Fast and Curious: From Red Teams to Race Cars. A Conversation with TrustedSec CTO Justin Elze

Published on

Jun 17, 2025

Fast and Curious: Red Teaming, Race Cars, and Hunt.io with Justin Elze

Some people follow the standard path into cybersecurity. Others get hooked early on, by their first computer, a healthy dose of curiosity, and even a few iconic movies.

Justin Elze is one of those people. He's always been drawn to how things work, and more importantly, how they break. That mindset took him from building and breaking systems as a red teamer to stepping into the CTO role at TrustedSec, where he's now helping lead both technology and strategy. But he hasn't left the hands-on work behind entirely. Whether it's running a research project, diving into a pentest, or tuning up a car, Justin's still in it for the details.

In this interview, he talks about what pulled him into offensive security, what it really takes to make a red team work, and how his technical background shapes the decisions he makes as a leader. We also get into the tools he loves, how he uses Hunt.io and AttackCapture™, what's on the horizon for offensive security, and yes, how digging into race car data isn't all that different from breaking into systems.

Justin, can you share with us how you first got involved in cybersecurity? What sparked your interest in the field?

Justin: I grew up in the age of the internet becoming a thing. The first time I used a computer, I was hooked, and from there, the natural evolution was to understand how to build and break things on a computer. One of the other significant drivers was movies like Sneakers and Hackers coming out. Sneakers portrayed a career in breaking into and testing security systems for a living, and Hackers highlighted the lifestyle and the curiosity side of it all.

You've made a name for yourself in offensive security. What drove your decision to focus on this area over defensive?

Justin: Finding creative ways to break security products and complex systems designed to keep people out has always been much more enjoyable. There is always a competitive nature to it as well. Offense, at least during the time I have been doing it for a living, has seen a period where it was "easier," but defense has matured substantially.

The bar for offense rises every year, keeping things interesting, and there is no shortage of companies putting computers onto stuff like cars, toasters, and whatever else they think needs to be on the internet.

In your experience, what technical skills are critical for excelling in red teaming that might not be as emphasized in other areas of cybersecurity?

Justin: The team aspect of red teaming often gets overlooked. Environments today are incredibly diverse, and nobody is an expert in all the technologies you encounter. One of the most critical pieces is ensuring you have a team that works well together, and each person brings a different viewpoint and understanding of technology into the fold.

It's nearly impossible to go alone; no single rock star hacker will make your company successful without a strong team.

Over the years in red teaming and penetration testing, what tools and/or techniques have you found are most effective?

Justin: The most consistent technique I have found effective is leaning into common mistakes people make or ones I would have made when I was a systems engineer. Vulnerabilities come and go, but human-driven mistakes like leaving sensitive information in documentation, overly permissive wikis, and people leaking information onto the internet like GitHub, forum posts, or wherever have been consistent over the years.

The more I can understand an environment before getting in or after landing on one system, the more likely I can accomplish my goals as an attacker and make more informed decisions to avoid detection.

What's your favorite way to use Hunt.io?

Justin: Primarily, I use Hunt.io for open directory hunting; it's mainly because you never know what you're going to find between pentesters leaving things open to actual threat actors and a little bit of everything in between. I like to dabble in reversing malware, so working with random samples in those directories is always fun.

What has been the most surprising threat you've uncovered with Hunt?

Justin: Sadly, many security professionals accidentally leave directories open. The main contributors are people using Python to set up a temporary web server in their home directory on an internet-facing machine. This is something that is taught in basic hacking classes as an easy hack to share a directory; however, someone is always watching. Even if these are short-lived, they get indexed quickly.

Give us some power AttackCapture™ tips on how to get the most out of it.

Justin: One of the features I have been leveraging the most lately is code search. Normally, I find some examples of a tool/IoC leaked in an open directory and can use code search to pivot into other similar examples.

I'm also big on utilizing a lot of the filtering features to identify things hosted in the US for larger, more legitimate providers because I'm often poking around at what other red teams are doing.

Lastly, AttackCapture™ Explore has extremely nice tagging, making it quick to identify really specific things like CobaltStrike servers or pentest tools when I'm in a hurry and have less time to manually explore the identified open directories.

