AI, Hacking & Mentorship: A Conversation with Betta Lyon Delsordo

Betta is an accomplished application security penetration tester at Coalfire, a dedicated cybersecurity mentor, and a true leader in the community. I had the privilege of speaking with Betta about her inspiring story and adventurous career.

Read on to hear her thoughts about:

  • Transitioning from web development to application security
  • Mentoring and cybersecurity education
  • Certifications and degrees
  • Artificial Intelligence
  • And more!

Hi Betta! Please introduce yourself and share a bit about your background.

Hello! I'm Betta and I'm currently an Associate Application Security Pen Tester at Coalfire. I specialize in web, cloud, AI, and API hacking. And my journey started all the way back when I was 13.

I started teaching myself to code. And for some reason, I chose JavaScript as my first language. I think I thought it sounded cool, the name maybe.

But I got into web development that way and I started building apps too. I got my Android developer license when I was like 15 and I made a very silly little app. But in high school, I started building websites for small businesses.

I got involved with a group of women entrepreneurs in my hometown of Montana. And they all wanted me to help with their websites. And that kind of grew into my own little web development business that I did through high school and college.

Eventually though, they started asking me security related questions like, “how do I keep bots off my website?” and “how do I make my passwords better?” And I was like, I don't know.

So I started learning these things and also looking back at my own code and being like, actually, I don't think I know what I'm doing in terms of application security. I began teaching myself and discovered ethical hacking and even tried to hack some of my own things. And I was like, this is way more fun! And once you've gone offensive, you can never go back because you start doubting everything you build and you're like, oh no.

You know, you start thinking so much about the attacks that you can't build anything. So I also went up, I interned with a hacking firm and I was like, this is definitely what I want to do. And I found out I was pretty good at hacking websites because I’ve seen the other side.

Fast forward to today - I just finished my master's in cybersecurity from Georgia Tech. I got into a program through the NSA where they paid for a bunch of certifications. I did an internship with KPMG and another as a learning assistant in graduate school. And then, yeah, I'm in this current job and still learning, getting very involved in AI and doing some projects around that as well.

A very happy Betta at DEFCON

That's super exciting! Speaking of web development and coding, was that a pretty simple transition going from development to application security or were there any obstacles you encountered?

It was kind of natural for me because everything has been mostly self-taught, following my own curiosity, and doing what was needed in order to learn. And I think it was just the way I learned coding because I was curious and I started learning about websites because I was curious. I also started learning about security that way.

It was just a matter of Googling things, watching videos, finding tutorials, and learning things. But I think it also kind of broke up some misconceptions about coding because it's like, oh, it's just easy. You can just do this.

But honestly, it made coding so much harder now that I had to think about security every single time. I'm like, oh, my God. Now I have to research this.

Every single line of code that I write, I have to think about if it is secure. And in my computer science degree in my undergrad, also realizing that a lot of stuff I was being taught in class wasn't secure and having to be able to speak up in class and be like, actually, this is not the way you should do this.

And also realizing that most developers out there aren't taught anything about security. It's not necessarily people's fault that they write insecure code. They just have never had that education.

Fortunately, I think it's really easy to educate yourself. It just takes time and motivation because unfortunately, no one’s going to hold your hand and teach you. You kind of have to teach yourself.

So, that was sort of the moral there :)

Jason: Nice! That's a really good point. I went through an undergrad computer science program as well. And yeah, I didn’t know anything about security. It was all low-level programming.

Speaking of teaching, I know you're very active online. You're an active mentor and advocate for cybersecurity. What motivated you to give back to the community and join all these groups?

I'm super involved with getting more girls and women into technology because I want to be the mentor that I didn't have when I was thirteen and trying to get into this. I didn't even know ethical hacking was a thing until I was far into my tech journey. And I just want to be a role model and mentor to anyone who's trying to get into this.

Also, I really believe in placing myself in a chain of mentorship. Having people that I can look up to and learn from and understand how to get to the next place in my career and then pass that information on to others.

