In this video, Nathaniel Shere, a professional penetration tester (ethical hacker), shares insights into the daily routine of a cybersecurity expert. From working closely with developers to testing for vulnerabilities in networks and applications, Nat provides a unique perspective on how cybersecurity professionals secure data before attackers can exploit weaknesses.
Or prevent all data breaches. Or my personal favorite—after a data breach: “We take your security seriously.” After they’ve already been breached. Then the news comes out about the shortcuts they took and the times security asked for more budget and didn’t get it. But somehow they still take security very seriously. I have serious trust issues with that.
Hey everybody, welcome to another episode of John Has Trust Issues, where we talk about issues relevant to authorization and zero trust. My name is John Martinez. I’m the Technical Evangelist at StrongDM, and today I have the pleasure of speaking with Nat Shere of Kraft Compliance.
To start out, we always talk about a trust issue. Nat shared that while unsolicited LinkedIn messages are an easy answer, his broader trust issue is cybersecurity marketing as a whole. He pointed out the common slogans like “we ship with zero vulnerabilities” or “prevent all data breaches,” and how those claims often fall apart when breaches happen and companies respond by saying they take security seriously. He highlighted the disconnect between messaging and reality, especially when reports later reveal ignored warnings or underfunded security teams.
We discussed his background beyond LinkedIn. Nat grew up in Indiana and spent five years in New York for school, where he met his wife. After experiencing Manhattan rent, they moved back to the Midwest, where he began his career in security consulting as a penetration tester. He later transitioned into a role working directly with developers, which allowed him to not only identify issues but collaborate on fixing them. This gave him a deeper understanding of development priorities and the importance of collaboration between security and engineering teams.
The conversation shifted into penetration testing. Nat explained that pen testing is essentially security-focused quality assurance—finding vulnerabilities in applications and systems before attackers do. A typical day involves minimal meetings and a lot of hands-on work: analyzing code, understanding application logic, testing roles and permissions, and studying how systems behave. He emphasized that it’s not like the movies—there’s no constant stream of dramatic breakthroughs. Instead, it’s careful, methodical analysis and problem-solving.
He described how testing often involves comparing behavior across multiple user roles and examining how systems respond to unexpected inputs. It’s detail-oriented work that requires patience and a strong understanding of how systems are supposed to function versus how they actually behave.
We then discussed his philosophy as an ethical hacker. For Nat, the goal is making the internet safer for people. He emphasized that security isn’t about achieving perfect metrics like zero vulnerabilities—it’s about enabling people to safely use systems. The internet provides enormous opportunity for education, work, and access to information, but that only works if people trust it. If users believe their data will be stolen every time they go online, they disengage entirely, losing access to those opportunities.
This led into a discussion about usability. Security often creates friction, but overly restrictive systems become unusable. Nat pointed out that availability is a core component of security. If a system is secure but inaccessible, it has failed. Denial-of-service scenarios illustrate this clearly—security must ensure systems are both protected and usable.
When asked about zero trust, Nat described it as a mindset of continuous verification. Even client-provided information isn’t assumed to be correct. In his work, he often discovers additional assets that clients didn’t know existed, or even assets that don’t belong to them at all. During testing, nothing is taken at face value—everything is validated.
He shared an example of a checkout system that allowed negative values. Developers believed it wasn’t exploitable, but testing confirmed that the application itself accepted the negative value; only a third-party payment processor downstream blocked the transaction. The vulnerability still existed—it just manifested differently than expected. This reinforces the idea that assumptions must always be tested.
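The checkout story above, reconstructed as an added example (not code from the episode or from Kraft Compliance): a total calculation that trusts submitted quantities beside one that validates them itself, with a stand-in for the downstream processor. The catalogue, prices and test orders are constructed for illustration; the mixed order, whose total stays positive, is an assumption about how a negative quantity could slip past a processor that only refuses non-positive charges.

```python
from dataclasses import dataclass

# Constructed sample catalogue for this illustration: prices in cents.
CATALOGUE = {"book": 1500, "pen": 200}


@dataclass(frozen=True)
class LineItem:
    sku: str
    quantity: int


def vulnerable_total(items):
    """Trusts quantities as submitted, so a negative quantity works as a discount."""
    return sum(CATALOGUE[item.sku] * item.quantity for item in items)


def processor_accepts(total_cents):
    """Stand-in for the third-party payment processor, which refuses a non-positive charge.
    This is the downstream block the developers were relying on; it is not a fix."""
    return total_cents > 0


def hardened_total(items):
    """Validates every line item before pricing, so the application rejects bad input itself."""
    if not items:
        raise ValueError("empty order")
    for item in items:
        if item.sku not in CATALOGUE:
            raise ValueError(f"unknown sku {item.sku!r}")
        if not isinstance(item.quantity, int) or item.quantity <= 0:
            raise ValueError(f"invalid quantity {item.quantity!r} for {item.sku}")
    return sum(CATALOGUE[item.sku] * item.quantity for item in items)


def checkout_vulnerable(items):
    """Returns (total, outcome); only the processor stands between bad input and a charge."""
    total = vulnerable_total(items)
    return total, "charged" if processor_accepts(total) else "blocked by processor"


def checkout_hardened(items):
    """Returns (total, outcome); invalid orders never reach the processor."""
    try:
        total = hardened_total(items)
    except ValueError as exc:
        return None, f"rejected by application: {exc}"
    return total, "charged"


if __name__ == "__main__":
    # Constructed test orders: one fully negative, one mixed so the total stays positive.
    for order in ([LineItem("book", -1)], [LineItem("book", 1), LineItem("pen", -7)]):
        print("vulnerable:", checkout_vulnerable(order), "| hardened:", checkout_hardened(order))
```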
The conversation moved into identity security. Nat explained that most issues he finds involve user roles and permissions. Even simple systems frequently have gaps that allow unintended access. In more complex systems with numerous permission combinations, the likelihood of issues increases significantly. Zero trust in this context means continuously verifying both identity and authorization at every step.
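The role-comparison work described above (testing each endpoint as every role and checking the result against what the system is supposed to do) as an added example, not code from the episode or from Kraft Compliance. The mini-application, its users, orders and expected matrix are all constructed; a real test would replace the handler functions with HTTP calls per role.

```python
# Constructed mini-application: orders with an owner, users with a role.
ORDERS = {101: {"owner": "alice"}, 102: {"owner": "bob"}}
ROLES = {"alice": "customer", "bob": "customer", "carol": "support", "dave": "admin"}
PRIVILEGED = {"support", "admin"}


def view_order_vulnerable(user, order_id):
    """Checks that the caller is a known user but never checks ownership or role."""
    if user not in ROLES:
        return 401
    if order_id not in ORDERS:
        return 404
    return 200


def view_order_hardened(user, order_id):
    """Re-verifies identity and then authorization on every call, not just at login."""
    if user not in ROLES:
        return 401
    order = ORDERS.get(order_id)
    if order is None:
        return 404
    if ROLES[user] in PRIVILEGED or order["owner"] == user:
        return 200
    return 403


# The expected matrix is the spec written down before exercising the endpoint:
# (caller, order) -> status the application should return.
EXPECTED = {
    ("alice", 101): 200, ("alice", 102): 403,
    ("bob", 101): 403,   ("bob", 102): 200,
    ("carol", 101): 200, ("carol", 102): 200,
    ("dave", 101): 200,  ("dave", 102): 200,
    ("nobody", 101): 401, ("alice", 999): 404,
}


def find_gaps(handler):
    """Runs every (caller, order) pair and returns the cases that deviate from the spec."""
    gaps = []
    for (user, order_id), expected in sorted(EXPECTED.items()):
        actual = handler(user, order_id)
        if actual != expected:
            gaps.append((user, order_id, actual, expected))
    return gaps


if __name__ == "__main__":
    print("vulnerable handler gaps:", find_gaps(view_order_vulnerable))
    print("hardened handler gaps:", find_gaps(view_order_hardened))
```

Each gap tuple reads (caller, order, actual, expected); for the vulnerable handler the two customers can read each other's orders.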
We also talked about how clients respond to penetration testing reports. Some organizations are genuinely focused on security and welcome findings as opportunities to improve. Others approach testing as a compliance checkbox and challenge every issue. For clients who prioritize security, the process becomes collaborative, with draft reports, discussions, and refinements that ultimately strengthen both the product and the process.
We then discussed reframing zero trust in a more positive way. Instead of focusing on restriction, Nat suggested concepts like “zero friction,” “zero concerns,” or “zero distractions.” He referenced a scene from Ex Machina where access is simple—if a door opens, you’re allowed in; if not, you’re not. There’s no punishment or suspicion, just clear boundaries. Good security, in this sense, enables people rather than obstructs them.
The conversation turned to career advice. Nat emphasized the importance of connecting with recruiters to understand current market demands, taking advantage of opportunities in your current environment, and demonstrating curiosity and initiative. Whether through school, internships, or collaboration within a current role, hands-on experience is key. Certifications can help open doors, but ultimately it’s skills and experience that matter most.
When asked what he’s most proud of, Nat shared that it’s being a husband and a father. He spoke about his son turning five and how meaningful that role is to him.
As we wrapped up, Nat encouraged listeners to connect with him on LinkedIn, noting that he shares insights regularly and contributes to a biweekly cybersecurity newsletter through Kraft Compliance. It’s a way to stay informed without overwhelming your inbox.
That’s another episode of John Has Trust Issues, brought to you by StrongDM, the modern access management platform that enables continuous zero trust authorization for your infrastructure.