A Conversation with Maxie Reynolds: The Art of Attack

0:00 0:00
Maxie Reynolds, founder of Subsea Cloud, discusses some of the key principles in her book, The Art of Attack: Attacker Mindset for Security Professionals

In this episode, Mike welcomes Maxie Reynolds, founder of Subsea Cloud. Join us as Maxie shares some of the key principles, laws, and insights behind her book, The Art of Attack: Attacker Mindset for Security Professionals.


Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

In today’s episode of In Scope, host Mike Murray welcomes guest and diverse thinker Maxie Reynolds, author of The Art of Attack. With a diverse background, Maxie was an ROV pilot for a decade for the company Subsea 7. During this time, she assisted pipeline surveys and offshore infrastructure. Now, as the founder of Subsea Cloud, she works to build, deploy, and maintain subsea data centers.

Maxie found herself cast into a world where she was constantly on the defensive for attackers. While there was much discussion about the attacker mindset, no one could determine who these attackers actually were. Doing her own research led her to answering many of her own questions about this topic and led her to understand the objectives of attackers. These findings led her to writing her book, advising others on how to determine what an attacker wants, what they can do to you, and how you can protect yourself from them. Since she was the first to write about this topic, she didn’t have many resources available to pull information from.

The Art of Attack is framed by four key laws. The first law is to determine the objective in the mind of the attacker. Second is to continually gather information to leverage and weaponize it as you go. Thirdly, never break pretext or show yourself as a threat. Slightly more difficult to understand, Maxie explains a pretext can disguise you as a threat. The fourth role is to ensure that everything you do is for the good of the objective. Essential skills include curiosity, persistence, information processing, mental agility, and self awareness.

There is a certain stoicism to this mindset which allows for versatility. The fact is that you can’t prevent something you are unaware of. It’s crucial to see opportunities where others may see obstacles. As Maxie sees it, attacker mindset is everywhere in the world and most commonly referred to as expertise. We see it prevalent with athletes, doctors, lawyers, and more. It’s a matter of knowing your environment so well that you are unafraid of being caught off guard. The information to embody the attacker mindset is there, it’s just a matter of knowing how to adopt it.

Then, Mike and Maxie discuss the objectives hidden behind these attacks. Many healthcare professionals don’t understand why an attacker would want to access such data. Maxie explains that, in the case of healthcare, hackers obtain classified information as an opportunity to use it against the person they belong to. She shares her own concerns that a hacker may obtain her father’s health information and use it against her in the future.

Maxie’s laws and the skills of an attacker are exactly the same laws and skills which make a good startup founder. As a recent startup founder herself, Maxie vouches for the necessity of the curiosity and persistence she previously spoke about. Finally, she highlights her own startup company.


– Mike Murray welcomes guest Maxie Reynolds.

– Maxie introduces herself.

– What led Maxie to writing her book?

– The four laws which frame Maxie’s book.

– The most difficult thing about the four laws.

– Discussing the attacker mindset.

– What are hacker objectives?

– What prevents people from adopting this mindset?

– How do these skills translate to startup founders?

– Maxie discusses her new startup.

0:00:02.7 Speaker 1: Welcome to In Scope – The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

0:00:19.3 Mike Murray: And welcome to this episode of In Scope – The Healthcare Security Podcast. As always, I’m Mike Murray. And as always, I’m excited to have a guest, but this one’s particularly interesting. With us today is Maxie Reynolds, who is someone that I’ve just gotten to know, but one of the most diverse thinkers, and you’re gonna find this out as we go through the podcast, that I’ve happened to meet in the past couple of years. And I really just have a million questions. So Maxie wrote a book recently called The Art of Attack, that is absolutely phenomenal. As I told her before we started, I read the whole thing cover to cover, and I have a million questions. But before we get there, Maxie, do you wanna introduce yourself and tell the world about you?

0:01:00.1 Maxie Reynolds: Well, you’ve set me up for failure. You’ve just said I’m infinitely interesting. Damn it, Mike. [chuckle] Yeah, so I am of average interest. No, sorry, my name is obviously Maxie Reynolds, and I have a diverse background. I was an ROV pilot for a long time, for about a decade, and that is remotely operated vehicles, so I was a subsea engineer. We built robots essentially, put them to the bottom of the ocean, had a look around. We surveyed things like pipelines and wellheads, like offshore infrastructure. And then I started to change over and go towards cybersecurity. And I had a few mishaps. I shut down an entire city’s water supply before, which was a brilliant move. Got arrested as a Russian spy, a few things like that.