For eight years now, I've been a mentor in the Technovation Challenge, an international competition where teams of girls build apps or AI models to solve community problems. I've had two teams make it to the international semifinals!

Recently, I spoke at the global celebration this summer to kind of encourage everyone to keep on their projects. And it's something I really care about. I'm really involved.

There's so many wonderful organizations out there like Rewriting the Code, Women in Security and Privacy, Women in Cybersecurity, Women's Society of Cyberjutsu. I try to do what I can to give back because I think it's really important.

I always say that cyber security, especially hacking, is like a superpower. It can be used for good or for evil. And we need people from everywhere and all backgrounds and all types of people to have that power to protect their communities.

If it just stays in the hands of a few people, we're not doing the most good. So, I think it's really imperative that everybody learns about cyber security. Because when you learn about it, you go teach your friends and your family some basic stuff that makes them more secure.

Betta and colleagues at a Women in Cybersecurity Event

Do you recommend people learn how to code before pursuing a cybersecurity role?

I think it really depends. I think you don't have to, but if that's where your background already is, it'll help you. I think one thing that I always try to teach people is that cyber security is so broad, you can't specialize in everything.

You have to have a specialization - especially when you're talking about finding a job.

You have to be able to say, “I'm good enough at a specific skill to do that every day professionally”. And if you've just done a tiny bit of everything, something from incident response, something from policy, something from application security, I think it's not enough.

So, I think picking your specialization early and being able to say, I'm really good at secure coding. Or I'm really good at reverse engineering. I'm really good at analyzing cyber laws.

Whatever it is, it doesn't have to be any one thing in particular. But whatever's of interest to you and whatever you're willing to put that much time into and get good at, it's all good. For me, that was secure coding, application security, because I already had that background.

But it could be anything. Whatever interests you.

How can cybersecurity professionals utilize artificial intelligence in their day-to-day career to be more productive?

AI is something I’m super passionate about and I'm trying to incorporate it into everything I do. 

I recently did a research project where I used AI to improve our secure code review process at Coalfire. Being able to use an LLM, such as generative AI, to analyze code review results, they usually have a ton of false positives and are not very specific. It just takes us a lot of manual time to go through them.

Assisting my team with more information about what to focus on, being able to chat with an AI about specifically, tell me more about this, and then generating text like, provide some remediation instructions for the report, or give me some examples of CVEs that might apply to this, or explain the severity of this. And I think that's what AI has to be able to do - those manual things that we do as pen testers that are kind of wasting our time, such as writing reports, copy pasting things, searching through lists of output - the AI can do that so much faster. We're just going to have to evolve to do that.

So I'm excited to see what everybody else comes up with. I did a presentation at my company about how I built this, and everybody had so many more ideas, like, I want to do this when I'm looking through logs, or I want to do this, look through all my notes of all the tips that I've written down. And I think everybody knows there's that one thing that you do and you hate, and it's really manual, and you just want to speed it up.

Do that with AI. And it's actually much easier than I thought. I'm studying right now for the AWS AI certification, and learning about all the different AI services that they have.

They made it super easy. You don't even need to know how to code. You can just basically drag things together, kind of like the app builders that I use for the girls that I teach.

You can essentially place the puzzle pieces together and now you have an AI application! I would encourage anyone, if you're even curious about it, just go look at it, and there's so many different levels of depth and customization. 

I’m also really invested in learning how to attack AI and I've been doing a lot of prompt injection testing. And for that, what's been interesting is to find that the really malicious, obvious prompts are usually blocked, because most people are starting to add filters and other defenses, so you have to be a little bit creative with your bypasses. 

For example, what's something that a company might not want their AI to say, but isn't totally malicious? Like, say something bad about the company in an indirect way, or reveal some information about the model: how it was built, how it was developed, what kind of things it was supposed to not talk about. I think that's usually where people go with prompt injection.

You have to be a little more tricky about it sometimes.

Jason: Okay, so it's a bit of an art?

