OnDefend Welcomes Tim Tomes as Director of Training and Programs
Tim’s career spans elite Army Red Team operations, the development of groundbreaking cybersecurity tools, and thousands of hours spent shaping future defenders. His unique blend of deep technical expertise, instructional skill, and mission-first leadership sets him apart as a true force in the cybersecurity world.
Learn a little more about Tim and the expertise he brings in this one-on-one interview:
Q: What is your role at OnDefend?
In my role as the Director of Training and Programs, I’ll be working to elevate the skill set of the entire OnDefend team in the areas of application security and Red Teaming. I’ll also be working to build an external-facing training program focused on providing technical skills development opportunities in engaging and practical environments. In my role as an Associate Program Director, I’ll be working with the Independent Security Inspector team to ensure that entities operate in good faith and protect the interests of the United States through the distribution and functionality of their U.S. applications and infrastructure.
Q: How did you get started in cybersecurity?
Video games. I know it sounds crazy, but ever since I was a child, I’ve enjoyed video games. Video gaming during the 1980s and 90s was not easy. It required a deep understanding of systems, networking, and in some cases, code. My desire to play video games drove me to study and learn elements of all these disciplines. The technical skillset gained from an effort to play video games led to a degree in Information Systems and a commission in the U.S. Army, where I eventually found myself as a team leader on the U.S. Army Red Team. This is where I discovered that everything technical I had learned was from the perspective of how things were supposed to work. The Red Team taught me to think about how things could work, for better or for worse. This changed my perspective on all things technical and launched me into a career in cybersecurity.
Q: Can you walk us through some career highlights?
Sure. The Red Team experience was certainly a highlight. That led to me being asked to lead the development of the Army’s cyber training program (more on this later), and participating in and winning the inaugural SANS NetWars competition at SANS Network Security 2010. Shortly thereafter, I was hired by John Strand as the first FTE for Black Hills Information Security (BHIS), where I helped John grow the company by building out the technical side of the consultancy. While working at BHIS, I created Recon-ng, which is probably what I am most known for in the security community. In an effort to share Recon-ng and other open source projects, I began speaking at conferences, which led to a talk I gave with Violent Python (TJ O’Connor) at ShmooCon 2013 in front of approximately 2500 people. I switched focus exclusively to application security around this time and began teaching web application penetration testing through SANS, and then for my own company in 2017. I’ve trained thousands of people in the public and private sectors and am known in the security community for being an expert in web application security and PortSwigger’s Burp Suite Pro.
Q: What excites you most about joining OnDefend?
Being part of a team again. Mentorship is very important to me, but I’ve spent the past eight years as a team of one. At this stage of my career, I can better serve the community by passing on what I’ve learned to the next generation rather than applying it to one-off situations. The opportunity to contribute to the growing team of application security professionals at OnDefend is definitely what I am most excited about.
Q: Is there a project or accomplishment you’re particularly proud of?
After my time on the Red Team, the Department of Defense was ramping up its cybersecurity efforts, and the Army went looking for uniformed personnel who could help build a program to train cyber operators. I was selected by the Commanding General of the Signal Corps to relocate to Fort Gordon and be the principal architect of the Army’s cyber operator training course (255S). I spent several years leading a team of talented officers and civilian personnel to establish what eventually became the basis for the U.S. Army Cyber Corps.
HoneyBadger and PushPin were two open-source software projects I built during my time at BHIS. They both focused on leveraging web-based geolocation technologies to enhance situational awareness. In the years following the release of these tools, I was made aware of situations where law enforcement leveraged these tools to increase the safety of large community events, investigate crimes, collect critical evidence, locate and apprehend fugitives, and recover abducted individuals.
Q: What’s something people should know about you?
I am an apprentice of Jesus, trying to be like him and do as he did. He was a man of action, character, humility, love, and sacrifice who elevated everyone around him. That’s who I want to be. This is what drives me. It’s the highest of standards. Impossible to achieve, but so worth trying.
Q: Where do you hope to see the state of cybersecurity in five years?
I’m not much of a visionary. I tend to focus on what is practical here and now. But if I had to answer that question, I’d say an industry of professionals that are less reliant on AI and abstractions. I do realize that this is the opposite direction of where we are headed, and in complete opposition to where most people want to go, but I’m hoping that we’ll avoid shortcuts, and do the hard right over the easy wrong. Unfortunately, I think we’ll see humanity lean too heavily on AI and lose expertise in the foundational concepts that are used to build underlying systems. A “brain drain,” so to speak, resulting in fewer people with the required level of understanding to solve problems. I believe there will be fewer experts, and the gap between users and experts will grow exponentially with AI making it less necessary to understand fundamentals. Look at something as simple as video games. My entire career was built around the struggle it was to make video games work. All my children have to do is press a single button and everything just works. Mind-blowing experiences are so easy to attain. Ironically, using tech has become too easy. There are so many layers of abstraction that fundamental understanding is no longer necessary to be a user, and I believe that will have a major impact over time. So, I’m hoping it doesn’t.
Q: Looking ahead, what would you like your legacy at OnDefend to be?
To leave things better than I found them in every possible way. I want to be remembered as someone who led with humility and character, elevated everyone on the team, and helped to create an accessible source of world-class cybersecurity training.
Explore how OnDefend is reimagining security programs and going beyond compliance with experts like Tim Tomes, bringing advanced threat emulation and real-world testing to protect organizations around the globe.
About OnDefend
OnDefend, established in 2016, stands at the forefront of preventative cybersecurity testing and advisory services, a reputation further enhanced by the introduction of its advanced Breach and Attack Simulation (BAS) Software as a Service (SaaS) platform, BlindSPOT. OnDefend is a trusted partner, empowering organizations globally to proactively combat real-world cyber threats. From ensuring compliance with industry standards to building out mature security programs, our mission is to ensure that the security resources our customers invest in are well-utilized, effective, and provide tangible results. For more information about our services and solutions, please visit http://www.ondefend.com/
OnDefend Media Contact:
Lauren Verno, Media@ondefend.com
904-299-3669