0:01:52.3 MR: And then I came back to America, where I thought I was gonna be safer and I was not. I got into social engineering with a company that sort of is one of the only companies to do what it does. And so we were breaking into places as essentially corporate spies, and it was fun, it was good. You got chased with guns and weapons, and you had to volley over fences, that was great. And then my body started to get a little bit old for those things, and I decided to go back to my roots in subsea engineering. And so right now, what I’m doing is subsea data centers. I’m starting to build, deploy and maintain subsea data centers. So, I don’t know if that’s interesting to anyone else, but let’s see. Let’s see what the feedback is.

0:02:40.0 MM: Well, it’s definitely interesting to me, but before you got to subsea data centers again, you decided to write a book about this.

0:02:48.3 MR: I did.

0:02:49.7 MM: Why did you decide to write this book?

0:02:52.1 MR: So, that’s a really in-depth question for me. And I know it’s probably, it should be succinct, but what happened was, I was cast into this world where we were constantly defending against attackers, and the question that always sprung to mind was, “Who are these attackers? I don’t understand. And if I know what they’re doing, I know why they’re doing it, but who am I really fighting against here?” And nobody could answer the question, but everyone talked about attacker mindset. And so I started to think about that and I’m kind of a disciplined thinker when I need to be, so I went in deep on that, like, “Okay, what are attackers doing?” And they were doing exactly what I was doing but for bad, and so I started to answer some of these questions that I myself had come up with. And finally thought, “Okay, I get it. I get what an attacker is. I get their objectives. I think I can broadly categorize them so that no matter where you are, what industry you’re in, whether it’s healthcare or cars or airplanes, aeronautical, it doesn’t matter. You can think about what an attacker wants from you, which is really the most important thing, what they can do to you and how you can fend against that by finding out how they think.”

0:04:15.6 MR: So that was kind of the basis of the book. And no one else had done this before and I didn’t know why. And as a human and as someone who sort of suffers from anxiety, sort of self-anxiety, I was thinking, “Have people not done this for a reason? Am I an idiot? Am I walking into something here?” [chuckle] But no, it was just no one had written it yet, so it was interesting. It was good in some ways. I got to write. There was no one to say, “You’re wrong on this,” and there’s no literature before to say, “Actually, that’s completely wrong.” But at the same time, there was no place to take information from. There was no place to go and check if I was right, if my thinking was right.

0:05:00.5 MM: I have to say, having read it as I said, I actually think most of your thinking was right. And maybe we should start out with telling the listeners a little bit about what they should expect and specifically, you frame the book around four laws. Do you wanna walk us through them?

0:05:14.7 MR: Yes. Absolutely. So I will start out by saying that you don’t need to know… There are skills and there are laws. You don’t need to know the skills to understand the laws and you don’t need to know the laws to use the skills. So keep that in mind. The first law is to start with the end in mind. Any attacker will do that. They have an objective. They form that, and everything else hinges off of that. The second law is actually to continually gather information and leverage it, and weaponize it as you go. So it’s not just gather information before the attack, it’s to keep gathering information as you go in the attack and keep using it. It’s sort of your bullets, if you want, as an attacker. You keep using that information, keep using that against your target environment.

0:06:04.5 MR: And then the third law is that you never break pretext. You never show yourself as a threat. It’s an interesting one, but basically a pretext, it shields you from being seen as a threat, and that can be through how you disguise yourself as traffic on a network, and it could be if you walk into a bank as a banker, rather than a robber, but you really are a robber, but let’s just go in as the banker sort of thing, you never show yourself as a threat.

0:06:31.1 MR: And the fourth law is actually kind of subtle, but it really does matter. It means everything that you do is for the good of the objective. You can’t get too interested in other things, you have to keep your mind’s eye on the objective. You have to keep going towards that, keep trying to fulfill it, sort of thing. I see a lot of the time when I go out into the field with other social engineers or other hackers, ethical hackers, that they get so interested in things that have nothing to do with us. “That’s not an objective. Yes, it’s very interesting. I also want to see whatever that is, but come on, head back in the game.”

