Behind the Scenes with Justin, Director of Red Team
Building vulnerability management, compliance, and patching are all important capabilities that help keep Adobe products and services secure, but it’s equally imperative to have our own in-house security experts proactively pressure-test the attack surface from an adversary perspective. Together, Adobe’s dedicated Red Team and offensive security teams play an integral role in protecting the company from real-world attacks by leveraging their expertise in breaking through defenses.
In this blog, we’ll take you behind the scenes to meet Justin, Director of Red Team, to learn more about his career journey and what he enjoys most about working at Adobe.
Tell us about your career journey and background. What initially got you interested in cybersecurity?
Back in high school, I took a computer class on HTML as a part of a career building program. After finishing all the curriculum content early, my teacher gave me a book about the C programming language. I began copying the code from the book and attempting to compile small programs. Once I finished the class, I decided I wanted to explore more about coding, so I started seeking more resources. I ended up discovering Internet Relay Chat (IRC), a place where people discussed various topics, including programming. During my time at IRC, I naturally found myself learning about security topics related to programming.
After working in various food and retail jobs for a couple of years, I found a way to break into the tech industry by getting my first tech job at Geek Squad, doing PC repairs and selling networking equipment. While working at Geek Squad, a private military contractor in a corporate office hired me to provide technical support for the helpdesk. This is where I first heard the term “penetration tester” — I could not believe that getting paid to hack networks was a real job!
After further researching the term, I began relentlessly studying to teach myself everything I could possibly learn about the topic. During this time, the penetration testing community also grew significantly, as many practitioners began posting public research and techniques they used to perform their jobs. Taking advantage of these free and publicly available resources combined with additional hands-on learning ultimately helped me prepare myself for a Red Team job without needing any formal certifications or training. This is where my career kicked off.
A few years later, I left a systems administration position for my first job on an emerging Red Team at Intuit. As its first member, I learned how to translate my knowledge into real-world, hands-on experience. Soon after, I took an opportunity at Microsoft, where I spent a year conducting application security code reviews, followed by four years working in the services pentest group, where I grew my skills in Red Teaming by both participating in and leading operations.
It’s now been two years since I joined Adobe, and I’ve had the amazing opportunity to build our Red Team from the ground up!
What do you enjoy most about your current role?
As the director of the Red Team, I head the planning and execution of Red Team campaigns, lead large-scale offensive security automation efforts, and manage security testing company wide. I have the privilege of providing opportunities for passionate security professionals to work with our offensive security teams to help make a big impact on Adobe’s ability to reduce risk. Having personally enjoyed my time working on offensive security teams in the past, I find a lot of fulfillment in helping others move their careers forward.
It’s energizing and fun to be able to make a significant impact on the company by being the “best adversary” to Adobe. The Red Team, for example, spends a significant amount of time performing shift-right testing and typically reports a small number of security issues compared to other security teams. However, because of our unique strategy and the amount of time we invest into each of these issues, most — if not all — of them have been rated as critical findings. The Red Team also works closely with our detection and response teams to improve Adobe’s ability to defend against real-world threats. I’m incredibly proud of how much the Red Team has been able to grow and accomplish over the past two years.
I’ve also had a lot of fun creating a joint strategy with multiple offensive security teams. Our pipeline is a collaborative effort that helps identify high-risk issues and leads to the opportunity to work with service teams across the company. Every single one of my teams impresses me daily as they tackle the most challenging problems and continually discover innovative solutions.
What is your favorite part about working at Adobe?
The Adobe culture is by far my favorite part about working at Adobe. The freedom to be creative runs deep and seeps into all aspects of the company, and I truly feel like I’m able to be my genuine self every day. Thoughts and opinions can be expressed freely and often lead to greater outcomes. While building a Red Team from scratch, we were given plenty of room to experiment with implementing traditional Red Team philosophies while also incorporating changes to adapt to modern enterprises.
For example, our offensive security team takes a unique approach to testing where we work closely with our partner team, adversary intelligence, which helps collect and correlate data to better understand attacker behaviors. This collaborative approach helps us move from what an attacker “could do” to what attackers “are doing” — and helps focus our testing efforts on attacks that are most likely to occur and will make the most impact.
What is one piece of advice you would give to someone interested in pursuing a career in cybersecurity?
Know where you’re headed by having a role or job in mind. Knowing which job you want to pursue will help you tailor your skills and training to that role. Look for jobs online that match your desired title and take note of the job requirements. Doing this is a way of “reverse engineering” — reverse the outcome to extract the skills required for the job so you can learn them in advance.
Additionally, find a way to publicly demonstrate your skills. You can achieve this by writing a blog, creating videos, or contributing to a public source code repository. In my opinion, nothing stands out more than showing what you can do.
Finally, what is one thing people would be surprised to know about you?
Many people may not know that I’m a big fan of Nintendo! I have a collection of games and systems from the 3DS era. Most evenings, you’ll find me playing Nintendo Switch. I have over 600 hours played on Animal Crossing, and recently, I’ve been spending most of my time playing Splatoon 3.
