{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T16:02:11Z","timestamp":1774540931059,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":65,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T00:00:00Z","timestamp":1701302400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3611643.3613900","type":"proceedings-article","created":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T23:14:38Z","timestamp":1701386078000},"page":"1669-1680","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["Understanding Hackers\u2019 Work: An Empirical Study of Offensive Security Practitioners"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0000-2484-0109","authenticated-orcid":false,"given":"Andreas","family":"Happe","sequence":"first","affiliation":[{"name":"TU Wien, Vienna, Austria"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8619-1271","authenticated-orcid":false,"given":"J\u00fcrgen","family":"Cito","sequence":"additional","affiliation":[{"name":"TU Wien, Vienna, Austria"}]}],"member":"320","published-online":{"date-parts":[[2023,11,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"[n. d.]. Acunetix: Web Vulnerability Scanner. https:\/\/www.acunetix.com\/ Accessed: 2022-09-30"},{"key":"e_1_3_2_2_2_1","unstructured":"[n. d.]. BloodHoundAD: Six Degrees of Domain Admin. https:\/\/github.com\/BloodHoundAD\/BloodHound Accessed: 2022-09-30"},{"key":"e_1_3_2_2_3_1","unstructured":"[n. d.]. Conti cyber attack on the HSE Independent Post Incident Review. https:\/\/www.hse.ie\/eng\/services\/publications\/conti-cyber-attack-on-the-hse-full-report.pdf Accessed: 2022-09-30"},{"key":"e_1_3_2_2_4_1","unstructured":"[n. d.]. Conti\u2019s Hacker Manuals \u2014 Read Reviewed & Analyzed. https:\/\/www.akamai.com\/blog\/security\/conti-hacker-manual-reviewed Accessed: 2022-09-30"},{"key":"e_1_3_2_2_5_1","unstructured":"[n. d.]. Delve: Software Tool to Analyze Qualitative Data. https:\/\/delvetool.com\/ Accessed: 2022-10-01"},{"key":"e_1_3_2_2_6_1","unstructured":"[n. d.]. DirBuster. https:\/\/www.kali.org\/tools\/dirbuster\/ Accessed: 2022-09-30"},{"key":"e_1_3_2_2_7_1","unstructured":"[n. d.]. GhostPack\/Certify: Active Directory certificate abuse.. https:\/\/github.com\/GhostPack\/Certify Accessed: 2022-09-30"},{"key":"e_1_3_2_2_8_1","unstructured":"[n. d.]. gobuster: Directory\/File DNS and VHost busting tool written in Go. https:\/\/github.com\/OJ\/gobuster Accessed: 2022-09-30"},{"key":"e_1_3_2_2_9_1","unstructured":"[n. d.]. https:\/\/nakedsecurity.sophos.com\/2021\/07\/16\/more-printnightmare-we-told-you-not-to-turn-the-print-spooler-back-on\/. https:\/\/nakedsecurity.sophos.com\/2021\/07\/16\/more-printnightmare-we-told-you-not-to-turn-the-print-spooler-back-on\/ Accessed: 2022-10-03"},{"key":"e_1_3_2_2_10_1","unstructured":"[n. d.]. Invicti: Web Application Security for Enterprise. https:\/\/www.invicti.com\/ Accessed: 2022-09-30"},{"key":"e_1_3_2_2_11_1","unstructured":"[n. d.]. Metasploit: Penetration Testing Software. https:\/\/github.com\/rapid7\/metasploit-framework Accessed: 2022-09-30"},{"key":"e_1_3_2_2_12_1","unstructured":"[n. d.]. Methodology for Top 10. https:\/\/groups.google.com\/a\/owasp.org\/g\/leaders\/c\/pFLxDLE28ZA Accessed: 2022-09-30"},{"key":"e_1_3_2_2_13_1","unstructured":"[n. d.]. Nessus Vulnerability Assessment Solution. https:\/\/www.tenable.com\/products\/nessus\/nessus-professional Accessed: 2022-09-30"},{"key":"e_1_3_2_2_14_1","unstructured":"[n. d.]. Nmap: the Network Mapper \u2014 Free Security Scanner. https:\/\/nmap.org Accessed: 2022-09-30"},{"key":"e_1_3_2_2_15_1","unstructured":"[n. d.]. Nuclei: Fast and customizable vulnerability scanner based on simple YAML based DSL.. https:\/\/github.com\/projectdiscovery\/nuclei Accessed: 2022-09-30"},{"key":"e_1_3_2_2_16_1","unstructured":"[n. d.]