Skip to content



You heard it right! Thinking like a criminal is one of the important ingredients for security testing aspirants or enthusiasts who want to reach the next level of hacking. I quote this always in my talk – To become a better hacker, think like a criminal while you have self-control to not commit the crimes. Some of the examples that I would like to share with the audience of my thinking experience as a hacker,

• I have tried to break-in my school when I was 8 years young and stole the question papers for the exam. I used a duplicate key to open the lock.

• I have hacked some of the dial-up networks and used the dial-up package of someone else when I was 16. I did this with the help of “iOpus Password Recovery”.

• I have hacked some of the yahoo accounts as I wanted to know if my girl was reading my e-mails or not. I did this using “Keylogger” installed in my college cyber café.

Sometimes I think that, security testing was in my blood since my childhood days. If I were running a school of hacking, then I would build an infrastructure and give the practical exercises to the kids where they can bypass the security, break open the doors and lot many things. That’s kind of nutrients that I want to give for kids to become hackers. That’s what I call as “Nurturing” the growth of a hacker or a security tester or a penetration tester.

“Start thinking like a criminal now”


I started hacking a girl’s account and she was my crush. This was long back in the year 2001 when I was schooling. I also tried hacking my best friend’s account. I do not know why I chose them, but I felt they can understand my intention behind it instead of doing it for someone unknown. So, it was like practice session for me hacking my friends account. After I hacked them, I was happy about my skills however; I returned the account to my friend whenever I hacked. I did not look into the data after hacking, but just logged out and that was a billion dollar feeling for me.


Since childhood, kids are taught not to play with some other kids because they think their kids would get spoiled. Well, I have something different to say here when they grow up; let them go out and learn things so that they can become better and live their life in much better fashion.

Likewise, if you are an ethical hacker and want to learn more; it might be one of the important attribute to mix with unethical (Black-hat) folks and learn from them. However, it is not as easy as getting chocolate from a shop. Blackhat folks will not agree if someone ethical wants to meet them or talk to them. For those things, one needs to build the trust and yet it is not guaranteed that blackhat folks would agree to talk to you.

I can only say, give your best to interact with unethical hackers.


To become a better hacker, it is blend of technical skills as well as social engineering skills. Most of them do not understand the importance of social engineering. Let me give you an example: If you want to hack the data which is in a different building, one of the easy way could be do get there and get the hard disc while technical skills might take a bit longer. However, there is a risk involved with it. It’s a matter of, “Whether you are game for it or not”.

In my experience, I have bypassed several organizations security checks by social engineering. One of the example is, I built a great rapport with the security guard at the entrance and was speaking his language and agreeing to whatever he was saying. That made him closer to me and he started liking me just because I was agreeing to whatever he was saying and was speaking to him whatever he likes. Finally he said, “Sir, you seem to be a very good person and I will let you in without the access card as you are visitor. There is no need of approval or calling the escort”.

Wow! That was a cakewalk.

Start practicing these exercises in shopping malls, hotels, supermarkets, hypermarkets, organizations and anywhere which has security checks. You will see that getting access to physical infrastructure is a cakewalk in India at least.

Happy breaking!


Remember this very well, “Humans are the weakest links” in the “Security World”. Let me give you a better example,

Let us say someone kidnaps your loved ones and later the kidnappers call you and ask you to reveal your password to some account which has sensitive data. At that time, you would be emotional and you just give away the password. However, computers cannot be asked to reveal password by just kidnapping something which is related to computers; they do not have emotions while humans have.

Another example could be, “Someone points gun on your head and asks you to reveal password and you will”. However, doesn’t work the same when someone points gun to computer and demands to share the password.

If you learn to manipulate the minds of people, then you have cracked some layer of hacking to reach to sensitive data. And I bet that it is so not so easy! After lot of practice, I could social engineer at least 6 people out of 10 with whom I converse. Well, not for evil purpose, but educational.


I consult for free for, (Feel free to write to me)

• Security Testing Aspirants

• Wannabe hackers

• Security Testing Projects


I have been as a software tester for over 5 years. I am a hands-on tester and I've been winning bug battles & testing competitions across the world. I am a testing enthusiast, who conducts free workshops on security testing across India (Covered locations: Bengaluru, Pune, Hyderabad & Chennai. Invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.

Latest posts by SanthoshTuppad (see all)



  1. shah nida kausar wrote:

    Hey I read ur very blog which in courage me a lot but I want
    To learn work under u bcoz its all most a year that I want to learn many things from u Santhosh sir …..u had been to are clg also and ur very blog has some or the other info…
    Thank u sir

    Wednesday, November 20, 2013 at 3:24 am | Permalink
  2. Arokya Samy wrote:

    Hi, I went through Security Testing Blog, it was pretty impressive. I loved it.

    Now i am working in IBM as Testing Engineer. I am Testing Mobile Applications.

    I would like to do Security Testing for the Mobile Applications. Even i am part of Cloud Testing. Please suggest me how can i take care of all those in security Testing.

    I am eagerly waiting for your reply.

    Thanks in Advance

    Wednesday, November 20, 2013 at 6:32 pm | Permalink
  3. Arokya, Thanks for your comment. With respect to Mobile Security, I have not explored that area. That is on my list and would be starting to learn soon. Looking to start the testers meet-up and you could subscribe to it soon (I will publish the details soon on my blog / twitter /facebook).

    Thursday, November 21, 2013 at 4:31 pm | Permalink
  4. Jayshree wrote:

    a great article again.

    I have also used this social engineering sometimes when I visit my sister’s office. As she works in a research institute all visitors/ relatives need a card. But as I’m her sister and security have seen me coming frequently they allow me to get in even without making an entry when I say it’s a matter of just 10-15 minutes and I would be back. Also if one gets into their transport, it is even easy to spend a whole day there.

    Tuesday, December 3, 2013 at 2:25 pm | Permalink
  5. That’s good to hear that you being experienced it. I have got into Infosys (Mysore) campus while my colleague said, the process to get inside is very stringent :) I have also got into MindTree and several others. However, haven’t committed any crime he he.

    Tuesday, December 3, 2013 at 7:08 pm | Permalink
  6. Rajesh wrote:

    Hi Santhosh,
    This is Rajesh, working as a tester in Chennai, in my current windows based project we would like to do security testing, could you please guide me how to start and tool which i can use,( is it possible for you to share a few knowledge what you have in security testing)

    Note :
    Will you be available to take a session in our organisation, if so when will you be free.


    Friday, February 28, 2014 at 8:24 pm | Permalink
  7. Rajesh, it is more about mind-set & then skill-set. It is hard for me to give straight-forward answer without knowing the context of the software. I mean, what is the software; what modules does it have? and lot other details.

    It would be good if we can have a Skype conversation. Please check with me at santhosh.s.tuppad [Skype ID].

    And about conducting a session in Chennai, I am not sure about the schedule. However, I will keep it in the back of my mind. Thanks!

    Wednesday, March 5, 2014 at 4:28 am | Permalink

3 Trackbacks/Pingbacks

  1. TOP 5 QUICK WAYS TO START SECURITY TESTING | quality Mr. on Thursday, November 21, 2013 at 2:22 pm


  2. Testing Bits – 11/17/13 – 11/23/13 | Testing Curator Blog on Monday, November 25, 2013 at 6:11 am

    […] TOP 5 QUICK WAYS TO START SECURITY TESTING – Santhosh Tuppad – […]

  3. […] Top 5 quick ways to start security testing […]

Post a Comment

Your email is never published nor shared. Required fields are marked *