pxng0lin@laptop:~$ echo $AboutMe


Who Am I?

  • pseudonym: pxng0lin (pangolin)

  • location: United Kingdom

  • interests: data, learning, privacy, web3, independence from 9-5 (don't we all yearn for that?)

Some deets.

  • profession: Previously an analyst (data, forecasting, resource), all things data, forecasting resource and modelling used for predictions. Over the past 4 years I've transitioned into cybersecurity, reignited my love of hacking, and transferred my problem-solving skills, and all things data, over.

  • experience: Mainly in data for analytics, from insight to forecasting resource, modelling and prediction of customer data, etc., this was all before the 'dream' that is now AI.

    • Web2: I started to dabble in hacking several years back and utilised platforms like Bugcrowd, Intigriti and HackerOne, great platforms still today. Earned some rep, learnt a lot more than I reported, built a lot of scripts in Bash and Python, and realised quite quickly, there's too many hackooors in that space, and knowledge is a scramble to get quickly, research takes a while too, especially to get to a top level, not for all, but for me and my circumstances, I didn't have the time (other responsibilities).

    • Web3: I discovered Immunefi c. 2020, when looking at crypto and thinking at the time, "can this stuff be hacked?". I joined their Discord server and saw conversations around using Slither to detect vulnerabilities in smart contracts and talk about false-positives being high in the results (smart contracts? What's one of them?). I saw this and cloned the Slither tool from GitHub, ran this over a mainnet smart contract from Etherscan (shh... naughty!) and then the results showed what I thought were valid vulnerabilities - "Oh great, just like using web2 tools, such as Nuclei..", well, not really, and it wasn't that simple!

    • languages speaking/coding: I'm not an expert in any, I have used/use several, and continue to learn, in no particular order

      • VBA

      • SQL

      • Python

      • R

      • Bash

      • Solidity

      • JavaScript

      • English (Native, British)

      • Arabic (Fus-ha)

💬
As you can see, I don't share much personal information. I want my internet footprint to be minimal on my personal life. Rather, an output of my interests, things I do, and interacting with others that have similar interests to enable learning and discovery.

Ambitions

I remember a while back looking at my options and potential paths for the web3 space, in opposition to my current career in cybersecurity, which is web2 mainly, and focusses on management of assets within a business regarding vulnerabilities. I came across Spearbit's GitHub repo that broke down the different levels of the positions they have, and this gave me a starting point of where to aim, for what I consider, entry level.

  • Spearbit Roles

    • Junior Security Researcher (JSR)

    • Associate Security Researcher (ASR)

    • Security Researcher (SR)

    • Lead Security Researcher (LSR)

  • Promotion Flow

    • JSR to ASR

    • ASR to SR

    • SR to LSR

My aim was to become proficient enough in this space to at least be considered a JSR. In doing so, I would then be in a position to apply for the role with places like Spearbit, or at least have a reference of my level for other opportunities that may arise.

Fast forward a little, the aim is still to be proficient, but, after experiencing audit competitions, the maturity of vulnerabilities and the shift of the severity from Critical to a low in under a year, I started to believe just meeting the expectation would be suitable; but wouldn't separate me from the rest.

After a Twitter/X post from Dacian (great chap!) for a role of LSR at Cyfrin (not applying, lol), I started to have a think about what I needed, and how I could prove it to potential employers. I dropped Dacian a DM too just to get a bit of insight into what I could do, without becoming a content creatooor all over Twitter/X, I'm not one for that sort of attention, nor did I really enjoy reading threads of regurgitated knowledge, good for those that have done it, but as many things do, it gets old and "seen it before" quite quickly. You could argue the same is with blogs, however, for me, this is an easier way to point someone to what you have been doing, what you know, and how you've applied what you've learnt; without having to link to tweets lost in your Twitter/X history.

So to wrap up! I want to use this space to share learnings from competitions, vulnerabilities I've reported and/or read about, and anything web3 or coding related that I do as I venture deeper into security research - emphasis on research, since this really is my main interest, I research, I try, I win and fail, but in general, I have a passion for learning things, problem solving, and usually sharing amongst family and friends (sometimes to blank faces and "that's nice" smiles), but hopefully now I can widen my reach to a bigger audience, and put myself in the window for the next role that comes up in the future.