. OWASP Zed Attack Proxy (ZAP). https:\/\/www.zapproxy.org\/ Accessed: 2022-09-30"},{"key":"e_1_3_2_2_17_1","unstructured":"[n. d.]. PTES Technical Guidelines. http:\/\/www.pentest-standard.org\/index.php\/PTES_Technical_Guidelines Accessed: 2022-09-30"},{"key":"e_1_3_2_2_18_1","unstructured":"[n. d.]. sqlmap: automatic SQL injection and database takeover tool. https:\/\/sqlmap.org\/ Accessed: 2022-09-30"},{"key":"e_1_3_2_2_19_1","unstructured":"[n. d.]. Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527). https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2021-34527 Accessed: 2022-09-30"},{"key":"e_1_3_2_2_20_1","unstructured":"[n. d.]. Zero Day Initiative. https:\/\/www.zerodayinitiative.com\/blog Accessed: 2022-09-30"},{"key":"e_1_3_2_2_21_1","unstructured":"2016-07-06. DIRECTIVE (EU) 2016\/1148 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016L1148 Official Journal of the European Union L 194 (2016-07-06) 1\u201330."},{"key":"e_1_3_2_2_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180180"},{"key":"e_1_3_2_2_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/3417113.3422153"},{"key":"e_1_3_2_2_24_1","volume-title":"The Conscience of a Hacker. Phrack, 7","author":"Blankenship Loyd","year":"1986","unstructured":"Loyd Blankenship. 1986. The Conscience of a Hacker. Phrack, 7 (1986), Jan., http:\/\/www.phrack.org\/archives\/issues\/7\/3.txt"},{"key":"e_1_3_2_2_25_1","first-page":"34","article-title":"Educational exploiting the information resources and invading the security mechanisms of the operating system Windows 7 with the exploit Eternalblue and Backdoor Doublepulsar","volume":"14","author":"Boyanov Petar","year":"2018","unstructured":"Petar Boyanov. 2018. Educational exploiting the information resources and invading the security mechanisms of the operating system Windows 7 with the exploit Eternalblue and Backdoor Doublepulsar. Association Scientific and Applied Research, 14 (2018), 34.","journal-title":"Association Scientific and Applied Research"},{"key":"e_1_3_2_2_26_1","volume-title":"Reflecting on reflexive thematic analysis. Qualitative research in sport, exercise and health, 11, 4","author":"Braun Virginia","year":"2019","unstructured":"Virginia Braun and Victoria Clarke. 2019. Reflecting on reflexive thematic analysis. Qualitative research in sport, exercise and health, 11, 4 (2019), 589\u2013597."},{"key":"e_1_3_2_2_27_1","volume-title":"Cambridge International Workshop on Security Protocols. 55\u201361","author":"Bukac Vit","year":"2014","unstructured":"Vit Bukac, Vaclav Lorenc, and Vashek Maty\u00e1\u0161. 2014. Red queen\u2019s race: APT win-win game. In Cambridge International Workshop on Security Protocols. 55\u201361."},{"key":"e_1_3_2_2_28_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-018-9625-6"},{"key":"e_1_3_2_2_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663755"},{"key":"e_1_3_2_2_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2016.02.008"},{"key":"e_1_3_2_2_31_1","volume-title":"What is an adequate sample size? Operationalising data saturation for theory-based interview studies. Psychology and health, 25, 10","author":"Francis Jill J","year":"2010","unstructured":"Jill J Francis, Marie Johnston, Clare Robertson, Liz Glidewell, Vikki Entwistle, Martin P Eccles, and Jeremy M Grimshaw. 2010. What is an adequate sample size? Operationalising data saturation for theory-based interview studies. Psychology and health, 25, 10 (2010), 1229\u20131245."