Looking forward, what are the most interesting developments or trends you see emerging in the offensive security space?

Justin: This one is easy: it's going to be AI/LLMs. They're a force multiplier for coding and other aspects of red teaming, like making decisions based on large amounts of historical data. During my time in this space, tooling went from open source and readily available on the internet to bespoke and built using internal resources for R&D.

The technology changes with AI will greatly increase the efficiency of building proof of concepts, especially when we often encounter problems in a variety of programming languages, which require faster context switching.

Transitioning from a technical role to management is a significant shift. What motivated this change, and how did you navigate the challenges associated with it?

Justin: I'm not sure I ever successfully transitioned.

You can still find me doing hands-on work, research projects, a couple of pentests a year, and assisting the red team from time to time. The overall change was mainly a natural evolution. I started at TrustedSec when they were much smaller, around sixteen employees, and as the need arose for a CTO, I just kept taking on more responsibilities. Outside of InfoSec, I had a broad IT career, from general IT, system engineering, and network engineering, making me a better candidate for the broader CTO role.

How has your background in red teaming influenced the decisions you make as a CTO?

Justin: Red teaming looks for holes in processes and procedures and often highlights worst-case scenarios. I apply this view to most technology-related things. How can this fail, and what happens if it fails?

Ultimately, I work in a place where we manage technology for a bunch of hackers, and a different group of hackers is also trying to break in; this weighs on just about every technology decision I make, which a lot of times is not overcomplicating things, adding to the attack surface.

How do you balance your time between overseeing day-to-day operations and setting long-term strategic directions?

Justin: Honestly, they're almost the same.

This space moves extremely fast, so taking feedback from the various teams and staying on top of the wider industry is just part of it all. Many people get too far away from what's happening on the ground, which slows the decision-making process because it takes time to push feedback across various organizational levels. Thankfully, I also have a large peer group I bounce ideas off of and regularly talk about what they're seeing and the direction.

When building your research team, what were the key qualities and skills you looked for in candidates? How did you ensure these choices aligned with the broader goals of TrustedSec?

Justin: Research in my organization is mainly built to support offensive operations performed by consultants. I prefer that the R&D team not come from the consulting space. I'm always concerned about people doing things the same way everyone else in the space has been, without pushing completely different viewpoints. This can be things like implant design, plugin design, or general research approaches.

We will always have a big group of consultants who come up the ranks internally or from other consultancies to push feedback towards the research team. Still, it's nice to have people from outside that bubble to question why something was always done X way.

Keeping R&D aligned with the various teams is just having good team leads who regularly meet and discuss priorities, which sometimes are wildly different. I will often jump in and help balance those debates on where we see the best return, but all my team leads are fantastic, and we have a great feedback loop.

In the context of high-pressure red team operations, how do you sustain morale and encourage innovation within your team?

Justin: Morale is easy: memes.

One way we promote innovation is by giving consultants their own R&D time. However, what spurs the most significant improvements is the consultants' debriefing the entire red team and research team after all major engagements, so that everyone can draw from experience and make suggestions. Normally, these calls kick off feature requests or completely new code bases.

Outside of cybersecurity, you have an interesting hobby of building, tuning, racing, and occasionally hacking cars. Could you share more about this passion and how it intersects with your professional skills?

Justin: Yeah, outside of work, I spend a lot of time tuning and racing cars, both my own and those of several friends. Nowadays, race cars are controlled by computers that have extensive data logging capabilities, and as it turns out, a lot of race car people are afraid of computers, so it's a natural fit, and it's far enough away from my day job that it's a nice break. The other part of this is that modern racing is being able to look at a large amount of data quickly and make decisions, which plays well with all the data-driven hacking and research I do at work.

Are there any new projects you're working on? What can we expect to see from you in the near future?

Justin: I have a large backlog of unfinished research and blogs. I don't know what specifically will be out shortly. Still, I would imagine something related to agents in various offensive research workflows. It doesn't have to be groundbreaking, but if I can accelerate the time from concept to usable tool or find variants of a specific attack that bypass EDR with a minimal amount of my time while AI grinds away on it, that will be a win.


SARA JELEN

Sara believes the human element is often at the core of all cybersecurity issues. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening. It's this perspective that brings a refreshing voice to her interviews.

