Jan. 1, 2026

Episode 155: 2025 Hacker Stats & 2026 Goals


Episode 155: In this episode of Critical Thinking - Bug Bounty Podcast, Justin, Joseph, and Brandyn reflect on the last year of bug bounty and list their goals and predictions for what 2026 holds.

Follow us on twitter at: https://x.com/ctbbpodcast

Got any ideas and suggestions? Feel free to send us any feedback here: info@criticalthinkingpodcast.io

Shoutout to YTCracker for the awesome intro music!

====== Links ======

Follow your hosts Rhynorater, rez0 and gr3pme on X:

https://x.com/Rhynorater

https://x.com/rez0__

https://x.com/gr3pme

====== Ways to Support CTBBPodcast ======

Hop on the CTBB Discord at https://ctbb.show/discord!

We also do Discord subs at $25, $10, and $5 - premium subscribers get access to private masterclasses, exploits, tools, scripts, un-redacted bug reports, etc.

You can also find some hacker swag at https://ctbb.show/merch!

====== Resources ======

2024 Hacker Stats & 2025 Goals

https://blog.criticalthinkingpodcast.io/p/hackernotes-ep-104-2024-hacker-stats-2025-goals

====== Timestamps ======

(00:00:00) Introduction

(00:02:08) 2025 Full Time Hunting Retrospective

(00:10:19) Most Fulfilling Moments and Bugs

(00:17:56) Satisfaction with 2025 Stats

(00:45:28) Automation, Organization, and Collaboration

(00:48:55) Time and Motivation

(01:08:01) Goals and Predictions for Bug Bounty in 2026

Title: Transcript - Sun, 04 Jan 2026 06:00:22 GMT
Date: Sun, 04 Jan 2026 06:00:22 GMT, Duration: [01:32:17.61]
[00:00:00.72] - Brandyn Murtagh
We literally get to put thousands of dollars in our friends pockets and they get to put thousands of dollars in our pockets and it's freaking fun.

[00:00:30.71] - Justin Gardner
All right, hackers, if you're really looking to take the deep dive this year, I really recommend you check out the Critical Thinkers tier in the CTBB Discord. Okay. This is the place where we are doing hack-alongs, AMAs, giving you exclusive content that only the inner circle has access to to boost you as a hacker. Master classes, you know, custom interviews with extended interviews with guests, that sort of thing. It's a great way to support the pod and it's a great way to invest in yourself as a hacker. And it's a tax write off for sure. So give it a shot. Check it out. ctbb.show/discord will help you join us. Thanks. All right, my guy, 2025 is in the freaking books, dude.

[00:01:09.64] - Joseph Thacker
Yes. And you're going to be hydrating it up today, right?

[00:01:11.79] - Justin Gardner
I am, yeah. Dude, I just got over like two weeks of being cold or like, can you. Of being cold? Can you hear the, can you hear the, the, the like raspiness in my voice still or.

[00:01:23.48] - Joseph Thacker
No, you sound great, dude.

[00:01:25.32] - Justin Gardner
It sounds to me like I'm like, like talking through a straw or something. It's like, it's bad.

[00:01:29.96] - Joseph Thacker
Well, unbeknownst to the listener, we've had to push this back at least once. And Brandyn is also having some Christmas woes, so he might hop on at some point, but yeah, he might not make it. We'll see.

[00:01:39.48] - Justin Gardner
Brandyn will hop into the episode live, so we'll see how that goes.

[00:01:43.25] - Joseph Thacker
Dude, show them your shirt. Check out this critical thinking merch for.

[00:01:47.37] - Justin Gardner
Those of you on YouTube.

[00:01:48.51] - Joseph Thacker
Like, look at this.

[00:01:49.21] - Justin Gardner
This is the critical thinking Secret Santa 2025 exclusive. We're going to keep it in the store till a couple days into January. So if you're listening to this episode within the first like week of it releasing, you can still get it at ctb, show swag, then we're pulling it forever. So if you want the critical thinking Secret Santa T shirt, this is the time to get it.

[00:02:08.34] - Joseph Thacker
Yeah, dude. Dude, what a year. I feel like between the mix of AI Bug bounty taking off hackbots, this has been the craziest bug bounty year ever.

[00:02:16.58] - Justin Gardner
Yeah, dude, you picked quite a year to go full time bug bounty.

[00:02:19.62] - Joseph Thacker
I did, yeah. And it worked out quite well, which we'll talk about. But. But yeah, man, what a time. Cause like, I feel like there's so much opportunity around, like Building products and doing all kinds of other crazy stuff. And also, not only first year bug bounty, but this is the, the end of the first year of me being a co host.

[00:02:35.53] - Justin Gardner
Yeah, man. Yeah. Dude, what a beautiful year. Thank you so much for coming along on this journey with me this year, man. It's like, yeah, AI, I mean, obviously like blowing up, I think, dude, you. We were talking a little bit on stats before the episode. You freaking blew full time bug bounty out of the water this year, man. So major congrats for that. Lots of fun collabs, lots of good live hacking events.

[00:02:59.25] - Brandyn Murtagh
Yeah.

[00:02:59.61] - Justin Gardner
Another year living the dream of a full time bug bounty, man.

[00:03:02.53] - Joseph Thacker
Dude, you got to soak it in. It's so easy to say onto the next thing. Yeah.

[00:03:06.56] - Justin Gardner
I was just sitting in the hot tub the other day just thinking about that, like, wow, I'm so blessed to have this job. This job is literally the best job. If I could, if I could pick a job that I couldn't pick a job that's better. Like, it just cons, dude. Let me just remind you guys really quickly, okay, like about what our job is. Okay. First we get in there and we have the coolest job title ever. Ethical hacker. Like when you're like, oh, at a party, you say, yeah, you know, I'm in cybersecurity or whatever. And they're like, oh, what do you do? And you're like, oh, I'm an ethical hacker. You know? And they're like, what, you're an ethical hacker? And then you get that moment of like, wow, people think this job is really cool. Right? So yes, excellent job title number one. Right. Number two, if you're a full time bug bounty hunter, you have complete flexibility. You can work whenever, wherever. You know, you don't have to do any sales.

[00:03:52.71] - Joseph Thacker
Constant demand.

[00:03:53.75] - Justin Gardner
Oh my gosh, it's like unbelievable. You just show up, you do your thing, you get money, like, and sometimes there's a little bit of back and forth on the reports or whatever, but it's nothing compared to what you would face if you were actually doing sales or client acquisition.

[00:04:05.58] - Joseph Thacker
Right, right. And this isn't to downplay people that like that, like struggle in bug bounty. Like we're clearly talking about people that are like, able to like make a living with it. Right. Full time bug hunters or part time for so many people. It's a huge blessing, like for you or for me at least. And I think for you too, like doing it part time. Before we even went full time, it was like this amazing side hustle that like, if you have time to do it, you can do it, but if you don't, you don't. Whereas so many other side hustles, it's like you have to show up, you know what I mean? And with Bug Bounty, it's like, yeah, if you have time to hack, you can hack and if you don't, you don't.

[00:04:34.35] - Justin Gardner
Yeah, dude, it's just, it's freaking unbelievable. Then, then listen to this, man. As soon as you, as soon as you do your thing, right, and you hack something, one, you feel like the coolest person ever because you just did something you're not supposed to do. You just outsmarted these, you know, multi billion. Oh, there's Brandyn.

[00:04:47.14] - Brandyn Murtagh
Yo.

[00:04:47.70] - Justin Gardner
Yeah, just like we, yo. All right.

[00:04:54.35] - Brandyn Murtagh
Sorry about that. It's been like a bit of a whirlwind.

[00:04:56.58] - Justin Gardner
All good, man, all good. I'm just, I'm just telling the people why they should be so happy with Bug Bounty, you know, like then, you know, once you find the vulnerability, right, you get this hit of dopamine, you're like, oh my gosh, I just found it. You know, like, yeah, and then you're so happy, right? And then you're banging on the table, right? And then, and then you, you know, you write up the report, you submit it, and then you get another crazy dopamine hit whenever the bounty gets paid, right? You look at your phone, you see that, you know, report, you know, nothing compares to it. Email, you click the link and then boom. You know, and then you're like, oh my gosh, yes. And there's so much dopamine and like feel goodness in this job. It's like crazy. I feel like a crack addict sitting here talking about like, then you could.

[00:05:38.58] - Joseph Thacker
Tell your wife or your friends about the bounty if you're able to hear in that situation. And then you get to tell like other bug hunters about the really cool, like, finding that you had as well.

[00:05:46.94] - Justin Gardner
Yeah, I mean, and do you go to your wife and be like, hey honey, I made another, you know, like, say you've got your, you know, Silicon Valley job or whatever. Hey honey, another $12,000 this month. Woohoo. On my salary? No, but then you get a bounty for 12 grand and you're like, let's go.

[00:06:00.16] - Joseph Thacker
It feels special. It feels different.

[00:06:01.92] - Justin Gardner
Exactly. Like, man, what a freaking beautiful thing, right?

[00:06:08.16] - Joseph Thacker
Dude, Brandyn, check out the shirt. I know, sorry. For the audio listeners, we keep talking about it. Look how good this shirt looks, dude.

[00:06:13.83] - Justin Gardner
Secret Santa. You see this?

[00:06:15.56] - Brandyn Murtagh
Oh yeah, see, I just feel so terribly unprepared I'm wearing my gym stuff. Not Christmassy at all.

[00:06:23.00] - Justin Gardner
Dude. Sorry, man. You showed up. You showed up. Right? That's. That's. This December has been a whirlwind, right? Like, we all kind of talked about prepping for December and being like, you know, trying to get critical thinking stuff squared away and like, trying to get, you know, all of our hacking stuff done so that we can like, chill for the last like two weeks of December or whatever. Then the sickness hit, you know.

[00:06:42.08] - Brandyn Murtagh
Yeah, yeah, there's. There's no preparing for this December, unfortunately. No matter what you've done, there's no preparation that could have fixed it. So it's one of those ones. But hey, ho, we're all here, we're recording. That's all that matters.

[00:06:53.01] - Justin Gardner
Exactly. Exactly. Anyway, sorry for letting that, like, you know, just overflow of gratitude and passion for the bug bounty world.

[00:07:01.74] - Joseph Thacker
Dude, people who are living in dupe land are going to want to like, strangle you. They're going to be like, I know, I'm sorry. Justin's bragging about how amazing bug bounty is. I've gotten six dupes in a row and I'm going to go jump off a cliff, you know, like, well, let.

[00:07:12.22] - Justin Gardner
Me just share this one thing though. Let me share this. And I know you guys know what I'm talking about, but like, I had one of the most gutting live hacking events ever this year. Like, I. It was a new type of scope. I was like, all right, I'm going to go after this, you know? And I went after it and I accomplished exactly what I wanted to achieve. I got RCE on the thing, right? And I had like a nice attack vector and, you know, it's perfectly aligned with the scope doc, and it didn't pay. And I made like three grand on that live hacking event or something ridiculous like that, right? Yep. And it was gutting. It was totally gutting. And. And then, dude. And then, you know what happened the next freaking day is I went and went back to my like, you know, home program or whatever and popped like six credits and it was like, amazing, right? So this time I kind of got like, you know, the low kind of just spiked back up.

[00:08:02.13] - Joseph Thacker
Right?

[00:08:02.33] - Justin Gardner
But I definitely understand living in those lows too, because for a little while after that, live hacking, man, I was like, frick, I hate this, you know? Like, why can't they just. Why can't I just do a job where they give me money for effort, you know?

