Here you will find Shearwater’s latest news, security updates and media releases.

Bigger and better than ever: What you missed at the 2019 Shearwater AppSec Hackathon

There’s nothing quite like the thrill of a hackathon for refining or showcasing IT security skills. When you give coders, students and security experts the opportunity to solve real-world problems in a time-bound challenge (with a healthy dose of competitive spirit thrown in), it creates a highly immersive and engaging learning experience. 

Now in its fifth year, the Shearwater Application Security Hackathon has gone from strength to strength, attracting more and more teams as it supports the development of Australia’s cybersecurity industry. 

Quickly becoming one of Australia’s largest AppSec training events, Shearwater’s Hackathon offers a hands-on learning event with unmatched realism to develop essential security skills. The event was promoted by AISA and AusCERT, and sponsored by nib Health Funds and IT distributor Arrow ECS ANZ.



1 day, 150+ participants

On Friday 15 November 2019, more than 150 high-calibre developers, cybersecurity experts and students nationally came together to test their skills in a ‘capture the flag’ style security challenge.

The 2019 Shearwater Application Security Hackathon saw teams and individuals competing to complete 55 challenges including:

· SQL injection
· Vertical and horizontal authentication bypass
· Various crypto challenges.

The national event attracted participants from Sydney, Melbourne, Canberra, Brisbane and numerous remote sites across Australia, with representation from top corporates, federal government and leading universities.




The challenge

The Hackathon centred around an intentionally vulnerable social media website, InstaFriends. The challenge involved a real site with simulated traffic, technologies and vulnerabilities that represent actual application behaviours. 

With support and guidance from application security experts, participants were immersed in a search to uncover vulnerabilities. By applying hacking techniques in a sandbox environment, they raced to complete the challenge while building valuable skills needed to keep data safe.


Congratulations to our 2019 winners

Shearwater is pleased to recognise the winners and runners up of the 2019 Hackathon. 

First place – [University of Queensland - Cyber A]


· Thomas Malcolm
· Tim Kallioinen 
· Haoxi Tan
· Ruiqing Li

UQCyberA took out the Shearwater Hackathon Trophy and walked away with $1000 worth of JB HIFI Gift cards for the team.

Second place – The A Team


· Jason Macri
· Luke Humberdross
· Joshua Lehman

The A Team was awarded $600 worth of JB HIFI Gift cards for the team.  


Third place – Team Woolies


· Srinivas Karlhik Putlur
· Sarah Emami
· Jon Clark
· Scott Contini 

Team Woolies was awarded $400 worth of JB HIFI Gift cards for the team. 


Jesse Nguyen

Jesse Nguyen achieved the highest rank of any solo player in the competition and received a $100 JB HIFI Gift Card.  

Shearwater’s ethical hackers provided technical support on the day. They said they were particularly impressed by the skills on display at this year’s hackathon, as well as the number of repeat participants (which reflects Shearwater’s commitment to continuously improving the event experience). 

Importantly, it was encouraging to see participants bringing a deeper level of cybersecurity knowledge to the table this year. Cyber threats are becoming more advanced and complex. And the fact that we’re seeing so many IT security professionals and students who can rise to meet those challenges – as demonstrated by the 2019 Hackathon – is a reassuring thing. 


Join us again in 2020

Shearwater’s AppSec Hackathon is an annual event open to cybersecurity professionals, developers and students. You can participate as an individual or in teams of up to four people. 

We hope to see you at our sixth hackathon in 2020!


Introducing Margueritte Saboungi: Winner of the Katie Duczmal Memorial Scholarship

Margueritte Saboungi, a 3rd year student at Western Sydney University, is the inaugural recipient of Shearwater Solutions’ Katie Duczmal Memorial Scholarship.

The scholarship is the centrepiece of Shearwater’s commitment to encourage greater female participation in the cybersecurity industry.

As one of two female students in the initial cohort undertaking the Bachelor of Cyber Security and Behaviour degree, Margueritte is a true trailblazer. She was instrumental in founding the university’s Cyber Security Association (CSA). The association provides students a space to share knowledge, collaborate on projects and network with industry professionals. As CSA President, Margueritte organises regular events whilst providing information to fellow students about certifications, workshops and updates on everything happening in the cyber world. 