},{"key":"e_1_3_2_2_32_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-28865-9_18"},{"key":"e_1_3_2_2_33_1","volume-title":"Competing paradigms in qualitative research. Handbook of qualitative research, 2, 163-194","author":"Guba Egon G","year":"1994","unstructured":"Egon G Guba and Yvonna S Lincoln. 1994. Competing paradigms in qualitative research. Handbook of qualitative research, 2, 163-194 (1994), 105."},{"key":"e_1_3_2_2_34_1","volume-title":"How many interviews are enough? An experiment with data saturation and variability. Field methods, 18, 1","author":"Guest Greg","year":"2006","unstructured":"Greg Guest, Arwen Bunce, and Laura Johnson. 2006. How many interviews are enough? An experiment with data saturation and variability. Field methods, 18, 1 (2006), 59\u201382."},{"key":"e_1_3_2_2_35_1","unstructured":"Aaron Guzman. [n. d.]. OWASP Firmware Security Testing Methodology. https:\/\/scriptingxss.gitbook.io\/firmware-security-testing-methodology\/ Accessed: 2022-09-30"},{"key":"e_1_3_2_2_36_1","unstructured":"Aaron Guzman and Cedric Bassem. 2020. OWASP IoT Security Verification Standard. https:\/\/github.com\/OWASP\/IoT-Security-Verification-Standard-ISVS\/releases\/download\/1.0RC\/OWASP_ISVS-1.0RC-en_WIP_.pdf"},{"key":"e_1_3_2_2_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3611643.3613083"},{"key":"e_1_3_2_2_38_1","unstructured":"Richard Harang and Felipe N Ducau. 2018. Measuring the speed of the Red Queen\u2019s Race. BlackHat: Las Vegas NV USA."},{"key":"e_1_3_2_2_39_1","unstructured":"Carlos Holguera Bernhard M\u00fcller Sven Schleier and Jeroen Willemsen. 2022. OWASP Mobile Application Security Verification Standard. https:\/\/github.com\/OWASP\/owasp-masvs\/releases\/latest\/download\/OWASP_MASVS-v1.4.2-en.pdf"},{"key":"e_1_3_2_2_40_1","volume-title":"In 30th USENIX Security Symposium.","author":"Huaman Nicolas","year":"2021","unstructured":"Nicolas Huaman, Bennet von Skarczinski, Dominik Wermke, Christian Stransky, Yasemin Acar, Arne Drei\u00df igacker, and Sascha Fahl. 2021. A large-scale interview study on information security in and attacks against small and medium-sized enterprises. In In 30th USENIX Security Symposium."},{"key":"e_1_3_2_2_41_1","unstructured":"(ISC)2. 2022. (ISC)2 CYBERSECURITY WORKFORCE STUDY 2022. https:\/\/www.isc2.org\/\/-\/media\/ISC2\/Research\/2022-WorkForce-Study\/ISC2-Cybersecurity-Workforce-Study.ashx Accessed: 2023-04-28"},{"key":"e_1_3_2_2_42_1","doi-asserted-by":"publisher","DOI":"10.5555\/1519340.1519350"},{"key":"e_1_3_2_2_43_1","unstructured":"James Kettle. 2019. HTTP Desync Attacks: Request Smuggling Reborn. https:\/\/portswigger.net\/research\/http-desync-attacks-request-smuggling-reborn Accessed: 2023-08-18"},{"key":"e_1_3_2_2_44_1","unstructured":"James Kettle. 2022. Browser-Powered Desync Attacks: A New Frontier in HTTP Request Smuggling. https:\/\/portswigger.net\/research\/browser-powered-desync-attacks Accessed: 2023-08-18"},{"key":"e_1_3_2_2_45_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.im.2003.08.001"},{"key":"e_1_3_2_2_46_1","unstructured":"Sydney Lake. 2022. The cybersecurity industry is short 3.4 million workers\u2014that\u2019s good news for cyber wages. https:\/\/fortune.com\/education\/articles\/the-cybersecurity-industry-is-short-3-4-million-workers-thats-good-news-for-cyber-wages\/ Accessed: 2023-04-28"},{"key":"e_1_3_2_2_47_1","volume-title":"Research dilemmas: Paradigms, methods and methodology.. Issues in educational research, 16, 2","author":"Mackenzie Noella","year":"2006","unstructured":"Noella Mackenzie and Sally Knipe. 2006. Research dilemmas: Paradigms, methods and methodology.. Issues in educational research, 16, 2 (2006), 193\u2013205."},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ESEM.2019.8870147"},{"key":"e_1_3_2_2_49_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2004.84"},{"key":"e_1_3_2_2_50_1","unstructured":"Elie Saad and Rick Mitchell. 