Expert Q&A: Anormalix on Hacking Tutorials, Pentesting, and More 

Today, we’re sitting down with Anormalix to discuss the importance of higher education for breaking into cybersecurity and ethical hacking. We’ll also explore the potential dangers of sharing hacking tutorials online, and how the benefits of accessible information ultimately outweigh the risks.  

A few words about Anormalix 

Anormalix is the creator behind popular cybersecurity channels on YouTube and TikTok where he teaches hacking and cybersecurity topics in Spanish, helping people get better at ethical hacking. 

His channels have racked up over 250k subscribers from his mix of complete, hour-long ethical hacking tutorial videos as well as quick tips and hacks on everything, from reversing to prompt engineering. If you understand Spanish, definitely check out his huge library of videos on these topics. 

Outside of being an influencer, Anormalix is a cybersecurity specialist with over 5 years of experience under his belt. He previously worked as a Specialized Services Analyst at SecureSoft, where he handled vulnerability management and analysis. These days, he’s an ethical hacker at Deloitte & Touche, carrying out penetration tests for clients in finance, education, energy, and more. 

As an offensive security specialist, he has conducted pen tests on web applications, mobile applications on iOS and Android, Wi-Fi networks, and many other systems, and holds the eWPT, eJPT, Qualys, Az900, CEH Master, CPTE, ISO 27001 Auditor, and Lead Professional in Cybersecurity certifications. 

In a world where cyber threats are constantly evolving, the demand for skilled ethical hackers has never been higher. We asked Anormalix about his journey into the industry and the challenges he faced along the way. 

On breaking into the industry 

You’ve taken all sorts of courses — from major certifications to smaller ones. Were there any standout platforms that really worked for you, or any that fell short and why? 

Anormalix: I’d put Udemy, YouTube, and INE at the top of my list. These have a ton of really good content.  

For total beginners, YouTube is perfect for grasping the basics and finding interesting entry-level courses. Not to mention all the helpful walkthroughs for HackTheBox and TryHackMe machines. Then there’s Udemy with its huge variety of courses at pretty affordable prices — you can find some great instructors who are true professionals in the field. 

As for INE, that’s ideal for more experienced learners. The big plus is you get access to testing environments and prep for their certifications. 

On the flip side, I didn’t have great experiences with platforms like Platzi, Openwebinars or Backtrack Academy – mainly because their hacking content felt limited for what they charge. Backtrack in particular was disappointing since their courses are over 10 years old and they don’t seem to update or support them anymore. 

For someone trying to break into cybersecurity but with limited time and resources, what would be the top must-have certifications you’d recommend they focus on first?  

Anormalix: More than anything, you absolutely need to have a passion for computers, an insatiably curious mindset, and the ability to think really creatively outside the box. The technical skills can be learned over time. But what really makes a hacker is that relentless quest for knowledge and unconventional way of approaching problems. 

As for certifications, I’d say the eJPT, CEH, eWPT and OSCP are among the most essential to aim for. Those tend to carry a lot of weight in the industry. 

It feels like one could get most of the core cybersecurity skills through self-study, but when it comes to actually getting hired, how essential was getting a traditional degree? 

Anormalix: I don’t think a formal degree is absolutely essential for cybersecurity, but it definitely helps a ton. Even today, companies over here still place a lot of weight on having a professional degree. While you can demonstrate your knowledge through certifications and company exams, having that degree gives you a better shot at higher salaries and more advanced roles. I’m speaking from experience — at my current job, you need a professional degree to qualify for any management position. 

The fact that I’m currently pursuing a cybersecurity master’s at VIU kind of reinforces how much degrees still matter in this field. I’ve seen the value it carries firsthand. 

So while learning solely from YouTube might limit some hiring options, that’s not to say there aren’t a ton of really great hacking tutorials on YouTube, including some you can find on Anormalix’s channel. Let’s discuss that.


On the YouTube journey (and risks of hacking tutorials) 

You’re running a YouTube channel called Anormalix. Is there an interesting story behind that name? 