0:07:12.5 MR: So those are the four laws, and I’ll quickly say the skills, as long as you don’t mind. The skills are, you have to have curiosity. You have to be curious. You have to have persistence. Your curiosity will not pay off without persistence. You have to be able to process information, because it goes back to the first and second law, which is you have to have the objective, and you have to be gathering information all the time on that to make that objective possible. You need mental agility, which is just a fancy way of saying process the information in ways that are creative, I suppose. And then you have to have self-awareness. The self-awareness is particularly important if you’re going in, in person. If I was to walk into a prison as a guard, trying to get into prisons, which we’ve done before, nobody’s gonna believe that. I have to go in as the delivery person. I look 15 years old with… Yeah. And I speak like I’m 15 years old. It’s just never gonna work. So you have to have that level of self-awareness to know where you are bound and where you will accelerate.

0:08:22.9 MM: So as someone that’s done a whole bunch of this myself, and I don’t think that the audience necessarily knows that I’ve done a lot of social engineering in my day… Wow, I sound old… [chuckle] Back in my day… Back when I wasn’t this old guy who does company stuff, but… No. What I was gonna say is one of the things that I think is really wonderful that you talked about doing a lot in the book, but you didn’t specifically call this out, is that the third and fourth law really are reinforcing and allow you to break the rules. Law three being, never break pretext.

0:09:00.9 MR: Correct.

0:09:01.0 MM: And then you talk about all the times when you switched pretext within the context of an engagement, right?

0:09:05.0 MR: Yeah.

0:09:05.4 MM: And I think that that’s a hard thing for most people to understand that the art of this is keeping outcome-focused so well that you’re willing to break the laws in order to do it.

0:09:18.1 MR: There’s an interesting one with that, in particular. So the third law, it has this subtlety to it. When I’m breaking one pretext to go into another, I still do not show myself as a threat, but I have just broken my own law sort of thing, it’s really interesting. You’ll see hackers do that on networks. They pivot all the time so as not to be caught. It’s the opposite of what children do. It’s when you catch your child doing something, so they stand still, they’re like, “I don’t know how the fancy ball got on the lamp. I have no idea. I don’t know how the dog got dessert. No idea, Mom. It must have opened the fridge itself.” They don’t switch quickly enough. And I use children as an example because they’re hilarious, but also because they don’t have the same agility that we do. So it’s really interesting to see people try these four laws and try to keep them continuous in their practice. It is really difficult, I admit.

0:10:21.2 MM: For people who haven’t done it before, it’s a really hard thing. People come in to that profession, whether it’s penetration testing on a network or whether it’s attacking physically in the real world, and in my experience, the hardest thing for those people is to get the understanding of mental agility and to not be dogmatic about the way they approach things.

0:10:45.2 MR: Yeah, I think that, that’s very true. There is a sort of… There’s this dogmatic side of being an attacker, but I don’t know if this is just gonna sound very, very dumb… Maybe, but let’s see, shall we? There’s a sort of stoicism to this mindset, and it’s basically like an undertone that allows versatility. So, stoics think about the worst case scenarios and they do that because they know that setbacks are a fact of life. Unexpected blows actually sometimes mostly feel the heaviest and feel the worst. You can’t prevent something that you’re unaware of and you have to be prepared because you have to see opportunity where others see obstacles.

0:11:34.2 MR: That is how attackers think as well. And I’m giving you a set of parameters and saying be creative within these, and that’s really difficult for most people. Most people want to think their own creative way and be agile however it is natural to them, and you may have a very slight amount of mental agility. My partner has a very slight amount of mental agility, but he navigates his way through life by following the algorithm, and he follows it very well, whereas I get through life dodging that. My mental agility is scary. It’s seeking this balance to be agile and to be able to look at information, take it the way that other people cannot.

0:12:19.5 MR: It’s a really delicate balance because you also have to be able to think about all the things that you don’t know. You have to be able to think about what happens if you do get caught. You have to be able to think about the opposites of those which are when you get your objective, when you catch the client out, there’s all of these things that go into it, and so it’s this really, again, delicate balance, and it’s a very strange thought process.

0:12:43.8 MR: The other thing that I would say is, attacker mindset as I see it is actually also paradoxically everywhere in the world. Lawyers have it, athletes have it. It’s most commonly referred to I think as expertise. It’s a way of knowing your environment so well that you’re not afraid of the setbacks, you’re not afraid of the unexpected blows. You know that things can jump out at you and you can be caught off-guard, but you’re not scared of that environment. You’re not scared of a little bit of adventure, I suppose, and you can’t be for our job. So you did it physically, I will assume, and how long did it take you to settle into the role, so to speak?

0:13:31.9 MM: I think, like you, I came to it with a lot of those skills. And I’ve been breaking into computers since I was in college, so the mindset around how to do that makes sense to me, and then it was just a skill set after that.

