Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This podcast interview from Miho’s “Make It Happen Online” podcast features Anant Shrivastava discussing his journey from researcher to security professional to trainer, and the transition from offline to online trainings.
Guest Background
Anant Shrivastava: Close to 15 years corporate experience, about 17 years training experience
Living and breathing information security: For about 12 years now
Before that: Server admin, hooked up to geeky stuff Linux since 2000 onwards
Active in community circuits: Ranging from older days of Linux user groups to current scenarios of NULL, Garage for Hackers, OWASP, other initiatives
Equal contributor: In corporate space and community space
Defines self: As researcher, trainer, and infosec professional
Open source projects: Tamer Platform (dedicated around Android security), Code Vigilant (around code-assisted pen testing), Hacking Archives of India (collects anyone and everyone talking about infosec in public spaces)
Teaching and training: For very long time - starting from Linux Administration to nowadays dealing with Android security, web application security, infrastructure security, DevSecOps, supply chain security, niche areas
Trained at: Smaller events like private gatherings, Indian conferences (NULLCon, KOKON), International conferences (Black Hat, DEFCON), bunch of different places
Key Topics Discussed
Journey from Researcher to Security Professional to Trainer:
2000: Introduced to Linux - “cool thing” to do
Initially: Programming was never area of focus - started focusing on admin piece
Microsoft crackdown (2005-7): Gujarat government promoted open source, books changed from Windows to Ubuntu
First company: Server admin, reached bottleneck with offshored night work
2010: Started looking at security - “I know how to configure systems, why not focus on what is in that space?”
Defense is hard, attack is easy: True but controversial statement
First infosec job: SOC and log analysis, then moved into pentesting roles
2017 time frame: Joined NotSoSecure, grew team from first employee to 60-70 people
First Training Experience:
2006-7: Teaching RHCE to class of 20 people with 20 years Unix experience
Key learning: “If don’t know something just say it out, get back to them”
Prerequisites: Very important - don’t teach basics if not target audience
Cracking Conference Trainings:
Trainings is business: Conferences earn money from it
Hands-on preferred: People prefer doing hands-on training over lectures
Finding events: cfptime.org, social media hashtags (#CFT), Google alerts, looking at trainer resumes
Approach conferences: Worst thing is won’t get selected - some conferences started trainings because approached them
Transition from Offline to Online:
Biggest challenge: Companies wanted 4 hours/day instead of full days - employees couldn’t focus with emails/Slack open
Communication tools: GoToMeeting/Zoom crap at chatting - needed Discord/Slack/Teams
Teams as dark horse: Auto-translate feature useful for multilingual trainings
Cultural differences: Asian culture doesn’t want to ask questions publicly
Private channels: Created private channels for individual Q&A with trainers
Gamification: Challenges with dedicated end result goals, scoring system, leaderboards
Five Things for Offline to Online Transition:
Convince people online equals offline quality
Choose right tool for content complexity
Gamify and make engaging
Provide support in multiple ways (personal, group, video)
Keep in touch after session, build accessible community
Support Ratio:
15 people max per support trainer
170-person class had about 10 support staff
Introduce support trainers as equally capable
Siphonoid Research:
Research-powered training company
Courses: Attacking Android Applications, Breaking and Fixing Real Web Applications
Research areas: Decentralized web, supply chain security, DevSecOps
Key Insights:
Journey: Linux (2000) → Server Admin → Security (2010) → Trainer/Team Lead (2015-2021)
Defense is hard, attack is easy
First training was “ragging session” with 20-year Unix veterans
Prerequisites are crucial - don’t teach basics if not target audience
Trainings is business - conferences earn money from it
Multiple ways to find training opportunities: cfptime.org, social media hashtags, Google alerts, looking at trainer resumes
Ask conferences - worst thing is won’t get selected
Support ratio: 15 people max per support trainer
Biggest challenge moving online: companies wanted 4 hours/day instead of full days
Teams has auto-translate feature - useful for multilingual trainings
Different cultures have different expectations about asking questions
Gamification important for online trainings
Siphonoid: Research-powered training company
Actionable Takeaways:
Don’t idolize people - everyone has own journey
Be open saying “I don’t know” - but then figure it out
Prerequisites are crucial for trainings
Trainings is business - understand market space
Multiple ways to find training opportunities
Ask conferences - worst is won’t get selected
Support ratio: 15 people max per support trainer
Full days better than 4 hours/day for online trainings
Teams has auto-translate - useful for multilingual