In cybersecurity, few career combinations are as unexpected as “pastor and hacker.” Yet for Evan Connelly, this dual identity represents a unique approach to both his spiritual calling and his success in hacking. With six years in the bug bounty space and a top 10 position on Tesla’s leaderboard, Connelly’s journey offers valuable insights for hackers at every level.

An ambitious start to bug bounty hacking

Connelly’s entry into cybersecurity started with a broken home PC and basement scavenging. “As a child, my home PC died. I found parts from an old device in our basement and fixed it, but I couldn’t get Windows to reactivate,” he explains. “So I discovered Linux as a replacement, which led me down a path of tinkering and curiosity. Eventually, I found ways to make the games I was playing do things they weren’t supposed to, or even scan my ISP’s whole subnet to try to learn what kind of infrastructure they used.”

When he entered the bug bounty world, Connelly took an ambitious approach. “Most (sane) people would start with a simple goal of finding a XSS or something, but I decided I’d begin by finding a vulnerability in the Tesla Model 3,” he recalls. After months of work and physically taking apart panels to connect to the infotainment computer in his daily driver, he found his first bug. While he started with a hardware focus, Connelly now focuses mostly on web apps and iOS bugs.

Mobile-first hacking

One of Connelly’s key insights centers on accessibility in bug bounty hunting. He champions Surge, a tool that allows proxying traffic directly from an iPhone without a laptop. “Being able to proxy traffic from your iPhone, using only your phone, is incredible and I’ve found a lot of bugs this way—no laptop needed,” he emphasizes. For Connelly, this capability represents a crucial advantage: “So much success in bug bounty is time and ‘reps.’ Being able to hack from anywhere in brief bits of downtime, especially for anyone who is not full time, can be a gamechanger.”

This mobile-first approach aligns with his philosophy of integrating hacking into a balanced life. As a full-time pastor with a wife and two small children, Connelly values flexibility. “Family time is very important to me. If I’m not on the computer, I’m probably with my wife, chasing my two small children,” he shares.

Emerging threats and AI’s double-edged sword

Looking at the industry, Connelly highlights an underappreciated vulnerability class. “I think as the use of multiple IdPs and SSO becomes more prevalent, improper IdP validation will become more common, and is certainly a P1/critical issue,” he warns. “Whether it’s internal or external authentication, or even exploiting the differences between multiple external IdPs, this will continue to be an issue.”

On artificial intelligence, Connelly maintains an optimistic, yet realistic, perspective. “AI has been quite impactful in my own hacking for a couple years now. I’m testing agentic tooling in Caido, but also with my own custom tooling,” he notes. He acknowledges the competitive pressure: “I do think AI tools will start finding bugs that I find now, but I also see myself using or even to some extent creating my own AI tools to do the same.”

However, he sees opportunity in AI’s expansion. “I think the use of AI in development has the potential to introduce bugs, whether that be from vibe coding, or even new vulnerability types in the AI features added to apps,” he observes. “So for all the vulnerabilities found by AI, I also see more coming as a result of AI.”

Hard-won wisdom for new hackers

Connelly’s advice for newcomers challenges the herd mentality that often dominates the hacking space. “Don’t try to do what everyone else is doing. Pick something you’re genuinely interested in, both in the type of bugs you look for, and in what program(s) you focus on,” he urges. “Not only will this help you with motivation, which is quite important, but often it will lead you down a path less traveled, as in an area with vulnerabilities that have been untapped or overlooked.”

His first hardware vulnerability exemplifies this principle. “My first hardware issue with the Tesla infotainment system was not all that complicated from a technical point of view; it just took a lot of time and physical access to find.”

For those interested in hardware security, Connelly emphasizes patience. “Start small. Over time, you may need to buy gear, or take things apart, but don’t try to do everything at once. Start simple and do what you can do now,” he advises.

One crucial lesson he wishes he’d learned earlier concerns professional relationships. “Don’t ping programs a bunch for updates. It’s so exciting to get your first few reports in, but remember your report is not the only one they have to work on,” he cautions. “And you’re not just collecting a bounty, you’re building a rapport with a program and a platform that you likely want to continue with in the future.”

Balancing success and wellbeing

As someone maintaining multiple demanding roles, Connelly takes mental health seriously. “I have time on the calendar for exercise and make an effort to keep to that, even if it means hitting pause on an exciting lead I’m chasing in hopes of getting a new bug bounty report in,” he states. His hobbies include golf and running, during which he listens to podcasts.

He credits his faith as foundational to his technical work and as fuel for it. “My faith is a major influence in all areas of my life. Specifically with hacking, curiosity fuels so much of what I do. I want to know how things work and I want to see if I can bend things to work in a way they weren’t intended to,” he explains.

Looking forward

Connelly’s future plans center on giving back to the community that helped him succeed. “So much of my success has been a result of learning from the hacking and bug bounty communities. So I’d like to lean into sharing more via my blog and any other means,” he says. His goals include expanding beyond written content and starting to post videos on YouTube.

For his fellow hackers, particularly those just starting out, Connelly offers encouragement rooted in personal experience. “Imposter syndrome is huge in tech, and I’d say all the more in bug bounty specifically,” he acknowledges. “For anyone just starting or somewhat new to hacking, celebrate your wins, even small ones that don’t lead to bounties, and don’t get caught up in comparison. You’ve got this!”
