
A Recent OSCE in Our Team

Figure 1. Certificate

A few days ago, Fluid Attacks' Offensive Team Leader Andres Roldan
published a blog post about his ‘Journey to OSCE.’ After reading it
and taking more interest in his experience, we had some questions, which
Andres was kind enough to answer. Here we share with you some of his
insights:

Why do you think you gravitated to the issues of hacking and
cybersecurity initially?

  1. I’ve always been curious about how things work. In college, while
    studying Business Administration, some 20 years ago, I once read or
    heard the word ‘Hacker’ and started reading about what it meant to
    be a hacker and what skills were required. At that time, Windows 98
    was in use, and terms like ‘hacker,’ ‘cracker,’ and ‘phreaker’ were
    popular. Besides, Kevin Mitnick was an idol, and the movies Matrix
    and Takedown were released. That atmosphere of deep knowledge was
    what led me to change careers and start on the path of
    cybersecurity.

Why did you read Aleph One’s article about exploitation (‘Smashing The
Stack For Fun And Profit’) if you didn’t know anything about computers?

  1. If you searched in Altavista (the Google of 20 years ago) for terms
    related to ‘hacking,’ that was one of the results. That article was
    launched in Phrack magazine, which is still a reference point for
    security issues.

How and when did you discover Fluid Attacks? What were the
requirements to fulfill at that time to become part of the company?

  1. Before Fluid Attacks, I had a cybersecurity company, but it was
    not successful. Fluid Attacks was created by some friends in 2001.
    When they found out that my company was closed, they interviewed me
    and asked me about my knowledge. By that time (ending 2002), the
    experience I had acquired (in Linux, security, and hacking) by
    studying on my own was enough to get me into Fluid Attacks.

What kind of skills and knowledge do you think a person should possess
to achieve this OSCE certification?

  1. The CTP course is designed to help you think in a creative way
    when you are doing an intrusion. Knowledge is gained through study
    and discipline, but the key is the ability to think outside the box
    to resolve problems.

You told us that you did the CTP course modules several times. Why did
you do that?

  1. Because there are many variables to take into account when creating
    an exploit. You have to understand every step, every instruction,
    and why. Every application is different, and you can’t apply ‘by
    heart’ attack patterns. You have to understand the reason for each
    step, and that is accomplished by repetition.

What is it that changes so much between the laboratory in the course
and the exam?

  1. The techniques to solve the exam are taught in the course. However,
    the exam exercises are not solved in the same way as the course
    exercises. It is necessary to understand the problem, understand the
    target’s environment, and reuse what has been learned creatively.

How does the difficulty level of the ‘Hack The Box’ machines compare
to the lab and exam exercises?

  1. Hack The Box machines do a great job making you think
    out-of-the-box. These machines use different techniques that are
    commonly employed in CTF challenges but uncommon in the real world.
    On the other hand, the CTP course has exercises to exploit real
    applications and real vulnerabilities using fuzzing and reverse
    engineering techniques, focused on finding 0-days.

Which were the most complex challenges in the exam?

  1. Due to Offensive Security certification policies, students can’t
    talk much about the exam details. However, all of the exam points
    are not straightforward. You have to really understand what’s going
    on before attempting to create a solution for the challenge. Reading
    the objectives in detail for each exam point will give you a better
    understanding of how to approach the solution.

What would you recommend to those who want to obtain this
certification?

  1. As I mentioned in the blog post, you should
    perform extra self-training after the CTP course. I, for instance,
    exploited several known vulnerabilities from scratch, using my
    methods and exploits. Furthermore, although it’s not required to
    have the OSCP certification to obtain the OSCE, I strongly
    recommend it. Offensive Security certifications are meant to be
    hard, and having experience with other certifications before OSCE
    will be an advantage.

Regarding certificates, what is the next goal you have in mind?

  1. The current version of OSCE certification will disappear this
    year. It will be replaced by 2 different certifications that, along
    with OSWE, would be a new OSCE. However, those 2 new
    certifications are not ready yet. For now, I already have a spot for
    the Advanced Windows Exploitation course that will take place in
    London in April 2021. That is the course required before attempting
    to obtain the OSEE certification, which is regarded as the most
    difficult exploitation certification in the world.

Thanks to Andres for sharing about his achievement. Here you can read
the previous post about his experience with OSCE, and if you want to
know more about the certifications that the members of our red team
have obtained, you can follow this link.


*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/recent-osce/