The ex-Sekuro leader shares how he balances management with mad skills.
CONTRIBUTOR
Jonathan is a results-driven Cybersecurity Leader with over eight years of experience specializing in offensive security strategy and strategic risk management. His career has been defined by his ability to bridge the gap between deep technical analysis and executive-level execution.
He is dedicated to driving transformative security outcomes and mentoring high-performing teams and also finds great fulfillment in teaching, guiding, and inspiring the next generation of security professionals. By sharing a unique blend of governance and offensive expertise, Jonathan helps organizations identify and mitigate complex, evolving threats.
Beyond the "war room," Jonathan embraces a life of high-intensity adventure as an avid Scuba Diver and Snowboarder. A firm believer in continuous learning, he maintains that the discipline of staying calm under pressure is a necessary skill—one just as vital for navigating the pressures of the boardroom as it is for exploring life beneath the waves.
Despite these global adventures, his favorite way to recharge remains grounded: relaxing at a local kopitiam with a large cup of Teh O Kosong Ice.

Let’s start at the very beginning. How did you get into cybersecurity? We understand that you did Aviation Management in poly, then pivoted to IT with a major in Cybersecurity in university. How did you go from stuff that flies to stuff in files? What was the inspiration and what is your origin story?
Unlike many in the field, cybersecurity wasn't my first passion—aviation was. I studied Aviation Management with the goal of becoming a pilot, but eventually realized it wasn't my true calling. I was quite lost on my next steps until my father casually suggested looking into IT over dinner one evening. That single conversation changed my trajectory.
I started exploring the space and became deeply intrigued by the offensive side of security. It was with my parents' support and blessing that I dove headfirst into the deep end and never looked back since then.
In your case, you got into cyber relatively early, right after poly. For those who are a ways into their career, or perhaps even mid-career, do you think that they should consider pivoting into cyber? If so, do you have any suggestions on how they can successfully do so?
Compared to the newer generation who start career planning the moment they enter polytechnic, I might not even consider my start 'early'.
My main advice for those looking to pivot mid-career is this: Do it for the right reasons. It shouldn't just be about the industry's growth or salary potential. The learning curve is incredibly steep and expectations are high. Without a genuine passion for the subject, the constant need for upskilling can lead to burnout.
However, if the curiosity is there, start by identifying your transferable skills—project management, analytical thinking, or risk assessment—and bridge the gap with hands-on labs to prove your technical appetite.
I’ve seen this firsthand while mentoring a friend who made the switch from an audit and accounting background. He spent countless nights and weekends grinding through the various technical labs and certifications with incredible determination. Within a year, he was able to secure his first role in cybersecurity. While technical credentials were the “key” that opened the door, it was his previous work experience managing client expectations and navigating complex stakeholder environments that secured him the role.
You've evidently done great as a pentester and then moved into the role of Head of Offensive Security at Sekuro. Naturally, plenty of pentesters will want to know how you earned that title. Are there any skills that you focused on to reach the next level?
As you transition to a leadership position, your success is no longer measured solely by your ability to find vulnerabilities, but by your ability to manage people and outcomes.
Soft skills become the primary driver of your impact. You have to master people management in every direction—up to the board, sideways to other departments, and down to your own team. Essentially, your role changes from finding problems to providing the strategic leadership required to solve them.
You were in that role for 3 years, and you got to experience the difference between being an individual contributor and a leader. What aspects do you enjoy about each, and do you have any guiding questions to help those who are at a similar crossroads determine if they would truly enjoy a leadership role?
As an Individual Contributor, I loved the 'thrill of the hunt' and the immediate, direct impact of solving a technical puzzle.
As a Leader, my fulfillment shifted to being the 'enabler.' There is nothing more rewarding than watching a junior consultant's confidence bloom as they move from being purely technical to effectively managing a client conversation on their own.
For those at this crossroads, ask yourself: Where do I want my impact to be? Do I want to find the 'zero-day,' or build the team that finds ten of them?
Also, you have to be okay with not being the smartest technical person in the room anymore; your job is to make sure your team is.

Certifications in the cybersecurity industry can be a contentious subject. It is generally understood that certifications are a way to get a foot in the door and/or demonstrate a particular skillset, preferably with some documented projects. Is there a disconnect with the skills that you learn in certifications and what you use in a day-to-day role?
Definitely, the environment is quite different.
In certifications, you are attacking a 'box' that is designed to be broken, often without consequences. In a day-to-day role, you are assessing live systems where business continuity and strict Rules of Engagement are paramount.
However, certifications are still vital. They are excellent for validating knowledge and developing the right mindset—instilling not just persistence, but the creativity to think out of the box required to succeed in a day-to-day role.
If there's a disconnect between the skills that you learn in certifications and the skills you actually deploy in an engagement, do you think it's still worth pursuing these often expensive certifications?
To a certain extent, yes. While practical experience triumphs in the long run, certifications remain a structured way to build a foundational knowledge base. Beyond learning, they serve a vital professional function: they are a primary metric during the 'Resume' stage, alongside CTFs, CVEs, and passion projects.
They aren't the 'end-all, be-all,' but they are a key piece of the puzzle that helps get you through the door so you can start gaining real-world experience.
What are some soft skills that you have found invaluable as someone on the offensive side?
It is always important to be able to contextualize the information you are trying to convey. Not everyone will have the same level of technical knowledge or the same priorities.
To be effective, you must tailor your language and focal point to your audience, clearly distinguishing between technical security risks for engineers and financial or operational business impacts for executives.
How do you communicate the findings to management to ensure impact? Any tips that you use beyond the usual Fear, Uncertainty, Doubt?
I move away from fear and focus on context. I start by understanding the specific KPIs and goals of the management team—whether they are financial, operational, or reputational.
From there, I tailor the narrative. Instead of overwhelming them with technical jargon, I map the vulnerabilities directly to the business objectives they care about. This ensures they see the findings not as abstract threats, but as concrete obstacles to their own goals that need to be removed.

