UniversidaddeCádiz

Winning an ethical hacking competition is not only a matter of technical knowledge, but also of methodology, intuition, and the ability to solve problems under pressure. Pedro José Navas Pérez, a student at the University of Cádiz who has emerged as the winner of the Capture The Flag competition at the SecAdmin 2025 conference, represents a new generation of cybersecurity specialists trained at public universities. In this interview, he addresses key issues related to the work of ethical hacking professionals, the role of UCA in his education, and his views on the current and future challenges of digital security.

You recently won the Capture The Flag competition at the SecAdmin 2025 conference on ethical hacking. The concept of ethical hacking still generates some confusion outside the technical field. Do you think there is a lack of social awareness about what it really is and why it is so necessary today?

Absolutely. The stigma that associates hackers with criminals still persists, when in reality our work is based on a principle of proactive defense. The idea is simple but powerful: instead of passively waiting behind our walls for an attack to occur, we move ahead to identify and neutralize threats before they strike. Ethical hacking is, essentially, quality control taken to the extreme. Just as in industry a product is subjected to stress tests to ensure it will not fail in the worst-case scenario, we “crash” digital systems against simulated attacks in order to strengthen them. We are not the attackers; we are the team that tests the resilience of the structure so that, when a real attack comes, it finds no weak points.

For citizens, this work is critical. In a geopolitical context in which cyberspace has become established as the fifth domain of warfare, ethical hackers are responsible for ensuring that the systems sustaining everyday life—from electricity supply to the privacy of our data—are resilient. It is a necessary preventive task to ensure that the digital environment is safe for everyone.

What does it mean to you to win a competition of this level at a leading cybersecurity conference and to receive its emblematic katana?

On a personal level, it is an incredible source of pride. On the one hand, it meant a lot to me because it brings me a bit closer to Ángel Suero Campano, who has been one of my role models. He has won this distinction twice, and for me it was a personal challenge to reach that level. In addition, the fact that the trophy is a katana amused me because it reminded me of my years practicing Aikido. In the end, martial arts and CTFs share something fundamental: training, discipline, and staying calm when things do not go as planned. It is a detail that meant a lot to me because it connects my youthful interests with what is now my profession.

Before this competition, you had already achieved victories in other events such as Talent4Cyber and national and international CTF competitions. What specific lessons have those previous experiences taught you?

They taught me how to combine instinct with discipline. With experience, you develop a certain technical “nose”: you learn to identify patterns and intuit where the vulnerability lies as soon as you see the challenge. But I also learned the hard way that instinct without structure is useless. In my first competitions, I wasted a lot of time trying things chaotically, and from that I learned the importance of having a strict working methodology. I learned to document in real time what I am doing—if you do not write down what you have already tried, you end up repeating mistakes. That mix of quick intuition and orderly execution was key at SecAdmin, where technical problem-solving had to be combined with writing and submitting reports.

How has your education in the Master’s Degree in Research in Systems and Computer Engineering and your undergraduate studies at UCA influenced your preparation for these challenges? Which aspects of your training do you consider most valuable?

To be completely honest, when I won the competition I had only been in the Master’s program for a few weeks, so the technical preparation for this event came from my undergraduate degree and a lot of self-learning. However, what the Master’s is giving me now is a fundamental research perspective: it allows me to see how different technologies are applied in research and enables me to explore new alternatives.

The technical foundations were really built during my Bachelor’s degree. Looking back, there are courses that were key: Networks and Operating Systems are the basis of almost everything. Then there are others, such as Computer Architecture, which gave me the theoretical grounding to tackle much more complex challenges. Obviously, the goal of the Bachelor’s degree is not to teach you how to hack. It is about acquiring a comprehensive view of engineering: advanced algorithms, databases, distributed systems, among many other things. In the end, understanding how these systems are built is an essential prerequisite for later being able to look for vulnerabilities.

There is also another crucial factor I take away from my degree: the ability to go to the original source. During the Bachelor’s program, you are often forced to solve problems by reading official technical documentation or complex bibliography—a habit that is unfortunately being lost due to the overuse of quick tutorials and AI. That discipline makes a difference, because it reminds us that engineers are here to build solutions, not to copy them.

