From Analog Hacks to Agentic AI: The Evolution of Offensive Security with Denis Calderone

Written by Suzu Labs | Mar 30, 2026 11:00:00 PM

The world of cybersecurity has undergone a massive transformation in just a few decades. In this episode of Simply Offensive, host Phillip Wylie is joined by Denis Calderone, a veteran practitioner with over 30 years of experience, to discuss the shift from analog hardware "hacks" to the cutting-edge world of agentic AI.

The Curiosity That Started It All

Denis’s journey into the mindset of a pentester began in the '80s with a simple analog cable box. As a curious kid, he took the box apart and discovered that by turning knobs under the buttons, he could reprogram the channels—much to his father’s chagrin [02:32]. This early experimentation taught him a fundamental lesson of security: it’s not just about what a system is supposed to do, but about finding the "gray area" of what else it can do [02:56].

The Early Days: Bolt-On Security

Starting his career in the mid-'90s, Denis witnessed the era when security was often an afterthought. Back then, many systems didn't even have passwords, and security budgets were virtually non-existent [04:18].

Denis shared a story from his very first pentest where he discovered an active threat in a client’s web route while he was testing it [06:45]. At the time, vulnerabilities like directory traversal were ubiquitous, and many breaches went unreported because there was no compliance requirement to do so [07:36].

The Shift to "Vibe Coding" and AI Vulnerabilities

Fast forward to today, and Denis sees a new challenge: "vibe coding." With the rise of AI, people are generating and deploying code at breakneck speeds without a fundamental understanding of security frameworks [11:34].

"The frameworks got good... but now it’s the Wild West again," Denis explained. AI-generated code can often introduce "stupid" vulnerabilities that modern frameworks had previously solved, making systems easy to break into once more [12:15].

Dark Web Monitoring and Holistic Security

At Suzu Labs, Denis focuses on a "white glove" approach to security. This includes dark web monitoring, which he views as an essential tool for the modern enterprise [14:00]. By identifying stolen credentials or pre-texting campaigns before they are fully launched, companies can proactively secure their environments rather than just reacting to a breach [15:51].

The Future: Agentic AI in Pentesting

For those looking to advance their careers, Denis’s advice is clear: learn the agentic side of AI. He believes pentesting is moving toward an "augmentation" model where skilled practitioners use AI agents to automate redundant tasks [18:30].

However, he cautions against purely automated tools. Without a qualified human to set guardrails and ask the right questions, automation often results in poor-quality output and missed zero-day vulnerabilities [20:54].

Finding Quality Talent

Ending the conversation on the "skills shortage," Denis emphasizes the importance of community. Most of his team was built organically through networking at conferences and discussion boards like Slack and BloodHound [22:44]. In an era of AI-generated resumes and "coached" virtual interviews, he believes the best way to find true talent is to meet people in the field and identify those who possess that natural, inquisitive "pentester mindset" [28:34].

Watch the full conversation here: From Analog Hacks to Agentic AI – The Evolution of Offensive Security with Denis Calderone