0:13:49.6 MR: And it’s really difficult. This is sort of who the book is written for. It’s not really written for us. I think you and I read it and go, “Well, obviously.” But the skills that we have that we developed, for whichever reasons we did, they’re part of our identity, I think. I can’t separate myself from the way I think, but most people, and I say most people, I really think the majority of people do not think like us, but there is a chance for you to. And again, it begins with curiosity, persistence, mental agility, self-awareness and being able to process the information right in between there. So it’s a book that I honestly think if you’re not familiar with our line of work, that you have to read a couple of times and highlight like crazy. The information’s there, you just have to learn actually how to use the information from it. But it is there, it does exist, and then there are people who will help you. Did you have help? Did you have mentors?

0:14:53.5 MM: Oh, absolutely. Of course.

0:14:55.5 MR: Yeah. Other people who make it okay to think the way that we do is very helpful. It’s really, really helpful because I often see the world, not bleakly, not bleakly at all, but I see information and can figure out quite quickly how it can hurt an organization or a person, and not everyone does. It’s just not normal so, yeah.

0:15:20.3 MM: And with that, you set yourself up because…

0:15:22.3 MR: I did. I see your face. [chuckle]

0:15:23.5 MM: You’ve totally set yourself up because… And I told you we were gonna do this beforehand…

0:15:28.3 MR: Yeah.

0:15:29.3 MM: And because I think you said something really important, most people don’t really understand the way attackers think. And especially when I talk to a lot of our healthcare customers and the people in healthcare, everyone understands why you would deploy ransomware. There’s a monetary value there, but I find… And even people in security, in our line of work, especially when I talk about health records, they don’t necessarily understand why you would steal someone’s health information and so, I figured it might be a fun game for us to play. I’ve got some answers for this, I told you…

0:16:04.8 MR: Yeah. Okay, good.

0:16:05.3 MM: But I’d love to hear what… Suppose the objective… Well, and this is really a poorly formed objective, because I’m gonna say the objective is to steal health records, but that’s actually never your objective. Your objective is never to acquire an asset, it’s what you wanna do with that asset.

0:16:23.8 MR: Exactly. Exactly. Yeah, you don’t go shopping just for the items. You go shopping for the items to then eat the items. It’s the middle step. God, that was a bad analogy, but keep it in, so people get…

0:16:36.3 MM: No, that was a great analogy actually, yeah.

0:16:37.8 MR: I want people to be able to laugh. [chuckle] So, attacker mindset is honestly, and I know we’ve been all around the houses about what it is, what you need, but if I had to distill it into something really succinct, I would say that it is really nothing more or less than taking information in and applying it to the objective. If you need the information, you need the objective then what do you do? Health information for me, I listed in the book, as elite information and I fully believe it because you cannot change it. I can’t change my blood type. I can’t change any injuries I’ve had, any mental illnesses I may have, and those can be used against me for my entire life. That’s scary to me and we are heading… We are in that place. It’s just… The future is here, it’s just not evenly distributed, and I mean that for the bad, as the saying, not the good. It’s so…

0:17:30.5 MR: Healthcare information is elite information always, and if I get information on someone’s mental state or that they have suffered from something, I get to contact them about that and I get to know something so inherent and so personal to them that they are likely to respond to me. I get to use that against them, so I can pretend to be them. And it’s so much more than their bank account information. I can go and get as many bank accounts as I want. I cannot go and get a new brain. I worried about the Internet of Things and putting medical devices on there. I’m worried that my dad, he’s only 50-years-old and has had a heart attack and has a pacemaker now, I am worried that someone could use him against me, which… Is that something from a movie? You may think so, but it’s actually not. That’s possible. And so, I’m terrified of that. His device, if connected to the internet, could literally be used against me. And so, that was a bleak way to go, but it’s still true. You can always count on me to ruin something magical. [chuckle]

0:18:48.8 MM: No, actually, I think you said all of the really important stuff there. The one that I find that people fail to think about the most is how useful your health information is to blackmail you. And you used mental health and the stigma against that, but I always use a trite but kind of painful, very cringy example of, imagine that you’re married and your medical records shows that you just started taking a bunch of STD tests. What could I infer from that about your life? And what could I do with that information? And we know that there are nation states, specifically China, but others as well, that have long used their intelligence service as fundamentally one of the targets was to gather information that could be used to turn or to leverage against potential agents in a country.