Margueritte has an exemplary academic record. During the course of her studies, she has developed many of the technical skills required by those in cyber security, as well as gaining an understanding of psychology.

“As far as I know, this Western Sydney University degree is the only one that incorporates the ‘behaviour’ aspect within it. I believe that in cyber security you need the technical skills, but you also need to get into the mind of the hacker and understand what’s happening,”

“The awareness you gain from psychology can help deter attacks. With psychology we can help implement strategies to protect us from all kinds of cyber-attacks,” she said.  

This initiative from Shearwater awards one final-year female student the opportunity to undertake a paid internship, during which they receive extensive on the job training in a variety of different cybersecurity functions. These include penetration testing, security operations and compliance consulting.

The scholarship also reimburses the student for the tuition costs of their final year of study.

Margueritte’s demonstrable enthusiasm for cybersecurity stems from a childhood love of ‘Kim Possible’, the animated series about a cheerleader who, along with her computer-whiz friend Wade, saves the world from supervillains. More recently, participation in numerous hackathons, including CySCA (Cyber Security Challenge Australia), has helped develop her skills, standing her in good stead as she pursues her dream of becoming a penetration tester.

When asked what, as a female, motivated her interest in cybersecurity, Margueritte stated: “Since birth I always went to all-girls schools. So I have always been surrounded by girls and that gave me a sense of empowerment and a feeling that I am no different from anyone else. That was definitely beneficial to me because it helped me become the way I am now”.

Despite suffering a hearing impediment, Margueritte has not let that get in the way of her ambitions. Her positive attitude to life has won her the admiration of her teachers.

“Margueritte has a wonderful sense of humour and is the main ‘organiser’ in the cybersecurity program across the university… In spite of whatever is thrown her way, she always overcomes these challenges to acquire the skills and do whatever it takes to obtain the result that she desires. She is confident, playful and committed. I have yet to see her stress about anything – this is all too rare a quality and one that I am envious of. She is a trusted friend and leader (among fellow students)”, according to Professor Alana Maurushat.

This scholarship is offered in memory of Katie Duczmal, a principal consultant in cyber security for Shearwater Solutions. The scholarship aims to support female students who have an interest in a career in cyber security and who are in their final year of study.


2019 AppSec Hackathon

5 Reasons your team needs to be in it.

Attention: Management

You’ve assembled your ‘A Team’ of Security Professionals, Product Developers, Software Engineers and Programmers.

But, when it comes to application security, has complacency set in or are they constantly striving to raise the bar?

The time is right to shake things up and take them outside their comfort zone. Trying something different will provide them, and your organisation, with real advantages.

Have you considered adding some interactive and ‘hands on’ training as part of your team development? The Shearwater AppSec Hackathon is the ideal event to help you do just that.

These events are hives of activity involving intensive learning and problem solving. They bring together some of the most innovative minds. People who think outside the box.

Best of all, they inject an element of collaboration and competition, serving as the perfect vehicle for professional development.


5 reasons why you should send a team to the Hackathon:

1. Creative Destruction:

Creative destruction is the process of dismantling long-standing practices. It’s the antithesis of the usual day-to-day brief, but an invaluable exercise in building more secure applications.

Exploiting vulnerabilities in this way offers your team the opportunity to see a piece of software through the eyes of a Hacker. Having your team break our dummy site in a controlled environment allows them to acquire new knowledge that will help them build more secure applications in the future.

The objective of the learning experience is to bring application security to the forefront when developing. Your team can even add some shiny new techniques to their cybersecurity repertoire.


2. Keep Them Motivated

Don’t let your staff get stuck in a rut of repetitiveness.

All too often IT and cybersecurity jobs don’t lend themselves to motivating or engaging staff. Without stimulation, you run the risk of breeding complacency in your team, or even the risk of increased employee churn in a market of scarce talent.

That doesn’t have to be the case.

Shearwater 2019 AppSec Hackathon simulates the types of activities that probably motivated your staff to get into the industry in the first place. A winnable competition in which they earn recognition is sure to appeal to the gamer instinct in them.

What’s more, it encourages them to upskill prior to the event, so they perform to the best of their ability.


