a lab environment, O’Reilly Books Online for access to most cybersecurity books, and Arduino/Raspberry Pi for building use-case-specific hardware hacking tools.
Recounting a particularly challenging engagement, Nerdwell describes an “assumed breach” scenario where the goal was to escalate access from an unprivileged user’s email inbox to compromise an organization’s “crown jewels.” He states, “Ultimately, we successfully compromised the crown jewels and escalated our privileges to complete enterprise-wide pwnage.” The exploit chain for this engagement was extensive, involving database credentials leakage, traditional web application security vulnerabilities, remote code execution (RCE), handcrafted PowerShell scripts leveraging .NET libraries, and lateral movement via cloud integrations. Reflecting on the unique opportunity, Nerdwell says, “As a security researcher, we don’t often get ‘free reign’ to see how far we can take things, so it was fun but challenging to get an opportunity to do so.” For Nerdwell, this experience “helped to highlight tangible real-world impacts of chaining many findings of various severity to achieve maximum impact, in a way that could be appreciated by both technical and nontechnical audiences.”
Nerdwell passionately advocates for the role of penetration testing in bolstering an organization’s cybersecurity posture. He believes that regular (i.e., periodic) penetration tests are a critical component of an organization’s cybersecurity program. The structured nature of pen testing ensures full coverage of an attack surface and produces compliance-friendly reports that help capture a target’s cybersecurity posture at a given point in time. Furthermore, pen testing offers hackers the chance to work hand in hand with a customer’s application development and security operations teams, allowing for custom-tailored testing. Nerdwell further points out that the reliability of penetration testing can be difficult to replicate with other methods, which makes it well-suited for integration into continuous development and deployment pipelines. While recognizing Bugcrowd’s solutions, Nerdwell believes that hackers bring a unique approach to testing that blends the structure and reliability of traditional penetration testing with the novel research and real-world tactics of the bug bounty community.
In summary, Nerdwell thinks that “penetration testing is invaluable to an organization’s cybersecurity posture because it demonstrates the real-world impact of vulnerabilities and helps communicate findings to nontechnical stakeholders in a meaningful way.”
For aspiring pentesters, Nerdwell offers crucial advice: “My best piece of advice would be study hard but practice harder.” While studying provides the necessary knowledge base, it’s only part of the equation. Nerdwell emphasizes, “It’s also important to put this information to work by practicing hacking—whether via online platforms like Hack The Box (HTB), bug bounty programs, capture the flag (CTF) events, or other hands-on hacking opportunities.” Nerdwell observes a common hesitation, noticing that aspiring hackers do not believe they “know enough” or just aren’t “ready” to start. However, he argues, “You’ll never feel ‘ready.’ You just gotta jump in and go for it.” Nerdwell draws from an artistic analogy, saying, “I recently heard David Hansson (aka DHH) state it well—no one has ever learned how to play the guitar by watching someone else; you have to pick up the guitar and practice.”
Finally, ensuring actionable insights for clients is paramount. Nerdwell emphasizes, “At the end of the day, even the most interesting bug is meaningless if it can’t be translated into business impact for the customer.” For every reported finding, Nerdwell asks, “So what?” He challenges himself to present every finding in a way that demonstrates its security impact to customers. He also strives to chain vulnerabilities or otherwise apply them in novel ways to maximize their demonstrable security impact. When applicable, Nerdwell highlights regulatory compliance risks. Lastly, he aims to understand the application development context in which each vulnerability arises and then provide remediation guidance that’s likely to be compatible with the target environment while incorporating industry best practices.
Nerdwell’s insights underscore why he’s the top pentester and deserving of Bugcrowd’s Ingenuity Awards. His style of penetration testing is a blend of methodological rigor, intuitive exploration, and a deep understanding of business impact. If you want more lessons from Nerdwell, check out his LevelUp series on hacking crypto.