On this episode of CYBR.HAK.CAST, Tim Medin joins hosts Michael Farnum and Phillip Wylie to talk about offensive security, the evolution of penetration testing, and why defenders need to stop relying solely on compliance checklists and start thinking like attackers. Along the way, the crew swaps war stories about old-school hacker culture, Dallas conference history, and why cybersecurity still misses the basics despite years of progress.
SHOW NOTES:
Things Mentioned:
- Red Siege: https://redsiege.com/
- Upcoming CYBR.SEC.Community events: https://www.cybrsecmedia.com/conference/
- CYBR.SEC.Careers: https://www.linkedin.com/company/cybr-sec-careers/about/
Episode 13 Timestamps:
00:00 – Welcome and CYBR.HAK.CON. hype
Michael Farnum and Phillip Wylie open the show, joke about football rivalries, and discuss the upcoming CYBR.HAK.CON. conference in Dallas. Tim Medin joins the conversation and talks about why Dallas has long needed a larger hacker-focused event.
07:10 – Cybersecurity community and workforce development
The hosts discuss the mission behind CYBR.SEC.Careers and their nonprofit work supporting youth and veterans entering cybersecurity through mentorship, education, and community programs.
10:15 – CYBR.HAK.CON. speakers, villages, and AI CTFs
Phillip and Michael preview the conference lineup, including Jason Haddix, Dustin “Wirefall” Dykes, and Larcy Robertson. They also discuss the AI Village, lockpicking, ham radio activities, and an AI-focused capture-the-flag challenge.
14:45 – Tim Medin’s origin story
Tim shares how hacking curiosity started with bypassing school computer restrictions to play Wolfenstein in the early 1990s. He talks through his path from electrical engineering and OT systems into networking, penetration testing, and eventually founding Red Siege.
24:30 – Accuvant, FishNet, and merger chaos
The group laughs about the infamous Accuvant/FishNet rivalry and the awkward branding chaos that followed their merger into Optiv. The discussion turns into a nostalgic look at old-school security culture and industry evolution.
34:00 – “Offense for Defense” and the problem with checkbox security
Tim explains the philosophy behind his CYBR.HAK.CON. talk, focused on teaching defenders how attackers actually operate. He discusses tools like BloodHound and PingCastle and argues that many organizations still miss foundational weaknesses because they focus too heavily on compliance instead of attacker behavior.
44:20 – Why “assume breach” changes penetration testing
The conversation shifts into modern penetration testing methodology, including assumed breach scenarios where testers start with stolen credentials or internal access instead of trying to break in from scratch. The hosts explain why this more accurately reflects how real-world attackers operate today.
57:00 – Security culture, budgets, and uncomfortable truths
The group discusses how some organizations intentionally avoid testing systems they know are vulnerable because they fear accountability more than compromise. Tim argues that security culture failures often become more dangerous than technical weaknesses.
Do you have a question for the hosts? Reach out to us at media@cscgroupllc.com
In this episode:
- Host: Michael Farnum
- Host: Phillip Wylie
- Guest: Tim Medin
- Production and editing: Lauren Andrus
- Music by: August Honey
