
Security Spotlight - Yunus Umsu, Principal Consultant

China Zamora
May 21, 2026

Our Security Spotlight series is all about the people behind the scenes, and how they bring cyber security to life in practice. This month, we’re featuring Principal Consultant, Yunus Umsu.

Can you please briefly introduce yourself?

I’m an offensive security professional and penetration tester. I’ve spent around nine years across IT, with more than eight years focused on penetration testing.

I currently lead and deliver security testing across web and mobile applications, internal and external network assessments, and broader offensive security engagements such as red and purple teaming, phishing exercises, wireless assessments, and social engineering where appropriate.

My day-to-day is a mix of hands-on testing, scoping and kick-off discussions with stakeholders, and producing clear reports that work for both technical teams and executive audiences, along with supporting remediation to meaningfully improve security posture.

What first sparked your interest in cyber security, and what path led you into a technical leadership role?

I’ve always been curious about how systems really work, and security was the natural extension of that curiosity: understanding not only how technology is built, but how it can be misused, bypassed, or broken under real-world pressure. Early on, I was drawn to the adversarial mindset: thinking like an attacker to help organisations defend what matters.

My path into technical leadership came from doing the work consistently; running assessments end-to-end, learning from every engagement, and improving how outcomes are communicated and actioned. Over time, I moved beyond simply “finding issues” to helping clients and internal teams understand risk, prioritise fixes, and build practical security improvements into the way they deliver technology.

What experiences most shaped your approach to security today?

A few experiences shaped my approach in a lasting way:

  • First, working across a wide range of environments (web, mobile, internal, external, and security testing that includes red/purple teaming) taught me that real security is never just one control or one team. You have to look at the whole attack surface.
  • I’ve learned that the most valuable security work is the work that drives change. That means evidence-driven findings, realistic exploitation paths, and remediation guidance that teams can actually implement.
  • I’ve seen that strong security is as much about communication and trust as it is about tools. Clear scoping, consistent updates during testing, and reports tailored to the audience make the difference between a document that gets filed away and outcomes that materially reduce risk.

How has the threat landscape evolved since you started, and how have you adapted?

When I started, many organisations were heavily focused on traditional application security: web apps, a smaller number of platforms, and clearer boundaries. Today, the landscape has shifted dramatically.

Organisations are now far more aware of advanced, persistent adversaries and attack chains that blend techniques - identity compromise, cloud misconfigurations, social engineering, and lateral movement. At the same time, modern environments have moved towards cloud and SaaS, and now increasingly AI-enabled platforms, which changes what “attack surface” even means.

I’ve adapted by staying hands-on and continuously learning, expanding depth in mobile and web testing, maintaining capability across internal/external assessments, and applying the same attacker mindset to cloud and modern delivery models. I also lean on a combination of manual testing and proven tooling where it adds value, such as Burp Suite, Nessus, and Netsparker, while keeping the focus on real, exploitable risk rather than tool output alone.

What is the most rewarding part of your role? What are you passionate about?

The most rewarding part is seeing the impact of the work, when an engagement results in tangible improvements: reduced risk, better engineering practices, stronger controls, and teams who feel more confident about what they’re shipping.

I’m particularly passionate about high-signal testing and real attacker simulation, work that goes beyond checklists and finds the issues that matter. That includes deep dives into mobile application security, complex web application logic, and realistic scenarios that combine technical vulnerabilities with human and process weaknesses (such as social engineering, where it’s in scope).

I also care a lot about raising the bar through continuous learning and disciplined methodology. I’m an active learner in the offensive security community, and I’ve pursued recognised training and certifications such as OSCP, CRTO and OWASP application security certification, alongside specialist training in red teaming.

What advice would you have for students looking to get into cyber or individuals who want to shift their career towards cyber?

My advice is simple and practical:

  1. Build strong fundamentals. Understand networking, operating systems (Windows and Linux), and how web and mobile applications are put together.
  2. Practise consistently. Hands-on learning matters. Use safe training platforms and labs, and treat it like going to the gym: small, regular effort beats occasional bursts.
  3. Learn to communicate. Technical skill gets you in the door; communication builds trust and influence. Being able to explain risk clearly to different audiences is what accelerates your progression.
  4. Focus on real-world value. Don’t chase “tool knowledge” alone. Tools change, but attacker thinking, disciplined testing, and strong reporting stay relevant.
  5. Pick a niche, then broaden. It’s fine to start with a focus area (web, mobile, cloud) and go deep; just keep widening your perspective over time so you can connect weaknesses into realistic attack paths.

If you’re transitioning into cyber from another field, your prior experience is not wasted - whether it’s software engineering, IT operations, support, or networking. Security needs people who understand how organisations actually run.