“The image of the isolated hacker is no longer real; cybersecurity is, above all, a team sport”

Cybersecurity is a very demanding and constantly evolving field. What technical and personal skills do you think are most important to succeed in this area? What competencies are essential today beyond purely technical knowledge?

Technically, the key is having solid fundamentals. Many people who try to enter the field become obsessed with mastering every option of a specific tool without understanding what is really happening “under the hood.” Tools change every year, but if you understand the underlying logic, you can adapt to whatever comes next.

On a personal level, I believe success depends on a key triangle: insatiable curiosity, to avoid becoming obsolete and to stay motivated to understand what lies behind every system; lateral thinking, to look for solutions outside conventional logic where others do not look; and bomb-proof persistence, because in this job you fail many times before finding the key.

Finally, I would add communication and collaboration. The image of the isolated hacker is no longer real; cybersecurity is, above all, a team sport. No one knows everything, and today we need to rely on colleagues and be able to explain why a technical finding represents a risk to a non-technical audience. That mix of technical mindset, collaboration, and communication is what defines the modern professional.

During your career in cybersecurity competitions, what has been the most difficult challenge you have faced?

It is difficult to choose just one, because difficulty has many dimensions. In terms of infrastructure and coordination, without a doubt, Locked Shields. Without going into details due to the military nature of the exercise, the scale of the deployment is overwhelming. In that context, the challenge goes far beyond the technical aspects: it demands soft skills related to communication and crisis management under pressure—skills that no laboratory can teach you.

In terms of pure technical intensity, I would highlight the period of international competition with my team, Flaggermeister. Although we are currently on pause, I vividly remember being at four in the morning with four or five teammates, all of us fighting in parallel against a single web challenge. I do not recall the exact name of the CTF, but I do remember the surprise when reading the write-up two days later: the solution involved a zero-day vulnerability in the web proxy. That level of demand is brutal and requires sacrificing a great deal of personal time, but the satisfaction when you finally solve it is unmatched.

If we talk about a specific technical challenge that truly pushed me out of my comfort zone, I would mention the Faraday machine on Hack The Box. It was particularly complex because it combined binary exploitation, web exploitation, and forensics in a single scenario. Currently, I am immersed in a hacking lab focused on industrial environments (OT), also offered by Hack The Box. It is not that it has an “insane” level of difficulty, but it forces me to learn something new with every step I take. In the end, difficulty is a matter of perspective: what today seems like an impossible mountain, tomorrow—once you have the right knowledge—looks much smaller. The important thing is to never stop climbing.

In today’s hyperconnected society, cybercrime is increasingly common. Is there any real possibility of preventing it? What is the best way to reduce the risk?

We have to be honest: zero risk does not exist. Absolute security is a myth. The real question is not whether cybercrime can be prevented 100%, but how we can manage risk to minimize it. The most effective form of prevention lies in understanding that, today, the most frequently attacked link is the human one, not the machine. For a cybercriminal, it is much cheaper and easier to trick a person into giving up their password than to break a complex encryption system.

This is evident in many of the data breaches and large-scale attacks we see in the news. In many cases, when we analyze the kill chain, the initial entry vector is social engineering or credential reuse. That is why the most effective defense is a combination of “digital hygiene” and education. From a technical standpoint, basic measures such as enabling two-factor authentication (2FA) and keeping systems up to date close the door to most opportunistic attacks. From a human perspective, we need to develop a healthy skepticism: learning to verify before trusting, and to pause before clicking.

Looking ahead, what professional goal would you like to achieve in the field of cybersecurity? Would you like to focus on research, industry, or another area?

After almost five years in industry, I realized that the work often focuses on immediate results and on repeating established methodologies, frequently driven more by regulatory compliance than by a deep pursuit of security. I felt that I was stagnating. I found myself at a crossroads: in order to find the technical challenges I was looking for, my options were either to join a Red Team or to move into research.

What tipped the balance was the environment. Being surrounded by PhD candidates with very strong technical profiles made me realize that academia is the ideal place to generate new knowledge and tackle complex problems without the constraints imposed by the market. Since teaching has always motivated me as well, I felt that this was where I belonged. For that reason, my goal is clear: after completing the Master’s degree, I will begin a PhD focused on Cybersecurity and IoT, where I can combine in-depth research with the training of future professionals.

Beyond academics, what has your time at the University of Cádiz meant to you on a personal level? What memories or lessons will you carry with you forever?