[00:08:11.69] - Brandyn Murtagh
Yeah, yeah, but this is it. You were speaking just as I joined about the high highs.

[00:08:17.47] - Joseph Thacker
Right.

[00:08:17.70] - Brandyn Murtagh
But comes with it at a low lows where it's very much part of the game and you need to learn to weather that like personally off air. I know both of you, I've spoken to about this, about when you're going for a bit of a hump and it's not going well, but then two weeks later, forgotten about is a distant memory. The bugs are coming back in and it's all going fine.

[00:08:36.59] - Joseph Thacker
Yeah, you need to have the memory of a goldfish to be a bug.

[00:08:39.30] - Brandyn Murtagh
Hunter, you know, and that's why I'm so happy.

[00:08:42.25] - Justin Gardner
You just gotta. You just gotta keep. That's why I'm so happy. That's funny.

[00:08:49.12] - Joseph Thacker
All right, yeah, jump to our questions, Justin. We got a lot to go.

[00:08:52.33] - Justin Gardner
Yeah, let's get into the meat. This we're gonna save till after and then. But let's go right into the meat. So this will be the second year in a row of doing this, third year of doing a similar concept. But we are kind of going to do a personal inventory for our. Our hunting. And Brandyn, I know you got stuck in traffic and got sickness and a bunch of other things, so just like, try to stick along as best you can here with this. But what I did last year was I created like this list of a bunch of questions that will help you understand, like, what your year as a hacker looked like and like, do some reflection and figure out, you know, what you accomplished, what your best moments were, what your worst moments were. You know, did you, did you accomplish your goals? How can you improve as a hacker? That sort of thing. It's all sort of bundled in here. We'll release this again in the Hacker Notes in conjunction with this episode.

[00:09:42.32] - Joseph Thacker
But yeah, the listeners should listen, should post like a reflection like this on like in the Discord or on X or something. It'd be pretty sweet to see this from like, you know, our friends and, you know, people in the industry.

[00:09:53.84] - Justin Gardner
Yeah, I would love to see it. Yeah. So that's a great point. If you can do like a long form X post or like even go in the CTBB Discord, maybe we'll open a channel or something like that.

[00:10:01.27] - Brandyn Murtagh
Yeah.

[00:10:01.63] - Justin Gardner
And that says like, you know, Reflections or something like that.

[00:10:05.57] - Joseph Thacker
Yeah, really cool.

[00:10:06.85] - Justin Gardner
Yeah, yeah. All right, Richard, if you're, if you listen to this whole thing, I know this gets crazy in December, but we would like to open that Reflections channel. So check it out in the CTBB Discord or post it on X or both. All right, let's jump into it. First question was, what moments and bugs were the most fulfilling to you as a bug hunter in 2025? Rez0, why don't you kick us off there?

[00:10:28.37] - Joseph Thacker
Yeah, for some. Somehow I like, copied that one down and didn't answer it. But it seems very clear to me what this one is. I think that, like, the. The best experience I had was definitely in Tokyo. Not to toot your. Not toot your horn too much, but it felt magical, right? Like, I had never roomed with a bunch of bug hunters because I got into bug bounty hunting after I was already a family man with kids and stuff. But, like, rooming with you and Lupin and Kieran was just like tons of fun. It felt like being in college again, you know, just like living with roommates. And when I was in college, like, I wasn't a hacker, right? So, like, living with roommates who are also doing the most exciting thing ever and competing in, like an awesome event and then hanging out with all of your, you know, all of your Japanese friends was like, Japanese felt the same way. Like just staying up late, hanging out with them and so anyways, yeah, shout out to them. Shout out to that event. That was definitely the coolest moment. I would say more. More like the proud moments were, you know, kind of those, like, high paying, really impactful bugs. You know, one I had on Amazon was just like, incredible and, you know, got the best. Best bug of the latest ipc. Amazon ipc. Those are. Those are the moments that I was like, you know, probably the most proud of.

[00:11:35.39] - Justin Gardner
So very nice, man. Very nice. Brandyn, what about you? What is your, like, you know, best moment or.

[00:11:45.39] - Joseph Thacker
Proudest moments you can mention? More than one.

[00:11:48.03] - Brandyn Murtagh
I saw the one that comes to mind. I don't actually think I told either of you this, but it was. I think it was in April in Seattle for one of the smaller IPCs. I went there, gave it 100%. And then towards the end of the event, there was absolute magic happening. Like, just absolute magic. I won. I think I won my first. Was that my first award? I'm pretty sure I won my first award and won numerous awards, that event. And I was on a hacker's heart. It's my first time in Seattle. I'd done, like, a lot of things I didn't think were mentally possible on a target. Overcome. Overcome the. Overcome the scaries a little bit. And then as a reward, on the flight back, I checked if I could be upgraded and I could, and I flew back. Business. No, you didn't, dude.

[00:12:35.41] - Justin Gardner
Nice, man.

[00:12:37.10] - Brandyn Murtagh
That feeling. I Mean, that was like, you can't recreate that because the event was like this. And then it finished up here, and then I finished the whole trip. Coming back flying business, I was like, this is it. I don't know what this is, but this is it. And that, for me was like, one of those moments where. Where it just felt good.

[00:12:53.98] - Justin Gardner
Frick, Nagli got to you, man.

[00:12:55.86] - Joseph Thacker
Yeah, no joke. Yeah. I don't really care. It's like, it's a couple hours on the plane. Who cares?

[00:12:59.65] - Justin Gardner
But we're like, what? I mean, I'm like, five ten. You're like, what, six foot, maybe, Rez0?

[00:13:04.82] - Brandyn Murtagh
Six, three.

[00:13:05.22] - Joseph Thacker
Oh, yeah. I'm five eleven.

[00:13:06.41] - Justin Gardner
You're five eleven? Yeah. So. And then you're six three, Brandyn. Yeah. It's a different experience, you know, like.

[00:13:11.37] - Brandyn Murtagh
And, like, for me, now I've done it. I'm not too fussed about it, but it's one, like, the whole thing was the experience, Right. I just started off full time in Bug Bounty. It was like my first event where I felt like I had something to prove personally, because I was fresh in Bug and I really want to do well. Like, personally, I really wanted to do well. And then there's parts of the event where it wasn't going well. And then I powered through that. I went really well. I'm much better than anyone could imagine. That's when I was like, you know what? Let's give it a go. And it, like, it was a lot of small personal things of, like, new experiences, and it all just come together to make a really, like, personal achievement for myself.

[00:13:47.84] - Justin Gardner
Beautiful man. Beautiful man. And I think for me this year, like, there were so many amazing moments of hacking. The Tokyo event was lovely. And getting in that Airbnb with the boys and, like, get around the table and just, like, you know, something that's.

[00:14:00.62] - Joseph Thacker
Near and dear to your heart. Right. I'm sure. That's so good.

[00:14:03.11] - Justin Gardner
Yeah, that was awesome. And. And. And then. Yeah, I mean, and also, just like, last time, I think I talked about this on the pod near there. But, like, last live hacking event in Tokyo, it was. Was a PayPal event, which was like, an event that I. Like, a target that I was pretty comfortable with, you know, And I was like, all right, I'm going to really crush this. And then I totally flopped, right? And. And wasn't even in the top 10, which almost never happens to me. And. And I was gutted by that. Right? And then, so it feels good to, like, come back and, like, take the MVH in Tokyo. The other moments I had on here was hacking with Franz and Matthias in Sweden. Just like, you know, working with those guys is amazing, you know, and, and then, yeah, the other one was seeing the stars align on that one New Relic bug that I talked about at the end of the Halloween episode. Like, that was just one of those moments where I'm just sitting here at my desk like almost shaking with like, I cannot believe that happened. I cannot believe this worked. I've got the token. It's over, gg. You know, like, and, and, and so, yeah, man, I just like, those are, those are some crazy, crazy memories for me of this year. So, I mean. And okay, the next question here was like, were these moments when you found the bug or when you got the bounty or who you were working with? Right. And I think for me it was a lot of both, you know, like it was largely collaboration and you know, seeing the vulnerabilities line from a technical perspective. But I also have on here, as one of my favorite moments, popping a six figure bounty.

[00:15:35.00] - Brandyn Murtagh
Right.

[00:15:36.21] - Justin Gardner
Which was the first six figure bounty I've ever done. Right. So it's like, it's got for me, I'm really like balanced out across the three, you know, main components. I think of like, what makes a meaningful experience as a bug bounty hunter, which is, you know, technical, like victory, you know, collaboration and financial. Exactly. Financial, right. Like getting your bounties. So I don't know, what are your guys thoughts on like, which. Which one is most gratifying for you?

[00:16:05.76] - Joseph Thacker
I think for me, like, when you ask me, it's easy to like look back and like view them all together. Like in retrospect. Yeah, yeah, I think maybe just when it popped. Like when. Yeah, for me, just like when the. When that Amazon bug popped. Like just being really proud of that one. I. Yeah, I think that actually, I don't know, there's something really insane about not feeling imposter syndrome. And in that moment you get like the complete opposite. It's like, yeah, I'm a beast. You know, you feel awesome. You feel like you're like a football player in the stadium, NFL player just like screaming at the camera. Like, that's the moment that I feel like is like, makes it all worth, like worth it, you know?

[00:16:43.35] - Brandyn Murtagh
Yeah, yeah, yeah, I agree. I. It's hard for me to say because it's been. Obviously we're coming up as of a week one year since I've started full time bug bounty and it has been such a rich learning experience going full time, especially because I only done Bug Bounty part time for a year before, so like there's so many good parts to it that just unexpected things that I didn't think that would happen. Like collabing with both of you throughout Targets. This year has been great collabing with some other friends, access Dr. Ads, like all of these things and events. It has been such a rich learning experience and has like helped me grow personally as well as a hacker. I don't know, is it possible just to say like 2025 as a year has just been unbelievable. It really has been great. I just find it hard to like really nail it down because yeah, it's been, it's been explosive in terms of the learning experience, the personal barriers and things I think I've overcome both technically and mentally to be able to do it full time. And yeah, it's just been insane.

[00:17:48.46] - Joseph Thacker
I have a similar rant to Justin's rant about how awesome Bug bounty is about collaboration that I want to get to when we get to that section.

[00:17:54.70] - Justin Gardner
Oh, hell yeah. Hell yeah. I'm looking forward to that. Okay, so that, that kind of wraps the first two and then we're going to jump into looking back on your 2025 Bug Bounty performance. Were you satisfied with. And then we'll go through the list. Right. So for me, number of bugs, I landed at 104 bugs this year and it was kind of hard to calculate this year because it was like across HackerOne. Like I used to do largely HackerOne. So I'd like sum up all my HackerOne ones and then like grab a couple from over here. But like this year I hacked a lot on Google, hacked a lot on HackerOne, did some Bugcrowd, you know, it was, it was a little bit more all over the place, but I landed at around 104 and I'm pretty pleased with that. I think that's a good, a good volume, I think. Last year I said I wanted to do more, but I also said I wanted to get more criticality and I think I did get more criticality this year. So overall landing at 104, I'm pretty pleased with that.

[00:18:51.83] - Joseph Thacker
Yeah, I had exactly 100. I was kind of surprised. It was a round number and I thought it was like funny that it was so similar to yours, Justin, which is interesting because I think that my average payout is probably slightly less and I had more diversified income. But if you take out your outlier, your six figure bug, it's like, I wonder if they'd be kind of similar probably, but also I find it more interesting because I think of you as more of a critical, like a person who finds a higher criticality of bugs than me on average. But I think that the bonuses and, and live hacking events played into my payouts a lot. Like, I think that my actual finding, if you remove the bonuses and live hacking events inflated bounties, then I probably would have like a lower criticality score. Overall, I did pull my average impact from HackerOne, which is obviously lifetime and it's like 22.85 or something, which I felt like pretty good about.

