Blog

Report Ranger roadmap

Posted on 2023-02-23 by Matt Strahan in Volkis News


When we started Volkis, Alexei and I had a big ranty discussion on how reports should be done. The next day I hacked together a PoC. We looked at it and went “damn, we already like this better than what’s already out there!”

Fast forward three years and Volkis is now more than just Alexei and I. That PoC ended up as Report Ranger and we’re still using it internally. Each time I ask “is Report Ranger still working for us” the answer seems to be “yes”. I follow that up with “are you sure?”, worried that they might just be trying to be nice and not hurt the feelings of the Managing Director and they still say “actually yes, I really like it!”

Part of the advantage of using our own internal tool for reporting has been the flexibility. Much of the functionality that Report Ranger has now was put in for a specific use case. We need a report that has charts, so let’s just put charts into Report Ranger. Wouldn’t it be good to have it read a spreadsheet and automatically generate our compliance report? Report Ranger can now do just that. Recently we had a report that needed two sections with separate groups of vulnerabilities and so now that change has been put together. All these breaking changes were fine - we just posted a message on our company Slack channel to give everyone a heads up and that was that.

There’s a big issue that has now cropped up though. Report Ranger is an open source project and is now being used outside of Volkis. Ah well, there goes our fun. We have to start doing stuff properly!

Hacker Origin Stories: Alexei Doudkine

Posted on 2023-02-23 by Alexei Doudkine in Feature


Welcome to the first episode of Hacker Origin Stories. We have started this series to create a space where professionals can share their own personal experiences about their journey into hacking and cybersecurity. The aim is to showcase the many different paths into the industry and inspire the next generation of hackers to carry the torch.

This origin story has been written by Volkis co-founder, Alexei Doudkine.

Let’s get into it.

The three questions boards should ask to manage cyber risk

Posted on 2022-11-25 by Matt Strahan in Business Security


If you were a company director and you could ask three questions to judge the cyber security of the organisation, what would they be?

From SysAdmin to Pentester - Part 5 - OSCP vs PNPT

Posted on 2022-10-31 by Nathan Jarvie in Industry


Part 5 of the Sysadmin-to-Pentester series is a comparison between two entry level penetration testing certifications: Offensive Security’s Certified Professional (OSCP) and TCM Security’s Practical Network Penetration Tester (PNPT). While both have their merits, they focus on different elements and provide different experiences. Deciding which to go for can be a challenge.

From SysAdmin to Pentester - Part 4 - Tickets please

Posted on 2022-10-24 by Nathan Jarvie in Industry


Part 4 of the Sysadmin-to-Pentester series discusses offensive security foundation-level certifications. While not required to get a job in the infosec industry, there is no denying that certifications help your chances of landing your first role. Luckily for you, I have done quite a few so far, and can tell you which are worth your time (and which are not).

From SysAdmin to Pentester - Part 3 - How to stand out in a crowd of paper

Posted on 2022-10-17 by Nathan Jarvie in Industry


Part 3 of the Sysadmin-to-Pentester series is all about how to make your CV stand out from the crowd. Junior roles are rare, with many, many applications. Additionally, hacking skills don’t translate well to text. So how do we show we have more skill and drive to be a penetration tester than the other candidates, on paper? Well…

From SysAdmin to Pentester - Part 2 - Great expectations

Posted on 2022-10-10 by Nathan Jarvie in Industry


Part 2 of the Sysadmin-to-Pentester series discusses the differences between the idea and the reality of being a penetration tester. The certifications and the industry paint a picture a little different from the reality. A better understanding of, and more preparation towards, the role’s requirements will help you to decide if this is the role for you and how to ace the interviews.

From SysAdmin to Pentester - Part 1 - The hard way

Posted on 2022-10-05 by Nathan Jarvie in Industry


This is the first part of a 5 part series in which I will walk through the decision making process and the steps involved in transitioning from a system administrator to a penetration tester, the certifications taken, and the issues and obstacles that I faced along the way.

This is my story, and I hope it helps to inspire people who are considering a mid-life career change that it is possible to do so and to take the leap.

Active Directory Hacking Speedrun

Posted on 2022-09-23 by Alexei Doudkine in Tools of the Trade


On Saturday 24th of September, I gave a presentation at CSECcon titled “Active Directory Hacking Speedrun! 14 attacks in 30 minutes.” This post is here to provide some post-talk resources to those wanting to learn about any of these attacks, how they work and how to recreate them.

5 methods for Bypassing XSS Detection in WAFs

Posted on 2022-08-09 by Karel Knibbe in Tools of the Trade


Ever since the 1990s, Cross-Site Scripting (XSS) vulnerabilities have plagued the world wide web. It’s been a difficult problem to solve because of the many ways that it can introduce itself in applications. This, and other application level attacks, contributed to the rise of Web Application Firewalls (WAFs). However, like any other solution that does not tackle the problem by its roots, it’s not ideal. Pentesters, red teamers, bug hunters and malicious actors alike have been playing cat and mouse with vendors to find ways around these additional defence mechanisms. In this post, we’ll be discussing a few fundamental techniques that you can use to bypass these firewalls.