2020. OWASP Web Security Testing Guide. https:\/\/github.com\/OWASP\/wstg\/releases\/download\/v4.2\/wstg-v4.2.pdf"},{"key":"e_1_3_2_2_51_1","volume-title":"The layers of research design","author":"Saunders MNK","unstructured":"MNK Saunders and PC Tosey. 2013. The layers of research design. University of Surrey."},{"key":"e_1_3_2_2_52_1","unstructured":"Sven Schleier Bernhard Mueller Carlos Holguera and Jeroen Willemsen. 2022. OWASP Mobile Application Security Testing Guide. https:\/\/github.com\/OWASP\/owasp-mastg\/releases\/latest\/download\/OWASP_MASTG-v1.5.0.pdf"},{"key":"e_1_3_2_2_53_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568305"},{"key":"e_1_3_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/VL\/HCC50065.2020.9127203"},{"key":"e_1_3_2_2_55_1","volume-title":"Technical report","author":"Strom Blake E","unstructured":"Blake E Strom, Andy Applebaum, Doug P Miller, Kathryn C Nickels, Adam G Pennington, and Cody B Thomas. 2018. Mitre att&ck: Design and philosophy. In Technical report. The MITRE Corporation."},{"key":"e_1_3_2_2_56_1","volume-title":"How hackers think: A mixed method study of mental models and cognitive patterns of high-tech wizards","author":"Summers Timothy C","unstructured":"Timothy C Summers. 2015. How hackers think: A mixed method study of mental models and cognitive patterns of high-tech wizards. Case Western Reserve University."},{"key":"e_1_3_2_2_57_1","volume-title":"Fuzzing for software security testing and quality assurance","author":"Takanen Ari","unstructured":"Ari Takanen, Jared D Demott, Charles Miller, and Atte Kettunen. 2018. Fuzzing for software security testing and quality assurance. Artech House."},{"key":"e_1_3_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICWS.2011.96"},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2018.2875989"},{"key":"e_1_3_2_2_60_1","unstructured":"Niek Jan van den Hout. 2019. Standardised Penetration Testing? Examining the Usefulness of Current Penetration Testing Methodologies. Ph. D. Dissertation."},{"key":"e_1_3_2_2_61_1","unstructured":"Andrew van der Stork Brian Glas Neil Smithline and Torsten Gigler. 2021. OWASP Top 10:2021. https:\/\/owasp.org\/Top10\/0x00-notice\/"},{"key":"e_1_3_2_2_62_1","unstructured":"Andrew van der Stork Josh Grossman Daniel Cuthbert Elar Lang and Jim Manico. 2021. OWASP Application Security Verification Standard. https:\/\/github.com\/OWASP\/ASVS\/raw\/v4.0.3\/4.0\/OWASP+Application+Security+Verification+Standard+4.0.3-en.pdf"},{"key":"e_1_3_2_2_63_1","unstructured":"Chris Wysopal Lucas Nelson Elfriede Dustin and Dino Dai Zovi. 2006. The art of software security testing: identifying software security flaws. Pearson Education."},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1145\/3287075"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/3140587.3062386"}],"event":{"name":"ESEC\/FSE '23: 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"San Francisco CA USA","acronym":"ESEC\/FSE '23","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3613900","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3611643.3613900","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:03Z","timestamp":1750178163000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3613900"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,30]]},"references-count":65,"alternative-id":["10.1145\/3611643.3613900","10.1145\/3611643"],"URL":"https:\/\/doi.org\/10.1145\/3611643.3613900","relation":{},"subject":[],"published":{"date-parts":[[2023,11,30]]},"assertion":[{"value":"2023-11-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}