Dr. Katie Paxton-Fear is an API security expert and Principal API Security Researcher at Traceable. In her words, she used to make APIs and now she breaks them: a former API developer turned API hacker. She has found vulnerabilities in organisations ranging from the Department of Defense to Verizon, with simple API vulnerabilities. Dr. Katie has been a featured expert in the Wall Street Journal, BBC News, ZDNet, The Daily Swig and more, sharing some of the easy ways hackers can exploit APIs and how they get away with it without triggering a security alert. She regularly delivers API security training and security research to some of the largest brands worldwide, combining easy-to-understand explanations with the key technical details that make API security something everyone can grasp.

 

Hi, thank you so much to Dr. Katie Paxton-Fear for joining me. You’re a bounty hunter with HackerOne, a lecturer at Manchester Metropolitan University, and a YouTuber. Maybe we could start with you introducing yourself? You’ve described your entry into cybersecurity as accidental—can you tell us more about that moment?

Yeah, sure. So I actually knew about bug bounty hunting while I was at university—some of my friends were doing it—but I was never really that interested in cybersecurity. I wasn’t one of those people who always knew what they wanted to do. I had the chance to do cybersecurity in my final year and I turned it down because it sounded hard and I wanted to make life easier for myself!

Then, when I had my first job as a developer, we had a ransomware incident. And because I knew absolutely nothing about security, our only solution was basically to just cut off the server and hope for the best. That was a moment when I thought, I’d actually like to know more about this stuff.

It stayed in the background though. I was still working as a developer when I had this realisation one day that I really hated my job. It wasn’t a bad job—I was paid fine, the work was OK—but I just thought, I don’t want to do this for the rest of my life. So I decided to do a PhD. Problem was, it was November, and most PhD programs had already closed. There were only two left—one in London and one not in London. I didn’t live in London, so… cybersecurity it was! At that point, I didn’t think of myself as a “cybersecurity person.” I was an AI person, applying that to cyber. That was my mindset.

Then, midway through my PhD, a friend from uni who was into bug bounty hunting told me about a HackerOne event in London. I initially said no—it sounded hard, I didn’t know anything about hacking. But eventually, I was persuaded to go, mostly because I hadn’t seen my friends in years and thought it’d be nice to catch up. I also had a friend—another PhD student—who was really excited about bug bounty hunting and really wanted to go. I kind of became her ticket because I knew people organising it. So I thought, I’ll do this for her—it’ll be a great opportunity.

I remember being on the train saying to her, “We’re not going to find anything. Don’t get your hopes up. Let’s just network, learn a bit.” I’d never done any kind of hacking before. Never used Burp, never really seen how websites worked at that level. I didn’t know what a vulnerability looked like.

And yet… I found one. Actually, two. The customer was Uber, and somehow I found two valid vulnerabilities in their apps. I didn’t really know what I was doing—I was just trying stuff out. Then someone from HackerOne came over and said, “Katie, we’re going to give you a bounty.” I was like, What? You’re giving me a bounty? My hands were shaking—I couldn’t believe it.

After that, I got invited to an event in Vegas. And as a PhD student, going to DEF CON in Vegas? That’s wild. But I went, even though I still felt like I didn’t really know what I was doing. I found two more vulnerabilities there—this time in Yahoo—and realised, maybe I’m actually good at this?

I also noticed there were newer hackers there, and I was already further along than they were. That’s when I decided to start making YouTube videos to help others. That’s what I’ve been doing ever since—I’ve got about 90,000 subscribers now. I work as both a lecturer and as a principal security researcher at a security company. Hacking is now my job, and I love it. There is no rush like finding a vulnerability. It makes you feel like the smartest person in the room.

 

What was it like discovering vulnerabilities in a platform as big as Uber so early in your journey? And what advice would you give to someone who wants to get into bug bounty hunting?

I think what really helped me quite early on in my journey is that I came from a place of not really knowing anything about bug bounty hunting—which sounds kind of weird. When I speak to a lot of newbie hackers, they often idolise bug bounty hunting a bit. And the fact that I knew nothing about it, and just thought, “I’m going to give it a go and see how I do”, actually helped me a lot. I wasn’t someone who was super in-depth. Like, I was a technical person—I was a programmer, a developer—but on the security side, I wasn’t doing CTFs, I wasn’t immersed in the cybersecurity world.

