From getting hacked at 12 to becoming a cybersecurity expert – Meet Sam Eizad, co-founder of Cyloq

Sam Eizad has spent more than half his life uncovering vulnerabilities in digital systems. Today, he is one of the co-founders of Cyloq – a cybersecurity firm delivering high-quality offensive security testing that helps organizations reduce their real-world risk.

Sam’s journey into cybersecurity didn’t start with a job or a degree. It started at home, in front of a computer, when he was just 12 years old.

“I got hacked. But instead of being scared, I got curious. How did that malicious code get in? I started retracing my steps, what I downloaded, and eventually pinpointed the file that caused it. Then I dove headfirst into learning. I was searching forums, reading everything I could. I just had to understand how it all worked.”

At 15, he began building websites, and it was during this time that his interest in web applications grew. A year or two later, he started participating in bug bounty programs, searching for vulnerabilities in large organizations. When he saw Google on the list of companies with bug bounty programs, it became a personal challenge.

“I spent hours digging through Google’s apps. Eventually, I found a vulnerability in one of their services. That’s when I realized if Google can have weaknesses, others definitely do too.”

So he kept going, testing systems, joining hacking competitions, and refining his skills. And he hasn’t stopped since.

From curiosity to impact

Now, Sam is 29 and is still driven by the same curiosity, but with a new goal.

“Now it’s about helping organizations become truly secure. Knowing that our work helps our customers sleep better because we found a critical vulnerability, that’s what motivates me.”

When Sam runs tests, he almost always starts by investigating access controls. He looks for the deep, complex flaws that require multiple steps to exploit, the ones that bypass tools and slip through previous assessments.

“I nearly always start with access and permissions. That’s where the worst flaws tend to hide. Just because an app has been tested before doesn’t mean it’s secure. Many vulnerabilities are buried in specific features or user flows, the kind that automated tools just don’t catch.”

Even in large applications, broken access control is one of the most common (and dangerous) issues. Logical flaws can give a user access to someone else’s data, or even admin rights. In cloud environments, misconfigurations can expose entire systems, especially when developers rely on default settings without realizing the risk.

“These flaws rarely show up in automated scans. You need manual analysis. You need to know what to look for.”

When Quality Leads the Way

Over the years, Sam has seen a lot, from shallow tests to unclear reports to critical issues missed entirely. That’s what led him and Andreas Gjelset to start Cyloq.

‍

“Too many tests came back with vague reports, unverified findings, or no real indication of whether the vulnerability was actually exploitable. We wanted to do things right. At Cyloq, all our senior testers collaborate during assessments to maximize findings. Every vulnerability we report comes with a working PoC, a clear risk evaluation, and concrete remediation steps.”

At Cyloq, no assumption is left unchecked. Just because something was tested before doesn’t mean it’s secure, and experience proves that many previous tests miss what matters most.

“We’ve tested systems that had supposedly been assessed before. Even without any new functionality, we found severe vulnerabilities.”

Delivering on this level takes more than experience. It takes discipline, curiosity, and the integrity to never settle.

“We assume that every system has flaws – no matter how many tests it’s been through. We combine different techniques, brainstorm together, use both tools and manual methods. And we question everything. That’s how you grow.”