[00:19:44.47] - Justin Gardner
Yeah, that's, that's a good impact. Brandyn, I know you don't have all the stats right in front of you, but do you, do you know roughly how many bugs you got?

[00:19:51.75] - Brandyn Murtagh
Yeah, yeah. So I came in just over 160 across all the platforms.

[00:19:57.10] - Justin Gardner
Look at this guy. Look at this guy.

[00:20:00.54] - Brandyn Murtagh
And like, I did want to spend a little bit of time speaking about this because obviously naturally you want to go for that impact as a hunter, but I found very naturally and as a natural byproduct of going full time, I got on the mindset of like, I am reporting everything that has a meaningful attack vector and like, I don't care what it is, I'm reporting it. And I'm going to argue this very in the bounty and blah blah, blah. It doesn't matter to me anymore. This is like my living and my lifeblood. So I would say it's a byproduct of that mindset a bit more because if I was part time, I'll definitely hold on to bugs for a lot longer and maybe even forget to report them. Like looking through my notes, I have literal bugs there which I just haven't reported like loads. So this year has definitely been a no. It doesn't matter what it is, get it in, report it. So I'd say that as a byproduct of that mindset that a bit more.

[00:20:52.67] - Joseph Thacker
Yeah, my number is not based on me trying to only report highs and crits. I have reported everything. So you just put in more work than me. I, I'm not a snob about that and I am of the same mind as Brandyn. I think bug hunters should report everything. You know, obviously maybe not like open redirect lows and stuff like that, but in general, like if you find medium pluses and they have any kind of security impact, I'm a big fan of recommending people reporting them.

[00:21:13.86] - Justin Gardner
Yeah, I just pulled my, my stats here as far as severity distribution and just assuming HackerOne is like a representative, you know, of all the samples, probably less criticals on Google, I'd imagine. But this one has my critical severity sitting at or ratio sitting at 15%. 30 for highs, 40 for mediums, 12 for lows, and then three none. So, yeah, I'm pretty pleased with that. I think that's. I think that's pretty solid. Also, I just asked Hai, the HackerOne AI thing, to generate that stat, like that pie chart for me to look at and it like one shotted it, which I'm very pleased with. I think that's pretty cool.

[00:21:58.69] - Brandyn Murtagh
Okay, so. So you got these stats from Hai because I didn't.

[00:22:03.08] - Justin Gardner
So go to, go to performance on the HackerOne dashboard. Click the little Explore Hai insights at the top and ask for a severity distribution pie graph and it'll just generate it for you.

[00:22:13.85] - Joseph Thacker
I went to the dashboard and then down to performance and you can just kind of build your own. And it looks like. Oh, I think that it does submissions though, Justin. Not including collabs, so at least mine's showing without collabs. So if you exclude collabs, my ratio. Oh, it doesn't have percentages though. Oh, man. Yeah, I need to just use Hai like you all did.

[00:22:36.89] - Justin Gardner
Nice. Yeah, yeah, I think Hai is pretty solid for this. I am going to look at my lifetime. My impact for the past 90 days is 25. My lifetime impact is at 20. So you said your lifetime impact is at 22.

[00:22:50.41] - Joseph Thacker
Yeah, 22, yeah.

[00:22:51.60] - Justin Gardner
That's sick. That's good. Well, you've been.

[00:22:53.65] - Joseph Thacker
You've been.

[00:22:54.00] - Justin Gardner
You've also been hacking for. When did you start hacking?

[00:22:57.76] - Joseph Thacker
It's been like five or six years.

[00:22:58.97] - Justin Gardner
Yeah, five years. Yeah, yeah. I just went to my.

[00:23:01.36] - Joseph Thacker
I just went to my profile and changed it to all time and I have like. Yeah, 22, actually 22.27.

[00:23:09.84] - Brandyn Murtagh
I would say my stats from the last 90 days have taken a bit of a beating from the event. We shall not. We shall not speak about it went to the floor and it pains me every time I see this stuff, but all time is 21.5, so it has gone down. Nice.

[00:23:28.45] - Justin Gardner
Yeah. That's sick. I wonder. I. I anticipate, like I. I'd have to do some additional stat magic to try to figure this out, but I know back in the day when I was a recon boy, I was submitting like just tons of lows and mediums.

[00:23:42.19] - Joseph Thacker
Well, yeah, you also did like subdomain takeovers and all that if you set it to last year.

[00:23:45.50] - Justin Gardner
What's the impact just on your profile on. On. Oh, past year. Oh, there's past year. Nice. That's nice. 22. So similar.

[00:23:54.77] - Joseph Thacker
Yeah.

[00:23:55.05] - Justin Gardner
Yeah. Okay, sweet. What kind of bugs do you think are kind of fueling your hacking?

[00:24:05.01] - Brandyn Murtagh
Hmm. Wow. I can tell you that my submissions is like, looks like a rainbow. And this very much comes down to I spoke about on the previous episode. But, like, I have this thing in my head, like, know your target and like, once you get a feel for the target and you sort of feel it out and have an idea, I just trying to adapt to what I think will be vulnerable for the scope I'm looking at. So, like, I'm very adaptive, I'd say, to my target, because I want to find bugs no matter what. So I try and adapt for that as much as possible. So mine's all over the place. As a short answer, literally everything, every type of XSS, CSRF, cache poisoning, business logic errors, broken access control, IDOR, prompt injection. Like, it's literally information disclosure, like, SSRF, everything.

[00:24:59.06] - Justin Gardner
My boy. That's awesome, dude. That's like. I mean, that shows how eclectic you are as a hacker, right? And how able to adjust to the target you are. I think largely for me, it was a lot of IDOR, a lot of RCE, a lot of business logic. Okay. A lot of RCE, relatively. Right? A lot of RCE, yeah, you know, a lot of RCE, you know, XSS, auth bypass, privilege escalations, that sort of thing. I don't know that I found a bunch of, like, caching bugs this year. Maybe like one or two, definitely CSRF and CSPT and like, you know, that sort of whole flow. But I would say largely, like, I mean, like the idorminator, right, that's been coming back on, on Twitter, has been saying, yeah, zwink, a lot of freaking IDOR bugs, dude. Like, just being thorough, being deep, testing those out, getting some AI assistance, you know, on that nowadays as well. Really valuable, I think.

[00:26:00.30] - Joseph Thacker
Yeah, for me, I would say it was mostly like, probably honestly, 40% AI bugs and then the rest were kind of split among IDOR, CSRF, info disclosure, business logic, like that sort of thing. But yeah, definitely a ton of AI bugs. But a lot of that is just a byproduct of what I was invited to. Like, I think that you, like, like Brandyn was saying, it's ideal to roll with the punches. And I think for me, I've always been as pragmatic as I could from a hacking perspective. And so I think that, you know, I got a lot of brand new invites that were AI related programs. And so it's like, of course I'm going to go look at bugs on those. And so, yeah, that's how it kind of played out for me. And I think, I think we're kind of supposed to be talking about whether we were satisfied with each of these things. Right. And so I think is whether I'm satisfied with those. I would say, yeah. I mean the year went great. It's hard to be negative about that. And I think that it is kind of crazy. Maybe IDORs just live forever.

[00:26:53.25] - Justin Gardner
Yeah, I mean, I think so. And I think they're, they're. I mean, as a full time hunter, it makes sense, right? Like you clean up the ID scope and then you focus on something more like, you know, technically depthful. Right. I would, I am satisfied with this overall. I think for me, I would like more RCE and I would like more SSRF and I would like more arbitrary file write and read. I think that those would be pretty valuable. And I think every time I've gone deeper and tried to look at like, you know, some areas are possibilities for that sort of thing.

[00:27:26.60] - Joseph Thacker
Good service.

[00:27:28.21] - Justin Gardner
Yeah. Yeah. I think I just need to do that, you know, more often. So I'm going to continue doing that and I made improvement on that this year and I think I will continue to make improvement on that in the future.

[00:27:38.73] - Brandyn Murtagh
Yeah, 100%. I have very mixed emotions about mine because part of me is like, just start hammering that impact. Like last year when I went through the incredible SSRF run, like I was feeling good, the impact was there, but it wasn't my, I wasn't full time. So now the mindset has completely changed around that. And what matters to me more is around it being more sustainable rather than going after that. And like personally compare the start of this year to now, the skill set improvements that I've had and the scope that I feel comfortable looking at and the collabs that I feel comfortable doing, I feel like it has just been such a rich experience and you can kind of see that a little bit from the stats and the bug cluster have reported per quarter. But I would say that there's been massive technical improvements as well. For me, this year has been insane. So part of me is like, yeah, you probably could have done better. But then the other part is like, relatively speaking, you've done well at your first year. You've done a lot outside of bug bounty as well, so be grateful for that, dude.

[00:28:44.69] - Justin Gardner
You know, you all shared with me the numbers for your years in, in total before this, this call. And I'm just blown away by Yalls like first year performance as full time hunters. Holy crap. You guys, like, absolutely unbelievable. I did do some analysis based off of like the HackerOne Power Security Report thing and all of us land in the top 2% and one of us lands in the top 1% for hackers. So guys, like, just let me understand, you know, to the listener, like, these guys are awesome at this, right? Like, we are all at the top of this 1% of bug bounty hunters and we're going to keep it that way with hosts for this podcast. Like, if anybody is going to be coming on here and hosting the podcast, they need to be as a prerequisite, I mean, at least top 5% bug bounty hunter in my opinion. So anyway, I just, I just, you know, without.

[00:29:42.16] - Joseph Thacker
Justin says that with his personality tap, not bragging. He says that because he wants to provide you with by far the best information and he cares deeply about making sure that we provide that for you guys and that we are like, you know, people who are technically strong. And so that was a part of Justin's interview process. And so, yeah, I think that he cares so deeply about that.

[00:30:01.33] - Justin Gardner
Exactly. And, and I, you know, it's essential for, for critical thinking's brand as well, I believe, like, to understand that you have to be doing it. Like, and let me just tell you, it is very hard to create content and also be in the top 1% for something. Right? So really good. Like, and I've had a little bit of practice now over the past couple years, right? You guys did it your first freaking year. Like, that is badass. And I'm so proud of you guys. So really good job.

[00:30:29.10] - Brandyn Murtagh
Thank you very much.

[00:30:29.91] - Justin Gardner
All right, so going back to the list here, what are you guys satisfied with? The scope that you hacked on, the programs that you hacked on, and the quality of your reports.

[00:30:43.43] - Joseph Thacker
I do think that it's hard to know if you're making the right decision at any moment in time. You know, looking back, I think it clearly worked out. But, you know, hindsight's 20/20, I guess maybe not though, because I don't really know what decisions I made that I could have made differently. But I do always second guess myself with like, man, do I have a good anchor program? What would a better anchor program be? What should I be hacking on? Because we have so much opportunity, not just from like, I mean, even if you weren't in any private programs, there are so many public programs and so many of them, like, actually do pay well. Like whether it's Google or Meta or whatever. Like there's like lots of good programs out there. That's a hard question to answer about whether I'm satisfied in that regard. Like it's very hard to know what to be hacking on. But as far as the scope, yeah, I think the AI stuff was a good decision, both getting into it initially and then continuing to press into it. And I think quality of reports, just having like AI be able to like help you throw together reports to write them much faster, it's really helped me. So I'm super happy with quality. Super happy with scope. Programs is a harder, is a harder answer for me.

