Meet Amr: an expert hacker who views his craft through the lens of perpetual curiosity and initiative. Growing up in Egypt, his journey into cybersecurity wasn’t the typical computer science pathway—it was born from an insatiable need to understand the “why” behind everything.
“I’ve always had that urge to take things apart just to understand how they work, not just in tech, but in life too,” Amr explains. “I like figuring out the ‘why’ behind everything. That mindset pushes me to explore new ideas, learn something different every day, and never get too comfortable with what I already know.”
Amr’s mentality of pushing himself and not remaining too comfortable also extends to his hobbies. He says, “I love playing with cards. I’ll spend hours doing shuffles, little card tricks, or just practicing moves for fun. There’s something relaxing about it.”
Amr’s path to hacking took several detours. Starting at around 12 years old, he channeled his curiosity into graphic design, then video editing, and eventually worked as a senior video editor. The work was financially successful, but something was missing. The real catalyst came between 2019 and 2020, when he encountered a Facebook post that would change everything.
“I saw a post on Facebook where a security person talked about remotely accessing webcams—something about checking on someone at a cafe. I was shocked. I remember thinking: ‘Is that even possible? If they can do this, I want to learn how,’” he recalls. “That moment flipped a switch. I dropped everything and started learning properly.”
What followed was a period of intense, sometimes misdirected learning. “Back then I didn’t even know what ‘cybersecurity’ meant, or what path to follow,” Amr admits. He spent a year coding daily in C, C++, and C#, building discipline, but feeling lost afterward. The breakthrough came when he realized a fundamental principle: “I believe the best way to break something is to truly understand how it works.”
This philosophy led him to learn web development comprehensively—PHP, Laravel, JavaScript, Vue, Next.js, and Nuxt. “Knowing how apps are put together changed how I approach security—I stopped guessing and started reasoning about systems and design,” he says.
After three years of bug hunting, Amr developed strong opinions about what truly threatens security. While many focus on flashy zero-days, he believes broken access control deserves more attention.
“For me, broken access control is the real evil—it’s the bug that keeps on giving for attackers and keeps companies awake at night,” Amr insists. “Developers build features assuming users will behave a certain way; our job as hackers is to break those assumptions. That mismatch is where access control fails.”
He emphasizes its pervasive nature: “You can patch one case today and another will pop up tomorrow—vertical vs horizontal issues, API authorizations, business-logic gaps—the forms change but the root problem stays the same.” His approach is methodical: “I always start by questioning the assumptions in any system I test: who the code thinks the user is, and what the user is allowed to do versus what they can actually do.”
If you’re interested in this topic, Bugcrowd recently posted a blog about broken access control vulnerabilities and four other common vulnerabilities that security teams need to be aware of.
Amr’s work with Caido represents his transition from consumer to creator. “I discovered I loved building tools after I started using Caido. The UI and performance felt exactly like what I wanted—fast, clean, and light on my laptop,” he explains. His plugin suite includes GraphQL Analyzer, JWT Analyzer, Chatio (an AI-powered assistant), ReDocs, and Compare—each born from real testing needs.
His YouTube channel, AmrSec, extends this philosophy of sharing knowledge. “I started the channel because I believe the best way to learn something is to teach it,” Amr says. “When I was getting into web security I kept hitting walls—I couldn’t find clear, real-world walkthroughs for the techniques I wanted to learn. If I couldn’t find them, others probably couldn’t either.”
The channel focuses on practical, real-world demonstrations. “Teaching forces me to be honest with myself. Before I post a video I verify the steps, clean up the demo, and make sure the explanation is correct and repeatable,” he notes. His goal is clear: give the community useful, applicable skills without paywalls.
Amr views artificial intelligence as a force multiplier rather than a replacement. “I treat AI like a smart teammate—it’s great at taking over repetitive, time-consuming work so I can focus on strategy and creative parts of hacking,” he explains. He uses it for drafting reports, generating code for CTF demos, and automating tedious tasks.
However, he’s clear about its limitations: “AI is brilliant at repeating, optimizing, and combining known patterns, but it’s not creative in the human sense. The real breakthroughs—weird logic flaws, novel attack paths, creative chaining of tiny issues into a big impact—still come from people.”
For the industry, he predicts intensification: “The back-and-forth will be: defender automates a pattern, attacker finds a new angle, defender adapts. That cat-and-mouse speeds up, but it doesn’t invent real creativity.”
When asked about lessons learned, Amr doesn’t hesitate: “Don’t skip the hard stuff. Early on, I would see an app with an auth flow and, if the auth looked annoying to test, I’d skip it and move to the next target. That was a huge mistake. The stuff you avoid is exactly where the most interesting bugs hide.”
This principle extends beyond hacking. “Facing problems instead of ignoring them makes you better at debugging, thinking through complexity, and building real skill,” he says. “So my rule now: if something looks hard, that’s the reason to stay.”
Regarding CTFs, he offers a balanced perspective: “I’m not a CTF-first person—I prefer hacking real targets. Getting a flag in a lab is useful, but it doesn’t give me the same rush as finding a real bug in a company.” He acknowledges their value for learning techniques but emphasizes the gap: “Real targets have WAFs, complex filters, rate limits, legacy code, and weird business logic that a lab rarely models.”
Amr’s goals are concrete and ambitious. By the end of 2027, he aims to reach two major milestones: landing a six-figure bounty for a single bug and reaching one million YouTube subscribers. Beyond personal achievements, his vision centers on impact: “I see myself inside the kinds of huge organizations I’m already testing—either working with them or right on their teams.”
His ideal career combines security work, tool building, and teaching—solving real problems while helping others grow. It’s a vision grounded in the same curiosity that started everything, the belief that understanding how things work is the first step to making them better.