And I actually think that helped because it wasn’t built up in my head to be this massive achievement or this impossible mountain to climb. It was just “I’m going to try this thing and see how it goes.” That attitude helped way more than people realise. You can really get in your own head and think, “I’m not good enough to find a bug.” But I didn’t have that. I was realistic in the sense of, “I probably won’t find anything—I don’t really know what I’m doing.” But I never had that “I’m not smart enough” or “I don’t belong here.” It was always just, “Let’s give it a go.”

When it comes to bug bounty hunting—or hacking in general, really—I think you have to be an opportunist. You can’t set yourself a clear, linear path and expect to follow it. Nobody’s path in security is linear. Everyone’s journey involves different twists and turns. I mean, I did my PhD and expected to be a lecturer for my whole career. Now I work as a researcher in a company, and I do teaching kind of on the side—it’s like my part-time job. That shift happened because when I got an opportunity to do cybersecurity research, I said yes. I didn’t really know where it would lead—it was a risk. Same with the HackerOne event—I almost said no! But saying yes to things, even when you’re not sure how they’ll turn out, is really important.

You also kind of have to be selfish. You have to say, “This is my opportunity.” Especially nowadays—there are lots of women-in-computing groups, and I often hear people say, “I don’t want to take advantage of being a woman.” But the truth is, we’ve had enough disadvantages in our lives and our careers—why not take the one advantage that might come your way? Because honestly, it might be the difference between you getting into cybersecurity and building a career you never imagined. And cybersecurity does afford you some truly unique opportunities—you just have to be ready to say yes.

“Hacking is now my job, and I love it. There is no rush like finding a vulnerability. It makes you feel like the smartest person in the room.”

 

You’ve got a big following now, but cybersecurity can still feel really intimidating from the outside. How do you use storytelling to make the field feel more accessible?

I think a lot of it’s the fact that I’m British. I think it’s kind of—it’s like British humour. You don’t take yourself too seriously. You’re quite happy to call yourself an idiot. You’re quite happy to recognise, “Hey, I don’t really know what I’m doing yet I have a job anyway.” And I think that kind of humour—that very dry British humour—really helps people engage with my work. Because I will gladly say, “I don’t really know what I’m doing.”

And I don’t think anybody—even the top bug bounty hunters that earn millions of dollars—I don’t think they really know what they’re doing either. What they’re doing is working, but that doesn’t mean they’re these strict professionals who are super organised and, like, know exactly what they’re doing.

So I really think that helps a lot—just admitting and knowing, “Hey, I don’t really know what I’m doing,” and that’s fine. Like, nobody really does. And actually, not knowing what you’re doing can be really helpful in bug bounty hunting because you’re not making assumptions about how a web application is built. You’re opening your mind up to the possibility of, “Hey, this could be vulnerable,” rather than thinking, “This company spends millions on their cybersecurity every year—there’s no way I’m going to find anything.” So I think that helps. That helps a lot.

I think as well, one of the things I really try and do with my content is—because I come from an academic background: I went to university, I went into the PhD, I worked as a lecturer, and I still teach a few courses at my local university—I really wanted my content to be like the bug bounty 101 course that no university would ever teach. So I think a lot of the folks who come from that more traditional educational background really like my content because it fits with how they know how to learn. They’re used to having material delivered that way. And for them, it helps them approach it from a very easy-to-learn perspective.

 

So would you say that you focus on people who have a background in, like, computer science? Or—what is this—is it a misconception that you need to have like a PhD to enter cybersecurity?

Oh, 100% misconception. You know, I always tell my students: degrees in cybersecurity are really new. When I went to university—and I’m not that old, I went to university like 12 years ago—cybersecurity degrees didn’t exist. For most people who are senior in security roles, cybersecurity degrees were not a thing. They don’t have one.

There are lots of different routes into cybersecurity. However, there is one thing you cannot ignore. If you want to get into cybersecurity, you have to join the community. You have to be active. You have to be networking. Because in this industry, the way you get jobs is often about who you know far more than what you know—far more than having a degree or formal education.

