Episodes

  • Hacking at the Weeds with Felix Boulet

    Hacking at the Weeds with Felix Boulet
    May 14 2025
    In this episode of The BlueHat Podcast, host Nic Fillingham and Wendy Zenone are joined by Felix Boulet fresh off his participation in Zero Day Quest. Felix talks about his unique journey from industrial maintenance to becoming a full-time vulnerability researcher, and how that background fuels his passion for hacking and bug bounty work. He explains his method for finding bugs in Microsoft products—particularly in identity systems—and why identity is such a valuable target for attackers. Felix also shares highlights from the Zero Day Quest event, where he focused on building connections, learning from Microsoft engineers, and experiencing the collaborative side of the security community. In This Episode You Will Learn: Why identity-based bugs are especially valuable and dangerous in the security world When breaking identity controls can be the key to pivoting through an entire system How SharePoint's concept of "virtual files" impacts vulnerability validation Some Questions We Ask: What was your first bug bounty experience? Can you explain what the flash challenges were and what your experience was like? Do you think sharing bug ideas could cost you a bounty? Resources: View Felix Boulet on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    Show More Show Less
    33 mins
  • Evolutions in Hacking with Marco Ivaldi

    Evolutions in Hacking with Marco Ivaldi
    Apr 30 2025
    In this episode of The BlueHat Podcast, host Nic Fillingham and Wendy Zenone are joined by Marco Ivaldi, co-founder and technical director of HN Security, a boutique company specializing in offensive security services, shares his journey from hacking as a teenager in the '80s to becoming a key figure in the security research community. With nearly three decades of experience in cybersecurity, Marco digs into the ongoing challenges, particularly in Active Directory and password security, highlighting vulnerabilities that continue to pose significant risks today. He recounts his unexpected path into bug bounty hunting, including his involvement in Microsoft's Zero Day Quest and his passion for auditing real-time operating systems like Azure RTOS. In This Episode You Will Learn: How Marco taught himself BASIC and assembly through cassette tapes and trips to local libraries Why mentorship and positive leadership can catapult your cybersecurity career When measuring network response times can unintentionally leak valuable info Some Questions We Ask: Do you remember the first time you made code do something unexpected? What was your experience like in the Zero Day Quest building for those three days? How are you thinking of approaching fuzzing after Zero Day Quest? Resources: View Marco Ivaldi on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn HN SECURITY Learn More About Marco Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    Show More Show Less
    49 mins
  • From Facebook-phished to MVR Top 5 with Dhiral Patel

    From Facebook-phished to MVR Top 5 with Dhiral Patel
    Apr 16 2025
    In this episode of The BlueHat Podcast, host Nic Fillingham and Wendy Zenone are joined by Dhiral Patel, Senior Security Engineer at ZoomInfo and one of MSRC’s Most Valuable Researchers (MVR). Dhiral shares how a hacked Facebook account sparked his passion for ethical hacking. From web development to penetration testing, Dhiral has become a top bug hunter, landing multiple spots on the MSRC leaderboards. Dhiral reflects on his early MSRC submissions and lessons learned. He also discusses the importance of mastering web security basics, practicing on platforms like TryHackMe and Hack the Box, and staying connected with the bug bounty community. In This Episode You Will Learn: The importance of mastering web security basics before diving into bug bounty hunting Why hands-on platforms like TryHackMe and Hack the Box are perfect for beginners Dhiral’s journey from blogging to freelancing and security research Some Questions We Ask: How do you balance competition and collaboration in the bug bounty community? Can you explain what clickjacking is and if it still works today? Why did you start with Power BI, and how did it lead to your journey in security? Resources: View Dhiral Patel on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    Show More Show Less
    42 mins
  • AI & the Hunt for Hidden Vulnerabilities with Tobias Diehl

    AI & the Hunt for Hidden Vulnerabilities with Tobias Diehl
    Apr 2 2025
    In this episode of The BlueHat Podcast, host Nic Fillingham and Wendy Zenone are joined by security researcher Tobias Diehl, a top contributor to the Microsoft Security Research Center (MSRC) leaderboards and a Most Valuable Researcher. Tobias shares his journey from IT support to uncovering vulnerabilities in Microsoft products. He discusses his participation in the upcoming Zero Day Quest hacking challenge and breaks down a recent discovery involving Power Automate, where he identified a security flaw that could be exploited via malicious URLs. Tobias explains how developers can mitigate such risks and the importance of strong proof-of-concept submissions in security research. In This Episode You Will Learn: Researching vulnerabilities in Power Automate, Power Automate Desktop, and Azure The importance of user prompts to prevent unintended application behavior Key vulnerabilities Tobias looks for when researching Microsoft products Some Questions We Ask: Have you submitted any AI-related findings to Microsoft or other bug bounty programs? How does the lack of visibility into AI models impact the research process? Has your approach to security research changed when working with AI versus traditional systems? Resources: View Tobias Diehl on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    Show More Show Less
    35 mins
  • Bug Hunting from the Beach with Brad Schlintz

