To kick off my new series, Cyber Chat, I had the pleasure of sitting down this past week with Harrison Richardson - better known in the cybersecurity world as rs0n.
If you haven’t stumbled across his Bug Bounty YouTube videos or Live Streams yet, you’re missing out. Harrison is a seasoned Cybersecurity Professional, expert Application Security Engineer, and skilled Bug Bounty Hunter.
We talked everything from his career journey to advice for aspiring professionals, his current projects, and what’s next for him.
Here’s my conversation with rs0n.
Who are you and what do you do?
My name is Harrison Richardson, but I also go by rs0n. I've been working in cybersecurity for well over 10 years now.
I've done all types of different things - worked in the military, worked in the civilian world, startups, and most recently I've started a company called Ars0n Security where we focus on services, research and education.
We focus specifically around helping SaaS companies find and resolve vulnerabilities in their web applications and cloud infrastructure. On top of that, we provide services to help educate teams on how to make sure that those vulnerabilities are not introduced into their environment in the future.
How did you end up in the Cybersecurity Industry initially?
Well, I was working in the restaurant industry at first, but then I decided I wanted to join the Army. And when you join the Army, they make you take an aptitude test. I did fairly well on it, so they gave me a few different options.
I ended up going into a technology field and was given the opportunity to specialize in cybersecurity if I was able to pass the CompTIA Security Plus certification - which I passed.
That shaped my military career from there.
I was a high school dropout, didn't really know what direction I wanted to go in my life, and when somebody brought up cybersecurity and the idea of being the person that would stop some little hacker that's sitting in their mom's basement - I really liked the idea of that. I've always liked the idea of that.
That’s what kind of drew me to it. And I dove in headfirst.
[Ryan]: That’s very much like me too - I jumped in initially because I liked the idea of fighting against the bad guys.
Yeah, it gives a purpose right?
I think it's pretty common in our generation - people aren't as interested in just working for the sake of working anymore.
Certainly there's pride in doing a good day's work, but I think people want to know that the work that they're doing has a purpose, that they're making an impact in the world.
I personally feel that with my job, and hopefully you do too.
What does your day-to-day look like?
Ars0n Security is something that I started in my free time as an additional source of income. With inflation and everything going on over the past few years, I wanted to make sure that I was taken care of.
Throughout the day, I work on what I need to do with my day job. Then I focus on my business in the evenings and on the weekends.
But generally during the week, after I finish up my work for my day job, I’ll have dinner with my family, walk the dog, and then I usually have about three to four hours set aside to do whatever I need to get done.
Typically it'll be a lot of penetration testing or writing a report. Occasionally I'll have meetings, although I typically try to schedule those on the weekend - which is something I share with my clients up front.
I typically help very, very small companies - LLCs that just have one or two people, that typically would be overlooked by the major cybersecurity companies - and I'm able to provide them with a very reasonable cost because I don't have any overhead.
I’m trying to create a win-win scenario for everybody and it seems to have worked out so far.
What does your tech-stack look like?
I have a few micro-SaaS tools that I pay for that allow me to automate a lot of processes that I would usually need to hire somebody for - think G Suite, Shopify, and Canva.
There’s not a huge need to hire out anymore - for better or worse, all these AI apps and tools make many things so easy these days.
The machine that I use is a Windows machine, and I use VirtualBox and Kali Linux to do the majority of my testing.
I use an isolated sandboxed virtual machine for every engagement that I do - all the data never leaves that sandbox. It’s retained for the retention period that is agreed upon before the test, and then after that, it’s destroyed.
I use Burp Suite to conduct a majority of my testing.
I also have a bug bounty hunting framework that can also help enumerate the attack surface. That has a lot of custom scripts, but depending on the engagement, I'll use any open source tools or anything else I would need to provide them the best service.
Tell us more about the current state of your Framework, and the future
The framework started when I was writing a bunch of scripts to help myself do bug bounty hunting.
Eventually, I built a front end and tied it to a database. It just came about from needing to automate different problems to try and go quicker.
So when I started doing YouTube videos, which is something that I always wanted to do, I got so many comments from people asking what that tool was that I decided to package it together in a deliverable product.
I set it up exactly the way I use it as opposed to how software is typically delivered these days, and it was very well received.
But Version 1 of the tool had some issues.
MongoDB had really strict processor requirements. Plus, with about 40-50 different open source tools packaged up, it’s very difficult to make a system that can run on any platform. If any of those change, it can cause inconsistencies.
I’ve been working on Version 2 for over a year now, and I’m hoping to have that Beta go live at DEF CON 2025.
The purpose for the tool has shifted over time, and now I have a clear vision of what I want to create.
The goal is that somebody can pick up my framework and start conducting bug bounty hunting right away, no experience needed. The tool itself is entirely dockerized, with each tool running in its own Docker container as well. I’ve built out a React front end and switched the backend from Python to Go.
Essentially, it'll run on any system as long as the processor supports it.
I’ve also created detailed lessons and instructions that help you learn as you go.
It automates all of the processes of building out and scanning for the attack surface, to identifying attack vectors. All those things that are really difficult for beginners to do or people that don't really know where to start - the framework will automate it for you.