I think my content works just because it’s the way people know how to learn. Think about school—having a teacher at the front who’s telling you information and then you go and do it yourself. That’s kind of how we’ve all learned how to learn—as kids. Which is why I think my content works for people. But certainly, I don’t think you need to [go to university]. I personally loved university—there’s a reason why I have a PhD. It’s not because I really wanted “Doctor” in front of my name. I enjoy that learning environment. I thrive in that environment. Not everyone does, and that’s fine. I’ve failed every single exam I’ve ever taken in my entire life. I have never successfully passed an exam before. Doesn’t matter.

 

How do you think your academic background—or your particular PhD journey—shapes your approach to bug bounty? And how would it be different for people coming from different backgrounds?

See, I don’t actually think it has shaped it—not the way I hack, anyway. What really affects the way I hack is being a developer: knowing how applications are built.

My style of hacking is very much me asking myself: “If I was a developer, how would I have messed this up? How would I have introduced a vulnerability? How would I have done this wrong?” And when I look at an application, I’m thinking about what’s behind it. I’m thinking about, “Oh, that’s an airline booking application, so that’s going to have a database, it’s going to have a list of flights, it’s going to have a list of passengers,” and my brain is going, “OK, can I get the list of passengers? Passengers—that’s going to be in that database.”

I’m making a lot of assumptions about how an application is actually built, and from those assumptions I am then, you know, making the leap of “This is what would be broken,” or “These are some of the ways it could be broken.” I don’t think you need to think that way, and I think one of the advantages of bug bounty hunting is having a diverse set of people who will hack your applications—because they’ll all think that way, but no two bug bounty hunters will think the same way. They’ll all have a different point of view.

I remember HackerOne telling me about another hacker who used to be an Uber driver. And he found out that if he was driving his car down the street really slowly, he could actually activate surge pricing. And he contacted Uber support, who said, “Hey, this is a security issue. Submit it to our bug bounty programme.” And he did. And he really enjoyed hacking after that.

And that—being an Uber driver—was kind of like instrumental to how he thinks about things. And so I think that there’s a lot of space in this industry for people who think differently.

I will say, I do think the more traditional kind of pen test people don’t tend to thrive in a bug bounty environment because, to be honest, it’s very chaotic. It’s not very organised. It’s not very structured.

But I think if you’re like me, and actually you don’t have the focus to sit and do hacking for like a week straight on just a single application and test every single vulnerability, and you just want, like, quick hits of dopamine as you find stuff—I think bug bounty hunting kind of suits you a lot better than doing pen testing.

And CTF is something else as well, so CTFs really work if you like problem-solving and puzzle-solving. And so I think there’s space for everybody in our little niches in the community.

And certainly I don’t think having, like, an academic approach helps. One way I think it does help me in particular is my note-taking. I am very big on note-taking. I’m very big on, you know, how do I make notes that are going to be useful to me—how I don’t try and learn things in my head. I put them on paper. Like, that is the way. And I have it so it’s indexed and searchable. And so that way, when I am doing some hacking and I come across maybe a piece of software that I’m not familiar with, I can go back to my notes and see, “OK, is this something I’ve seen before?” And that really helps.

“We cannot secure things unless we understand the threat model. And to understand the threat model for the entire world, we need to hire the entire world.” 

 

And so we said how diverse perspectives are crucial in uncovering vulnerabilities. So what changes would you like to see in the future—how the cybersecurity industry supports women and underrepresented voices? Is there some practical advice you could give?

I’m actually gonna steal this from my friend Dawn, who is also a HackerOne hacker. You know, at the moment, we talk a lot about mentorship. We talk a lot about having a mentor, being involved in mentorship programmes, etcetera. And that’s great. Like, mentorship is fantastic.

However, that’s only really great at the start of your career. Long term, you need both a mentor and a sponsor—so somebody who will put their neck out on the line for you. Somebody—maybe it’s your manager—who will advocate for you and give you opportunities that you wouldn’t have necessarily had if you were just working on your own.