[00:31:44.24] - Justin Gardner
Yeah. Yeah, that makes sense. Brandyn.

[00:31:46.88] - Brandyn Murtagh
Yeah, I. I'd agree. So I done quite a few events this year, so that has driven the scope I've looked at to an extent. What I would say is I would probably like to have one more program on rotation that I regularly go back and look at that I'm in tune with. I know roughly when they do their development. I know where to find documentation that I'm very much in tune with. I'd like one more of those because I feel like that would be quite beneficial.

[00:32:16.33] - Justin Gardner
How many do you have?

[00:32:18.36] - Brandyn Murtagh
I have two.

[00:32:19.08] - Justin Gardner
Two.

[00:32:19.56] - Brandyn Murtagh
Two right now. I did have another one but then I sort of gone off of it. So I'd like three titles that I can rotate through consistently and have that on. So that definitely would be a bigger goal for me next year. But other than that I would say in hindsight it was as best it could be.

[00:32:39.80] - Justin Gardner
Yeah, I, I want to say I have three based programs and they're actually all public so I can talk about them all. They're Google Epic and Capital One and feels good, man. I mean I think three years I'm.

[00:32:52.15] - Joseph Thacker
At basically like zero. Like for me it's kind of go kind of Google, but I don't really like come back to it consistently in the way you do. So I think that that should be a goal for mine is to like pick, you know, two or three.

[00:33:02.86] - Justin Gardner
No anchor program and you earned that, dude. You crushed it this year, man. You.

[00:33:07.19] - Brandyn Murtagh
That's pretty crazy.

[00:33:08.19] - Justin Gardner
That is sick. Yeah, I think as far as quality of reports goes, Google has a report quality bonus that they give out and just being like financially incentivized to do that built some good habits for me. I think that I even found transferring to other programs. So shout out to Google for like building the whole ecosystem, like encouraging hackers to write better reports in general by their report bonus. And I think that definitely, that definitely helped me this year.

[00:33:35.88] - Joseph Thacker
As an outsider who saw you do that, I just want to say to the audience because I think it's like a really good technical tip. Justin almost always records a video for any high plus vulnerability and also spends way more time on POCs than I think most people do. Like I would say, you know, when you're doing, when you're doing bug bounty, like, you know, most people will throw together a POC or have an okay one maybe. But on some of our reports, like specifically thinking about the Google Tokyo event, Justin put in hours on a POC to make it realistic looking. And I think it probably 5x the bounty, like it was a. But actually, to be honest, it might have went from unpaid to paid as a higher critical legitimately just because of the quality of the PoC. And so I think that that is like probably a really great takeaway.

[00:34:19.48] - Justin Gardner
Yeah, yeah, I know the report you're talking about and like it was a hard call and thank you guys for standing by me with that, you know, in the live hacking event. For me to spend, you know, three hours putting together a POC in the middle of a live hacking event the day before, you know, the competition. Right. But it did work out this time and I have in my notes here that I think like now I am addressing root cause and suggesting fixes in my reports, which I think is good. I think I still let the POC and POC video do a little bit too much talking for my report. I think I could probably explain things from a technical perspective in text better. Um, yeah, it's very frustrating when a.

[00:35:03.32] - Joseph Thacker
Triager comes in and asks a question that you answer clearly in your video and you're like, I should have just put it in text.

[00:35:07.96] - Justin Gardner
Yeah, exactly, exactly. So I think if I can just get that video and you know, hopefully, I think, I think that is the most impactful thing, right? Like POC or gtfo. Like if you can provide a good POC and a POC video, the impact and the, you know, methodology should explain itself to most technical people. Right. But I think because there are so many layers that go into bug bounty, like triage, you know, people that are creating the tickets, you know, then the devs, then the security team, you know, it does help to have it in text as well and just hit it from all angles.

[00:35:41.94] - Brandyn Murtagh
Sweet.

[00:35:42.46] - Joseph Thacker
I didn't have anything else there, Brandyn.

[00:35:45.38] - Brandyn Murtagh
No, I think I've always been from the report inside. Okay. Anything medium is like my 80% and then anything high in crit is the video the full works. This is why, this is why I given it this CVSS metric. This is why it affects integrity and things like that. So I would say the report effort does coincide with the report severity too. So that's just a bit of the meta strategy I have though.

[00:36:14.48] - Justin Gardner
I like the explaining the CVSS. I've done that with programs that have like high CVSS correlation. Right. Where it's like, okay, they pay by the book for CVSS, which one of my anchor programs does. So yeah, I think that's a good call and I imagine you get a lot higher, a lot less back and forth because of that.

[00:36:31.75] - Brandyn Murtagh
Exactly. What I would say, and I've recently went on the POD and spoke about this, is that CVSS and AI fundamentally doesn't work. It's not fit for purpose. So don't do that for an AI bug because you will get screwed 10 times out of 10, every single time. So for your traditional web and mobile and things like that, that's okay. But not AI.

[00:36:54.78] - Joseph Thacker
It requires too much user interaction and. Yeah, and the impact is often one user. Right. So it's tough but like, you know, like we've, we've pushed for in the past, you know, it's a new skill set, it's a new domain. You know, we recommend programs like trying to pay it well.

[00:37:08.21] - Justin Gardner
Yeah, I did want to share something anecdotally about that though because we did the episode with Sassy, right. Which I would recommend you all go back and listen to if you haven't. I know that we do a lot of AI stuff, but this is really going to be pivotal, you know, in Noma Security on the Gemini Jack thing. And I watched the episode and of course, you know, recorded the episode and it was very interesting, you know, to see the approach that, that he went through and to make it zero click, right? Where it's just the users just asking their normal workflow and then they get pwned and then, you know, it caused. And obviously people are going to go into Gemini and ask like, hey, you know, can you summarize this for me? Right. But I have to say for the first time, like last week I actually did that myself. Like I went into Gemini, I said, hey, check my email and create an itinerary for this trip, right. That I, that I, that I already booked all the stuff, I just want an itinerary.

[00:37:59.98] - Joseph Thacker
And you thought I could have just got zero clicked.

[00:38:01.69] - Justin Gardner
Yeah. And then, and then as I pressed Enter, I'm like, shit like that. This looks like the beginning of a POC video. You know, like, and, and, but, but I think that validates, right, that validates the attack vector that like as a user I just did that. Right. And you know, maybe we're the most tech forward bunch, but everybody's going to be doing that in like a year, you know, if they're not already so.

[00:38:23.48] - Brandyn Murtagh
Exactly. I feel like that needs to mature a bit from triage side and also internal program knowledge side because I've personally had so much friction around like, okay, you are using CVSS for this, but that is like normal user interaction. So do you set UI required or like where does the scope change in this context? So yeah, there needs to be a new, there needs to be something new there. But I agree with everything you said.

[00:38:48.25] - Justin Gardner
I firmly believe that if you're not coming to an attacker controlled site and you're performing an action that normal users would do with normal use of the application, then that is not UI required.

[00:38:57.76] - Joseph Thacker
I think we need a blog post for that or something. We need something that's a blog post about that on both scope and UI, I think scope and UI for CVSS on AI bugs. It'd be really nice to have like a reference doc.

[00:39:09.25] - Justin Gardner
Yeah, you're the blog guy, dude. You got it.

[00:39:11.15] - Joseph Thacker
I will, yeah, yeah, no, I'll do a post on this. I like it.

[00:39:13.30] - Justin Gardner
Do it.

[00:39:13.75] - Joseph Thacker
I got to stand up for my boys.

[00:39:15.30] - Justin Gardner
Yeah, I think, I think one of the interesting thing that I realized this year as well with my Hong Kong talk, I really enjoyed that talk and I would really recommend the listeners go check it out. Um, but I, I hate doing talks, bro. Like, I hate prepping slides. Like I hate it.

[00:39:32.71] - Joseph Thacker
I procrastinate to no end.

[00:39:33.98] - Justin Gardner
I.

[00:39:34.30] - Joseph Thacker
And then cram it at the last day.

[00:39:35.98] - Justin Gardner
And I think it's so funny how I can come on here in the pod and talk and for, you know, an hour, hour and a half every week and like give no lilies and like just like not bother me at all.

[00:39:47.53] - Joseph Thacker
Right?

[00:39:48.17] - Justin Gardner
And, and then like if I have to prep slides and do a talk on it, like giving the talk itself is not a problem. Like I love giving the talk, but like prepping the slides for a talk is like the worst. So I think I, I've decided I'm never going to do it again.

[00:40:01.21] - Brandyn Murtagh
Sorry.

[00:40:01.69] - Justin Gardner
I think I've never again. I think I'm never going to do it again. I think I don't have to do it. I think I, I have, I have money, I have time. I have like, I have a podcast. I produce content. I don't have to give a talk ever again.

[00:40:14.09] - Joseph Thacker
I think you should. I think you should just do a live talk, basically just do a live podcast. Like, you can be like, hey, I'll get up there, I'll do panels. You can even tell. You can even ask me questions about the bugs that you want me to talk about. You can do hosting. So I think that's fine. I love it. I really love radical decisions around lifestyle design. And if this is something that you've decided that you just don't love, don't ever do it again.

[00:40:35.34] - Justin Gardner
I just hate it. And you know, the thing is, maybe I'll do a little, like, recording or something like that, and I'll just pay somebody to go prep the slides or whatever.

[00:40:43.26] - Joseph Thacker
Oh, maybe they could do the slides over top of it.

[00:40:45.23] - Justin Gardner
Yeah, exactly. You know, and, and. But I just realized I hate it. And, and like, and I don't want to spend my time doing it. And looking back at this past year, the, the times that I've been most stressed are when I'm doing that.

[00:40:57.36] - Joseph Thacker
That.

[00:40:58.01] - Justin Gardner
And I, and I just like. And like, literally. And like, that says a lot, right? You fres know my year that I've had, right?

[00:41:05.28] - Joseph Thacker
Yeah, yeah.

[00:41:05.84] - Justin Gardner
And. And probably I've had a stressful year in lots of other ways, but, like, easily top, top five, three of them are. Are prepping slides. I don't know.

[00:41:15.80] - Joseph Thacker
I don't. I don't understand how the security industry has ran off of conferences for so long. Because I feel the exact same way, Justin. And it's crazy to me that so many people will spend like weeks or months doing research, weeks doing slides, and then they go to a conference and speak for. Speak in front of 10 people. I'm like, holy crap. People, like, don't realize the amount of effort that goes into people's talks that didn't get no reach.

[00:41:38.28] - Justin Gardner
I just also feel like my slides look like shit. You know, that's the other thing is, like, I spend a lot of time like. And maybe AI will fix this, you know, in the next year, hopefully. And I know Gamma's already doing some good stuff with this, but I also feel like I get to the end of it and I'm like, wow, this looks bad. You know, like, and, and you know, for me as a hacker, I just, like, you know what? Actually I don't give a shit, you know, like, I'm just going to present it. Like, it gets the content across. It helps the people. That's the goal, right? It's not. We're not like, you know, freaking giving a, you know, talk to pitch people for an investment or something, you know, like. But yeah, I think. I think either I'm just going to not do it, or I'm going to have somebody else make the slides and then I'll deliver the talk and. And that'll be what it is. Brandyn. What? What you're giving me for this. Why are you giving me shit?

