24 July 2025 / 5 minutes of reading

From High School Exploits to Leading a Team: Fero's 10-Year Journey at Citadelo

He first heard about hacking in high school. Today, he hacks mobile apps, trains developers, and leads his own team. What keeps Fero excited about ethical hacking even after 10 years at Citadelo? And how do you keep growing without burning out?


Fero isn’t the loudest guy in the room. But he’s thoughtful and focused. He’s always been curious about how things work—and how to make them work differently. That mindset led him to hacking. He started exploring the topic in high school, ran his first attacks at university, and now leads a team and trains devs at Citadelo. In this interview, we talk about his 10-year journey, the security blind spots he sees in companies, and how he keeps his skills sharp.

How did you get into hacking?

I started looking into hacking back in high school. I was curious how things worked, and I wanted to try things out myself. But I really dove deep into it during university. I studied Information Systems Security at the Faculty of Electrical Engineering and IT at STU in Bratislava.

What do you enjoy most about it?

I love figuring out how things work. But I enjoy it even more when I can make them do something else—something they weren't meant to do, but that I want them to do. That’s the best feeling.

Pentesters are a special kind of community. I like how we're always inventing, questioning, and bending things.

I’m also into open-source tech, Linux, cryptography, mobile app security, and offensive security in general. My path to Citadelo happened naturally, and I’ve been here for 10 years now.

What kind of technologies do you test, and which projects do you enjoy the most?

I love testing mobile apps and web applications. I also enjoy training developers on secure coding. For me, it’s key that everything is properly prepared at the start of a project. No delays, just smooth collaboration. That gives me the time and space to dive in and find as many vulnerabilities as possible.

What are the top security risks you see in companies today?

The biggest one? Lack of security perspective in software development. Developers are under pressure to make things work and deliver features. That’s understandable, but security needs to be built into the process from the start.

Most new developers don’t have much security knowledge. They make the same mistakes developers made ten years ago. I think companies should prioritize secure development early. The longer you delay security thinking, the more time attackers have to exploit weaknesses.

Looking ahead, I think security will improve thanks to automation and AI—not just in vulnerability detection, but in development as well. Less human error means fewer ways in for attackers.

What would you tell companies right now about security?

Educate your developers and your people—not just on paper, but in practice. Security can’t be an afterthought in development. You need to give testers and fixers time. Attackers have unlimited time. The more space you give them, the more damage they can do.

What’s the hardest part of your job, and how do you deal with it?

Keeping up. Everything changes fast—new technologies, new vulnerabilities. You don’t have to know everything in depth, but you have to understand how things work. The deeper your knowledge, the better. But that takes time. There’s no way around it: you have to carve out time to study, read, and test things out.

What are your current challenges as a senior ethical hacker?

To keep improving. Even after ten years in the field, there’s always room to grow. In the beginning, it’s easier to learn fast. But over time, progress slows down—and to keep growing, you have to go deeper. That takes focus and time.

What value do you bring to the client as an ethical hacker at Citadelo?

I give them a deep, manual security review of their systems. That gives them the most relevant and actionable insights for improving their defenses. After implementing the fixes, the risk of being compromised goes down significantly. It’s about strengthening their systems—and their reputation.

What makes Citadelo unique in your eyes?

One thing I really appreciate is our flexibility. When something needs to be adjusted or handled differently, we always find a way—whether internally or with the client.

What’s the team and environment like at Citadelo?

Good—otherwise I wouldn’t have stayed for 10 years. Pentesters are a unique bunch. I love how we’re always inventing, questioning, and bending things. There’s always something new to learn.

Where can aspiring ethical hackers start learning or leveling up?

I’d recommend starting with PortSwigger Academy and the OWASP Security Project. Also, GitHub and YouTube—follow people who share writeups and links. The key is being able to learn and test things yourself, not just chase certificates.

Speaking of certs, I’d personally recommend Offensive Security ones like OSCP or OSWE. You can start working on those even before your first job in security.

How manageable is Citadelo work alongside university studies?

I worked as a developer during university, which is pretty common among students. I didn’t get into pentesting until the end of my studies, but it was doable.
