I’ve always had a strong interest in computers and all associated fields of study, partially because I’ve always had a fascination with complex systems and the nuances of their operation and partially because computers were largely how I interfaced with the world while growing up. Like many stereotypical “nerd” kids, I found the burgeoning internet of the late 90s/2000s to be a generally more agreeable form of social interaction than in-person interaction (imagine unironically spending time with your friends in person in 2021 and not socially distancing like introverts have been doing for decades). Most of this time was spent in forums and online chat rooms with other like-minded weird kids (and on Neopets...and on fanfiction boards), and it was in these places that my interest in hacking began.
As anyone with any knowledge of these message boards during this particular era of the internet will know, drama was widespread and common. Oftentimes, during such periods of drama, admins/moderators of these message boards would create new accounts with admin/mod privileges, claiming to be “hackers” who had compromised the board and proceeded to either antagonize specific community members the person in question didn’t like or just stir up some juicy drama on the board in general. This was so common that I was once the “secret mod”; I convinced (these days I’d say “socially engineered”) an admin of a board I frequented daily to make me a moderator in secret so I could “fight the hackers” who had been plaguing the board lately and who oddly the admins seemed to be able to do nothing about. Though I didn’t really “hack” anything here, I got my first taste of “illicit” digital behavior in this manner and it urged me to attempt to do more.
On a completely different board I also frequented, I was a member of an exclusive “in-crowd” of turbo-nerds who had access to a password-protected room on the forum. Knowing this password, I attempted to use the same password to login to the account of the administrator who had created this exclusive board in the forum, and I was successful. I was then able to make a new administrator account and generated a bunch of that ever-so-delectible forum drama for myself. These days I’d call this vulnerability “password re-use” and characterize it as the most significant security vulnerability that exists in the digital space. I’d also call this my actual first “hack”, though at time I just thought I’d guessed a password and that it wasn’t really “hacking” (It was, though. That’s like at least 50% of what I do for a living now, honestly).
Eventually, I achieved my first actual “hack” that I considered as such at the time on an InvisionFree Power Board forum (a common message board CMS at the time) when I was about 13 or 14 years old. I simply decided I wanted to “hack” this forum by any means necessary (I hated the administrators for the typical reasons for which you’d expect an omega-virgin teenager to hate someone on the internet) and started Googling things. I learned about something called “SQL injection” that was discovered to be possible on Invisionfree Power Board forums, and I also found a script written in Python that purported to exploit this vulnerability. Confidently, I ran this script (without the slightest care in the world that it might be malware) against the target forum, and lo and behold: I was able to extract the administrator password like magic and subsequently login to their account, from which I proceeded to wreak all the havoc that occurred to my spicy little middle class Catholic school kid brain. The forum actually went offline entirely as an eventual result of my mayhem, something in which I took tremendous pleasure as a child.
Now, I enact similar mayhem in a much more controlled manner, and I even do it ethically for the most part. It took me some time to make my way into the field––through Air Force pilot training and generic IT work and so on––but eventually I remembered that feeling of successfully SQL injecting the administrator password and logging into their account and how it had supercharged my rail-thin teenage body a decade prior––with hormones that probably would have been more healthy were they brought on by a girl my age––and considered that I might like to do that kind of thing for a living. And now I do, under the moniker of “Alh4zr3d”. This is a reference to Abdul Alhazred, the “Mad Arab” of the fiction of H.P. Lovecraft. Abdul Alhazred is the fictional writer of the similarly fictional Necronomicon, a grimoire full of eldritch wisdom and rites to terrible gods not meant for human eyes. Like my namesake, I transcribe the black magicks and lunatic knowledge of hacking for my audience. In no uncertain terms, hacking is modern-day sorcery and we should consider it as such.
I love the cyber security community and I’ve been involved in it in relatively small ways for quite some time, but mostly not to a degree that I considered sufficient. I founded the InfoSec Prep Discord server back in 2018 as OSCP Prep: it was originally intended to simply compose a small study group of Offensive Security students (myself included) to work towards the common goal of the Offensive Security Certified Professional (OSCP) certification. Today, that same Discord server has over 20,000 members, is a Discord Partner, and has expanded to encompass the whole wide range of information security education. Though I was the founder, I take no credit for how much it has grown; I fully attribute its success to my sterling team of admins and mods, who remained fully committed to it even during those times I was more interested in other pursuits. I strove to make my mark on my industry in my own much more deliberate way.
