My timetable said Maths, Physics and Chemistry. My evenings said something else.
Those subjects taught me to think in systems. Programming taught me to build them. Cybersecurity taught me to break them. It was always the same mind, just pointed in a new direction.
For two years in high school, while my classmates were revising equations and periodic tables, I was writing code for fun. No syllabus, no deadlines, no grades. Just a screen, a keyboard, and problems I wanted to solve. I wasn’t learning how to code. I was learning how to think.
Then came university, and with it, Isaac Musungwa.
Isaac was the first person who made me see that writing code and writing good code are two completely different things. He had this quiet precision about him. Clean logic, clear structure, intentional naming. He didn’t just write programs. He wrote programs that other people could read, extend, and trust. That rubbed off on me permanently.
Around the same time, my program was drilling us in data structures. Almost every semester, there it was again: arrays, trees, graphs, sorting, searching. At the time it felt repetitive. Looking back, it was the best thing that could have happened to me.
If you can organize it, you can build it.
That mindset made me a versatile developer. I’ve always been a bridge between frontend and backend, seeing projects from ideation to completion without getting lost on either side. Although Python is my language of choice, I’m comfortable across the full stack, from embedded and low-level systems all the way up to high-level application development. The language changes. The thinking doesn’t.
Now the interesting part.
About five years ago, I began transitioning into the cybersecurity space. I started as an analyst, quickly moved into security engineering, and have since found my home in offensive security.
And here’s the thing nobody tells you when you make that shift: everything you built as a developer becomes a weapon.
Understanding how applications are constructed tells you exactly where they break. Knowing how data flows through a system tells you where to intercept it. The same brain that debugged backend logic for hours is now the one hunting for misconfigurations, chaining vulnerabilities, and writing exploitation paths. The domain changed. The discipline didn’t.
The most important thing I learned early on: it’s not about the tools. It’s about the process.
How well do you understand the scope of the problem? How strong is your foundation in networking, scripting, operating systems, vulnerability assessment, and report writing? How disciplined are you with testing methodologies, knowing when to go wide with enumeration before you go deep into exploitation? Those are the questions that separate good security professionals from great ones.
I don’t recall ever sitting down and Googling “how to use Burp Suite.” I learned it by doing real work. Every tool I use today has the same origin story. That’s not a flex, it’s just how it happened.
The first time I used Burp meaningfully, I was doing reconnaissance on a system with open ports and a Windows web server. I had already done my enumeration: mapped the services, fingerprinted the stack, identified potential entry points. Then came the exploitation attempts. Standard SQL injection failed. Time-based SQL injection failed. After digging deeper into the request structure, I realized I needed to intercept the HTTP request, forward it to Burp’s Repeater, and inject the payload there. Crashing the backend database and corrupting the session cookie in that single session taught me more about Burp Suite than any course could have. I’d covered its most important features without even setting out to learn it.
That’s how I learn. That’s how it sticks.
The same story could be told about Nmap, Metasploit, Gobuster, Wireshark. Every tool in my arsenal has a war story attached to it. I didn’t study them. I needed them. And that difference matters more than people realise.
Platforms like TryHackMe and HackTheBox have been great proving grounds, structured enough to sharpen methodology and open enough to let you experiment and break things. If you’re transitioning into offensive security, get on them. The reps matter.
I’m currently pursuing my Master’s in Cybersecurity at the Katz School of Health Sciences, with a focus on offensive security. It’s been an incredible chapter.
The deeper I go, the more I believe that structured thinking is the real edge. How do you move from reconnaissance and enumeration to exploitation cleanly? How do you document findings in a way that’s genuinely useful to a client or an internal security team? How do you tell the story of a vulnerability in a way that gets it fixed?
Those are the skills I’m sharpening right now.
My next peak: the OSCP. The methodology, the discipline, the hours on machines that refuse to give themselves up easily. The preparation alone has been one of the most rewarding experiences of my career. And I haven’t even sat the exam yet.
Twelve years in.
Two disciplines.
One direction.
Still climbing. Far from done.