0:19:41.7 MM: Well, health records are phenomenal for that. And we spend all our time talking about ransomware, and what I loved about your book is your book will open people’s minds to be able for them to think, “Oh, why would I want to break into this medical device?” Because so few people that I talk to, they don’t really understand why you would want to compromise a hospital.

0:20:06.2 MR: No one does. It plays into… Now I’m not against the media, that’s not where this is going. It plays into the media’s narrative though, that hackers are just pests and menaces, and they’re just trying to get in our way a little bit, so they are trying to destroy our hospitals. It’s so much more than that. It’s not a bunch of kids sitting around their basements in hoodies, trying to eff up some hospitals. It’s so much more than that. There’s a really good book on Chinese espionage and I think it may intuitively be called Chinese espionage. And in it, it talks about China specifically, you’re so right. If China and Russia had to steal 1000 grains of sand from a beach in America, Russia would show up in the middle of the night in a submarine, shovel it in, and be on their way. China would send 1000 agents to pick one grain each, and then use it against us somehow later.

0:21:07.5 MR: And I see that when I have applied to nonprofits and things, they want to know my background. And I’m so happy to give them that, but they never ask for my mental health records. If they did, and there was something on there that I’d suffered from something, lesions, hemorrhages, mental health, something like that, that could so much more easily be used against me because people are far more private about that because of the stigmas than they are like my debt. Go ahead. I’m just hoping someone pays it for me. [chuckle] I’ll start a crowdfund. But there’s nothing that can be done about this information that exists because of my DNA. And so it’s very overwhelming to think about, but very underrated out there, in terms of what we put out there in information and cybersecurity worlds.

0:22:00.6 MM: So have you ever considered… This just crossed my mind and I hadn’t planned to ask you this, but have you ever considered that people who think this way, that the majority of people don’t think this way because it takes you to a very dark place? I often say, I think the difference between people who are in our field and normal everyday people is when you can see it when they walk into a casino in Vegas, 90% of the people on the planet, when they walk into a casino in Vegas, they see the lights and the blinking and all of the machines. And I can pretty much guarantee, even though you and I have never been in the same room, that when you walk into a casino in Vegas you can tell me where every camera is ’cause I can tell you where every camera is.

0:22:42.4 MR: Exactly! Exactly! Observation is key. And most people learn to stop observing because it doesn’t… What good does it do you to observe more than is needed to get around your daily life? So I have to let the majority of people off for that. And then there’s this secondary thing that’s more annoying, more sort of pernicious and pervasive, which is that people do not have the attention span or maybe curiosity to learn about how to help themselves based on what is overwhelming. So when I tell my mom and dad about these things, in their mind and to me, in very Scots language, they’ll say, [chuckle] “We don’t care. There’s nothing we can do about it.” There is. There’s so much you can do about it, but it takes education. And it takes curiosity and persistence to want to do something about it. And for those who who don’t want to, fine. We will try to do it for you, but you are so much better at defending yourself than we are.

0:23:45.2 MM: So you said something earlier that I think is so interesting. As you were walking through the laws and the skills, all I could think about was that they are exactly the same laws and skills that make a good startup founder. And I know you’re at the beginning of a new startup journey…

0:24:00.8 MR: Yes.

0:24:03.6 MM: And I mean, literally, everything you talked about, even the idea of people wanting to get distracted on the way to the objective, that’s pretty much five of my conversations every day. “Hey, we could do this.” “Yeah, I know, we could do that. We could do anything, but we’re going this way, we’re not going that way.” So I’d love to hear how you think this serves you as a startup founder as well.

0:24:27.0 MR: It serves me throughout life everywhere. It’s the curiosity and persistence things, that list of things. Imagine a pilot not having them, and you’re flying over America and they’re like, “Yeah, we’re going to New York.” “You know what, guys, we had a change of heart and now we’re in Florida.” You’d be like, “No! Of all the places.” So you’re right, as a founder of a company, you more than anyone have to be steadfast, but you still have to remain curious, and persistence pays off big time, even when you really just want to lie down and have a little cry. But I have found that my curiosity is actually my driving force in life, and it goes against me. I am a curious sort, but what that does is actually alienates a lot of people. I find it difficult to have mainstream conversations a lot of the time. And not because I’m not interested just because… When someone says something that is somewhat mainstream and normal, it threads a needle of something that I’ve read or seen, or been thinking of somewhere, and I take them there, and they’re like, “Oh, for God’s sake, do we have to?” So it does go against me, but just not at work. You’re laughing. Does this happen to you, or are you just laughing at me? [chuckle]

0:25:48.8 MM: Every single day. I think that it’s part of my own neurodiversity that leads me in all of those same directions. And we talked about that when we chatted last. I know you’re busy, you’re starting a new startup. First of all, tell us about the new startup, ’cause I think it’s freaking cool. And it has nothing to do with security, but it’s so cool that we just have to talk about it.

