
Hi, I’m Sam!
Developer
and web security enthusiast.
Practical web application security for developers.
Pentesting workflows and security methodology.
My skills
Web pentesting
I use Burp Suite Pro and my knowledge of the OWASP Top 10 vulnerabilities to test applications for security flaws.
Part-time bug hunting has taught me how to map an attack surface and professionally report findings.
Security Champion
I manually test for security vulnerabilities early in the SDLC, create threat models, run Fortify scans, and keep myself educated.
Quality Engineer
I test the functionality, accessibility, and performance of applications. I write automated tests using Playwright.
Developer
I fix bugs, write production code in TypeScript, and lead my own projects. I give knowledge transfer sessions and work closely with my scrum team.
Biography
I specialize in developing and testing agentic applications at ServiceNow. With experience as both a QE and Developer, I have a unique perspective that allows me to write quality code. As my team’s Security Champion, my role also includes incorporating security best practices early in the pipeline.
With a focus on web application security, I continually study real-world vulnerabilities and testing techniques. On the side, I bug hunt and share what I learn through detailed blog posts.
Blog
- With the rise in popularity of bug bounty hunting, there’s been a lot of great tools developed. ProjectDiscovery‘s suite of tools and contributions made by Tomnomnom certainly come to mind. With the amount of tools, however, comes the complexity of managing them: keeping them up to date, making sure dependencies are installed, keeping your bounty
- Before you start bug hunting on a new program, you need to feed the right assets to the right tools for automated recon. Sorting through the scope and getting your environment set up is a tedious (and delicate) process. No one should want to do this manually. Especially since manual sorting can lead to mistakes. And
- When I first started out bug hunting, I was decent at recon and had a sense for what targets I wanted to go after. But once I got to exploring the target, I didn’t have a set methodology. I just wandered around on the site until something caught my eye in Burp. Without a structured
Get updates
The latest on how you can leverage your developer knowledge for applied web pentesting.