Leonard Matara is a skilled penetration tester with over three and a half years of hands-on experience in offensive security and more than five years in the broader cybersecurity field. He began his career as a cyber defence analyst, gaining a strong foundation in threat detection and response before transitioning into pentesting.
Though his academic background lies outside of computing, a passion for technology and a self-taught journey led him into cybersecurity. Driven by a deep curiosity and a lifelong fascination with systems, he believes that breaking things is often the best way to truly understand how they’re built.
We had the chance to sit down with Leonard for an interview, where he answered five key cybersecurity questions on behalf of businesses.
What are some of the top mistakes you see regarding pentest remediations?
“A frequent oversight is the failure to retest after implementing fixes. Organisations may apply patches or configuration changes without verifying their effectiveness, leaving vulnerabilities unaddressed,” says Leonard.
“More often than not, even after an initial fix is applied, we still find exploitable paths due to organisations opting for a ‘quick’ solution or prioritising convenience over robust security in their infrastructure or applications.”
He goes on to explain why OnSecurity’s approach to testing is so valuable. “OnSecurity’s approach of offering clients free retest requests post-engagement enables us to tackle the root cause and deliver a thorough, long-term approach to security.”
Don’t Overlook Low-Risk Findings
Leonard then expresses that the tendency to overlook low-risk findings is another common issue.
“While these may appear minor in isolation, attackers often chain multiple low-severity issues to achieve serious compromises. Understandably, attention is typically directed towards high-risk vulnerabilities, but we frequently encounter cases where a low-risk issue significantly impacts the exploitability of a higher-risk one.”
“For instance, the difference between a straightforward cross-site scripting (XSS) vulnerability and full account takeover can come down to overlooked configurations, for example, the absence of secure session cookie attributes or the failure to implement CSRF tokens correctly.”
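The two configuration gaps Leonard names, missing session cookie attributes and incorrectly implemented CSRF tokens, are easy to check for in code. The following is an added example written for this article, not code from the interview or from OnSecurity: it builds a session cookie in a weak and a hardened form, audits a Set-Cookie header for the missing attributes, and issues and verifies a CSRF token bound to the session with an HMAC (one common pattern; the secret, session identifiers and function names are constructed for illustration).

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Server-side key used to bind CSRF tokens to a session.
# Constructed for this example; a real deployment loads it from secret storage.
SERVER_SECRET = b"example-only-secret-rotate-in-production"


def session_cookie_header(session_id: str, hardened: bool = True) -> str:
    """Build a Set-Cookie header for the session identifier.

    hardened=False reproduces the weak configuration described above: no Secure,
    HttpOnly or SameSite attribute, so the cookie travels over plain HTTP, is readable
    by injected script (XSS) and is attached to cross-site requests.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["path"] = "/"
    if hardened:
        cookie["session"]["secure"] = True      # only sent over HTTPS
        cookie["session"]["httponly"] = True    # not exposed to document.cookie
        cookie["session"]["samesite"] = "Lax"   # withheld from cross-site POSTs
    return cookie.output(header="Set-Cookie:")


def audit_set_cookie(header: str) -> list:
    """Return the hardening attributes missing from a Set-Cookie header string."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header.split(";")[1:]}
    missing = []
    for name in ("Secure", "HttpOnly", "SameSite"):
        if name.lower() not in attrs:
            missing.append(name)
    return missing


def issue_csrf_token(session_id: str) -> str:
    """Issue a CSRF token of the form <nonce>.<mac>, bound to one session.

    Binding the MAC to the session id means a token captured from another
    session, or forged without the server secret, will not verify.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Verify a submitted token against the session that submitted it.

    A constant-time comparison avoids leaking how many leading bytes matched.
    Malformed tokens are rejected rather than raising.
    """
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    weak = session_cookie_header("c0ffee", hardened=False)
    strong = session_cookie_header("c0ffee")
    print(weak, "-> missing:", audit_set_cookie(weak))
    print(strong, "-> missing:", audit_set_cookie(strong))
    token = issue_csrf_token("session-a")
    print("same session verifies:", verify_csrf_token("session-a", token))
    print("other session verifies:", verify_csrf_token("session-b", token))
```

Running the audit over the weak header reports all three attributes missing, while the hardened header passes; the token issued for one session is rejected when presented with another session's identifier, which is the check that a "token exists but is not tied to the session" implementation fails.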
Moderate Your Reliance on Automated Tools
He concludes by noting that too many organisations rely solely on automated tools for remediation, overlooking the nuanced human-logic insights that manual testing provides.
“This has become increasingly common with the growing use of AI, but such an approach often misses complex vulnerabilities that require human judgment and contextual understanding. That’s why striking a balance between automation and human expertise is so critical for comprehensive testing.”
What advice would you give to a business seeking to effectively enhance its security strategy post-pentest?
According to Leonard, after a penetration test, businesses should adopt a systematic, risk-informed approach to improving security. Remediation efforts should be prioritised based on risk, starting with high-impact findings. However, security professionals should not ignore medium and low-risk issues as they may form part of a broader attack chain.
“A collaborative approach is essential, with clear communication between the business and the pentest vendor to ensure a thorough understanding of the remediation steps and their implications. Businesses have diverse and complex needs, which must be aligned with security requirements. In my view, ongoing communication with the penetration tester is invaluable in strengthening the organisation's overall security posture.”
Adopt Continuous Security Monitoring Tools
Leonard highlights that adopting continuous security monitoring tools and practices enables businesses to respond to emerging threats in real-time. “The way the intelligence of current threats is accelerating, it’s crucial for businesses to implement continuous security monitoring tools and practices.” He explains that these tools help identify vulnerabilities before they can be exploited, but also enable real-time detection of emerging threats such as zero-day attacks, phishing attempts, or unusual network activity.
A proactive approach, where monitoring is in place 24/7, allows organisations to respond quickly to potential incidents, reducing the impact of any security breaches.
Education is Key
“If I could reiterate one thing, it would be to educate internal teams on common attack patterns, secure coding practices, and the importance of timely patching.
A well-informed internal team is one of the most effective defences against cyber threats. Educating employees, especially those involved in development and IT operations, on common attack patterns such as phishing, SQL injection, and cross-site scripting (XSS) can reduce the likelihood of successful attacks.”
“Also, training on secure coding practices ensures that vulnerabilities are avoided during the development process, making the application more resilient from the outset.”
He summarises that enforcing a culture of timely patching within the organisation is vital. Regular updates to software, systems, and dependencies can close security gaps, preventing cybercriminals from exploiting known weaknesses. By implementing a proactive security mindset, businesses can reduce their exposure to threats while creating a more secure environment.
How do you stay up to date with new vulnerabilities or techniques?
“Keeping up to date isn’t easy. It involves a proactive combination of continuous learning, hands-on practice, and active community engagement,” Leonard says. “I prioritise staying informed by regularly attending industry-leading cybersecurity conferences and webinars whenever possible. These events offer valuable insights from experts and allow me to network with peers and learn from real-world case studies and emerging trends. In addition, I subscribe to various threat intelligence feeds, which keep me up to date with the latest threats, vulnerabilities, and attack techniques.”
Keep Sharp with Gamified Learning
“To complement this, I believe in the importance of hands-on experience, which I actively pursue through platforms like Hack The Box and TryHackMe. These platforms offer a great way to apply theoretical knowledge in a practical, real-world environment, constantly challenging me to solve complex security puzzles and sharpen my skills.”
“I also prioritise ongoing professional development through courses and certifications, which help me deepen my expertise and stay competitive in the field.”
Join the Infosec Community!
Beyond formal learning, the cybersecurity community plays a crucial role in Leonard’s and the entire pentesting team’s ongoing education.
“The infosec community is incredibly resourceful, constantly sharing blogs, articles, videos, and new techniques. By actively participating in professional forums and engaging with fellow experts, I can exchange knowledge, discover better ways of doing things, and learn about new tools and methodologies that help keep my skills and strategies fresh.”
What’s a common security mistake you see companies make over and over?
Leonard pauses to think. “A recurring issue is the lack of comprehensive asset management within organisations. Many businesses maintain incomplete inventories of their digital assets, leaving systems unmonitored and unpatched. This oversight extends to the application layer as well, where we frequently discover vulnerable areas that developers or clients have forgotten about.”
I ask him how clients react when pentesters report these findings. “Honestly, they’re often surprised when we report these findings, as these assets are sometimes entirely overlooked in their scope. These forgotten areas are not typically included in penetration testing scopes and can easily be missed.”
Continuous Client Engagement: The Key to Robust Asset Management
“These kinds of gaps in asset management create significant security risks, as they leave potential entry points open for attackers that have not been tested or secured.”
I’m curious: how can clients overcome this?
“Well, take our platform for example. What clients like so much about it is its ability to facilitate close collaboration with clients throughout the engagement. Whenever we (the pentesting team) identify unscoped assets or areas, we can immediately flag them, ensuring that no vulnerabilities are left unaddressed.”
What he’s referring to is OnSecurity’s real-time reporting feature, which enables immediate feedback between clients and their pentesting teams. You can read more about OnSecurity’s real-time reporting feature, as well as our other features, here.
“This approach helps to mitigate the risk of overlooking critical components, offering more thorough coverage and ultimately strengthening the organisation's security posture.”
Beware of Testing Simply to ‘Tick Boxes’
“Additionally, many companies rely excessively on compliance checklists, mistakenly viewing them as sufficient security measures. While compliance with industry standards and regulations is undoubtedly important, it often provides only a baseline level of security and can give organisations a false sense of confidence.
“Simply ticking boxes to meet compliance requirements doesn’t necessarily mean the organisation is resilient against sophisticated, real-world attacks. Compliance frameworks are often static, and may not account for emerging threats, advanced attack techniques, or vulnerabilities that are specific to the organisation’s unique infrastructure.”
What’s the most outdated practice you still see in enterprise environments?
“One-off, annual penetration testing is still a common but outdated practice. Relying on a single penetration test conducted once a year or only after major changes in the infrastructure fails to account for the myriad of cyber threats. Cybersecurity is not static, and the threat environment constantly shifts, with new vulnerabilities, attack techniques, and exploits emerging regularly.”
This fixed approach to testing causes a false sense of security for organisations, exposing them to threats between tests. Attackers are continuously developing and refining their methods, often targeting new vulnerabilities before organisations can address them.
“Penetration tests should be conducted on an ongoing, as-needed basis, particularly whenever there are significant changes in the infrastructure, application features, or systems. Adopting a more dynamic approach to testing, one that aligns with the pace of change in the organisation, helps ensure that security remains robust and resilient against emerging threats,” Leonard concludes.
Thank you for taking the time to answer our questions, Leonard!