3. Up-Skilling Opportunity

A Hackathon encourages a pooling of ideas. It’s a collaboration hub, far removed from the mental silos in which we all tend to get stuck.

In this dynamic environment, where engagement levels are high, every member of staff is likely to pick up new skills and knowledge. Even junior staff can benefit from exploiting a range of vulnerabilities that are aimed at all skill levels. They’ll also have the chance to team up with more senior colleagues, benefitting their professional development.

When your team acquires new skills in a hands-on environment, you have the potential to benefit from far higher engagement and meaningful participation compared to other, less interactive, training initiatives.

You’re giving them the perfect opportunity to showcase their talents. You can uncover previously unknown skills in your team, and you’ll identify any skills gaps in a safe environment.


4. Enhance Teamwork

Hackathons are great opportunities to encourage teamwork.

While a Hackathon may be a pressure-cooker environment, it requires participants to work in a concentrated and tireless manner with the rest of their team. This level of intensity is great for instilling in your team a strong work ethic and a culture for collaboration. What manager doesn’t want that?


5. Identify Future Leaders

When the pressure is on, it becomes clear which members of your team demonstrate strong potential as future leaders. Those who are able to motivate their colleagues to go the extra mile, or those who assist people who are struggling, have the potential to take on future leadership roles.

People who are willing to try different solutions to problems could end up applying that mindset in other areas of your business.

Great future leaders aren’t only those with the strongest skills.

They can be those team members who are willing to accept personal responsibility for their decisions and actions – especially if they don’t result in success. Learning and growing from their errors will inspire others within the organisation.

During the course of the Hackathon, it should become clear who the potential leaders of your team are.


Ensure both your team and your organisation enjoy all the advantages that come with participating in these great events by joining Shearwater’s 5th Annual Hackathon this November 15.

Places are limited –  CLICK HERE  to register today!


Why participate in Hackathons?

Turning up with your laptop for a day of pen testing may not seem like everyone’s idea of a good time.

Sure – it may not be quite as thrilling as jumping into the UFC ring with Conor McGregor. But when you’re up for a serious adrenaline rush – joining a Hackathon comes a close second.

Hackathons are a great way to learn new skills. More importantly, they are a great way to network with people. You spend almost an entire day in the same room with loads of developers, cybersecurity and IT professionals. So, it’s the perfect opportunity to introduce yourself and let others see what you can do.

You never know – you may end up meeting a great contact and landing an awesome job.

The concept of a Hackathon is pretty straightforward. Teams of up to four people need to identify vulnerabilities in a dummy site. Some of the vulnerabilities are easy to find, some are more complex. You earn points for each vulnerability found, with the more complex vulnerabilities earning more points. Whichever team earns the most points in the allotted time wins.

When Shearwater ran its annual Hackathon in 2018, Macquarie University student, James Goddard was close to completing his Bachelor of IT, Cyber Security. Together with three mates, Joseph Hardman, Ethan Hillas and Paul Hossack from the Optus Macquarie University Cybersecurity Hub, they formed a team called ‘ComeExploitMe’.

After 8 hours uncovering vulnerabilities, the team scored an impressive 3rd place – Not bad for a group of students up against seasoned pros!

We sat down with James to discuss his experience participating in the Shearwater Hackathon, how it helped him develop new skills and the benefits of Hackathons to his career.

Team ComeExploitMe, AKA James Goddard, Joseph Hardman, Ethan Hillas & Paul Hossack take 3rd place.


Q & A

Thanks for chatting with us James. What motivated you to participate in the 2018 Shearwater Hackathon?

Shearwater is a prominent, recognised leader in cyber security. Their annual Hackathon has developed a strong reputation. Macquarie University regularly sponsors groups of students to participate, so I was glad when the opportunity arose for me to join.


What aspects of the Shearwater Hackathon did you enjoy?

As a purely web-based Hackathon, I really liked the fact that when we identified a vulnerability, the flags/points were automatically awarded to our team. In other Hackathons, this doesn’t happen automatically, you need to submit a hash manually to earn your points and capture a flag.

The other unique aspect I really liked about the Shearwater CMD + CTRL Hackathon was the presentation before the challenge started outlining the variety of exploits we would be seeing.

It was also good to have coordinators available at the event to troubleshoot problems with the exploits or help point participants in the right direction.