Beyond academics, what I truly take with me is the human quality of the people who have accompanied me along the way. I must mention three professors who have been fundamental: Antonio Molina, Juan Boubeta, and Roberto Magán. With Roberto, I have a very special memory of having created Colors, the school’s first CTF team, together before he moved to the University of Granada; it was a very meaningful early stage.

Antonio was one of the people “responsible” for my fully committing to this field. I remember showing him a RootMe challenge—something related to Bluetooth, I think—and he was one of the first to encourage me to take cybersecurity seriously. Juan has been my main support within the department, giving me the key opportunity to work as his Student Collaborator.

My relationship with Antonio and Juan has gone far beyond the classroom. Yes, they supervised my Bachelor’s thesis, we wrote papers together, and Juan will be my PhD supervisor, but for me they are a major source of support in this field. They have accompanied me to conferences, celebrate every victory as if it were their own, and support each of my projects. That is what I take with me: having gone from being a student sitting at a desk to feeling that I have their backing at every step.

And, of course, I have not walked this path alone. My classmates have been a very important part of the journey; without them, it would have been very different. I may forget someone, but there are people who marked every stage. Roldán, Lagares, Barquín, Raúl Arcos, Teresa, and Álvaro have been my friends since the beginning—support that went far beyond exams. In the specific cybersecurity path, Alejandro and Carlos have been my inseparable travel companions. With them, I have traveled across half of Spain; they are part of my CTF team, and I share victories and moments with them. And now, during the Master’s program, Carlos, Iván, Diego, and Alberto share my outlook on many things and have been an incredible source of support. In the end, that is what university is about: the people you grow with and with whom you begin your professional career.

What advice would you give to other UCA students who are interested in getting started or advancing in cybersecurity and technical competitions?

They should lose their fear of breaking things. Cybersecurity is a practical craft; it is not learned just by reading slides. I would tell them to build their own labs, to make mistakes, and above all, to seek out a community. This path is very tough to walk alone.

That is precisely why I encourage them to get involved with UCAnHack, our student association. This year, we are promoting the creation of a new CTF team to carry on the legacy of what once began with Colors. We want to revive that spirit of competition and camaraderie, creating a space where we can train and learn together. Joining initiatives like this accelerates your learning exponentially, because you learn from how others solve problems.

“Dispensing with the human factor is extremely costly, because when it comes to understanding complex business logic or responding to a critical incident, AI will not save you. Engineers will.”

In the current context, marked by the rise of artificial intelligence, how do you think it is changing—or will change—the work of cybersecurity professionals and ethical hacking?

I see it with optimism, but also with caution. AI is here to optimize time, but it will not perform miracles. In day-to-day penetration testing, there is a great deal of tedious work, such as writing reports or running automated tests. In that area, AI is a perfect ally to automate part of this “technical bureaucracy” and free up time for deeper analysis. A clear example is using AI to quickly translate a complex technical explanation into more accessible language for a client.

From a technical standpoint, AI should be seen as just another tool in our arsenal, much like vulnerability assessment scanners (VAS). They help, but they do not replace an engineer’s judgment. In fact, hacking requires lateral thinking and the ability to deviate from the script—something AI simply does not have. It is true that we are seeing companies make the strategic mistake of reducing human teams while blindly trusting automation. However, reality usually puts things back in place: dispensing with the human factor is extremely costly, because when it comes to understanding complex business logic or responding to a critical incident, AI will not save you. Engineers will.

In recent years, there has been increasing discussion about the rise in cyberattacks against public institutions and strategic companies. From your point of view, are we technically and educationally prepared to face this scenario?

First, we need to understand the geopolitical context: Spain is not neutral. We are a key ally of NATO and the European Union in recent conflicts, and that has consequences. By taking a position, we become a direct target for powers with very advanced offensive cyber capabilities, such as Russia or state-sponsored groups.

That said, I would like to highlight the excellent work being done within the public sector. Alignment with the guidelines of the CCN-CERT is raising the maturity level of public administrations, and the coordination provided by INCIBE and the CSIRT network is essential. I have experienced this firsthand: I have reported vulnerabilities to official bodies—including the University itself—and the response and handling were highly professional.

