
Content provided by Pentest-Tools.com. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Pentest-Tools.com or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here: https://hu.player.fm/legal.

We think we know hackers thrive on deep environment knowledge

1:13:35
 

“Not everything works as configured. Not everyone behaves as trained.”

The reality of this statement makes it possible for us, the people in offensive security, to have a job. It also highlights how unpredictable our work can be and how never-ending our learning process is.

We work in a space where things are so complex that we need to combine big-picture, higher-level thinking with boots-on-the-ground practice.

And our guest today is brilliant at doing just that.

Pete Herzog has spent over two decades distilling the fundamental principles of security testing, turning them into a decade-defining manual - the Open Source Security Testing Methodology Manual (OSSTMM). Pete brings offensive and defensive security concepts together to break down important misconceptions.

Listen to this conversation to uncover:

  • Why you can’t do security without understanding the process behind it [08:23]
  • How automation can help but, at the same time, hurt the ones using it [11:00]
  • Why you can’t rely only on automated security tools in your pentests [19:10]
  • The importance of implementing security controls to change the environment [28:22]
  • Pete’s perspective on "Zero Trust" and how they tackled this in OSSTMM [35:18]
  • Why he thinks there are “too many parrots, not enough pirates” in this space [43:42]
  • The excitement of researching for OSSTMM v4 and exploring new technologies [51:40]

From the expert systems behind AI-driven tools and their blindspots to generalizations that hurt offensive security outcomes, we explore key elements that shape today’s problems - some of which you’re probably wrestling with as well.

Let’s explore them!