0:26:12.1 MR: I can tie it into security, watch me. Okay, so basically what I am currently doing, as a subsea engineer coming out of social engineering, I was very much trying to get back into that, and I was thinking about the largest problems that we have. And having broken into some data centers in my time, I knew how easy it was. It’s so easy. God, you don’t even really have to physically go in. A drone that can carry a payload will do a lot for you. Bad cybersecurity will do everything for you. But also you can physically get into these places and it’s game over.

0:26:46.8 MR: And as a subsea engineer, I started at this strange intersection, where I was like, “Imagine I could put those under water. That would be great.” So I went off on this little journey, and come up with… They’re essentially units, pods that fit just about 800 servers into them, and I can put them down to 12,000 feet. And I would love a little one-on-one with even Putin at that point to go down and get that. You can’t do it with divers. You’re going to need some very disruptive equipment. You can’t do it with a submarine, they don’t go deep enough. So you’re gonna need a vessel and those are very trackable, so there’s that side of security. It takes care of a lot of the physical side of security, and what I’m finding is that a lot of military industries want to use these for their physical security.

0:27:41.6 MR: But what do they do for us, for you and me, for everyone listening is they cut latency down by 95%, because a lot of the world’s population is coastal. They also, which I’m probably most proud of, they cut carbon emissions by 40%, because data centers are the world’s largest consuming asset class. And they stop carbon emissions by 40%, which is… I’m glad of that. It didn’t get me funded, but I’m happy that it’s happening. And so it’s a really interesting journey. I don’t think I’ll do it forever. I don’t think I’ve got that in me. It’s again where my mindset goes against me. In 10 years’ time, I might still be in the know, I might still be involved, but there’s no way I’m running it because I’ve done it now. I want to do something else. Yeah, so questions on that. [chuckle]

0:28:37.6 MM: I have a million, but we’ll save them for some conversation with Phil over Scotch.

0:28:42.4 MR: Okay, perfect.

0:28:43.8 MM: So with that, Maxie, where can people find more of you? How do we find you on the socials, out in the world, if we just wanna hear more about you?

0:28:53.7 MR: I just, just started being… What’s the word? I just started getting active on Twitter, so I’m there. I don’t know what’s cool to say, I don’t know what’s uncool to say. I’m still like… I’m feeling 12 years old again, so forgive me. I’m half on, half off of Instagram. I post OSINT challenges there for those of you who either know what OSINT is already, which is Open Source Information Gathering, or for those of you who have read the book or want to read the book, there’s chapters about OSINT in there and how to do it. On my Instagram, I often post images that you’re to find information about. And I’m on LinkedIn. And LinkedIn is a really good place to get me if you’re looking for help, mentorship. I can put you towards the right people. Don’t ask me for it. There’s just no way you’ll need that. But it’s a really good place to get me to respond. I respond quickly there.

0:29:55.7 MM: Maxie, thank you so much for joining us today.

0:29:58.8 MR: Thank you.

0:29:58.8 MM: This has been awesome. I can’t wait to see where you go with this and what you do next.

0:30:05.9 MR: Yeah, let’s see.

0:30:06.7 MM: Yeah, literally, let’s see. And so with that, this has been another episode of In Scope. Thank you so much, Maxie, and hopefully everybody does your OSINT challenges and we hear more from you again.

0:30:19.5 MR: Thank you so much for having me. It was so nice. Thank you.


0:30:24.4 S1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests, or technical tips, please contact us at [email protected]

About Maxie Reynolds


Maxie Reynolds is widely considered one of this generation’s most successful social engineers. She started her career in oil and gas as an underwater robotics pilot and subsea engineer working in Norway, Venezuela, Australia, Italy, Russia, Nigeria, and the US. She then transited into cyber security at PwC in Perth, Australia, working in ethical hacking and social engineering. She later studied digital forensics with SANS and has performed digital forensics for law enforcement, corporate America, and as an expert witness.

She has published articles on complex human behavior and its effect on a social engineer’s ability to influence, and has given speeches on the mindset and science behind the art of social engineering. Her unique experience bridges the divide between the technical and corporate communities. She is the author of a first of its kind security book titled The Art of Attack: Attacker Mindset for Security Professionals.