[00:42:22.03] - Brandyn Murtagh
No, no, no, no, no, no. I'm not giving you any stick at all. I. I respect it as a friend, but I'm upset because I know how much people and the community loves the stuff you do and how much of, like, of a pillar you are. Because when you do a talk, people listen. That's why I'm a big guy. But as a friend, I respect it.

[00:42:40.26] - Joseph Thacker
They just got to tune into the hack alongs to keep listening to the pod.

[00:42:42.67] - Brandyn Murtagh
Right? Wow. That's it, man.

[00:42:44.11] - Justin Gardner
Yeah, well, that's the other thing is, like, I don't want to not give back to the community, so I will do podcasts. Right. You know, I just don't like the visual piece of it, like, creating the. Like, I'm. I'm not very visually creative in general, actually. I think this is like a personal. We're getting really off topic here. But I think this is like a personal weakness for me is like, you know, I can't draw. Like. Like everything artistically that I do is. Is like music, right? And so, like, no. No drawing, no painting, no. You know, even, like, design, right. Like design of like, interior design or. Or even, like. Right. I do real estate reno. Right. I completely, blindly trust my wife with that. Like, I say, Mariah, tell me what we're doing here. And then she does it. She tells me, and then I go, make it happen. Right? And it looks great every time, which is great, you know, and she's got my back there. But I think just visually, like, I think that's a weakness. And so, yeah, I think when I'm trying to work from this area, that's a weakness. It stresses me out and it doesn't get good results. And so that. Those are the things you should kick out of your life.

[00:43:47.73] - Joseph Thacker
Yeah.

[00:43:48.17] - Brandyn Murtagh
Right. Yeah. I mean, yeah, just before we move on. I completely agree. And when I obviously done the hacker nights, UG would, like, look at my templates and, like, look at my stuff. And he's like, how do you work with this? It doesn't look good. And I'm like, I'm not in the business of making stuff look good at all. Is far beyond my comprehension or ability. So please, if you want to do that, do that. But I'm focusing on content. I'm in the same boat as you, mate.

[00:44:14.19] - Joseph Thacker
I do want to gas up our man Brandyn here though, from a talks perspective. 2025 brought him a lot of inbound and boosted his personal brand. So talks can also do wonders for things. Obviously, Justin, you have the personal brand or as a brand that is building his up right now. But I think that like, you know, they can still be very powerful, you know. Yeah, Brandyn used them to great. To great. What's the word there? To great effect in 2025 and I think that's really cool.

[00:44:39.19] - Justin Gardner
Yeah, I think, yeah, I totally agree there and I think I'm going to miss giving talks, right? Like if I don't find a good solution to have somebody make slides, then I, I'm going to miss giving talks because I love giving talks. Giving talks is the best, you know, and like, especially like when you're giving them live, like I will say it makes sense, right? Like maybe we should just upload the talk to YouTube and instead of giving them in a room of 20 people. But it's also pretty sick when you're in the room with like, you know, all right, let's call it 50 people or 100 people. And you got your mic'd up, you got your slides behind you, you're talking about something you're really passionate about. You're walking through the crowd, you know, talking to people and like, you know, explaining things and like, you know, transferring that energy out. You know, we kind of get spoiled because we get to do that every week on the pod. Right? But, but you know, being there in person I think definitely does have a little bit of a different aspect to it. Yeah, yeah. Okay, okay, okay. We got super way off topic here, but let's hit these pretty quickly. Okay, we've got 30 minutes, we're good. Are you happy with your current level of automation, organization, collaboration?

[00:45:45.53] - Brandyn Murtagh
Who started?

[00:45:47.84] - Justin Gardner
Let's start with you, Brandyn.

[00:45:49.36] - Brandyn Murtagh
Me. Okay, so automation, you both probably know that I'm slowly and I'm not talking like full scale automation, I'm more talking about workflow automation. I've upped that. I went from nothing to something this year and that for me came in the form of JavaScript monitoring. And that's now I would consider in quite a good spot, quite a powerful spot. I say I integrated and it's actually feeding me leads which are actionable. So I'm happy on that front. And I'm not an automation guy and I've also spent a lot of time vibe coding a lot of things. So if it wasn't for vibe coding, I would have nothing. I will probably say that out of like, I just couldn't bring myself to do it because I know I could be hacking and making more money. But vibe coding is very like, it's a vibe, as the name suggests. It's good, it's fun, it's frictionless almost. So I'd say yes on the automation, definitely getting there. The organization solely, and I mean solely held together by my notes and my note structure. That is it. That is probably the, the only organization I have in my life. So yes, I would say better than that. And here's something I do want to talk to you too about. What I found is though, that completely goes out of the window in a live event. I don't know what it is. I'm like, I'm more frantic in a live event and I use my notepad more, but not my Notion more in a live event. Do you guys take notes or how.

[00:47:15.71] - Justin Gardner
Yeah, I take notes. I don't want to say almost exclusively at live hacking events, but like, same.

[00:47:21.92] - Joseph Thacker
Kind of, kind of more way, way more during events for me.

[00:47:26.36] - Justin Gardner
Yeah.

[00:47:26.80] - Brandyn Murtagh
So, yeah, see, it's different for me. I take, I, I take note of like the gadget or weird behavior, but I don't take a lot of the context, if that makes sense. So like they're very brief and nowhere near as concise as my main, as my main notions.

[00:47:41.40] - Justin Gardner
I've noticed in your Notion stuff you, you, you take a lot of detailed notes like about the stack and stuff like that too. I think for me this year I'm going to be spending, I'm going to be pushing a lot of that to AI because Caido. Caido Shift agents. Like, dude, I was blown away. I mentioned this in the talk, but like I ran a research agent from, from Caido on a target that is one of my core targets and an API I'm very familiar with. And it like pulled three or four insights that I did not know about, you know, and correlated things. And I was like, oh, wow, that's. That's very insightful actually. And, and, and so I'm definitely going to be using Shift agents to, to like do that sort of research and note taking in the future and then take those learnings. Right, because it'll create learnings in its system and just export those to notes.

[00:48:30.07] - Brandyn Murtagh
Yeah, that's, that's really nice. I think I'm gonna explore that a bit more. rez0, I feel like you've always got some nice little, like something, I don't know, workflow wise, like the FFUF masterclass. I was just taken back by how much of a noob I was. And like all these other little AI things I always consult you on in terms of workflow. So I feel like you're doing something there.

[00:48:50.30] - Joseph Thacker
Well, the audience doesn't know that I gave you that little masterclass. That's funny. I hopped on a meeting with Brandyn and like walked him through how to use FFUF the right way. So that was kind of fun. But no, honestly. So my answer to this is no, I've not been doing enough of it. I think I did less this year than I've ever done. And I'm really sad about it because I feel like I'm the hackbot guy and I have people like JD messaging me how they're using Claude Code to. He's been using Claude Code to find tons of bugs. And Justin, you know, did the Shift agents talk and research and I'm like jealous of it too. So, you know, I'm, I'm, I'm resting in my contentment. I think this is incredible year both, you know, with my young kids, even though we've had a crazy year as well, and then also, you know, professionally. But no. Yeah, my answer to this question is I'm not happy with my automation. I want to do much more of it. I think that I dropped my ring. Um, I think that there's a much more capability for people to do that now with vibe coding, which I really, really enjoy. And so I think that I should build more automation in that way and more hackbot automation. I think that Caido and Shift are in like the best place ever to be able to find some insane bugs. Organization, I've been fine on, and collaboration. I have, yeah, collaborated maybe a lot in the early part of the year and then less in the later part of the year. And I had this light bulb moment that I wanted to mention. I think I messaged Justin when it, when it, when I first had this light bulb moment. But I think that there is a desire to, you know, be personally awesome. 
And I think that, you know, all hackers go through that desire, you know, to like fight back imposter syndrome and to feel awesome and to like, you know, really pursue MVH and I don't know, I think that the pursuit of that I basically have had like maybe let's say three or four events over the last two years where it was like, nope, I'm gonna go solo. I'll do some, maybe some like light collaboration with people if like it makes sense, like one off. My goal is to be solo and in every one of those I left way less satisfied with the results and way I feel like I was under motivated in them, even though the whole point of doing it that way was to be more motivated. And so I think that I am just the type of person who is more energized and more motivated, which I know I'm an extrovert, right? But I think that I actually have seen that play out in my life so many times now that I'm going to always pursue collaboration. And I think that it is an incredible aspect of our industry and the fact that like we literally get to put thousands of dollars in our friends pockets and they get to put thousands of dollars in our pockets and it's freaking fun. And I'm learning way more and I'm getting filled, enjoying it way more and that maybe that matters maybe more than we can even tangibly, you know, understand. Because like that affects how much you want to do it that night and how much you want to do it the next day and how much you, you know, you're talking about it with your friends the next week. Right. And I think that collaboration allows you to talk about leads which are really interesting and fun to talk about and when you're solo and you don't get to share those like those little pieces of quirky behavior with others, you know, maybe you do once the dupe period's over, right? Or maybe you do the next week or maybe you do at some point. 
But I think like sharing those as they occur kind of can create more hype and more fuel like to the fire that makes it more exciting and more fun and it definitely ends up in way more bugs. For me personally, I know that like Justin, you know, is often more of a solo flyer and does better that way too. But I think that for me, like I've just decided I'm going to stop attempting to go into events solo unless for some reason, you know, like I pre hacked and I found a bunch of bugs and I think like this is the one to make the run for MVH on or something. Um, I think that for me personally I just like had that light bulb moment in the same way. Justin doesn't want to talk anymore. I don't want to do solo events anymore.

[00:52:23.90] - Justin Gardner
Yeah, no, that's very good, man. Brandyn, I'm curious, are you an introvert or an extrovert?

[00:52:32.15] - Brandyn Murtagh
Mate? I would say you don't know this. I don't know. I think it depends on who you ask. I'm very. I have some funky wiring, I would say, so I'm not. I don't know how to answer that question.

[00:52:43.42] - Joseph Thacker
This is usually the best way to answer it. When you leave a social gathering, are you like, oh, man, I need to rest. I'm a little worn out. Or do you get home and your mind's buzzing like, holy crap, I wish I could have hung out for another three hours with those people.

[00:52:54.84] - Brandyn Murtagh
No, no, no. Rest.

[00:52:56.84] - Justin Gardner
Okay. Yeah, okay. Probably so maybe a little, little bit on. On the line, but definitely on the introvert side, I think it's very rare. I'm squarely in the introvert category. But, like, I think it's pretty rare to see like a solid, like, solid extrovert, you know, do well in. In this industry because it's. It is kind of lonely, you know, so you definitely got something special going there. Rezo.

[00:53:22.19] - Joseph Thacker
Yeah, thanks. I mean, I do think that there's like a power in that. So if there's anybody out there who feels extroverted and feels like they're a little. They're struggling, like, I just, I have used it to, like, I just have like a mapping of like, hey, these people are good at these things in my head. And I just message friends. Like, even when I got started, I've noticed, you know, fav. He's going to love getting shouted out on this FAAV Fav. Up and coming young hacker. And he is so networky, right? He finds a cool lead and he messages all of us, right? He finds a cool bug, he tells everyone about it. And I think that this is actually a good way to use extraversion as a way to kind of like, level up because you get feedback and you get network, you get connections. Like, I messaged him like I was hacking Microsoft whenever they dropped that new thing where they're paying for all criticals. And I, like, I fuzzed him overnight and like, I sent him the leads, right? Because I know he hacks on Microsoft and, like, he's already messaging me. And so it just kind of like pays off to be like, talking to people all the time.

