
Hi, I’m Sam!
Developer
and web security enthusiast.
Practical web application security for developers.
Pentesting workflows and security methodology.
My skills
Web pentesting
I use Burp Suite Pro and my knowledge of the OWASP Top 10 to test applications for vulnerabilities.
Part-time bug hunting has taught me how to map an attack surface and professionally report findings.
Security Champion
I manually test for security vulnerabilities early in the SDLC, create threat models, run Fortify scans, and keep myself educated.
Quality Engineer
I test the functionality, accessibility, and performance of applications. I write automated tests using Playwright.
Developer
I fix bugs, write production code in TypeScript, and lead my own projects. I give knowledge transfer sessions and work closely with my scrum team.
Biography
I specialize in developing and testing agentic applications at ServiceNow. With experience as both a QE and Developer, I have a unique perspective that allows me to write quality code. As my team’s Security Champion, my role also includes incorporating security best practices early in the pipeline.
With a focus on web application security, I continually study real-world vulnerabilities and testing techniques. On the side, I bug hunt and share what I learn through detailed blog posts.
Blog
- I failed my first attempt at the Burp Suite Certified Practitioner Exam (BSCP). It definitely hurt and was a blow to my ego, especially after having studied so much for months on end. For those who don’t know, the BSCP is an exam based on PortSwigger’s Web Security Academy training. It’s 100% practical and tests
- With the rise in popularity of bug bounty hunting, there have been a lot of great tools developed. ProjectDiscovery’s suite of tools and contributions made by Tomnomnom certainly come to mind. With the number of tools, however, comes the complexity of managing them: keeping them up to date, making sure dependencies are installed, keeping your bounty
- Before you start bug hunting on a new program, you need to feed the right assets to the right tools for automated recon. Sorting through the scope and getting your environment set up is a tedious (and delicate) process. No one should want to do this manually, especially since manual sorting can lead to mistakes. And
Get updates
The latest on how you can apply your developer knowledge to web pentesting.