Some of the most talented hackers lead surprisingly ordinary lives. Behind their keyboards, they may be hunting on well-known systems and discovering critical vulnerabilities you’ve never heard of, but in their day to day, they’re simply your colleague or friend. P3t3r_R4bb1t, or Francois Gaudreault, exemplifies this duality—he’s a Senior Manager in Risk Management by day and a skilled (part-time) hacker by night.
The everyday life of P3t3r_R4bb1t
P3t3r_R4bb1t has hacked for seven years, and it has become an integral part of his conventional lifestyle.
“Outside of hacking, I’m a very normal citizen to be honest, and I like it that way! I do normal stuff like go to the grocery store, mow the lawn, plow the driveway, etc.,” he says. “When I travel for work or visit public places, no one has any idea what kind of talent I have.”
This low-key existence seems to suit him well, though he can’t resist offering a warning: “Friendly advice, never ever leave a laptop unattended near anyone. You never really know who is beside or behind you!” As his case demonstrates, sometimes, it’s the most normal-appearing citizens who secretly have the greatest talents.
Like many in the field, P3t3r_R4bb1t’s journey began with a natural inclination toward testing boundaries.
“I probably fell in a bucket of magic potion when I was younger. I always had this tendency to break things, not obey rules, and be very curious,” he explains. “My main origin story involves a group of high school friends. We spent some nights wardrivi— … sorry, performing very accurate ‘weather measurements’ (that was our escape line).”
He credits his initial interest to popular hacking films, noting, “I always suspected the final spark came from one of those hacking movies, not sure which one, but this must be it.”
A generalist asking the fun questions
When asked about his specialty, P3t3r_R4bb1t describes himself as “a very decent generalist” with an intuitive talent for spotting unique vulnerabilities.
“I do, however, have a special intuition to detect weird bugs just by looking at web applications,” he claims. “If you were in my head, you’d hear stuff like, ‘This thing is so confusing. It must be broken,’ ‘No way I can’t get this product for free,’ or my favorite, ‘Admin can’t be the highest privilege.’”
When it comes to tooling, P3t3r_R4bb1t keeps it simple and straightforward.
“Outside of masscan, which I naturally discovered when I didn’t want to spend 3 hours in the middle of the night in a data center performing PCI DSS segmentation testing with Nmap, Burp is the only tool I need. Perhaps I’ll include Caido once the platform grows in functionality,” he claims boldly. “Everything else is pointless.”
Pushing past what lies in front of him has served him well in his successful bug bounty career, which he began in 2018.
Red teaming: It’s as exciting as you imagine
Beyond hacking, P3t3r_R4bb1t occasionally engages in red team operations, which he describes as fundamentally different from standard penetration testing.
“Covert operations are the difference. Do not get caught (and as a second rule of engagement, do not break anything),” he emphasizes. “The techniques and the required skill sets are also different. You can’t just go into a red team engagement and use Nuclei! You must know your paths; be creative and be much sneakier.”
He notes that red team engagements are typically more extensive than conventional penetration testing: “Typically, a conventional penetration testing engagement would last between say 4 to 8 days (excluding the reporting). Red team engagements can span over multiple months and require a completely different approach and techniques.”
The intensity and complexity of these operations create unique challenges. “Some engagements may even require planning, just like the real army thing. The blue team is authorized to kick you out, you have the EDR to evade, and all countermeasures are active, so it’s obviously normal to take slightly longer to hit targets,” he explains.
A “Mini-CISO”
In addition to hacking part-time, P3t3r_R4bb1t serves as a Business Information Security Officer (BISO) in his professional career.
“The industry usually jokes about that role, saying a BISO is a ‘Wannabe CISO,’ or more accurately, a ‘Mini-CISO.’ The second term is about right,” he says.
When communicating the magnitude of security concerns to business leaders, he emphasizes pragmatism over fearmongering if you want to be heard: “The key here is to sharpen your communication style and really focus on the real and measurable risks. No fluff, no exaggeration—just the common sense impact.”
He criticizes security professionals who rely on exaggeration to get their points across: “I’ve seen too many people trying to explain situations that were not even tied to business processes or exaggerating the monetary impacts just to add FUD (fear, uncertainty and doubt) and justify their egos.”
Instead, he advises, “Know your machine (the company you work for) and the environment (the industry) your machine is involved in. Take the time to really understand what could make the machine break. Do this, and you’ll be in a much better position to succeed.”
The AI tradeoff
When it comes to the impact of artificial intelligence (AI) in cybersecurity, P3t3r_R4bb1t sees both opportunities and challenges.
“AI, or in my definition, a layer of SaaS software to overlay a machine learning model, will change a couple of things in the industry,” he believes. “One of them is speed. I’m not the best at coding, but with AI, it takes me only minutes to build a fully working Python script. It just makes people more agile.”
Nevertheless, he acknowledges the double-edged nature of this advancement: “The other thing is removing the barrier to entry, which may or may not be a good thing, depending on the angle from which you look at it. It’s great for more junior analysts who need a bump, but it’s less great for old-timers, since all of our accumulated experience is becoming less important in delivering results.”
No pressure
For those considering hacking as a career path, P3t3r_R4bb1t offers a relaxed perspective on balancing the pressure.
“I simply avoid doing bug bounty full time. Instead, I treat this activity as an extra hobby and not guaranteed variable income, just like having a side startup ‘to compensate,’” he explains. “Less stress, lower risk of burnout. People are putting a lot of pressure on themselves.”
This approach allows him to enjoy both his conventional career and hacking without sacrificing his mental health—a balance that many struggle to achieve.
As for what’s next? Simple: “Finding a new job.” Even successful hackers continually seek new opportunities. Let this be encouragement for you to take a chance