Transcript
A (0:02)
You're listening to the CyberWire network. Powered by N2K.
B (0:14)
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. Risk and compliance shouldn't slow your business down. Hyperproof helps you automate controls, integrate real-time risk workflows and build a centralized system of trust so your teams can focus on growth, not spreadsheets. From faster audits to stronger stakeholder confidence, Hyperproof gives you the business advantage of smarter compliance. Visit www.hyperproof.io to see how leading teams are transforming their GRC programs.
A (1:33)
Hi, I'm Marina Ciavatta, I'm from Brazil and I'm a social engineer and CEO of Hackerty Inc. Most people think I'm 007, you know, like just like Mission Impossible, I'm coming from the ceiling with a rope and stealing stuff in the dead of the night. But it's not. I wanted to be so many things. Astronaut, you know, the good old "I want to be an astronaut" when you're a little kid. I wanted to be a writer for a very long time and because of that I kind of steered my way into journalism, my first degree. So very far away from where I am today. I didn't even go to get my diploma. I still don't have the diploma. I'm finished, I'm graduated and all, but I just never used it ever. Growing up I was, you know, a little nerd. Still a big nerd, actually. Now, because of that, gadgets, you know, video games, computer, they have always been near me. Sci-fi is very big when you're a nerd, being a little geek. Technology is part of your day to day and you always wanted to know, tear things apart, get to know how they work. At least I was like that. Wanting to be an astronaut when I was a kid turned into a passion for astrophysics. And because of that I've always been quite close to technology. I always liked storytelling. I've told you, for a very long time as a kid I wanted to be a writer. I actually wrote a book at six years old. So I carried that dream of communication and storytelling through school. And one of the teachers, she was like, "If you don't do anything related to communication, you're just going to waste your life, because you're very good at it." But I was also a very punk and anarchist and revolted little teenager. I had a very deep hate against journalism because back in my country, you know, corruption is very big. It's a poor country. And a great part of that is how media handles the, you know, politics around the country. And I could see that very clearly. And that would really make me very mad.
So I was like, okay, if I have to go to communications, not to waste my life, I plan on going to journalism. That way I can change the way things are from inside out. I can graduate in journalism and I can go into the communication and try to make things a little bit better for us on the other side of this chain. I really disliked journalism as a career. Everything, every path that was presented, that you could be a journalist, a sports journalist, or a fashion journalist, or just a news reporter or all of those options, even radio, which I really liked, they just didn't seem like good career paths for me. I always wanted to work behind a computer mostly because even though I was in communication, I was always quite weird and socially dislocated. I would always have like social anxiety going to places and all of that. So I didn't want to work close to people. But writing was quite a passion, so I thought maybe I can be an editor or something. At that point, I'd given up on the writer dream because I already knew that writers would starve and make no money. So yeah, going through college, I had a really rough time figuring out what I wanted to do. I started working in this little geek website where I started building critiques on video games and web series that I liked. It paid pretty much nothing, but I would have lots of fun with it. That's when I noticed, okay, I have to work with something, because I guess that's what makes me happy. I saw this job posting from an information and technology company in need of a content producer. And I was like, oh, okay, I maybe can write about technology. And at that point I had no idea that security, infosec and hacking were a completely different part of technology. The people from the company were very surprised with my ease to write about security and hacking. And I got the job. It's where I had my first contact with hacking and security. And I started just falling in love completely with the subject.
You have to learn the stories to be able to tell the stories. So you have to really dive yourself into the culture and what people are like. I just started to get intoxicated with hacking social engineering. My first contact with it was I started to organize a bunch of hack and infosec events around the entire country. I have organized more than 250 events and I was like, oh, that's kind of like hacking for people like me. Because I was not technical at all. I had a humanities background and I never dove into the technical field. I was interested in the culture and the behavior, the way people express themselves. And social engineering just spoke very loudly to me at the time. But I didn't become a social engineer until a few years later, when a friend of mine was dealing with this client and the client asked for a physical pen test. He came to me and he was like, "Hey, you're very good with people. Do you want to come and help me with this assignment? Do you want to like actually go and do it?" Oh, sure, of course. Break and enter and steal stuff and I'm not going to go to jail. Yes, let's do it. And that's how I got my first physical pen testing assignment. My job is to test all of the security layers, especially the human ones, at a company and make sure they are indeed prepared and paying attention to security as they should. Because if they're not, I am going to find their flaws. Not only that, but I'm probably gonna make them make mistakes. I'm going after the human error to take advantage of someone who left a door open or that will believe me and try to help me and put me inside a room that I shouldn't be in. Or they will turn away when I steal something and they won't say anything. I'm gonna test how they respond to my mischievous acts. I'm a physical pen tester. If you're waiting for me at a door to check my credentials, I'm just jumping through the back. I'm not there to pin to the door with your permission. Try to find people who will help you.
It is very hard to do this by yourself. You gotta go to the events, you gotta know people, you gotta start asking around because this is a huge field and it changes so fast. For young girls out there that want to be a physical pen tester, try to find other social engineers to mingle. It's in the name. We are social creatures. We won't push you away. Quite the contrary. A lot of people ask me about self control and I gotta say, it is really hard if you don't have very good self control. You may get unhinged, and that's very dangerous because you realize how powerful you can become. You really have to stay to your script. Stay very truthful to why you're doing that.
![Marina Ciavatta: Going after the human error. [Social engineer] [Career Notes] - CyberWire Daily cover](/_next/image?url=https%3A%2F%2Fmegaphone.imgix.net%2Fpodcasts%2F5b784df2-8443-11f0-88b2-bf6eaa7b4c62%2Fimage%2F910aaf148c5fdf3b9f89208a91f19df4.png%3Fixlib%3Drails-4.3.1%26max-w%3D3000%26max-h%3D3000%26fit%3Dcrop%26auto%3Dformat%2Ccompress&w=1920&q=75)