[00:54:09.88] - Brandyn Murtagh
Totally. Yeah. No, I do agree. Yeah. After a 30 seconds of reflection, I'd probably serve for more into the introvert bucket. Like, it's being. It takes an ungodly amount of energy to force myself to post on, like, socials and things. Actually talking to people like you guys and networking is fine, but, like, I need to be compartmentalized. And have like my me time for a day when there is no talking and nothing going on rather than just me in the zone. I need that.

[00:54:39.13] - Justin Gardner
But dude, that's the ticket right there though because like, if you're an introvert, you need energy. You know, you get energy from spending time alone, right. If you're an extrovert, then you get energy from being with other people. So like a lot of people think it's about like, oh, do you enjoy being social? No, that's not it. It's where you get your energy from. So if you're spending time like alone, needing to reset, you know, that sort of thing after a lot of social interaction, then yeah, it's probably a little bit more introverty. At least that's my understanding.

[00:55:07.03] - Joseph Thacker
Yeah, that's how I understand it too.

[00:55:08.71] - Justin Gardner
Yeah.

[00:55:09.34] - Brandyn Murtagh
Then yeah, I'm definitely on the introvert side for sure.

[00:55:12.46] - Justin Gardner
Yeah, I think for me as well, just looking at automation and organization, having notes in Caido this year super helped me. Just being able to take notes directly from Replay, like with a key binding, super helpful. I've kind of got jxscout and some AI stuff built in built up, which is really nice. And I think my organization on my POC server could be a little bit better. It's not very good there, but it gets the job done. And then as far as automation goes, I mean this last quarter with SHIFT agents like doing their thing, I think I'm going to be like super powered manual hacker in 26 for sure using that. So just this past like case study that I did just like blew my mind and it's going to completely change the way I hack.

[00:55:58.38] - Joseph Thacker
I think you gotta remember to do it. That's the thing. That's what I needed to do. That's what's.

[00:56:03.48] - Justin Gardner
Yeah, yeah. Well, I've got the muscle memory for it now too, which is, which is good. Like, I mean it just got the key binding set up and like, you know, like I know what kind of stuff SHIFT can handle versus stuff I need to do myself. And I know how to give SHIFT the tools it needs to be able to like reproduce the things that I want it to reproduce. So a lot of the volume goes to SHIFT now and I get to focus a little bit more on the anomalous stuff.

[00:56:27.01] - Brandyn Murtagh
Yeah, it does raise the question. And I just thought about this speaking to you guys as like we sort of grow and progress and as the community levels up as hackers, is automation simply going to be a new name for remembering to like capture that context in a prompt. Is that just going to be automation? To an extent. Moving on.

[00:56:47.42] - Justin Gardner
Because like I like the way Justin.

[00:56:50.34] - Joseph Thacker
Said it, I like the way he said AI powered manual hacker, because I think that's more of what he's doing and I think that that's like where it's going to shine in 2027 or in 2026. Like I think maybe in 2027 or 2028 and beyond we might have more AGI type hacking. But I think like Justin's big finding was because he pointed out a specific thing, right. He knew on this subdomain this thing is a little bit unique compared to the rest of the scope that I normally hack on. And he even told it what type of bug class to look for on that, on that cookie name. Right. And so I think like that type of him using his expertise to know where to look and then giving the, the ability to try lots of things which would save him so much time is really why those types of things worked out for Justin. So I think. No, I think when I think automation, Brandyn, I still think of like stuff running over on my. Right. I would say, I would say what Justin labeled there is what I would call like, you know, AI powered manual hack, hacking or whatever.

[00:57:48.32] - Justin Gardner
Yeah.

[00:57:48.96] - Brandyn Murtagh
So for the, for the sake of this conversation, would you say that comes under organization? I'm trying to find a mental model.

[00:57:55.84] - Justin Gardner
Where I think it's all automation. It's automation, yeah, it's AI automation. AI automation. No, it's definitely still automation, guys. Like a computer's doing the work. Like.

[00:58:08.11] - Joseph Thacker
Yeah, it's like manual automation rather than full scale automation or something.

[00:58:12.88] - Justin Gardner
Yeah, but I mean you would still consider like, you know, if you had like 403 bypass or something like that, that's automation. It's still the same thing. You know, like, like, I mean is, is freaking ffuf anime or you know, automation. Like of course, yeah, of course, automation. So what's the difference between Shift. I mean it's using an LLM. They're all just, you know, matrix multipliers. It's, it's all, it's all automation. But the, the, the, you know, the, there is definitely a difference between hard code and AI stuff. I mean if we want to differentiate there. And I think like you said, there's two main boosts that AI brings. Brings allowing us to create better hard code. Right. And then also being able to use the AI to actually do the hacking itself. So. Yeah.

[00:58:54.98] - Brandyn Murtagh
All right, good stuff.

[00:58:56.34] - Justin Gardner
Let's, let's look at these next couple metrics. How much Time. Can you put into Bug or can you put into Bug Bounty? Where's your motivation at? Actually, we'll stick with those two first. So like, for me personally, I probably only have like 20, 25 hours a week of, of effort and time I can put into, you know, Bug Bounty on average, probably maybe closer to 25, but not a ton of time right now with, with other ventures that I want to be doing, the lifestyle that I want to live, you know, spending time with my wife and kids, you know, boundaries on my work life. Yeah, I think, think that we're just personally, you know, in the familial environment right now. We're, we're trying to do some things that take time and are challenging with parts of our family. And I think that's going to come first. And then, you know, obviously I've got hardcore commitments to like Caido and, and CTBB. And then, you know, Bug Bounty is going to be a massive part as well, but it's probably only going to look like 25 hours or so.

[01:00:03.17] - Joseph Thacker
So, yeah, before I'll, I'll go next just because it's a hard ditto. I mean, I'm in the same situation as you, right? Yeah, yeah, we got kids busy doing advisor stuff. Almost exactly the same. Right. 20, 25 hours, I think. And honestly, I just wonder if that's like a hard max for me. Like, I think it was kind of, you know, maybe slightly less, but that's what I was doing when I was full time or whenever I was like working full time somewhere else. And I also find myself, when I tried to do more than that, feeling like a little burned out or just like, like, you know, mindlessly watching YouTube videos. So I think that like, that is like such a sweet spot for me personally in that amount of hours.

[01:00:41.71] - Brandyn Murtagh
Yeah, yeah, I would. And I've done some reflection on this. At the start of this month, mine I couldn't even give you an average. It is so all over the place. Like really all over the place. And then I got into the, into the questioning of do I need to be more disciplined around what I'm doing? But then I had a counter argument with myself that this is the Bug Bounty lifestyle, you can do what you want. What's your actual goals? So basically I was arguing myself. I must have looked crazy if you drove past me. But yeah, I don't know. I don't know. I don't know how many hours, unfortunately. I really have thought about this, but I even asked my partner as well. It just bounces so much Depending on if there's events.

[01:01:21.57] - Justin Gardner
What's. I think there are weeks I put in 60 hours. You know, I don't think it goes over 60. Probably.

[01:01:28.96] - Joseph Thacker
Yeah, 60 hours is more than people think. Like you know, I had to actually work 60 hour weeks whenever I was in a previous job a few years ago. And it's, it's a lot more than you think.

[01:01:38.25] - Justin Gardner
Yeah, yeah. I think there are days during the live hacking events when I'm really, really, really going ham. And the family stuff is going okay, you know where I can put in 60, you know, probably 10, it would probably be six tens, you know.

[01:01:52.17] - Joseph Thacker
Yeah.

[01:01:54.34] - Justin Gardner
But very rare, you know. And then the rest of the time it's. It's much lower for me.

[01:02:01.53] - Brandyn Murtagh
Yeah, I would, I would say when I'm doing those longer stints I'm starting to get all sorts of weird problems now that I never used to get when I was younger. Like my eyes literally cannot focus if I do over 10 hours. Like I come out and I'm partially blind a little bit. So I'm a little bit more conscious of things like that. But yeah, I, I agree.

[01:02:20.82] - Joseph Thacker
You know, why don't we do these rapid fire since we're running a little low, get through a bunch.

[01:02:25.19] - Justin Gardner
That's true. Yeah, I guess. Give me a quick metric on y'all's motivation levels right now. Like obviously you guys both had some sick years, you know, how are you guys? You got your motivations going up right now. What do you. Where are you at, Brandyn?

[01:02:39.78] - Brandyn Murtagh
Yeah, yeah, it's definitely on the up. I mean when I sat down last week and looked at some of my stats and spoke to Rezo and Monke briefly about some of these things, I was like, you know what? All in all this has been fantastic. And I found that doing stuff outside of Bug Bounty but are like hacking security adjacent definitely fill up another bucket which fuels this bucket. So I'm going to tap into that more. But yeah man, I just want to pwn some stuff.

[01:03:13.19] - Joseph Thacker
Yeah, I mean same. I just like I'm extremely grateful for this year. Every time I think about it I try to rest in that gratefulness because it's so easy to run past it as like highly ambitious people. It's so hard to just like, you know, be content. And so I think I feel that exact way. Right. It's like one the, the good stuff that has happened this year has driving me to do even more of it. And then also just being ambitious, I'm like oh, I need to do more, I want to do more. And so yeah, I Definitely am stoked to do a lot more hacking, a lot more AI stuff, a lot more automation. Like, it's hard during this downtime, like during breaks. Like, I'm trying to take these, these, these couple of weeks off. I think you are too, Justin. And it's like I was just itching to be hacking. Like, I'm just itching to be on my computer to, like, find bugs, build stuff, do things.

[01:03:53.34] - Justin Gardner
And that's exactly where we want to be, right? You know, and that is exactly where we want to be with, with, you know, the Franz episode back in the day. One of the things he said that was one of the key drivers for him was when he's right about to find something, right about to pop something, he closes the laptop and walks away. And then he never do that. He teases himself, you know, it makes him like, you know, desire to come back, you know, with more passion and energy and. Yeah, I think that's, I think that's the kind of energy you got to bring into these breaks. Like, man, like, let's go get it. After we, after we get back. I will say I freaking love Bug Bounty. It is, it is, you know, super amazing. And I'm very passionate, very motivated right now for it. For the first time in my life this year, I think I found something else that I love and that's product, guys. I really like designing products and I've been getting a little bit of a taste of this with Caido and building out Shift a little bit. And I'm like, man, I would really like to be a head of product somewhere. So I don't know, man, you gotta.

[01:04:52.61] - Joseph Thacker
Do it for your own product. You can't just go get hired to be a head of product somewhere.

[01:04:55.65] - Justin Gardner
No, no, I think so. I think it could go either way. Head of product. I mean, if you find a product you really love, right, Like Caido, for example, you know, it's not my product, but it is like, you know, my baby. I love it, right? So I would like to be head of product somewhere at some point. I don't know if it's. That's something I do this decade or if I do it, you know, in the future.

[01:05:16.44] - Joseph Thacker
But I will, I will say in case, in case this does affect some future timeline. You're on Justin. I will say, as I'm also an advisor for Caido, you know, disclaimer for everyone. Seeing how Justin is an advisor makes me think that he would be an incredible head of product. Like, you are way more in the weeds than it makes any sense from Like a financial perspective.

[01:05:40.40] - Justin Gardner
Yeah.