And so I think that a lot of organisations are very quick to introduce mentorship programmes. But a lot of the time, women and underrepresented groups in cybersecurity still aren’t getting the same opportunities because they don’t have a sponsor. They don’t have somebody who will speak out for them in, like, management meetings. They don’t have somebody who’s going to give them opportunities after they’ve kind of got their first job.

You know, I think a lot of the time, we’re very good at the entry level. We’re not so good at, “How do we support women and underrepresented groups throughout their entire career?”

And I should say that, you know, a lot of people talk about diversity as being a morally good thing—which it absolutely is, right? Like, morally, we shouldn’t discriminate against people. That’s bad.

I think in cybersecurity, though, it’s even more important—because it’s not just about, you know, “diversity is good” or “lack of diversity is bad”—but without diversity, we can’t have good security outcomes. We need people who think differently. We need people who come with another perspective. We need people who can challenge the way we’re used to things always being.

Like this example from Facebook, where Facebook had this massive problem that women in India weren’t sharing profile pictures—they were just having black profiles. And they were like, “Wow, this is so weird. How do we fix this?” And it took, you know, them asking a woman in India why she didn’t. This was a discovery for them. They could talk to women in different countries to find out why. And for them, it was a security issue: profile pictures can be stolen and then fake accounts created. And this was a real security risk for them.

And Facebook had no idea—because they weren’t made up of women in India. They were made up of usually men who are in the US, usually in San Francisco or Seattle, and have a very different perspective to some of the risks faced by people in other countries—and women.

So it’s not only morally good, but it is also really important from, like, a security perspective. We cannot secure things unless we understand the threat model. And to understand the threat model for the entire world, we need to hire the entire world. Women make up 50% of the population—you know, we can’t just ignore that.

“Try bug bounty hunting. Try going to a local conference. Try a CTF (Capture the Flag). Doing something will always be better than doing nothing.”

 

If someone is curious about cybersecurity—maybe they’re not sure if it’s for them, or they just want to explore it a little—do you have any suggestions for where to start? Any materials, courses, or communities you’d recommend to help them begin the journey?

I think the best thing anyone can do is join their local cybersecurity community. There are meetup groups all over the world, and if you don’t live somewhere with a strong local scene, there are always Discord and Slack groups you can join online.

If you’re not sure where to start, I’d really recommend going to a local conference—or one that’s at least kind of close to you. A lot of local conferences, if you show up and say, “Hey, it’s my first time, I’m really nervous,” the organisers will actually help. They’ll introduce you to people. They’ll say, “Oh, you need a social circle? Come with me—I’ll give you friends!” We love that. We love seeing new people in the industry.

And this can be virtual too. Finding a community online can be just as valuable. DEF CON is a great example—even though it’s based in the US, all of the little villages like the Blue Team Village, the Red Team Village—they all have active Discord groups that you can join year-round. You can start chatting with people in security and get a feel for whether this is something you want to do.

Having a mentor really helps, but I’d say that comes a little later. And honestly, you’ll kind of get one naturally—you don’t even need to ask. The people from your new community? They’ll be your mentors.

I don’t usually recommend specific courses or certifications because it really depends on your situation. In the UK and in a lot of Europe, a degree can actually be a pretty affordable way to get started. But in the US, degrees can be outrageously expensive, and professional certifications might make more sense financially. So it depends on where you are and what your ambitions are.

But no matter what—whether you’re 16 and thinking about your career, or 60 and wanting to get into ham radio—I think the key is to find that community first. Get their support, because they’ll know what’s best. And as a bonus, they’ll also become your friends.

 

If there’s one final takeaway or piece of advice you’d like to leave people with, what would it be?

My final takeaway is: just try it.

Don’t be afraid to try. Don’t be nervous about joining a community—just do it. When I started hacking, I knew literally nothing. Like, anybody reading the article you write will know more than I did back then. And it didn’t stop me. I just did it anyway. So I think—just do it anyway. Just try. What’s the worst that could happen?

Honestly, if you want to get into cybersecurity, do it. Try it. Try bug bounty hunting. Try going to a local conference. Try a CTF. Doing something will always be better than doing nothing.
