In cybersecurity, we often operate in silos. The red team breaks things, the blue team fixes them, and management focuses on compliance. But what happens when you blend these worlds? In a recent episode of Simply Offensive, Phillip Wylie sat down with Chris Marks, a security leader and former student of Phillip’s, to discuss how an offensive mindset can transform defensive strategy and leadership.
From Network Engineer to Security Leader
Chris’s journey began in Lafayette, Louisiana, as a network technician. Like many in the field, early inspirations came from movies like Hackers, but the path to a real-world career wasn't immediately clear. It wasn’t until he moved to Dallas and began attending local meetups like the Dallas Hackers Association that he truly found his community [01:05].
Chris’s transition into security was marked by a relentless pursuit of knowledge, earning six certifications in a single period after being laid off [03:19]. This grit eventually led him to leadership roles where he now manages incident response and vulnerability management teams.
The Power of Offensive Thinking in Defense
One of the most compelling stories Chris shared involved his first offensive campaign—a simple fishing simulation using Metasploit Pro. Knowing his colleagues’ frustrations with the office coffee, he crafted an email asking employees to log in and vote for new flavors [05:40].
The results were eye-opening. While the simulation caused a minor panic at the C-suite level, it sparked a massive increase in actual fishing reports from staff [06:56]. This experience cemented Chris’s belief in the "Purple Team" mindset: using offensive tactics to educate employees and strengthen defensive tools.
"Until you actually look at how an attacker targets you... how they pivot... how they are patient... you fully don't understand it," Chris noted.
Beyond the Compliance Checkbox
Chris and Phillip discussed a common pitfall in corporate security: treating penetration tests as nothing more than a compliance checkbox. Chris argues for a shift toward:
- Tabletop Exercises: Simulating real-world scenarios rather than just automated fishing tests.
- Validating Tools: Using an offensive mindset to verify that security tools (and vendors) are actually picking up misconfigurations.
- Continuous Learning: Encouraging team members to set up home labs and learn tools like Burp Suite or Linux to validate their own environments.
Leadership and the Human Element
As a manager, Chris focuses on mentoring and understanding the human side of security. He highlights the importance of inclusive training, noting that people learn differently—whether they have ADHD, dyslexia, or simply prefer hands-on visual learning over reading a manual [12:44].
His philosophy is simple: Don't trust; validate. By training his team to think like attackers, he ensures they aren't just relying on "theory" or the alerts provided by their tools [17:53].
AI: A Double-Edged Sword
The conversation naturally touched on AI. While Chris acknowledges its utility in triaging alerts and optimizing GRC templates, he cautions against over-reliance. "AI is not going to help you be a better pentester... with no knowledge," he warned [19:11]. The key is to use AI as a tutor and a tool for "grunt work," while keeping a firm hand on the technical fundamentals [22:38].
.png)
.png)
