For Justin Gardner, known to hackers as Rhynorater, hacking isn’t just a career or a side hustle—it’s a passion that has transformed his life. As the host of the Critical Thinking – Bug Bounty Podcast and a respected mentor in the community, Rhynorater has carved out a unique cybersecurity path that combines technical expertise with a spiritual approach to life and work.
“Hacking has completely changed my life. It has given me complete geographic, financial, and time freedom since 2020, and for that, I am eternally grateful,” says Rhynorater, who has been participating in bug bounty programs since 2017.
The evolution of Rhynorater
Rhynorater’s journey into hacking began at age 9, when he started learning about programming and computers from a church friend. However, his path from there was anything but straightforward. He became a moderator on HackForms’ Python section and had a brief “stint on the blackhat side of things,” but he stepped away from hacking at 16.
“I didn’t pick it back up again until college, when I started the CyberSecurity Club at my school,” Rhynorater explains. “One day, Tommy DeVoss walked into my classroom and told me about bug bounty, and that’s when it all started.”
That chance encounter set Rhynorater in a direction that would eventually allow him to pursue bug bounty hunting full-time. While he describes himself as a “versatile hacker” capable of tackling web vulnerabilities, mobile security, source code review, IoT, and network issues, he admits to having a particular fondness for client-side vulnerabilities. “My passion is client-side. The chaining aspect of client-side is irresistible to me,” he says.
Vulnerabilities and tools to watch out for according to a hacker
When asked about emerging threats, Rhynorater was quick to mention one particular vulnerability class that he believes is flying under the radar. “Without a doubt, it is client-side path traversal (CSPT). It is a really nasty vulnerability, and it is gaining some popularity nowadays. It will no doubt take the place of CSRF as one of the main client-side vulnerability classes within the next 5 years, as CSRF-oriented mitigations continue to gain traction,” he warns.
Gardner’s technical toolkit is extensive, featuring both commercial and custom tools. “My favorite tools include Caido, ffuf, DomLogger++, an array of custom chrome extensions, AI (Shift, ChatGPT, Claude via Cursor, etc.), fabric, clairvoyance, etc.,” he lists.
Embracing AI in hacking
On the topic of AI, Gardner is enthusiastic about its potential to revolutionize the field. “AI is going to be huge. Hackers must start integrating it into their workflows ASAP,” he insists.
He identifies three primary applications for AI in a hacker’s toolkit: “Coding and scripting automation with Cursor, friction reduction when using tools (Shift, ShadowRepeater, etc.), and source code analysis (Cursor, Claude Code, custom solutions).”
Beyond the technical: Mentorship and community
Rhynorater’s influence extends far beyond submissions and rewards. Other hackers frequently mention him as their mentor, though he modestly describes his mentorship style as “teaching [others] how to teach themselves how to hack.”
“My process is pretty simple,” he explains. “I also cover topics such as attack vector ideation and hacker mentality, but for the large part, people just need to follow the tracks that have been put out there (PortSwigger Academy, NahamSec’s HackingHub, LiveOverflow’s Hextree.io, etc.), put in the hours learning, and then spend 200–500 hours failing at hacking before they succeed.”
Rhynorater believes that finding the right mentor is valuable, but mentorship can only take someone so far. “In my humble opinion, you can’t really teach hacking. You must guide. A hacker must be a very quick and avid learner on their own or they won’t be able to face such a wide array of targets as is required by the job,” he says.
Failure as a learning tool
For new or hesitant hackers, Rhynorater offers a big dose of reality. “You must get really comfortable with failure. As hackers, we’re going to fail 99.9% of the time. And then eventually, something will work. If you’re failure-averse, you’re never going to make it,” he advises.
He also encourages redefining what constitutes failure: “Just because you didn’t find a bug in this hacking session doesn’t mean that you failed. Did you learn more about your target? Did you become more adept at reading HTTP requests or minified JavaScript? Did you find yourself a gadget you can use? Those are all wins.”
One lesson he wishes he’d learned earlier? “Push harder than you think you should when something is very close to being exploitable. There is often a way,” Rhynorater says.
Balance and burnout
The demanding nature of hacking, running a podcast, and attending events requires intentional strategies to maintain health, both physical and mental. For Rhynorater, this begins with a strong foundation.
“Disconnecting my self-worth from my performance at work is pivotal. Instead, I base my self-worth on something more steady and consistent: the love of Jesus Christ,” he explains. “Religion works well for me (especially Christianity, since it isn’t work-based but a free gift from God), but for others, things such as a steady interpersonal relationship, progress indicators, or a moral code would all be better than putting your self-worth in something as volatile as bug bounty.”
Additional self-care approaches include “regular several-day breaks, spending time in the hot tub and in the sun, and making sure I get my workouts in.” He also credits his wife as a source of support, noting that “going on dates with my wife has been extremely refreshing as well. She understands the bug bounty industry well, and we even did a podcast episode with her.”
Life beyond hacking
Despite his immersion in cybersecurity, his podcast, and the community, Rhynorater maintains a rich life beyond his professional pursuits. “Outside of hacking, I love to spend time with my wife and foster daughter riding bikes, roller skating, playing imaginary games, or playing video games,” he shares. “My wife and I also participate in rec volleyball club each week, which I love.”
He dedicates his personal time to physical fitness and spiritual growth: “During my independent free time, you’ll find me in the gym weightlifting (strong lifts, mostly), in the hot tub with a coffee, or in my sunroom reading the Bible.”
Looking ahead, Rhynorater sees no reason to pivot from hacking and current pursuits. “To be honest, I would have a really hard time justifying any other job besides bug bounty. Complete time, financial, and geographical freedom, while doing something I’m so passionate about, is a dream come true,” he concludes.
For Rhynorater, the future is bright, balanced between technical excellence and personal fulfillment—a model that challenges the traditional narrative of the burned-out security professional. His example offers a glimpse into a sustainable approach to a career in cybersecurity.
Final thoughts
As mentioned above, Rhynorater runs an excellent podcast called Critical Thinking – Bug Bounty Podcast. It provides not only technical knowledge (think bypassing DOMPurify and COOP, learning how to use OAuth gadgets, and attacking third-party providers) but also an insightful avenue to learning about hackers and the variety of pathways into cybersecurity. At its core, it’s a “by hackers for hackers” podcast focusing on the technical details of bug bounty. Rhynorater says, “Sometimes, we do stray a bit into the mental health/financial optimization/etc. sides of bug bounty to care for the hacker holistically.” That being said, expect to hear from the best on everything from technical topics to life stories to finances.