About Andy

Andy is a hacker(ハッカー) at heart, an adversarial architect, an offensive security leader, an engineer and a consultant who has always been interested in taking things apart and sometimes even putting them together again (in fact, he spent a good few years in computer repair and data recovery).

In his day job, Andy Gill is a security consultant who focuses on offensive security; as of 2024, he has been in the security industry for over 14 years! He is passionate about offensive security and specialises in red teaming and simulated attacks. He strives to further defensive technologies to assist clients with technological and strategic issues.

In recent years, he has focused more on contextualising risk and findings from pentests and similar engagements to help clients prioritise remediations, with a greater focus on cloud technologies such as Microsoft Azure.

With a hunger for knowledge and a desire to pay it forward, Andy actively helps grow the community by mentoring and educating the masses on security awareness, paired with his excellent consultancy skills.

Accolades

Andy has previously held CREST’s CCT Infrastructure certification, which is highly sought-after; he has also previously held CHECK Team Leader status. He is also a Certified Red Team Operator. He is working towards attaining several Microsoft Azure cloud certifications to bolster his achievements and accolades.

To back up his years in the industry, he holds several other certifications and accolades, including OSCP and OSWP.

Coupled with his day job, Andy also participates in bug bounty programs, having reported bugs to over a hundred vendors, including high-profile targets such as the US Dept. of Defense, MindGeek, Facebook and Oracle.

He has also published two books aimed at those looking to get into security, and both follow along different areas showing paths and areas to look at. They can be purchased on both Amazon and Leanpub:

• Breaking Into Information Security: Learning The Ropes 101 - Amazon |Leanpub
• Expanding Your Security Horizons: Learning The Ropes 102 - Amazon | Leanpub

Passing on Knowledge

For those that don't know Andy, he is a firm believer in passing knowledge on and supporting the infosec community. He does this by providing tutorials on his blog (/), and running his local DEF CON Chapter. He also helps out at DEF CON as a SOC Goon (Red Shirt) each year (since DC25), assisting the SOC with operations and people flow.

Both his book and blog have won awards:

• UnsungSecHeroes 2021 - Best Cyber Writer
• EU Cyber Security Bloggers Award 2020 - Best Personal Security Blog

He can be found on most internet mediums as @ZephrFish and is always happy to help folks if they have questions. DMs are open on Twitter.

Podcasts

Aside from the blog and book, Andy has started a podcast with one of his good friends, who is learning the ropes.

Dave & Andy's WeegieCast [NSFW]

• About Page
• WeegieCast is on most major podcast platforms and is updated mostly monthly or every other month. If you are interested, here are our platforms.

Other Podcast Guest Spots

• CodeCraftCast Episode 2. Pentesting
• Human Factor Security- Ep 101: Andy Gill
• Offensive Security Podcast EP08 - Andy Gill
• TMHC Podcast 102: Go Do Crime: Andy Gill

YouTube Videos

Alongside this blog, his book and other platforms, he also has a YouTube channel that discusses and teaches an overview of different security topics.

Technical Talks

Below is a list of all the recorded public talks that Andy has delivered; as a prewarning, most, if not all, are not safe for work!

🎤 Talks:

2024

• SecuriTay 2024. - Measure Twice, Cut Once - The Importance of Lab-ing out Attack Paths

2023

• SecuriTay 2023. - Demonstrating Actionable Value, Why the Business Hates Pentesters
• Steelcon 2023. - Adversaries Have It Easy. Live FAFO Pwning A Network
• BSides Leeds 2023. - Pentests: The Jason Bourne Approach Turning Regular Biros Into Weapons

2022

• G3C 2022 - Bridging Your Horizons - So What?
• Steelcon 2022 - Paving The Way To DA – A Live(Hopefully) Path of Pwnage
• SecuriTay X 2022 - Accidental Insider Threats - HoneyPoC Part 2

2021

• BSides London 2021 - F*** Around Get Found Out - Disinformation As A Service

2020

• SecuriTay 2020. - So You want to learn Red Teaming
• DC44141 April 2020. - So You Want To Learn Red Teaming
• TUDublin HackerSoc. Red Team Talk
• CRESTCon 2020. Nijūshiho - A Year Targeting Nippon

