Date: 2025-10-20

Matthew Hughes, a security analyst on the SensePost team at Orange Cyberdefense in South Africa, has taken an interesting road into the world of information security.

Many hackers can point to a specific movie or TV show that kindled or fanned their interest in cybersecurity. For those who grew up in the 1990s and 2000s, that film was probably the 1995 cult classic Hackers.

For Hughes, the journey started with the four-season techno-thriller Mr Robot. “Elliot’s day job is within cybersecurity, and it clicked, I can get paid for hacking things?!” said Hughes.

“So, there I was, 15 years old, with a fresh Kali Linux installation, attempting to hack into my neighbour’s Wi-Fi (allegedly).”

Hughes convinced his mother to let him drop out of high school. Rather than paying school fees, he asked her to pay for a cybersecurity certificate.

“I had done some Googling and found a Discord server called HackSouth. After joining, I was contacted by someone from SensePost, and they suggested I apply to their Academy, and that was it,” he said.

“Now I am a high school dropout who’s been to Las Vegas to give training and attend DefCon, who’s done a public talk, and most importantly, is doing something he loves.”

Hughes said he couldn’t have asked for anything better. “Curiosity killed the cat, but it gave this hacker a job!”

In addition to working in Orange Cyberdefense’s penetration testing team in South Africa, Hughes has also become more involved with the company’s training department.

“It started as part of a personal goal to try and get out of my shell and reinforce what I have learnt, by passing on that knowledge to others,” said Hughes.

“Thanks to this, I have discovered that I love training! It’s a fun challenge to explain technical things in a more digestible way to people who may have zero experience in the field.”

Hughes said he hated all forms of public speaking when he was in school. “Probably something I celebrated not ever having to do again when I dropped out,” he said.

However, he soon learned that working in cyberdefense meant interacting with clients and providing feedback after performing a penetration test.

“Just like I had to lean into that ‘bad guy’ mindset, I realised that working with people was a skill — one that I could find ways to lean into — while navigating my internal struggles.”

Hughes said that getting involved with SensePost’s training department helped him overcome his anxiety about public speaking.

An added bonus to being involved with SensePost’s education division is that he got sent to Las Vegas to deliver one of the company’s training sessions at Defcon and BlackHat.

Hughes has been to BlackHat Vegas twice, which he described as “quite the surreal experience”, and was fortunate enough to attend Defcon this year.

“In the same way I like to pass on knowledge through training, we can also do this by showcasing our research by doing talks at conventions,” he said.

Day in the life of a young South African hacker

Matthew Hughes, lead security analyst at Orange Cyberdefense

Since the SensePost team’s offices are in Pretoria and Hughes lives in Cape Town, Hughes works remotely.

Although their regular workday is 08:00–17:00, he said a perk of working for SensePost is that it can be flexible if need be.

“If I spent my previous night in a rabbit hole trying to exploit a vulnerability, which led to waking up later than usual, I’m able to make up for any time lost by extending my work day into the evening,” he said.

“As long as I do my job, meet my expectations, and most importantly, look after myself in the process, then all is good.”

Asked about a facet of his job that some may find surprising, Hughes said that people may not expect how long the initial reconnaissance in a penetration test takes.

He explained that active and passive reconnaissance was the first step of a penetration test, where they gather information about the target.

“Passive reconnaissance involves collecting data without directly interacting with the target — think of it as researching a person online without them knowing,” said Hughes.

“Active reconnaissance, on the other hand, means actively engaging with the target, like pinging the network or scanning for open ports.”

Hughes said they follow a specific methodology to conduct their tests and, to achieve their goals with an assessment, they need to do things right from the start.

“If it means consuming more time to make sure we fully understand an environment, the better and more information we have to exploit said environment,” he said.

“This may sound a bit bland — and maybe not as exciting as the movies make it seem — but nothing beats the rush of finding a password on a sticky note while you’re walking inside a company building by tailgating somebody.”

Hacking a bank across state lines

Matthew Hughes in Las Vegas with Orange Cyberdefense

This type of reconnaissance can disrupt a typical working day; however, Hughes said collaborating with fellow penetration testers on such projects is essential.

“As an example, a colleague was on a Red Team assessment and they asked me to go to a certain bank’s head office and set up a rogue access point,” he said.

Hughes then had to remain in the parking area until an employee’s phone attempted to connect to the access point, resulting in it sharing its password in a hashed format.

“These are the experiences that make me feel very fortunate for the job I have. Not only do I satiate that devil on my shoulder, but I am directly helping a company maintain a healthy security posture,” he said.

“This indirectly ensures that all those thousands, if not millions, of people who use these services and share their valuable data are also safe.”

Hughes said it was similarly satisfying to get a result after spending hours constructing a phishing campaign to impersonate someone on LinkedIn.

He used the example of tricking them into submitting their company logins to view photos from a recent team-building trip.

Outside the realm of social engineering, he said it was also a rush to discover when a company had incorrectly implemented their password reset functionality, allowing him to take over anyone’s account.

“Being a legal criminal is great! I believe all hackers have some form of curiosity that is bordering on that ‘bad guy’ mindset, but that’s the beauty of what we do,” said Hughes.

“We need to be able to think like the bad guy; we’d only be hindering ourselves if we stayed within the four walls that were built around us.”

.dlrow eht egnahc ew yad yrevE