The following spotlight is an article in the recent edition of Inside the Mind of a Hacker. Download the full report to read more hacker spotlights and gain insights into the ethical hacking community.
At Bugcrowd, we talk a lot about the societal misconception that hackers and security professionals are two separate groups when in reality, they are one and the same. Full-time security professionals often hack on the side.
There is no better example of this than Ads Dawson, who has been both a Bugcrowd customer and a hacker on the Bugcrowd Platform. Ads has achieved some amazing accomplishments in his career, including most recently contributing to the Bugcrowd VRT update on AI application vulnerabilities. Read on to learn more about Ads!
A journey into building and breaking
Ads started in the security space with an apprenticeship at an MSP. He did not have an educational background in computer science. Nevertheless, from there, he progressed along the path toward networking and security, network pen testing, application security, and eventually LLM applications and AI security. Ultimately, he has a passion for dissecting concepts down to the essence, which is extremely relevant in hacking and the security space. “I figured that if I already know how to build, manage, and deploy hybrid cloud networks, why not learn how to break them?” Ads says.
Ads has been hacking for about six years, and he’s loving it so far. He’s a self-described “meticulous dude” who cites a dedication to curiosity in every aspect of his life as a main driver of his hacking success. “I have always challenged and motivated myself to fully comprehend a solution or function at a very detailed level,” Ads shares. “This has kept me constantly driven to adapt, learn new concepts or technologies, and improve my skills.”
Ads is a self-described “networking nerd at heart,” although he applies a well-oriented full-stack approach to hacking. He is also heavily involved in AI red teaming, which is a particularly new space. He is extremely motivated to constantly improve his machine learning (ML) adversarial capabilities. “Another cool aspect of hacking that I love is developing and building tools or a script that helps me fix common hacking problems. It is really effective to spend time on enhancing your offensive arsenal for investing in the long run,” Ads says.
Advice for hackers
Ads has been on both sides of a bug bounty program. Therefore, his perspective is valuable for hackers looking to improve their skills and earn greater recognition. When it comes to advice for hackers who are engaging with security teams, Ads suggests a well-rounded approach. “Consider every angle, leave no stone unturned, and always parse information thoroughly. It’s always incredibly easy to skim information, especially when you’re running on fumes. Prioritize yourself when you’re feeling burnt out—taking a walk or going to the gym does magic for your productivity. Lastly, don’t become hard-set on your favorite toolset or setup—always take the opportunity to step outside of your comfort zone,” Ads advises.
Ads also views stepping outside their comfort zones as a great way for hackers to earn more invites to hack on private programs. By involving themselves in the community and ongoing CTF events, hackers can increase their visibility. One way Ads does this is through his involvement in an OWASP chapter, which keeps him in the loop and regularly allows him to challenge himself. He also suggests that hackers document their work (such as writeups) as a great way to show off their experience.
Common tools and resources for hacking
Ads uses many tools to hack, but here are some of his favorites:
- A solid Linux distro such as Kali
- Burp Suite (I’m a huge James Kettle fanboy!), including some neat extensions and Bambdas
- Bruno (sorry Postman)
- VS Code and Warp AI Terminal
- ZAP
- Metasploit
- Nuclei
- Nmap
- Python and Go
- Ollama
- VirtualBox
- Wireshark
- Some good old-fashioned cURL and netcat tinkering
- Spotify (a must to get some good vibes flowing)
Advice for security teams
For teams hoping to get more out of their bug bounty programs, Ads shared valuable insights from the hacker perspective. It starts with fostering better relationships with the hacking community. “Challenge the hacker and always motivate them to dig deeper! If you are denying a submission, it’s important to elaborate why and always be open to the possibility of a decision change. Another thing that goes a long way is spending some time on a cadence to update your program with new features or even notifications about behavior changes,” Ads says.
He also recommends that teams put themselves in a hacker’s shoes. Ask yourself whether your scope is clear and concise and whether it provides a clear and valid reporting chain with achievable acceptance criteria. By reviewing your program details through a different lens, you can catch areas where you’re potentially pigeonholing your program.
To wrap up, we asked Ads what he wished security leaders understood about hackers. “Hackers spend a lot of time out of their personal lives working within reasonable disclosures and constraints to secure companies’ attack surfaces. Come to the table with a cooperative spirit and a willingness to achieve mutually fair reasoning,” Ads says. “Embrace the fact that every hacker has unique insights, perspectives, and capabilities to offer. Having a dedicated and motivated hacker finding holes in your ecosystem is incredibly valuable, especially compared to traditional methods of security testing in resource-constrained environments.”