I frequently have Twitch streams on while I work (I require endless background noise to remain productive), and I absolutely adore the overall culture of Twitch. My brother is a Twitch streamer and has been doing it for over a year now (he plays video games; imagine playing video games on Twitch in 2021), and it was from him that I originally got the seed that would grow into my own Twitch community. I was also inspired by other creators such as IppSec and TheCyberMentor; the latter actually gave me my first taste of livestreaming by platforming me on his stream early in his own time as a streamer. I taught buffer overflow exploitation and regaled his audience with stories of my recent red teaming exploits. I was very popular within his small, early community and it was suggested by a few that I start my own stream. My only regret is that I didn’t do it sooner.
In late 2020, I was suffering from feelings of isolation like many during the COVID-19 pandemic and––in my thoughts on how I could get more social interaction––I began entertaining thoughts of being a Twitch streamer myself. In-so-doing, I could make a modest name for myself and give back in some small measure to the thriving online hacking community. I considered creators such as IppSec, TheCyberMentor, and John Hammond and identified that as much as I enjoyed these creators, two things were of note:
I then decided that there might be a niche for a content creator that did hacking challenges live and blind, with no fore-knowledge (and thus showed the real, unfiltered hacking process) and was able to do so while keeping things entertaining, interacting with chat, and embracing the “livestreaming” medium on Twitch––memes, emotes, and all.
Before long I decided to give it a try: I set up a basic streaming configuration and announced on InfoSec Prep that I’d be doing this livestream experiment. On October 15th, I fired up the stream for the first time and did two hacker challenges––one from TryHackMe and one from HacktheBox––for a small audience who had tuned in from InfoSec Prep out of curiosity. Even with my poor mic and camera, the positive response I garnered from that stream for my energy and knowledge was so absolutely overwhelming that I did it again. And again. And again. And then got a better camera and a proper mic. And now I just do it regularly, and I guess I’m a real streamer now.
I’ve done my absolute best to foster an inclusive community that is as welcoming as possible to new hackers of all skill levels and walks of life. My personal values exalt the pursuit of knowledge and tenacity to persevere, so anyone who embraces those virtues will be more than welcome in our ranks regardless of any ethereal qualities such as age, gender, country of origin, sexual orientation, and so on. We are all naught but primitive, smooth-brained apes in the eyes of the dark god, Cthulhu, and thus all of us are in a constant state of inadequacy, driving us to grow evermore knowledgeable in the dark arts regardless of our relative skill levels.
Hacking is an esoteric and poorly understood topic, so my content focuses on demystifying it and showing its practical application in order to educate other hackers and encourage future sorcerors to begin learning the craft. I typically take on various hacking challenges called “Capture the Flags” (CTFs) on stream; this is almost always done blind so that the viewers can see my thought process, tinkering, and enumeration as well as the struggle and frustration when things go wrong. This is the reality of hacking, and it helps my viewers to see a professional in the field struggle and pull his hair out like they are often wont to on their own.
I don’t play video games on stream often (though I have a handful of times), but I do occasionally take part in competitive CTFs with my viewers purely for fun and memes. If I’m not streaming, I’m probably working my full-time job, exercising, working to improve my own tradecraft, or working to improve the stream.
I had a brand in mind before I first streamed at all, though I’d say the personality that shines through on stream is very much my true self. “Hacking” in the modern day is spoken of in the same tone as sorcery or black magic, so it seemed natural to embrace that idea right from the beginning. My favorite author is H.P. Lovecraft, and I’ve always been enraptured by his stories and the Cthulhu Mythos borne from them. All of this seemed like a completely natural fit right from the beginning, and it’s become my personal calling card. No one else in the cybersecurity industry is doing “cyber-Cthulhu”; it’s an image that represents me personally, and I embrace it. Despite that, I don’t have a “character” or “persona” on stream; everything you see on Twitch is really who I am in person.
As for channel growth, I had a bit of a boost at the start because I announced my first stream on the large Discord server I founded several years prior: InfoSecPrep. I only did this once––that server isn’t for advertising my personal content––but it did get me past that 1-5 viewers stage instantly and I quickly had a handful of viewers that began to accumulate into a community before too long. From there, it was purely a matter of consistent improvement in content and listening to what my viewers want to see. I also hang out with my viewers in my Discord off stream, often doing CTF challenges with them and offering mentorship and even friendship.