My goal is for this to be the go-to software for people who want to learn bug bounties, but also to include features that will support much more experienced developers.
There’s an automation mode that’ll run the entire methodology from start to finish.
But there’s also a hybrid mode that will allow you to pick pivotal movements based on the information found, what specific web server to target, or what type of testing to use. That may all be a little further down the road though.
I also want to be clear - I don’t care if people make a lot of money using this tool. Yes, you can - there is going to be a fully documented API which you can use to build it however you want. If you want to build that into something that makes a ton of money, then great.
But the purpose of this tool is if someone wants to learn bug bounties. I want to eliminate as much friction to getting started and learning those skills as possible.
Tell us about the process of being a solopreneur and your main takeaways from your experiences
Anybody can do it.
If there's one takeaway to anyone reading - if you want to start your own company and you think, “Oh no, because I'd have to hire people and spend all this money” - you don't need to.
Sure, when you're starting, it's going to be a grind. There's going to be a lot of early mornings. There's going to be a lot of late nights. There's going to be a lot of doing tedious things. You are going to have to learn a lot of stuff. There's going to be a lot of fear and anxiety.
But that's natural for anybody.
An $11 a month Canva account gets you everything you need to build professional looking images and thumbnails.
I use Camtasia - they now have AI built in that helps you edit videos.
It’s nothing complicated. It's really just a matter of doing it.
When you start out, it’s all about trust in yourself. Because it's you, you are every step, and you’re taking a step into the dark not knowing if it’s going to work or not.
But you have to trust yourself.
You’re going to fail… a lot. I’ve failed over and over and over again. And I’m going to continue to fail over and over and over again.
But take those moments and celebrate. Learn from them, adjust, and just keep going - eventually it all comes together.
[Ryan]: I think that’s an important sentiment. You hear a lot of stories these days about entrepreneurs or SaaS founders making it big, but what they don’t always tell you is that it wasn’t their first venture - they had to start over, pivot, iterate. But in order to do that, you need to show up every day.
The tech industry is the shiny example that it doesn’t matter if you fail, you’re typically going to fail upwards.
Take the lessons, recognize your mistakes, and adjust. Then go for it again.
What advice do you have for beginners or aspiring Cybersecurity professionals?
All the information is out there and it's all free.
If anybody tells you, “Go and do this, we're going to guarantee you a job” - don’t believe it.
There are so many people trying to sell aspiring cybersecurity professionals something because it's so popular right now, but you really don't have to pay for anything to learn.
But with that said, getting into cybersecurity today is very difficult. There's a lot of people competing with you, so you have to find ways to be creative and set yourself apart.
If you're doing the same things that everybody else is, it's going to be really, really difficult to catch somebody's attention. The reality is, there are thousands of people applying for these roles.
You're going to have to learn some basic coding or scripting. Start a GitHub - GitHub is your resume.
You need to build projects, find ways to demonstrate that you can solve real problems, that you can operationalize the “cool” security technology.
This is a big thing that a lot of people miss.
Everybody loves technology. Everybody loves to be able to build something fancy. But you need to be able to find a way to operationalize that within a business in a way that works into the processes of different stakeholders.
There's so much more that goes into it outside of the technology - but I feel like everybody just wants to learn how to hack and everything.
Cybersecurity is so much more - it's just as much marketing. It's just as much sales. It's just as much soft skills.
All this is so, so important. If you're getting into cybersecurity, make sure that you're developing those other skills in addition to your technical skills, because they can be what sets you apart.
For those looking to specifically get into application security, it’s also important to note that the landscape is shifting. The expectation is that application security is going to include cloud security and AI security as well.
If you look at AWS, services like API Gateway and AWS Cognito are great examples. People treat them like infrastructure, but they're really just web application architecture managed through the AWS GUI.
That's something that I think a lot of people are missing right now.
You have application security engineers that are saying, “That's infrastructure, that's cloud, I don't need to manage that.” Then you have cloud engineers saying, “That's HTTP based, that's all application, so I don't know about that.”
I'm also starting to notice a gap in coverage along with AI integrations - applications are just becoming API calls between little AI systems.
Whether you're looking to get into the industry or already working in the industry - that's something to be cognizant of.
What does the future look like for rs0n?
The company that I'm working at right now, my day job, is fantastic. I'm really happy, so I'll certainly do this for quite a while.
In my free time, I'm focusing on building everything up.
So as opposed to providing just services, I'm focusing more on building the framework now, building up the infrastructure and everything so that when I do eventually get ready to make my next move, I'll have everything prepared.
But I definitely want to own my own company eventually. I don’t know what that looks like quite yet, but I've got a few different ideas. Part of me wants to kind of lean into a nonprofit and focus on building out the cybersecurity industry, and part of me wants to build a company.
I certainly want to build products, I want to build software that solves problems, and I want to do it the right way.
I want to build a company that's not profit driven. That doesn't mean that it's not profit motivated, but that's not the top priority. I want to build a company where the top priority is building something that will last, that will give everybody that's working there a really great life and to build that up for the awesome engineers that I've met throughout my career.
Where can we find you?
YouTube | Twitch | GitHub | LinkedIn
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!