Ctrl In Focus: Meet Agnes, Head of Penetration Testing
Brand, Penetration Testing 04.09.25
Agnes is ctrl:cyber’s Head of Penetration Testing, and has built an environment where curiosity is encouraged, feedback is honest, and growth is personal. The result is a team culture that thrives on collaboration and client engagements that go beyond technical findings to deliver real value.
In this Q&A, Agnes shares what drives her, her approach to mentoring and growth, and why offensive security is about more than ticking a box.
Q. Let’s start with your role. What does leading the Pen Testing team at Ctrl actually look like day to day?
A. On a good day I get to do about four hours of uninterrupted testing, which is honestly the best part. But most days, I’m jumping between scoping calls, engagement kick-off meetings, pre-delivery Quality Assurance reviews for reports, and internal team catch-ups.
Q. You started at Ctrl as a Penetration Tester and now lead the team. What’s helped you grow into that leadership role and what’s stayed the same about how you approach the work?
A. I think it was the attitude of taking initiative and wanting to improve things. If something wasn’t right, I was eager to fix it or ask questions about it. Day to day, my main goal wasn’t just to complete my tests but improve the quality of our delivery services and efficiency of our internal processes. Just as important though, is being in an environment that recognises potential and supports it. I was given this opportunity because Ctrl saw potential in me, and I am grateful for that.
Q. You lead a high-performing team. What’s your approach to mentoring or developing emerging talent in offensive security?
A. Understanding each person, how they learn, and what they are good at, and then giving honest feedback and guidance based on that. Everyone learns differently. Some people prefer taking courses and being guided before trying something new, while others like to jump straight in and figure things out as they go. Some are hands-on and learn by doing, while others are more theoretical and need to understand the “why” behind everything. There’s no one-size-fits-all approach and once you understand that it becomes a lot easier to shape clear development plans and goals that actually work for the individual.
Q. How do you keep sharp in such a fast-moving space? Any habits, tools, or team rituals that make all the difference?
A. It’s the passion and curiosity for the field that helps me personally; I often find myself going down rabbit holes trying to learn about a certain topic or reading blogs, writeups, or the latest news just out of genuine interest. Information sharing within the team also plays a big role, especially in a talented team like Ctrl with varying skillsets, interests, and knowledge. I always encourage my team to reach out and ask others questions and not shy away from that. We do daily stand-ups to make it easier and to share anything interesting that has come up through testing or latest attacks we’ve seen.
Q. When working with a client, what’s front of mind – and what makes a great engagement?
A. The client – what they need, what they’re worried about, and what in their environment appeals to threat actors. Some know their attack surface and crown jewels, so it’s just about recommending the right engagement. Others are less cyber-mature, so we explore that together and tailor an approach that fits their needs, maturity, and budget.
Findings are always the main goal, but the client also needs to understand their risks and how to remediate them. That means collaboration; whether it’s calls during testing, post-delivery support, or rounds of retests. If the environment is more secure and the client feels supported, that’s a success.
Q. What do clients often misunderstand about penetration testing, and where do you see the most growth?
A. For a long time, pentesting was just a compliance tick-box. Better than nothing, but not enough. Real value comes when it’s ongoing. I try to help clients shift from a once-a-year, 30-day test that dumps a long remediation list, to smaller, regular checks — after major updates, migrations, or through monthly vuln scans. It keeps them on top of things and makes the annual test far less overwhelming.
It’s less about industry and more about awareness and priorities. Finance and tech are generally more mature, with strong internal teams and clear motives to invest. They’re moving from standard tests to bigger engagements like red and purple teaming. Healthcare and education are catching up but still have ground to cover.
Q. What’s your favourite type of engagement? Is there a particular style or scenario that gets you excited to dive in?
A. Web and Mobile Applications – there is always so much to uncover there, especially when you start diving into business logic flaws as it varies with every test. There is nothing as exciting as making an application do something it’s absolutely not meant to do, or buying things for free – feels like a superpower or magic trick.
Q. What’s the most rewarding part of your work?
A. On a personal level, it’s the enjoyment of doing what I do – I genuinely enjoy the work and find it so interesting, I can get lost for hours. On a more communal level, knowing that I am helping orgs identify blind spots in their environment and providing practical remediation advice. The appreciation we get from clients for highlighting attacks or risks they never knew existed or were possible is always the best.
Q. Outside of Ctrl, what can we catch you doing? Any hobbies, routines, or unexpected talents we should know about?
A. A sport of some kind for a much-needed serotonin boost and some movement – I enjoy CrossFit, pole acrobatics, bouldering, and a bit of running as well. I also happen to have a talent of being able to fall asleep anytime anywhere, so I could also be doing that – depending on how my day was.
Agnes doesn’t just lead by example but builds people up, brings curiosity to every engagement, and keeps the team moving forward. Her impact is a reminder that leadership is about more than a title; it’s about setting the standard and lifting others along the way.