Anormalix: Yeah, the story behind the name is actually pretty simple and kind of funny. A few years back, there was this trend of adding an “x” to the end of words, because of something called “Amixers” that was popular here in Peru but not really seen in a positive light. 

My nephew and I used to jokingly insult each other with words like “animal”, and he started tacking on that “x” at the end. But for words ending in consonants, he couldn’t do that, so he started saying stuff like “anormalix”, “animalix”. When I created my channel, I was stumped on a name, so I just went with Anormalix. 

The original channel was actually called “Abnormalix” over 10 years ago, before this second “Abnormalix” channel since YouTube ended up shutting down that first one. 

YouTube videos can become a vehicle to share hacking techniques and tools — and propagate malware. We asked Anormalix if cybersecurity content can be misused, even if the intent is to teach ethical hacking. 

Many YouTube tutorials — including yours — teach ethical hacking. But someone can take those same skills and apply them illegally. It’s a double-edged sword — do you worry that your content can help the bad guys? 

Anormalix: I had some initial hesitation about that, sure. But just like there are courses teaching gun usage that could be misused by people with evil intentions, a couple years ago I realized the only way to effectively train ethical hackers is by teaching the same tactics and methods unethical hackers employ. Ultimately, the key difference between “the good guys” and “the bad guys” is simply how they choose to apply that knowledge. 

There is no way to get into pentesting specifically without some kind of hacking experience. And it’s better to learn hacking from someone who knows where to put the guardrails and reminds you to stay within ethical boundaries. Which brings us to our next question. 

On pen testing 

The global penetration testing market size is expected to reach USD 3.9 billion by 2029. As companies become increasingly aware of their cybersecurity vulnerabilities, the demand for skilled pentesters continues to grow. We asked Anormalix about his experiences working as a pentester across various industries. 

Out of the various sectors you’ve done pentesting for — finance, education, energy, and others — is there one that stands out as particularly challenging?  

Anormalix: I’d say the financial sector tends to be among the more challenging. They’re more likely to have robust security controls and protocols in place, as well as up-to-date software and systems. Plus, they usually have bigger budgets to invest in serious security measures. 

So pentests in finance end up being more complicated. But that’s also what makes them really engaging and interesting as a hacker. If you do manage to find a vulnerability, it’s probably a sophisticated one that hasn’t been widely published or known about for a while. Cracking those types of systems is just more difficult but also more rewarding. 

Are AI and automation changing the field of offensive security and how do you think it will evolve, especially for people working as red teamers on a daily basis? 

Anormalix: For sure, AI and automation are definitely having an impact on the offensive security field. There are already a lot of tools leveraging AI to make pentesting tasks easier and faster. I think we’ll reach a point where AI can handle most of the activities that are currently done manually. 

However, that doesn’t mean humans will be completely replaced. Even as automation becomes more predominant, there will still be a need for human teams to handle certain tasks – like physical social engineering, managing the AI-driven tests, and overseeing projects to ensure all defined objectives are met. 

Some tests just won’t be conducive to full AI automation, especially those related to specific business rules and application functionalities spelled out in client guidelines. We’ll still need skilled professionals to verify the accuracy of the AI’s actions, assess risk levels based on factors like CVSS scores or a company’s risk matrices, and validate that identified vulnerabilities are legitimate. 

The machine learning and AI world is super fascinating, but I believe there will always be a crucial role for experienced human pentesters to really maximize the potential of these technologies. 

So human pentesters are not being replaced just yet?  

Anormalix: No, and I think the demand for pentesters will only increase.

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search, and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.   

Advantages of ANY.RUN  

ANY.RUN helps you analyze threats faster while improving detection rates. The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible. 

With ANY.RUN you can: 

  • Detect malware in under 40s. 
  • Interact with samples in real time. 
  • Save time and money on sandbox setup and maintenance. 
  • Record and study all aspects of malware behavior. 
  • Collaborate with your team. 
  • Scale as you need. 



1 comment

  • Congratulations, this is a topic of great interest to young people, very well written and easy to understand.