2019

• BSides Leeds 2019. Hacking Companies For Internet Glory While Not Dying In A Sarlacc Pit
• Steelcon 2019. Hunting Sh*t Up - "Red Team" with a Bug Hunter's Mindset
• Steelcon 2019. PwnShop LollyPop - Workshop
• G3C Glasgow 2019. Sniffing Routes to Pwnage - An Introduction to Bloodhound
• Cyber Careers Summit 2019. Learning To Test Pens 101

2018

• Leanpub.com. Leanpub Interview - LTR101
• BSides Leeds 2018. Hacker of All Trades: Master of None
• BSides Glasgow 2018. Internet of Death: Modern Murder
• Steelcon 2018. Breaking Into Information Security: Learning The Ropes 101

Additional Talks were not recorded, sadly :(

• Hack in the Box: Haxpo 2015, All Your Hostnames Are Belong To Us (Slides)
• BSides London 2018. Learning The Ropes 101 - Was not recorded :(
• Cyber RE:Coded. A ***cking Introduction to Offensive Security - Was not recorded
• GCU Ethical Hacking Society. A Day in the Life of a Pentester - Was not recorded
• Abertay Ethical Hacking Society Oct 2019. A ***cking Offensive Introduction to Security - What The F**k is pentesting - Was not recorded
• BSides Leeds 2020. - GoTtA gO fAsT - Zoom Zoom Hax - Was not recorded

Security Research

Andy also participates in bug bounties and security research; the links below show his public profiles and published research.

• CVE‑2020‑5980
  - Write Up
• CVE-2017-3528
  - Link to Exploit
• HackerOne Profile
• BugCrowd Profile
• HoneyPoC - A research experiment as to why you should not run random binaries on the net!

In The Media

Andy is frequently involved in helping educate and encourage people to learn the arts and has been featured in several media articles, some of which are below.

2022

• 'Sliver' Emerges as Cobalt Strike Alternative for Malicious C2
• Iran-linked Cobalt Mirage extracts money, info from US orgs
• SC Magazine
• FBI: Business Email Compromise attacks led to more than $43 billion in losses since 2016

2021

• GCU Newsletter - Security Serious Unsung Heroes Awards 2021

2020

• ABERTAY SET TO HOST EUROPE’S LARGEST STUDENT CYBERSECURITY CONFERENCE
• Infosecurity Magazine - Life Of: A Pen Test Report Writer

2019

• CafePress Breach - Andy Gill Quoted in Forbes
• Google Chrome 76 Dangers - Quoted in Forbes
• DoxDirect Feature
• Portswigger Daily Swig Feature 2019
• STV Scam Awareness & Phishing
• Blog Your Passion Feature
• BBC News Car Alarm Hacking & BBC Click Gone In Six Seconds

2018

• BBC Clickmas Xmas Special 2018
• Inside Cyber Issue 3 - My Journey Into Cyber
• How To Minimise Cybercrime - Telegraph Feature
• Speaking to Scottish Gov About Cyber Security
• Cyber Security Challenge Feature 2018
• Portswigger Daily Swig Feature 2018
• CSC Careers Blog 2016
• DEF CON Coverage on BBC Click

Non-Technical Things

However, aside from all the technical goodness, his life isn't wholly spent behind a terminal as he also enjoys training martial arts; holding a 1st Dan black belt in Karate with over nineteen years of experience, during which he has fought and competed at full contact level with an amateur record of 1 win, 1 loss and 2 draws.

People must escape from the keyboard with the work of pentesting or any home-based security role!

Andy is also a keen photographer who loves getting out and about and taking pics of all sorts.

If you would like to see my photos, I have a photos blog, https://photos.zsec.uk

Internet Self

If you're interested in Andy Gill's other work, feel free to reach out on Twitter (it is the best place to get me, usually, and my DMs are open).

• Github
• Twitter
• LTR101 Book
• LTR102 Book