In external pentest cases, what are some of the most common ways that you gain an initial foothold? How common is it to fail to gain a foothold? In such cases, how do you proceed with the client?
Typically, for external perimeter engagements, the most common vectors would be weak or leaked credentials. It is actually fairly common not to gain a foothold. In an ideal world, all unnecessary ports are closed and patching is up to date, which will greatly limit the surface of attack.
Have you ever encountered shadow IT or a threat actor already on the network during an engagement? How do you proceed?
No (Thankfully). If this were to happen during an actual engagement, we would drop everything and escalate to the client immediately.
What are some of the least liked aspects of your role in offensive security? On the flip side, what are some of the most rewarding aspects of your role?
The most frustrating aspect is definitely the 'compliance checkbox' mentality. It’s disheartening when offensive security is treated as a 'tick-and-forget' exercise rather than a continuous improvement process. Too often, the true business impact of a vulnerability is downplayed or ignored just to get a clean report.
On the flip side, I thrive on relationship building—both with clients who appreciate the strategic insight we provide, and with my own team. Seeing a junior member evolve into a capable consultant who can handle both difficult conversations as well as complex technical challenges is easily the highlight of my role.

There are quite a few firms coming up with AI pentesting. What do you think the new dynamic between these firms and pentesters/red teamers will be?
I feel that the anxiety regarding AI taking over jobs is common across all industries, not just Cyber. However, I am a strong believer in the irreplaceable 'human element' of penetration testing—specifically intuition and context.
Instead of replacing us, I believe the new dynamic will be one of empowerment. With AI acting as a co-pilot handling the volume and speed of testing, it frees up the human to focus on creativity, logic, and business context. AI won't replace testers; it will simply raise the baseline of quality, allowing even junior members to perform at a much higher standard.
Understandably, there's significant apprehension around AI replacing folks. Do you have any advice for new or junior pentesters on how they can safeguard their jobs and careers from being replaced by AI? For example, are there any skills they should look into or mindsets that they should adopt like "Try Harder" or "Git Gud"?
Understand the 'Why,' not just the 'How.' AI is excellent at executing the 'how'—it can run scans and generate scripts with speed—but it struggles with the 'why.' Don’t just run tests for the sake of checking a box; understand the underlying logic and business impact.
The 'Try Harder' mindset still applies, but instead of just bringing a bigger hammer, often the answer lies in the angle at which you strike the nail. If you focus on creative problem-solving and contextual analysis, you aren't just a pentester—you're a security consultant.
While AI can simulate risk analysis, it lacks the organizational empathy and nuanced accountability that a human leader provides.

On the same note, we're seeing the bar rising rapidly as the younger cyber folks display pretty 1337 skills and certifications, and are hunting for internships ever earlier. Do you have any suggestions on how one can stand out in such a competitive field?
First off—stop spoiling the market! Just kidding. But in all seriousness, if you don’t have a massive budget for every certification under the sun, don't panic.
Shift your focus toward applied skills. Well-documented passion projects and CTFs demonstrate a genuine hunger for the craft. Internships offer a glimpse into 'operational reality' that certifications often miss. These experiences give you the stories and technical depth you need to ace the interview. Focus on showing what you can do, not just what you've read.
There is a lot of hype about the usage of AI by threat actors. What aspects are you concerned about and where do you think folks should start paying attention?
I am most concerned about how AI is erasing the 'red flags' we rely on for defense. We have moved past the era of the clumsy 'Prince of Nigeria' scam; AI can now generate thousands of context-perfect, error-free phishing emails instantly.
When you combine this scale with AI-driven impersonation—such as real-time voice cloning or deepfakes—it becomes nearly impossible to verify who is on the other end of the line. We are reaching a point where technical detection is failing, leaving us to rely on intuition alone—and on a bad day, that is simply not enough.
To counter this, we must operationalize the 'Trust, but Verify' mentality. We need to establish human 2FA protocols—essentially Out-of-Band verification. If you receive a sensitive request, even from a trusted voice, verify it through a secondary channel—like a secure text or a return call. We have to normalize the idea that 'checking' isn't rude; it's required.
We're seeing a rise in the interest of hacking hardware, and in tools like Flipper Zero. As with most things hacking, this too sits in a grey area. What is your take on such tools and how folks should conduct themselves when it comes to testing out such capabilities?
I find these tools fascinating as they make hardware hacking accessible to the broader community. However, accessibility does not change the responsibility of the operator.
The tool itself is neutral; the intent is what matters. You must always adhere to strict Rules of Engagement. Just because you have a device that can interact with a system doesn’t mean you have the permission to do so.
My advice: adopt a 'Home Lab' mentality—test on your own equipment, in your own space, and never touch anything out of scope.
Daily driver OS?
Windows
Kali or Parrot?
Kali
Most hilarious way you’ve gained a foothold or privesc-ed?
Not me, but I hear people still keep their passwords written down or on their Desktops...
