The Future of Pen Testing Automation with Alton Johnson

November 7, 2022 Hacker Valley Studio

00:00:00

Show Notes

Alton Johnson, Founder and Principal Security Consultant at Vonahi Security, automates his way out of his pen testing job in this week’s episode. An AOl hacking gone wild got Alton into defensive cybersecurity years ago, and now, as the Founder of Vonahi, Alton advocates for automation and efficiency in the pen testing process. Alton talks about his connection to defensive over offensive, customizing a pen test report to your audience, and finding that sweet spot between practitioner and entrepreneur. 

 

Timecoded Guide:

[00:00] Learning the importance of automation in defensive cyber

[07:48] Connecting with automation & defensive cybersecurity over offensive

[12:01] Showing the results that matter to the right people in a pen test report

[15:27] Prioritizing exploitations in the world of vulnerability assessments

[21:59] Maintaining the cyber practitioner & the entrepreneurial side of Vonahi

 

Sponsor Links:

Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.

 

How have you seen automation change yourself and your role? 

As a penetration tester, Alton explains that time is often not on his side. There’s a limited amount of time to do an assessment, and the measure of a good pen tester is often determined by fast, high quality reporting. Automating the repetitive tasks of pen testing not only saves time, but Alton believes it genuinely changes the role into something much more efficient, high value, and successful. 

“Automation obviously plays a huge part in growing in the career too, because the more you can do, the more value you can provide, and the faster you can provide that value makes you a better pentester.” 

 

How do you convey the story of a red team engagement in different ways so that message is received by everyone in the company? 

At Vonahi Security, Alton’s team separates pen testing reports into an executive summary and a technical report. The executive summary is high level, demonstrating the impact and severity of what was discovered from a business point of view. Many business executives don’t need the technical play by play, which is why that is saved for the technical report. The technical report acts as a scene by scene story of what was done and how to technically fix it.

“We separate the two conversations. Here's what we did at a high level to anyone that doesn't really care about the technical stuff, but only cares about how it impacts the business, and then, for the person that has to fix the issues, here's everything that they would need.”

 

What would you tell the newer generation of cybersecurity practitioners about the offensive side? 

When Alton first started his cybersecurity journey, he was very into hacking and coding. That passion for code has served him well, allowing him to become successful enough to start his own business with Vonahi. For the younger generation of cyber practitioners, Alton recommends not skipping that coding education. As technically advanced and automated as cybersecurity tools are, practitioners should be prepared to code when something breaks or doesn’t work as intended.

“I think coding is extremely valuable, because there's going to be many times that tools that you use don't work and you have to have the experience and knowledge to basically fix those problems with coding.”

 

What have you learned over the past few years that has helped you to maintain both the technical and business side of Vonahi? 21

Efficiency is the name of the game for Vonahi— and it’s the one thing that has allowed Alton to remain in a hands-on pen testing role while still being a business owner. Keeping it efficient is more than just technology and automation. Alton believes his success is a direct result of the efficient technology around him and the hardworking, intelligent, efficient team members working with him at Vonahi.

“It is really just about efficiency. We look to all these other leaders, but for me, I like to learn from other people's failures. I don't want to take the same growth processes as the person who failed and didn't do well.”

---------------

Links:

Keep up with our guest Alton Johnson on LinkedIn and his personal website

Learn more about Vonahi Security on LinkedIn and the Vonahi Security website

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio

Recent Episodes

December 5, 2023

Ransomware: How to Use AI to Create

a Readiness Kit with Scott Suthe...

The adversary is using Artificial Intelligence. Why aren’t you? In this episode, Host Chris Cochran talks with Scott Sutherland, VP of Research at NetSPI, about everyone’s favorite hot topics; ransomware and AI...

November 28, 2023

Cover Your SaaS: Navigating OAuth

and SaaS Security Challenges

SaaS misconfigurations may be responsible for up to 63% of security incidents. Do your SaaS applications have risky OAuth grants and misconfigurations? Let’s not find out. We will unravel the complexities of OA...

November 21, 2023

Standing Out On LinkedIn as a

Cybersecurity Professional with ...

In this episode, host Ron Eddings speaks with Chris Hughes, President at Aquia, Cyber Innovation Fellow at CISA, and cybersecurity legend. Special guest, Chris Hughes, was initially inspired to build a personal...

November 7, 2023

Adversarial AI: Navigating the

Cybersecurity Landscape

In this episode, host Ron Eddings is joined by Sr. Director of Red Team Operations at Coalfire, Pete Deros, to discuss the hottest topic around; adversarial AI. Ron and Pete discuss how AI is used and how the a...

October 31, 2023

Protecting What You Can’t See with

HD Moore

In this episode, host Ron Eddings is joined by Metasploit creator, co-founder and CEO of runZero, HD Moore. HD changed the world with Metasploit and he’s doing it again with runZero. Attack Surface Management c...

October 24, 2023

Penetration Testing, Public

Speaking, and Content Creation w...

In this episode, Ron Eddings is joined by Penetration Tester, Instructor, International Speaker, Best Selling Author, and Podcast Host, Phillip Wylie. Phillip shares how pen testing and the need to educate peop...

October 17, 2023

Ruse and Deception: From Hollywood

to Corporate Espionage with Robe...

In this episode, Host Ron Eddings interviews Robert Kerbeck, author of Ruse: Lying the American Dream from Hollywood to Wall Street. Robert shares how his professional acting skills helped his career in corpora...

October 10, 2023

Hacker Culture and ADHD with Kim

Crawley

In this episode, host Ron Eddings is joined by cybersecurity researcher and writer, Kim Crawley, to deep dive into one of her greatest passions; computing! From its origins to its newest capabilities in quantum...

October 3, 2023

Starting at the Endpoint with Danny

Jenkins

In this episode, host Ron Eddings is joined by Co-Founder and CEO of ThreatLocker, Danny Jenkins, to talk about his "Hero’s Journey" from IT to launching ThreatLocker. From spam emails, bots, and ransomware to ...

September 26, 2023

Having Resilience In Your Cyber

Career with Erika Eakins

In this episode, host Chris is joined by Erika Eakins — a cybersecurity sales ninja, podcaster, and co-founder at Teach Kids Tech. Erika opens up about her challenges entering tech and cybersecurity as a woman ...

WORK WITH US

PODCASTS + SPEAKING + EVENTS

Are you the best kept secret in cybersecurity? Let's change that by partnering together for podcast ads, social campaigns, and your next event or keynote. Send us your details to get started.