Scorecarder Spotlight: Segev Eliezer & David Mound

Our “Scorecarder Learning & Development Spotlight” series showcases our talented, driven employees, the incredible work they do, and their quest to continue their development as lifelong learners. 

This month, we’re highlighting two Scorecarder’s who both attended DEFCON at the end of the summer!

Name & Role: Segev Eliezer, Sr. Penetration Tester (Professional Services)
Name & Role: David Mound, Sr. Penetration Tester (Professional Services)
 
 
 
 
 
 
 
 
 

Tell us a little about your professional background.

Segev:
I have been tinkering with computers for as long as I can remember and have been immersed in cybersecurity since I was 16. At the age of 20, I was in the world’s top 0.1% of penetration testers in both HackTheBox and TryHackMe, the two largest cybersecurity learning platforms in the world. Before discovering cybersecurity, my main focus was on chess, which I started at the age of 5. In 12th grade, I earned the national bronze medal, becoming 3rd in the National Scholastic Chess Competition among high school seniors. Strategy, determination, focus, and ambition are important characteristics to have when playing chess and performing pentesting and red teaming services, as these values will result in finding difficult critical/high-severity vulnerabilities.

David:
I have a deep-rooted interest in cybersecurity that began at a young age, which led me into penetration testing and red teaming. Over the years, I’ve worked in a range of environments, from consulting to threat intelligence, and I currently serve as a Red Teamer / Penetration Tester with SecurityScorecard. I’m passionate about improving organizational security, particularly by blending offensive and defensive strategies, which ties into my interest in purple teaming. Outside of work, I enjoy participating in Capture the Flag competitions, American muscle cars, and spending time with my family.

What made you want to attend this year’s DEFCON conference?

Segev:
DEFCON is one of the best cybersecurity conferences in the world. It has presenters coming from all over the world to present novel ideas in red teaming and pentesting. There was also a wide range of activities to perform at the conference as there were 33 different “villages”, each about a different area of expertise within “attacking fields” such as lock picking, car hacking, AI hacking, and much more.

David:
I attended DEFCON to explore the latest advancements in cybersecurity, particularly in the realm of purple teaming, which combines the strengths of both red and blue teams. Given my role and the focus of Proactive Services, I wanted to gain insights into how purple teaming could be better integrated into our service offerings. DEFCON offers a unique opportunity to learn from hands-on experts in the field, and I wanted to explore how these practical approaches could be applied at a broader scale. Plus it’s cool to hang out with like-minded individuals and bounce ideas for the week!

What key takeaways and learnings did you get from the sessions and conference itself?

Segev:
My main key takeaway behind the conference itself was the methodology that presenters described when presenting how they discovered their novel attack vectors. It was inspiring to hear their thought process and how it can be used to find
vulnerabilities in some of the most widely used software applications. Two sessions in particular stood out to me. One of the sessions was about a novel idea in time-based attacks for web app pentesting by James Kettle. This is an advanced attack that can reveal additional vulnerabilities in an application and can result in the discovery of high or even critical-severity vulnerabilities. James Kettle also presented his thoughts on how this type of attack can be used to detect web application firewalls, and potentially bypass them by inputting a large amount of data in the client’s request.

The second session regarded critical vulnerabilities within AWS itself. This research
was conducted by Yakir Kadkoda, Ofek Itach, and Michael Katchinskiy, and highlighted a method that could be used to gain access to the accounts of other AWS users.

David:
One of the main takeaways was the evolving nature of collaboration between offensive and defensive teams. The sessions highlighted that purple teaming is not just about running joint exercises but fostering an environment of continuous improvement through constant feedback and iterative learning. I also learned how automation and adversary emulation can help enhance the effectiveness of purple teams by offering more realistic and timely insights into vulnerabilities. Lastly, a key takeaway was the importance of metrics—quantifying improvements in both detection and prevention based on red team exercises.

How will you apply what you learned to your role and to SecurityScorecard?

Segev:
Using what I learned from DEFCON, I will be able to deliver higher-quality reports to our clients so that they can gain as much value as possible from each engagement. Additionally, this conference has inspired me to conduct my own research and discover security weaknesses to present in future conferences on behalf of SecurityScorecard.

David:
I plan to take the knowledge gained at DEFCON and apply it to develop a more structured purple teaming framework within our service offerings. This includes integrating regular adversary simulations and red team engagements into a continuous feedback loop with defensive teams to improve both detection and response capabilities. We can also leverage automation tools to scale these efforts across multiple clients, making it easier to deliver valuable insights and metrics that demonstrate measurable improvements in security posture. This approach could provide an enhanced, data-driven method of assessing and improving our clients’ defenses.