The problem is not a lack of talent. I know for a fact that there are brilliant professionals on the front lines. In fact, some of the most highly trained people I know currently work at INCIBE or at critical operators such as Iberdrola. The real challenge lies in the structural asymmetry of our work. It is an unfair race: defenders have to get it right 100% of the time, every minute of every day. The attacker, however, only needs to succeed once to cause a disaster.

Which types of threats do you currently find most concerning: ransomware, social engineering, massive data breaches, or attacks on critical infrastructure? Why?

Without a doubt, attacks on critical infrastructure. Other threats have a primarily economic impact, but here we are talking about consequences in the physical world. A realistic scenario that concerns me greatly is a cyberattack on the power grid. Stuxnet already demonstrated that code can cause physical destruction, and the TRITON malware specifically targeted human safety systems in industrial plants to provoke disasters.

We should also not forget cyberattacks on railway networks, where attackers managed to stop trains in the middle of the tracks and paralyze the logistics of entire regions. One has to consider what might have happened if, instead of stopping them, they had prevented them from stopping at all. If we add to this the instability shown by the European power grid last May, the risk becomes evident. If control systems (OT) are compromised, within hours it is not just electricity that is lost—traffic lights, water supply, and hospitals also fail. The security of these systems is the focus of my doctoral research, because a failure in this area can cost lives.

As a young specialist in cybersecurity, what role do you think public universities, such as the University of Cádiz, should play in training professionals in such a rapidly changing market?

For me, public universities are a fundamental pillar, and I am a strong supporter—albeit with some nuances—of their model. Their role cannot be to become “employee factories” that teach the fashionable tool demanded by the market today and rendered obsolete tomorrow. For that kind of fast, purely instrumental training, bootcamps already exist.

I believe the right balance for universities lies in investing in formats such as microcredentials. They are the perfect tool to offer the rapid technological updates that industry demands, without sacrificing the depth of official degree programs. The mission of public universities must be to democratize access to complex knowledge. They must teach the fundamentals of engineering, the science behind technology, and, above all, how to think.

The market changes quickly, yes, but the principles of operating systems, networks, or algorithm design do not change every year. If the university provides that solid foundation and teaches students how to conduct research, it gives them the freedom to adapt to whatever comes next. The role of UCA is to train engineers with independent judgment and adaptability, not mere tool operators. That excellence and rigor—accessible to everyone regardless of their economic means—is what we must protect.

“There are many more ways to combat illegal practices without violating the fundamental rights of all citizens or exposing them to massive data leaks”

In a context of increasing digital regulation and growing concern about privacy, how can cybersecurity be balanced with the protection of users’ rights?

Honestly, I believe we are being presented with a false dilemma. Initiatives such as “Chat Control” simply use security as a pretext for invasive surveillance of citizens. Under the excuse of protection, technical measures are proposed that involve breaking end-to-end encryption. As a technical professional, I have to be unequivocal: there are no secure backdoors. The moment you force a vulnerability into a cryptographic system so that law enforcement can “look inside,” you are creating a hole that cybercriminals or foreign powers can also exploit.

You cannot legislate against mathematics. Weakening encryption does not stop real criminals, who will simply use their own tools outside the law. What it does achieve is exposing the privacy of the general public. There are many other ways to combat the illegal practices being pursued without violating the fundamental rights of all citizens or exposing them to massive data breaches.

Spain and Europe increasingly speak about digital sovereignty. From your experience, do you think this goal is realistic in the short or medium term?

Realistically, in the short term it is a utopia. It is quite ironic to hear constant talk about “European Digital Sovereignty” when the vast majority of computers in public administrations and critical infrastructures depend on Microsoft Windows. In the end, we are building our so-called sovereignty on a foreign, proprietary operating system. As long as the foundation of our operations is a “black box” that we do not control, that independence is purely fictitious.

This is where, as a strong advocate of Free and Open Source Software, I believe the key lies. You cannot have real sovereignty over software that you cannot audit or modify. If a public institution uses proprietary code, it does not have control—the vendor does. I would like to clarify an important point: I am not saying that code is secure simply because it is public; open-source software also has vulnerabilities. The fundamental difference is the capacity for auditing. With free software, we have the power to review every single line to ensure that it does nothing “unexpected,” and the freedom to extend or fix it according to our needs without depending on a third party. That ability to exercise full control is what truly defines digital sovereignty.