There was a heavy focus on learning outcomes.


What level of experience did you have at the time with penetration testing?

I did not have a lot of previous experience apart from a class at uni. I had been testing myself on the ‘HackTheBox’ platform. I had also been using ‘VulnHub’ boxes to further develop my skills. The only other Hackathon I had participated in was CySCA 2018.


How complex did you find the challenges?

Most of the challenges were moderately complicated. Sometimes we were able to use the same tactics to exploit multiple vulnerabilities within the challenge.


Were the challenges appropriate for your level of experience? Would you have preferred the challenges to be more difficult or easier?

Overall, I think the challenges were appropriate for someone with my skill level and they ramped up in difficulty as you progressed through the challenge.

Even though some of the same vulnerabilities could be found multiple times in the challenge, it was a valuable experience to get into the real-world mindset of “okay this exploit works here, now where else will it work?”


Was the time allocated for the challenges appropriate?

Yes, the timing was good. The pressure was there to make you work hard.


How were the networking opportunities?

Pretty good. If you have prior knowledge and skills that you demonstrate during the Hackathon, other attendees will recognise that. I was able to connect with other participants who will be good contacts throughout my career.


Did you learn new skills? If so, was it as a result of your own efforts or through collaboration? How have you benefitted from these new skills?

Yes – I did learn new skills, both from my own efforts and through collaboration. I learnt a lot through researching potential vulnerabilities and gained more in-depth understanding about common problems. Collaborating with teammates allows you to target separate points of the website and achieve more in a shorter period of time.

I’ve also had the opportunity to use these new skills in my studies.


Has participating in the Hackathon added value to your CV?

Yes – I include my participation in the Shearwater Hackathon on my CV. It shows that I take initiative to develop practical pen testing skills. The fact I was part of the team that ranked 3rd in a well-known Hackathon demonstrates to prospective employers that I have core competencies.


What would you say to other cyber security students considering participating in a Shearwater Hackathon?

Hackathons are a great way to network and learn in a team. It is extremely satisfying working in a team to achieve a certain goal.



The 2019 Shearwater Hackathon takes place on 15 November across Sydney, Melbourne, Brisbane and Canberra. You can also join remotely from any other location Australia-wide.

REGISTER NOW   to take advantage of SPECIAL STUDENT RATE: $49.00




2018 AppSec Hackathon Highlights!

Solo Player from Brisbane Claims Victory

Over 100 cybersecurity professionals, code developers and students walked in the shoes of a cybercriminal for the day to test their skills and learn new ways to defend against cyberattacks at the 4th annual Shearwater Application Security Hackathon.

Growing in popularity, and with many returning participants (we thank you for your continued support), the Hackathon expanded this year to include venues in Sydney, Canberra, Melbourne and Brisbane, as well as the opportunity to participate remotely.

Attracting cybersecurity specialists and software developers from a mix of commercial, government and consulting roles, plus a number of talented university students, participants went head-to-head in this Capture the Flag competition and unique style of training event.

At the end of the day the results were as follows:

2018 Winners

First Place – Team Menace

· Ian Esplin – Security Analyst, Acumenis, Brisbane

Second Place – Team YDT

· James Dickens – Software Developer, Your Development Team, Melbourne
· Matthew Cullen – Cybersecurity Graduate, Telstra, Melbourne

Third Place – Team ComeExploitMe (all Macquarie University students)

· James Goddard
· Joseph Hardman
· Ethan Hillas
· Paul Hossack

Powered by CMD+CTRL from Security Innovation, this year’s challenge featured 2 fully functional targets, an eCommerce website and an HR website, with over 70 intentional vulnerabilities for participants to find and attempt to exploit.

Shred Retail, e-Commerce Website Comprising 35+ Vulnerabilities.

Account All, HR Website Comprising 40+ Vulnerabilities.

The challenges were designed to cater to a range of abilities and each challenge (ranging from SQL injection, password cracking, XSS, authorisation and business logic bypass, cryptanalysis, cipher cracking and more) was carefully chosen to simulate the vulnerabilities commonly found in commercial applications today.

Together, the participants solved 39% of the challenges in Account All and 33% of the challenges in Shred, finding 65% of the Basic, 54% of the Easy, 32% of the Medium and 19% of the Hard issues with many achieving the strongest point in the Security Misconfiguration category (56%).