A little bit. Kind of like social engineering. I think as AI gets smarter it'll be just as if you were social engineering a human. For instance, normally people will not just give you their password when asked. Sometimes that works, but sometimes you have to be creative about it.

What do you do outside of cybersecurity? Are there any hobbies or interests that you like to partake in?

Yes, I have quite a few! I'm from Montana, and I love swing dancing. That's like a big part of something we learned growing up.

I do like country swing, but I also do enjoy vintage dances like jitterbug. I also know a little bit of salsa and bachata. Yeah, I definitely love dancing, but I also love reading.

I'm on the 10th book of the Wheel of Time. There's 15 books, and so I'm making my way through a very massive series, so I love reading sci-fi and fantasy. And I love cooking.

I just got a cat a few months ago, so I'm really loving just playing with my cat and cuddling with my cat.

Jason: Is it like a rescue cat?

Yes, yeah, a shelter cat. She's a tiny black cat, and I named her Jiji after the cat from Kiki's Delivery Service. It's an animated movie.

Jason: Nice, yeah, I'm a big Studio Ghibli fan as well.

Oh, yay! I wanted the black cat to feel like a witch cat, because hacking is kind of like witchcraft. So I have to be a witch with my cat :)

Jason: Nice. Have you read the book as well?

I haven't actually. No, but I read the book Howl's Moving Castle, so I've been meaning to get through those.

Jason: Yeah, I bought the book Howl's Moving Castle, but I haven't opened it up yet. It's on the list.

It's very good. It's short, so it didn't take that long, but it was really, really entertaining. Very different from the movie, though.

Do you think pursuing certifications and degrees is necessary in order to have a successful cybersecurity career?

Yes! I'm actually giving a talk on this exact subject tomorrow through Rewriting the Code, which is like a women in tech organization. I want to be realistic with people that cyber takes a really long time to get into. It's not something you can just do for a couple months, buy a course, and then suddenly you have a high-paying job.

Unfortunately, it takes a lot of time. You can't always buy your way into knowing this stuff.

It's almost like learning a language. If someone said you can become fluent in Japanese in two months, then it’s likely a scam. That just is not going to happen.

You have to take the time to actually learn. And it can be really hard for people that are already working, or are in school, or have family to take care of. You have to just be realistic with your expectations.

I think for most people it might take like two to three years if you already have a lot of other obligations to go from zero to being employed. 

Fortunately, you can teach yourself. Yes, you could get a degree. I always say don't pay for things. If you're able to get scholarships, then go for it. I got all my degrees covered by scholarships.

Pretty much everything you need to know is available for free online.

TryHackMe and PortSwigger Web Security Academy are both great resources. Additionally, volunteering is a great way to get experience. If you already have enough knowledge, you could teach a class at your local library about cyber security awareness.

Or you could start volunteering with local non-profits and advise them on cyber related things. This way, you can start building out projects and developing your professional network.

Over time, you can say you have a certain number of years of experience based on your projects, community involvement, capture the flag competitions, and bug bounties.

Unfortunately, the entry level job market in cyber is really, really competitive.

You really have to stand out. And they'll say they want three years of experience, but you can show them that you’ve been actively studying and applying the concepts for three years. You can show them your portfolio of things you’ve done in the community.

I believe this will significantly improve your chances. And once you're in, it's like you have job security for the rest of your life, but getting that first job can be really hard for people. So don't give up! Just know that it's like a really long process.

If you are a student who is recently about to graduate college, make sure you have a plan. Don’t wait until the end of the semester and think you will magically have a job waiting for you.

Jason: Nice. Are there any specific offensive security penetration testing certifications that you recommend?

Honestly, my advice for people is before you pay for any certification is to look at some job descriptions. Make sure you see that certification listed, like, at least 15 times or something.

And then you'll know that it’s something employers are actually looking for. There's so many certifications out there that you could pay for, but no recruiter would even know what they are. 


Thanks Betta!

Jason: You're very educated. Very well spoken. So, thank you for taking the time out of your busy schedule to sit down and do an interview!

You can follow Betta on her LinkedIn to stay updated on her professional journey!