    Bug Hunting from the Beach with Brad Schlintz
    Mar 19 2025
    In this episode of The BlueHat Podcast, host Nic Fillingham and Wendy Zenone are joined by Brad Schlintz, independent security researcher and bug bounty hunter. Brad shares how he transitioned from a decade-long career as a software engineer to hacking Microsoft products while traveling the world with his wife. He recounts his early days tinkering with RuneScape bots, his experience working in SharePoint and Azure at Microsoft, and the moment he first encountered a real-world cybersecurity incident. He also discusses his journey into ethical hacking and his qualification for the upcoming Zero Day Quest, showcasing how he turned bug hunting into a lifestyle that allows him to work from anywhere—including a stunning island in Brazil. In This Episode You Will Learn: How a single discovered bug can lead to finding multiple vulnerabilities in the same area The importance of exploring app integrations when searching for security vulnerabilities Why building on prior discoveries can make it easier to uncover more hidden security issues Some Questions We Ask: What guidance can you share with other researchers and hackers on how to find vulnerabilities? Why did your background in software engineering help you in your bug bounty work? How did you transition from working on the website incident to more full-time security research? Resources: View Brad Schlintz on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    Show More Show Less
    39 mins
  • PoCs, Patching and Zero Day Quest Participation with Michael Gorelik

    PoCs, Patching and Zero Day Quest Participation with Michael Gorelik
    Mar 5 2025
    In this episode of The BlueHat Podcast, Nic and Wendy are joined by seasoned security researcher, and CTO of Morphisec, Michael Gorelik. Michael discusses his approach to security research, which often begins by exploring PoCs released by other researcher groups and continues through to the release and validation of – sometimes multiple rounds of – fixes. Michael also provides an overview of this BlueHat 2024 presentation from last October and discusses his upcoming participation in the Zero Day Quest Onsite Hacking Challenge. In This Episode You Will Learn: How Michael Gorelik transitioned from security researcher to company founder Deeper motivations driving ethical hackers like Michael Gorelik beyond money The importance of identifying incomplete security patches before attackers do Some Questions We Ask: What are you looking forward to with Zero Day Quest? Did you have a moral dilemma about hacking when you were younger? What was your experience like at Deutsche Telekom Laboratories? Resources: View Michael Gorelik on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts The BlueHat Podcast is produced by Microsoft and distributed as part of N2K media network.
    Show More Show Less
    46 mins
  • Secret Herbs, Spices and Hacking Copilot Studio

    Secret Herbs, Spices and Hacking Copilot Studio
    Feb 19 2025
    In this episode of The BlueHat Podcast, host Nic Fillingham is joined by Scott Gorlick, Security Architect for Power Platform at Microsoft. Scott shares his unconventional journey into cybersecurity, from managing a KFC to driving big rigs before landing in tech. He dives into security research in Copilot Studio, discussing how AI models interact with security frameworks and how researchers can approach testing these systems. We also explore his recent training video on YouTube, which provides guidance for security researchers looking to engage with Microsoft’s bug bounty program. In This Episode You Will Learn: What Scott does to ensure Power Platform applications remain governable and secure Why security and software quality go hand in hand in modern development. How security researchers can explore vulnerabilities in Microsoft's low-code AI development platform Some Questions We Ask: What kinds of security issues should researchers focus on in Copilot Studio? Can Copilot help researchers write better reports, especially in different languages? How can researchers get access to Copilot Studio? Is there a free version? Resources: View Scott Gorlick on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Security Research in Copilot Studio Overview and Training on YouTube Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    Show More Show Less
    44 mins
  • Automating Dynamic Application Security Testing at Scale

    Automating Dynamic Application Security Testing at Scale
    Feb 5 2025
    In this episode of The BlueHat Podcast, hosts Nic Fillingham and Wendy Zenone are joined by Jason Geffner, Principal Security Architect at Microsoft, to discuss his groundbreaking work on scaling and automating Dynamic Application Security Testing (DAST). Following on from his BlueHat 2024 session, and outlined in this MSRC blog post, Jason explains the key differences between DAST, SAST, and IAST, and dives into the challenges of scaling DAST at Microsoft’s enterprise level, detailing how automation eliminates manual configuration and improves efficiency for web service testing. In This Episode You Will Learn: Overcoming the challenges of authenticated requests for DAST tools The importance of API specs for DAST and how automation streamlines the process Insights into how Microsoft uses DAST to protect its vast array of web services Some Questions We Ask: What's a lesson from this work that you can share with those without Microsoft's resources? Can you explain what the transparent auth protocol is that you mentioned in the blog post? How is your work reducing the manual effort needed to configure DAST system services? Resources: View Jason Geffner on LinkedIn View Wendy Zenone on LinkedIn View Nic Fillingham on LinkedIn Related Blog Post: Scaling Dynamic Application Security Testing (DAST) | MSRC Blog Related BlueHat Session Recording: BlueHat 2024: S10: How Microsoft is Scaling DAST Related Microsoft Podcasts: Microsoft Threat Intelligence Podcast Afternoon Cyber Tea with Ann Johnson Uncovering Hidden Risks Discover and follow other Microsoft podcasts at microsoft.com/podcasts
    Show More Show Less
    46 mins