Sam Eizad has spent more than half his life uncovering vulnerabilities in digital systems. Today, he is one of the co-founders of Cyloq – a cybersecurity firm delivering high-quality offensive security testing that helps organizations reduce their real-world risk.

Sam’s journey into cybersecurity didn’t start with a job or a degree. It started at home, in front of a computer, when he was just 12 years old.

“I got hacked. But instead of being scared, I got curious. How did that malicious code get in? I started retracing my steps, what I downloaded, and eventually pinpointed the file that caused it. Then I dove headfirst into learning. I was searching forums, reading everything I could. I just had to understand how it all worked.”

At 15, he began building websites, and it was during this time that his interest in web applications grew. A year or two later, he started participating in bug bounty programs, searching for vulnerabilities in large organizations. When he saw Google on the list of companies with bug bounty programs, it became a personal challenge.

“I spent hours digging through Google’s apps. Eventually, I found a vulnerability in one of their services. That’s when I realized if Google can have weaknesses, others definitely do too.”

So he kept going, testing systems, joining hacking competitions, and refining his skills. And he hasn’t stopped since.

From curiosity to impact

Now, Sam is 29 and is still driven by the same curiosity, but with a new goal.

“Now it’s about helping organizations become truly secure. Knowing that our work helps our customers sleep better because we found a critical vulnerability, that’s what motivates me.”

When Sam runs tests, he almost always starts by investigating access controls. He looks for the deep, complex flaws that require multiple steps to exploit, the ones that bypass tools and slip through previous assessments.

“I nearly always start with access and permissions. That’s where the worst flaws tend to hide. Just because an app has been tested before doesn’t mean it’s secure. Many vulnerabilities are buried in specific features or user flows, the kind that automated tools just don’t catch.”

Even in large applications, broken access control is one of the most common (and dangerous) issues. Logical flaws can give a user access to someone else’s data, or even admin rights. In cloud environments, misconfigurations can expose entire systems, especially when developers rely on default settings without realizing the risk.

“These flaws rarely show up in automated scans. You need manual analysis. You need to know what to look for.”

When Quality Leads the Way

Over the years, Sam has seen a lot, from shallow tests to unclear reports to critical issues missed entirely. That’s what led him and Andreas Gjelset to start Cyloq.

‍

“Too many tests came back with vague reports, unverified findings, or no real indication of whether the vulnerability was actually exploitable. We wanted to do things right. At Cyloq, all our senior testers collaborate during assessments to maximize findings. Every vulnerability we report comes with a working PoC, a clear risk evaluation, and concrete remediation steps.”

At Cyloq, no assumption is left unchecked. Just because something was tested before doesn’t mean it’s secure, and experience proves that many previous tests miss what matters most.

“We’ve tested systems that had supposedly been assessed before. Even without any new functionality, we found severe vulnerabilities.”

Delivering on this level takes more than experience. It takes discipline, curiosity, and the integrity to never settle.

“We assume that every system has flaws – no matter how many tests it’s been through. We combine different techniques, brainstorm together, use both tools and manual methods. And we question everything. That’s how you grow.”

Andreas Gjelset is one of the co‑founders of Cyloq. Together with Sam Eizad, he started the company in 2022 with a clear idea: challenge industry complacency and deliver offensive security testing that actually reduces risk.

It’s no coincidence that Andreas ended up in this role. He has always been driven by curiosity, taking things apart, understanding how structures and systems work, and finding smarter ways to refine them. This mindset, combined with an interest in IT, led him first to programming, then to defensive security, and eventually to offensive security.

But far too often, he encountered security tests that didn’t go deep enough. Reports that looked polished but said nothing. Tests that confirmed what everyone already knew instead of uncovering what actually posed a threat. That’s when the idea for Cyloq was born, a cybersecurity company built on rigor, integrity, and real results.

“It’s extremely important to us that we can stand behind every single line in a report. We don’t do cookie-cutter deliveries. Every engagement is unique, and we put our soul into every test. Our work should make a difference, it should actually reduce risk.”

Strengthening security cultures

Even after more than 20 years in the IT industry, he’s still driven by the same curiosity and a deep sense of purpose.

“The adrenaline rush of finding something others have missed is unbeatable. The pace is high and no two days are alike. There’s always something new to learn. The work you put in makes a difference, and that’s rewarding. I know that the work we do directly strengthens our clients’ security culture.”

Even though security tests matter, long-term resilience is built through culture. There needs to be an understanding of risks and a willingness to secure the organization properly. Having insurance isn’t enough. By then, the damage has already been done. You need preventative thinking.

“You can’t hand cybersecurity over to the IT department and assume the job is done. It’s a business issue that shapes risk, delivery capability, and regulatory compliance. Once you understand that connection, it becomes easier to make informed decisions. The point is to identify risks early, build security into the process, and avoid treating it as an afterthought.”

Driven to make a real impact

At Cyloq, they’ve turned down projects where clients asked them to “not look too closely.”

“We’re meticulous because we care. If we were to ‘just take a quick look,’ we couldn’t stand behind the results. We actually want to help companies become more resilient and more motivated to strengthen their security.”

Sam and Andreas have built a team of like‑minded specialists at Cyloq, driven, competitive, detail‑oriented, and methodical. A team that puts their heart into every test.

“Our goal is clear. We want to be the first choice in the Nordics for organizations that want security testing that genuinely makes a difference – with measurable risk reduction.”

‍