[01:05:40.76] - Joseph Thacker
I don't understand how you care so much. I care a lot. I love Caido. I use it all the time. I love those guys. They're my friends. I care a lot. And somehow Justin cares like five times more. He's like asking like intimately deep questions of the Caido team and like intimately like questions about the product. And I just don't even understand how your brain got there, let alone does it make any financial sense given everything that is a part of that decision. And so anyways, yeah, I think that. I think that I have seen that passion, I guess I should say, in the last few advisor meetings.

[01:06:10.05] - Justin Gardner
Thanks, man. I appreciate that. And I. And I really do. Yeah, totally. It doesn't make any sense, but I love it. And, and so I'm going to do it anyway, so we'll see, we'll see where that lands. But I love like just working on the user experience and obsessing over the user experience inside of an app. Like, I think that is super fun. So, yeah, we'll see, we'll see where it goes. But I just wanted to say, like, I don't think there's anything that I've ever. That's really actually made me think like, maybe I'd rather do this than, than Bug Bounty. And this is the first time like that thought snuck into my head, which is kind of crazy. And it. Because. Because it does scale a little bit better too, right? Like Bug Bounty, certainly, you know, I could build automation, make it scale a little bit better, but Bug Bounty, you know, you're doing the work manually and it's work that you love, so you can't complain. But it doesn't super scale. Being head of product and having equity in a, in a startup would scale. So interesting thought. There's. I know we're short on time. I just want to ask and Rezo, if you have to drop, that's fine too. And Brandyn, I can close out the episode, but what are your overall goals for Bug Bounty in general? Like, what is. Why are you doing Bug Bounty? And. And what? Yeah, what do you want out of it? And I'll answer first so you guys have some time to think. But for me, I want to find cool vulns and achieve mega impact. Like, I just, I love the technical challenge of it. I love the fact that I can say, wow, I just hacked that company and like, now I'm looking at somebody else's PII. Like, this is crazy. I want to do Bug Bounty within my, my defined work hours. I don't Want to let it run over my whole life like it did in the past when I was a younger hacker.
I want to not be consumed by it, but let that, that distance, right, like that not being consumed fuel the fire even more, you know, and just have this kind of tug, you know, relationship with bug bounty. And I want to have fun with my colleagues, right. Like I want to spend time with other smart people that are going to make me better as a hacker. And I feel like I have a great way of doing that in the bug bounty world.

[01:08:11.09] - Joseph Thacker
Yeah. So I would say my goals are, you know, obviously pretty similar. The first is just like the most metrics based one is just like keep the current pace of earnings. You know, I just don't have another year like I did this year. It's, you know, it's fantastic. I don't feel the need to like massively jack it up or anything, but if I made the same amount this year as I do or next year as I did this year, I think that would be incredible. Definitely continue to prioritize faith and family and like you said, work within those work hours. I, you know, I have made that a goal this past year and basically stuck to it. It was a part of kind of the, you know, the deal with my wife with going full time was that it would stay between those because it is so easy to be like I could just go make more money. I just go make more money. And so I think that's cool. And then I just want to do cool stuff worth talking about. Like, you know, the, I think the mantra for everyone should be do, do cool, do cool stuff and tell people about it. And that's like the best way to kind of succeed as a human. And also not just succeed, like success isn't the end all, be all, but I think also just have a high level of satisfaction with your, with your work. And I think, yeah, I think so. You know, for you obviously it's like finding crazy bugs. I think for me it is too. But I think like just do cool stuff this year. Whether that's, you know, finding crazy bugs or whether that's finding crazy collaborations or building crazy automation that finds cool bug. Just like do cool stuff that's worth talking about.

[01:09:31.03] - Justin Gardner
Brandyn?

[01:09:32.96] - Brandyn Murtagh
Yeah, for me I feel like I really like the aspect of growing technically in bug bounty. So like, and I will give some context to the listeners and viewers. But when we first started our mentorship, Justin, client side was like unfathomable for me. Like it was just like why did, why, like why how And I was very much a server side guy. And not that that didn't treat me like good. I found a lot of really cool server-side bugs there. But the technical aspects of grammar bug bounty, like only last month it must be, or the month before I started learning mobile hacking. And on this I just had my first mobile paid out as a high.

[01:10:17.64] - Joseph Thacker
Yeah.

[01:10:18.13] - Brandyn Murtagh
Which was 4K. So let's go. That, that growing and the, the personal challenge of growing and doing things that I didn't think I could do before does a lot for me as a person that's inside a bug bounty but also outside. So that's good. And other than that, I just maintain a good level of earnings to give me the flexibility to explore other things I also enjoy doing.

[01:10:42.36] - Justin Gardner
Yeah, that makes sense. Ben, what kind of bug was it in the mobile?

[01:10:46.68] - Brandyn Murtagh
So it was a bit of a funky one. So essentially there's an insecure deep link handler which could allow me to inject something to then attack an AI. I will say no more because it is private.

[01:11:02.92] - Justin Gardner
I love it, man. I love it. All right, so Rezo, I want to be respectful of your time. At the end of this episode, we were going to do our, you know, call our shot for the next year. Right. With some of these goals and we also wanted to do predictions for the upcoming year and that sort of thing. Sweet.

[01:11:23.18] - Joseph Thacker
You mean to run down these?

[01:11:24.63] - Justin Gardner
Yeah. Why don't you try to hit all of these and then if you need to drop, you can. And then Brandon and I will go back.

[01:11:30.06] - Joseph Thacker
My family's here. But I will do this in the next few minutes and then drop. So they'll be fine. Who would I like to collaborate with? I would love to continue to collaborate with all my good friends. So I'm just going to name someone that I haven't collaborated with that I would love to, and that would be Matt Brown. I think it'd be really fun to do something hardware related. I know you and I and him will hopefully pull something off the next year. I would like to continue to spend, you know, 25 hours per week in general. I think that making better use of my time would be an insane. Would be like a really great goal. Right. And I think that that would be fixed by another answer to one of these questions is by having a better anchor program. Like basically having something that I return to. It's like I sit down in the morning, check my messages and then I'll get to work on that program. If I don't have like an H1C or something else going On, Right. And so, yeah, I think that what, what I like to hack on what program or platform. I'd like to have some anchor programs and so, you know, probably will be Google, plus, you know, two others or something. But I would love to, yeah. Work with you on that. Like, even if you just want to like, message me once a month and be like, did you pick one yet? You know, or make sure you spend time on the anchor program. As far as hacker motivation, I think just the same as this year, right? Just like keep doing cool stuff and talk to people about it. That'll stick. Money I'd like to earn. I already mentioned just the same amount that I made this year. How many bugs I would like to submit. But I think, yeah, I don't think that this is like a good metric for me. I think more it's like hours worked and like time in. Because I don't. I, you know, if I had submitted 160, like Brandyn, I'd been proud of it. And if I'd made as much as I made this year and I had submitted 50 bugs, I'd be proud of it.
So I don't really think that that like, matters much to me. I would love to eventually get on the top 100 on HackerOne. You know, I think being spread out and having bigger bounties and like a higher impact score is good. But it would be awesome to be on the top 100 for HackerOne because like you said, being in the top, like, you know, 1 or 2% of earners feels amazing and actually is what matters to my family. So numbers are just numbers, right? They're made up Internet points. But I would love to be on the top 100 page. Severity distribution, I don't really care. I like finding highs and crits, but it doesn't matter that much to me. And oh, research. I would like to publish some research on markdown to HTML impact. Like research specifically from like an AI perspective. I've been working with Valentino and Bus Factor on this and we haven't made anything publishable or even really that actionable. So I think that that would be one thing I would love to do for.

[01:13:45.06] - Justin Gardner
I want to see that on the lab, man. I want to see that on the lab website.

[01:13:47.75] - Joseph Thacker
Yeah, it needs to be on there. I mean, yeah, it should be already. So anyways, that's it.

[01:13:51.51] - Justin Gardner
Good. Good stuff, man. Did you have any, like, predictions for 2026 you wanted to shoot out or. Or you want to leave that to us?

[01:13:59.18] - Joseph Thacker
I do think that 2026 could be the year of the AI assisted manual hacker. And I think that with the latest SHIFT and SHIFT Agent being stable, I think that that is something that is going to be massive this year, both for the community and for you and I. And I don't know if I have any other big predictions. I think that, you know, 2025 was supposed to be the year of agents and it really was. I mean, people adopted Claude Code and Codex en masse and that was really awesome. So, yeah, I don't know. I. Yeah, I don't think that I have any other like crazy predictions.

[01:14:32.82] - Justin Gardner
Very good, man. All right, I love you guys.

[01:14:34.98] - Joseph Thacker
Merry Christmas. Happy New Year everyone. It's been an incredible year and I'm excited to keep doing it.

[01:14:39.27] - Justin Gardner
So peace. Thanks for joining us today, man. Bye. All right, Brandyn. Yeah, let's kind of work through the same, the same thing he had here and kind of go through each one of these ourselves. The first ones are like, what are some areas you would like to grow as a hacker? And for me, um, I would like to be a little bit more reactive when stuff is released that I, I could go hack on. I, I think a lot of times I have my plan and I, when you know, some opportunity comes up, like either I don't have the flexibility in my life due to like, you know, family stuff or other things to go like reactively hack on it or you know, I've just got my like thing I'm hacking on right now and I'm like, I can't be pulled away. And, and this whole React2Shell thing kind of slipped by me because of the timing with family stuff that was going on. But I would love to be able to react to that and, and jump in on those opportunities this year.

[01:15:35.68] - Brandyn Murtagh
Yeah, 100%. So for me I, it's interesting because like my next year goals always start in December a little bit because I, I'm more pre planning. The same happened last year. I was pre planning how to message. No, the year before I was pre planning how to message you and all sorts. But for me, like mobile hacking I've recently started doing because I think it's a really nice peripheral scope increaser. And like in one of the most recent events I've done, I submitted mobile bugs and outside of that event I've submitted mobile bugs. So peripheral scope is definitely something I want to improve on mobile in that aspect and I've been doing a load of AI this year. I feel like that's something I want to maintain and if I can increase in terms of, throughput definitely a lot of that because yeah, it's, it's worth. Well, I mean, it's just so nice to hack. It's fun to hack and everyone has something.

[01:16:35.89] - Justin Gardner
I don't know, man. I just. I don't find it that fun to hack, to be honest. It's getting more fun to hack now, you know, with these sandboxes that are hooked into them and all the tools and stuff like that. I just like. I don't know, man. I just. I like something. I like something a little bit meatier, I feel, and a little bit more deterministic. But I agree there is really fun AI scope, especially when it integrates more traditional aspects of computing like file systems or database connections or HTTP interaction, something like that. I could definitely see that. But that's definitely not my go to focus for this upcoming year. As far as people, the next one on the list here was who would I like to collaborate with. I'm not going to try to list everyone, but I have enjoyed these collabs this year. Matthias, Franz, Shubs, gr3pme, Rezo, Exorcist, Dr. Lupin and Monke. And if I left you guys out, I'm so sorry. These are just the ones I rattled off my head when I was prepping. But it's been a fun year for collaborations. I think I learned a lot. I'm still going to continue doing my solo thing and then collaborate when it makes sense. But. But those are kind of the ones that I had in my list. Oh, and Bus. Bus, of course. Yeah.

[01:17:50.02] - Brandyn Murtagh
How could you miss bus, man?

[01:17:51.47] - Justin Gardner
I know, dude. What am I doing? I gotta add. I'm gonna put them in right here. No one's gonna know. The document's gonna reflect it too.