But importantly, guided by cheat sheets, learning labs and application security and penetration testing experts from Security Innovation and Shearwater Solutions, participants experienced how quickly and easily a poorly protected application’s security can crumble.

This was demonstrated at this year’s Hackathon by several participants. In this year’s exciting finale, Ian Esplin, a solo player from Brisbane, jumped to the top of the leader board, ahead of second half leader Team YDT (James Dickens and Matthew Cullen, from Melbourne) with a last-minute creative SQLMap exploit to gain control of the HR target’s database.

Team Menace, AKA Ian Esplin, IT Security Analyst, Acumenis, Brisbane takes 1st place, plus the solo player award.

Following last year’s impressive win by Sydney’s Optus Macquarie University Cybersecurity Hub Students, the Hub returned, with their new team ComeExploitMe (James Goddard, Joseph Hardman, Ethan Hillas, Paul Hossack) taking 3rd place. Another of this year’s student teams, Stuxxy, 2 cybersecurity students from Deakin University (Daniel Deliva and Daniel Le Souef), deserve an honourable mention for leading the first half of the day, demonstrating the talent of Australia’s up-and-coming cybersecurity professionals.

Team YDT, AKA James Dickens & Matthew Cullen win second place.

Team ComeExploitMe, AKA James Goddard, Joseph Hardman, Ethan Hillas & Paul Hossack take 3rd place.

Team Menace wins the Shearwater Hackathon Trophy, a $1000 JB Hi-Fi gift card + the solo player award (North Face backpack.)

Team YDT wins a $600 JB Hi-Fi gift card.

Team ComeExploitMe wins a $400 JB Hi-Fi gift card.

Shearwater’s annual Application Security Hackathon is open to individuals and teams of up to four participants.

Phriendly Phishing Review in ITWire

No matter the protections you have in place, the last defence for cyber security rests with the end user. But how do you educate in a respectful, engaging way?

David M Williams, CIO, tried out Shearwater’s Phishing Awareness Training & Simulation Solution, Phriendly Phishing, built on this very premise, finding it reduced risk and exposure to phishing and that his users enjoyed the process.

Read about his experience in ITWire.

A Milestone for Microsoft Australia and Shearwater

We are very excited about Microsoft’s announcement that the Australian Signals Directorate (ASD) has certified a number of Microsoft’s Australian based online services offerings.

The majority of these newly certified services are simply not available from any other cloud service. With these certifications, Australian hospitals, educators and government agencies at federal, state and local level can all take advantage of sophisticated capabilities like machine learning and analytics, internet-of-things, and advanced threat protection – all in the cloud – with the confidence that these services are verified and certified by the Australian government.

We are proud to say that the Shearwater team, with their combined expertise, have played a key part in enabling this milestone, and in helping Microsoft demonstrate compliance with the Australian Government requirements for ICT systems.

In his LinkedIn article, Microsoft’s Chief Technology Officer, James Kavanagh, wrote “We chose to engage an Australian company called Shearwater to lead that (IRAP) assessment because of their reputation for rigour and expertise. They performed their work in multiple stages and then presented their reports to Australian Signals Directorate.”

Engagements such as these are incredibly exhaustive. Our Canberra Team has worked tirelessly in Australia and the US to understand each cloud service architecture, review documentation and processes, interview stakeholders, and to validate that the right controls are in place and effective.

Our senior consultants have the necessary ASD IRAP experience and were able to execute on a methodology that successfully addressed Microsoft’s and ASD’s IRAP program requirements. They have handled what was a really complex set of objectives and demonstrated the wealth of experience and expertise that sets us apart from the crowd.

No two engagements are ever the same; the ability to use multiple tools and tailor a solution that delivers the best possible outcome for customers means that we’re always able to inform a strong, successful strategy.

Microsoft’s exciting announcement is just the start of a new and more connected future for government and business. We couldn’t be more delighted to be involved in the journey to guide one of the world’s most influential organisations through Australian Government ICT security requirements.

Well done team for delivering on our values of offering a magical customer experience and owning the outcome.

For more information on Microsoft’s latest offering, please check out these links:

Computer World
The Australian
Australian Financial Review