Another key aspect of this growth that I believe separates me from other content creators in cybersecurity is my embrace of the livestreaming medium and the Twitch culture. I actively encourage and promote memes and high-energy content in general, with the knowledge that people learn most effectively when they are entertained at the same time. Consistent, repeated jokes and memes as well as banter with chat keep things lively and spirited as well as foster a sense of community, and have done a good job of separating me from my contemporaries.
All in all, my growth has been very rapid by just about any measure. I reached affiliate almost immediately thanks to the built-in Discord community who came to that first stream out of curiosity, and I was Partner after about four months. Furthermore, other streamers have begun to pop up on Twitch doing similar content to mine, inspired by me. I seem to have inadvertently given rise to a whole Twitch community of streamers making similar content. I am not full-time with streaming (I work 40 hours a week at a cybersecurity consulting practice), but already people have asked how long before that happens. At this moment, I don’t know if it will ever happen. Being a “professional red teamer” gives me a lot of legitimacy in my community and makes me an authority in teaching people hacking. Until I grow my persona and impact on the cybersecurity/Twitch community more, I don’t feel comfortable dropping my full-time job.
I stream three days per week (Tuesday, Thursday, Sunday), and considering my full-time job those days can feel really full. My audience is scattered all over the world (something I’m quite proud of), and I try to stream as early as I possibly can in order to be accommodating to those viewers, particularly those in the EU. I work from about 8 AM EST to about 4:45 EST, then close my work laptop and fire up the stream. I don’t have much of a pre-stream process, other than to throw on a hoodie (wearing a hoodie is part of my brand image), take a bio break, get a few things set up for that day’s content, fill my water glass, and so on. From there, on most days just about everything is right off the cuff. I don’t get days off very often; the only day per week I don’t work or stream is Saturday, and I spend solid chunks of those days working on CTFs with my community.
Part of the reason I started streaming was to get more social interaction in the COVID era, so it was initially a substitute for normal social interaction. Now, though, I find it its own form of social activity altogether and honestly I think I need some time away from the computer now and then to feel like less of a social pariah. Most of my real life friends––or at least those who know are familiar with Twitch––are supportive and passingly interested. My family doesn’t really understand what I do (other than my brother), though.
As for how long I intend to do this, I don’t really have long-term goals or an endgame in mind right now. I’m just taking it day-by-day, stream by stream, making sure I remain educational and entertaining. What I generally say on stream is that I’ll do this for as long as people want to watch, but I’m open-minded for whatever the future brings. I’m just happy to be giving back to the cybersecurity community I love so much.
I use Streamlabs OBS for my streaming software, though I’ve started looking at other options and eyeing them up for some interesting features. My donation software is simply Paypal. The only Twitch bot I currently make use of is Nightbot, but I have ideas to start coding my own bots to help improve the quality/entertainment value/viewer interaction of the stream. I’ve made a separate Discord server for my own content, and that’s been growing steadily into a nice, thriving hacker community. My graphics/overlays mostly come from Streamlabs, but some were commissioned on Fiverr or Reddit. I’m not too knowledgeable on extensions or anything yet (I still find my Twitch setup fairly basic all things considered). I do look at my analytics (particularly the countries of origin of my viewers, for instance) to make streaming decisions, though.
VirtualBox for my hacking tools, Discord for communicating with and coordinating my cultists/apes, and of course Streamlabs OBS.
My story is hardly the classic Twitch story, so I’m not sure how valuable my advice can be to the traditional video games streamers, but I will try.
Keep things spicy. Like seriously, keep the memes hot and actively banter with chat. It keeps things entertaining and helps really tap into that unique “Twitch” energy. Encourage your viewers to clip your streams and spread them around your community and others. Don’t do “chill streams” with no facecam where you don’t interact with chat. At that point, your viewers would be getting the viewer interaction they’d expect from a YouTube video. The whole point of livestreaming and the Twitch culture is that high energy meme power that keeps things interesting and keeps people coming back to see you, your personality, and your community. You’re a livestreamer, not a YouTuber. Act accordingly.
Just let me say I’m doing my challenges “blind” again; I still don’t know how the hell I should phrase it now to get the same point across succinctly in my titles.