[01:18:01.31] - Brandyn Murtagh
Yeah, for me, I would say the client-side gang pretty much. A lot of the people you just listed from the CTBB I've collabed with I think have good relationships with. We have a lot of fun. There's a lot of knowledge transfer there as well. So with those guys, I think as well, if it comes up, I did do a small collab with Franz, Sean, Jay, Mr. Jonathan Bowman, and. And those guys in the event, if I can collab with them more, that would be great. Just such a high level and high caliber of just like militant pwning is fantastic to see. Ben as well. Nom Sack is another guy I like to collab with ads, but he. Yeah, ADS is where we done an event together. I'm just trying to get all the names up together. See, here's the thing. As well. What I mean about growing as a hacker, I didn't do much collaboration at the start because I was still like very unsure if I could deliver value in the collab. And like I was still going through that process of like coming to terms with bug bounty full time. Now I would say next year will probably be a lot more collab now I've sort of gone through that journey, so.

[01:19:11.01] - Justin Gardner
That sounds great, man. I'm excited for that. As far as the next question is how many times per week would I like to hack? For me, I would like to hack 32 hours a week. I probably will try to set a minimum around 20 and I'll probably hit around 25 again. But yeah, I would love to work on, you know, bug bounty hunting more. It just stuff gets in the way. Yeah. What about you? Where would you like to, how many hours would you like to put into bug bounty?

[01:19:38.63] - Brandyn Murtagh
Ideally yeah, I think a good spot would be five to six hours a day because sometimes I do that because sometimes I end up accidentally doing some stuff on the weekend as well if I get nerd sniped and alongside. Obviously you yourself have various other projects and income streams that you need to work on, as do I. I'm building them out. So I think that would put me in a good spot to give me a little bit of flex with the other ones as well.

[01:20:04.21] - Justin Gardner
Nice. That's good. I think as far as managing hacker motivation, which is the next one, I think prioritizing other things outside of bug bounty will increase that yearning. Right. Like we talked about for, for bug bounty. So I think that'll be good. As far as money I would like to earn, I'm going to keep it at the same amount that I did last year. I missed. I was under my, my stretch goal by like 5% and I might make it this year if, if some of the crits that I have right now pay out. We'll see inside this year but most of the people are off for the rest of the year in the US so I doubt they'll pay out. But it was, it was a, it was a fun year for that and I'm going to keep the, the, that target at around the same. And I kind of agree with Rezo. I'm not sure the like number of bugs I would like to submit is a great metric, but I would kind of like to see that go down and the earnings stay the same or go up. Right. I feel like that would be. Be kind of fun to see. So around 100 is probably about good for me, but I would like the earnings to either go up or stay the same. So. And then passing that off to you, Brandyn, that is hacker motivation. How do you plan to manage that this year? If you would like to say, you know, ranges or give some rough estimate on how much you would like to earn and then how many bugs you like to submit.

[01:21:29.17] - Brandyn Murtagh
Yeah, hacker motivation. I touched upon this earlier, but recognizing now that buckets adjacent to bug bounty but are still sort of related, really do a lot because I go somewhere, I speak about bug bounty, some of the bugs I've done, some of the cool stuff I'm doing, or I speak to someone that's really interested in bug bounty or runs a security program or a CISO with problems, and I'm just like, ah, there it is again. Just the urge to hack something, it just comes back and strikes. So that's a big one for me. So I'm definitely going to tap and start going into next year. How much money would I like to earn? So from bug bounty alone, I would like to keep that at the same level that I have done this year with the caveat of increasing my other income streams. And just for everyone listening, I pretty much overdone my two goals that I've done. I crushed them both. In hindsight, maybe I set things a little bit too low, but my earnings goals got well and truly beaten the crap out of, which is good to say, fantastic to say. And bug submit, I mean, I'm not even going to comment on this one because I try and adapt to the target very much. So if that means I do a load of volume and not much impact based off of the decision and constraints I'm in, so be it. I have no problem with that. Now, I'm not precious about it.

[01:22:54.69] - Justin Gardner
But.

[01:22:54.97] - Brandyn Murtagh
Yeah, that's what I would say.

[01:22:55.97] - Justin Gardner
That sounds good. All right, last couple of questions and then we finished the marathon of the personal hacker inventory. What platforms or programs would you like to hack on? What automation would you like to hack on or like work on? What research would you like to do and how would you like to contribute to the community? Yeah, go ahead.

[01:23:15.13] - Brandyn Murtagh
So programs, I as from my previous episodes, I do have a hit list that I keep up to date, a hit list of targets that I'd like to hit. And that's very much still under. Under works. What I would say is the notable one that will be a next year target is Google for sure. It has to be. I have to do it now. I'm getting, I don't get FOMO often, but I'm getting FOMO with Google so I'm going to hit that with automation. I'm going to continue building out some of my frameworks I've done. You will have access to one of them soon, very soon to trial out and also carrying on the vibe coding and I will say as well, codifying my knowledge into prompts a little bit more to do more things with Shift. I'm going to put that under automation because it is in a sense automation that you need to sort of crack.

[01:24:09.21] - Justin Gardner
Totally. I think for me, the platforms and programs I would like to hack on, I'm pretty, pretty pleased with what I've got with, you know, Capital One, Epic, Google and some Amazon. I would like to try T-Mobile this year. I've heard a lot of people having success on T-Mobile so that one could be kind of interesting. I am US based so that I can go like, you know, get one from the store and like set it up pretty easily, which is good. So I think I might try that. Automation is going to be largely Shift agents for me this year, I think and I'm not sure I'm going to do much else from an automation perspective. I don't plan to go back into the recon game. I was thinking about it, but I think probably not as far as research goes. I really enjoyed that New Relic thing like that was really fun and I think I will try to do more client side research if I'm going to do research. And then as far as contributing to the community, I think I'm just going to keep on doing the podcast, man. The podcast is like, you know, I think about all I can manage from a contribution perspective to the community and I'm going to keep obviously working with Caido, releasing plugins, crafting that product to serve the community in that way. And I think that's about all I've got on the docket. I think that'll keep me plenty busy for 2026.

[01:25:26.50] - Brandyn Murtagh
Oh yeah, man, absolutely, absolutely. I think research wise it will be bug bounty ish for me. What I would want to do is release some research under my company however, because that's a very good. It's a double hitter. It's research I get to perform and do and it's also marketing material which I get to represent under my company for some certain things. I've got some things in the notepad when I'm off. I'm gonna, I'm gonna bounce and bounce some ideas around and, and see what I come up with.

[01:25:53.73] - Justin Gardner
Yeah, the other thing I would like to do is I would like to do another enterprise app like zero day search really quickly. I was talking to somebody in the CTBB community about like that whole Grafana thing I did back in 2020 and I had a lot of fun with that. So I might do that again. I might just pick like a, a high target, you know, like often found across the bug bounty scope. You know, enterprise app, grab the source code, reverse it, try to find an unauthenticated zero day. I think that'd be pretty fun. Just, just as like a, a fun thing. As far as predictions for the upcoming year goes, I think that I, I agree with, with rez0 that Shift agents and you know, hacker supplemented or yeah, AI supplementing manual hacking is going to be a necessity by the end of 26 I think and Shift is going to need to grow a little bit as a product I think before then. But I think it's 90% of the way there right now and I've already had really good success with it. I plan to continue using it. I think source code review is going to change a lot too. Client side source code review with Claude Code or Gemini or whatever it is. I think we'll really be super helpful this year. Yeah, besides that I don't really have any other massive, massive predictions. I think the bounties will continue to go up. Overall, I think bug bounty isn't going anywhere. Do you have any thoughts for predictions for the next year?

[01:27:27.56] - Brandyn Murtagh
Yeah, I feel so. I was listening to a podcast about how Cloudflare have now entered the browser game a little bit and how they're fundamentally all Cloudflare customers are turning off access to AI crawlers and they're monetizing it. Where content creators get paid for their content in another way and how they've open sourced this agent to agent like payment system. I think that as we progress and we sort of hit that critical mass now a little bit with some of these targets that we're hacking, we are going to start to see a bit more of this third party attack surface that we haven't really had to see before. Whether that comes in new protocols like that, new MCP servers and new like AI related integrations. So if that's your flavor of hacking and you enjoy hacking stuff like that, keep an eye out for it because I would expect to see more things like that coming up. But like I don't want to keep like saying oh yeah I agree with what he said, but I actually do agree with what Yuram Rezai said about in terms of like the hacker behavior, I'd say I'm very much in the same boat.

[01:28:37.10] - Justin Gardner
Yeah, yeah, I think that's, I think that's a no brainer. I think we will start seeing, you know, we already saw XBOW kind of do their run this year, but I think I would also predict that probably this year we will see, you know, a like bug bounty hunter created autonomous, you know, AI hack bot essentially start really, really, really getting some crazy results. We've seen that a little bit already actually. Some of the niche members of the CTBB community have shared some success with hackbots they've created. But I think we'll see something really, really start to climb the leaderboard in a meaningful way this year. Yeah, and I think the other prediction that comes to mind is that I think it will actually get harder than it already is to compete in the recon games because with the presence of vibe coding changing who can create automation, I think that we will see more competition even than we have in the past there. So the people that are winning in that arena will be the people with access to custom bugs, bugs that other people aren't looking for. So it's going to become a lot more of a research game. One of the things we have done a little bit with CTBB is try to include encourage pairings between recon hackers and you know, researchers. And I think that would be another really fun thing to push this year in the CTBB community is like okay, let's try to get, let's spend a couple of weeks trying to find you know, cloud misconfigurations, you know, enterprise software misconfiguration, something that is like not a zero day but is like a common misconfiguration that we can hand to the recon guys and get like, you know, a split up on to generate passive income moving forward. Yeah, I think that, yeah, I think because I think the recon part of that though is going to become a lot less valuable because more people are going to be able to do it because of the, the vibe coding. So it, it I think splits for recon boys will probably be forced down from a market perspective due to more supply in the market.

[01:30:45.72] - Brandyn Murtagh
Agreed. Yeah, it's very. And like you only have to go into the CTBB channel and like it feels like the amount of tools and tips and like all these little things that have been vibe coded extensions, Burp extensions, they're all just coming out so much quicker.

[01:31:01.36] - Joseph Thacker
Totally.

[01:31:02.89] - Brandyn Murtagh
Like it's reducing friction on workflow. So yeah, I'd agree. I'd agree with that.

[01:31:07.77] - Justin Gardner
Very nice. All right, man, that was a marathon episode. My voice is about to give way. I was just like coughing along out on mute while you're answering that last question. But that is a wrap on 2025 Critical Thinking. Thank you guys so much for listening this year. It's been amazing. Our viewership has been very supportive. We brought on Brandyn as a co-host. We'll see you guys in 2026.

[01:31:31.85] - Brandyn Murtagh
See you in 2026.

[01:31:33.93] - Justin Gardner
And that's a wrap on this episode of Critical Thinking. Thanks so much for watching to the end, y'all. If you want more Critical Thinking content or if you want to support the show, head over to ctbb.show/discord. You can hop in the community. There's lots of great high level hacking discussion happening there on top of master classes, hack alongs, exclusive content, and a full time hunters guild if you're a full time hunter. It's a great time. Trust me. All right, I'll see you there.

[01:32:00.65] - Joseph Thacker
It's hard not to just keep talking about stuff, but it's like, oh, it's off the air, gotta wait.

[01:32:04.34] - Brandyn Murtagh
I'm like, have you seen the meme of the guy when he has the veins popping out of his head when.

[01:32:08.22] - Joseph Thacker
He's trying to talk? Yes. You're like.

[01:32:14.22] - Brandyn Murtagh
That's exactly how I feel right now.