The Good Tech Companies - QA Is the New Red Team: Why Ethical Hacking Starts in the Testing Phase
Episode Date: July 10, 2025
This story was originally published on HackerNoon at: https://hackernoon.com/qa-is-the-new-red-team-why-ethical-hacking-starts-in-the-testing-phase. QA engineers are becoming ethical hackers, embedding security testing early with tools, AI, and attacker thinking to catch breaches before they happen. Check more stories related to cybersecurity at: https://hackernoon.com/c/cybersecurity. You can also check exclusive content about #qa-security-testing, #ethical-hacking-qa, #owasp-zap, #ai-in-software-testing, #test-automation-security, #red-team-qa, #secure-cicd-pipelines, #good-company, and more. This story was written by: @jonstojanjournalist. Learn more about this writer by checking @jonstojanjournalist's about page, and for more stories, please visit hackernoon.com.
In 2025, QA isn't just about features; it's about security. Elvira Khusainova shows how testers now simulate attacks, use AI to find vulnerabilities, and bridge the gap between QA and red teams. With tools like ZAP, Burp Suite, and GPT, testing is evolving into the first, and most vital, line of cyber defense.
Transcript
This audio is presented by Hacker Noon, where anyone can learn anything about any technology.
QA Is the New Red Team: Why Ethical Hacking Starts in the Testing Phase, by Jon Stojan, Journalist.
By Elvira Khusainova, Senior Test Automation Engineer at Deutsche Telekom ITTC Hungary.
"Security isn't a department anymore. It's a mindset, and testing is where it begins." Elvira Khusainova
In 2025, it's no longer a surprise when your mobile app gets breached. What's surprising is how early in the process those breaches could have been stopped, if the right people had been asking the right, destructive questions. Those people? Increasingly, they're QA engineers. And more of us are embracing a new identity: part tester, part ethical hacker.
Testers who think like attackers
Traditional QA was all about confirming expected behaviors. But that's only half the story. What if the user isn't just a user, but an adversary?
"A test that only proves something works is incomplete. A real test must also try to prove it can be broken," Elvira says.
In her current role at Deutsche Telekom, Elvira blends Selenium-based UI automation with OWASP ZAP, Burp Suite, Postman, and even tools like Metasploit. Her test scripts don't just validate buttons. They simulate brute-force attacks, check for misconfigured JWTs, and fuzz APIs for XSS and CSRF risks.
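What "check for misconfigured JWTs" can look like in a test script, as an added example that is not code from the original story or from Elvira's team: a small stdlib-only auditor that takes a token the application issued and reports the classic misconfigurations (an unsigned alg=none token, an HS256 secret that falls to an offline wordlist, a missing exp or aud claim). The mint_token helper, the WEAK_SECRETS wordlist and the sample tokens are constructed here to make the block runnable offline; in a real suite the tokens come from the app under test and the wordlist from a file.

```python
import base64
import hashlib
import hmac
import json

# Constructed wordlist of secrets a careless deployment might ship with
# (assumption: a real run would load a much larger list from disk).
WEAK_SECRETS = ["secret", "password", "changeme", "jwt_secret", "123456"]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_token(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build a token the way a (possibly misconfigured) service would.

    Used here only to produce test input; alg="none" yields an unsigned token.
    """
    header = {"alg": alg, "typ": "JWT"}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    if alg == "none":
        return f"{h}.{p}."
    mac = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(mac)}"


def audit_jwt(token: str, wordlist=WEAK_SECRETS) -> list:
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: a compact JWS has exactly three segments"]
    h_b64, p_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return ["malformed: header or payload is not base64url-encoded JSON"]

    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("alg=none: token carries no signature at all")
    elif alg == "hs256":
        # Offline brute force of the HMAC secret: the same attack a QA script
        # can run against tokens the app issues, without touching production.
        signing_input = f"{h_b64}.{p_b64}".encode()
        observed = _b64url_decode(sig_b64)
        for guess in wordlist:
            candidate = hmac.new(guess.encode(), signing_input, hashlib.sha256).digest()
            if hmac.compare_digest(candidate, observed):
                findings.append(f"weak HS256 secret: {guess!r} is in the wordlist")
                break

    if "exp" not in payload:
        findings.append("no exp claim: token never expires")
    if "aud" not in payload:
        findings.append("no aud claim: token can be replayed against other services")
    return findings


if __name__ == "__main__":
    # Constructed sample tokens standing in for ones captured from the app.
    for label, token in [
        ("strong", mint_token({"sub": "alice", "aud": "api", "exp": 4102444800}, "k" * 32)),
        ("weak secret", mint_token({"sub": "alice", "aud": "api", "exp": 4102444800}, "secret")),
        ("unsigned", mint_token({"sub": "alice"}, "", alg="none")),
    ]:
        print(label, "->", audit_jwt(token) or "no findings")
```

A test in the regression suite simply asserts that audit_jwt returns an empty list for every token the login endpoint hands out; any finding is a failed build, not a ticket for later.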
QA tools are turning into security tools
We're seeing an accelerating trend: testing frameworks and QA platforms are being infused with features once exclusive to penetration testers. According to Elvira, many tools used by QA engineers now double as security assets. Here's how that shift looks in practice.
Selenium WebDriver is still the go-to for UI testing, but now it's often used alongside OWASP ZAP or Playwright for deeper analysis.
Postman, a staple of API testing, is increasingly paired with Hoppscotch or Burp Suite to simulate unauthorized access or injection attempts.
Jenkins and GitLab CI aren't just for test automation anymore. They now run embedded security checks like OWASP Dependency-Check as part of the build process.
Even test specs are evolving. Elvira's teams supplement BDD with threat modeling, converting user stories into potential attack trees before the first line of code is even written.
AI is accelerating the shift
In her team's latest initiative, Elvira led the use of LLMs to generate attack simulations and identify potential business-logic vulnerabilities. This wasn't just about test coverage; it was about threat discovery.
"We trained a local GPT agent on past exploit data. It began surfacing edge-case scenarios our regression suite missed for years."
Here's how AI is redefining her QA strategy:
Automatic generation of malicious user flows.
Auto-conversion of requirements into attack trees.
Simulated user behavior under duress (load plus intrusion).
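The attack trees mentioned in the "test specs are evolving" passage and in the list above are a data structure, so here is an added example (not code from the original story or from Elvira's team) of what a user story becomes once it is converted: an OR/AND tree whose leaves are attacker steps with an estimated cost. Two things fall out of it that BDD specs alone do not give you: every leaf is a negative test the suite must contain, and marking a leaf as mitigated once its test passes shows the attacker's next-cheapest path. The user story, the node names and the costs are hypothetical and illustrative, not measurements.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: str = "LEAF"          # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0           # leaf only: estimated attacker effort (assumed unit: hours)
    mitigated: bool = False     # leaf only: a passing QA test now blocks this step
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Optional[Tuple[float, List[str]]]:
    """Return (total cost, leaf steps) of the cheapest unmitigated path, or None if none remains."""
    if node.gate == "LEAF":
        return None if node.mitigated else (node.cost, [node.name])
    results = [cheapest_attack(child) for child in node.children]
    if node.gate == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    if node.gate == "AND":
        if any(r is None for r in results):
            return None     # one blocked precondition kills the whole conjunction
        return (sum(r[0] for r in results), [step for r in results for step in r[1]])
    raise ValueError(f"unknown gate {node.gate!r}")


def leaves(node: Node) -> List[Node]:
    """Every leaf is one negative test case the QA suite has to contain."""
    if node.gate == "LEAF":
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]


def mitigate(tree: Node, *names: str) -> Node:
    """Mark leaves as covered once the negative test for them passes."""
    for leaf in leaves(tree):
        if leaf.name in names:
            leaf.mitigated = True
    return tree


def password_reset_tree() -> Node:
    # Constructed from the hypothetical user story
    # "As a user, I can reset my password through a link emailed to me."
    return Node("Take over an account through password reset", "OR", children=[
        Node("Guess a valid reset token", "AND", children=[
            Node("Reset token is short or predictable", cost=2),
            Node("No rate limit on the reset endpoint", cost=1),
        ]),
        Node("Obtain the victim's reset link", "OR", children=[
            Node("Compromise the victim's mailbox", cost=40),
            Node("Change the victim's email first (IDOR on profile update)", cost=4),
        ]),
        Node("Reuse an already-consumed reset token", cost=1),
    ])


if __name__ == "__main__":
    tree = password_reset_tree()
    print("negative tests to write:", [leaf.name for leaf in leaves(tree)])
    print("cheapest attack before tests:", cheapest_attack(tree))
    mitigate(tree, "Reuse an already-consumed reset token", "No rate limit on the reset endpoint")
    print("cheapest attack after tests:", cheapest_attack(tree))
```

Note how mitigating a single leaf under an AND gate (the rate limit) blocks the whole token-guessing branch, while the OR branch for obtaining the link stays open until both of its leaves have tests; that asymmetry is exactly the prioritisation signal sprint planning needs.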
The QA-security culture gap
Despite the benefits, there's still a gap. Many organizations silo security into isolated audit teams. Elvira argues this is outdated: by the time a security review happens, it's already too late. QA should own security from day one.
She advocates for cross-training, giving junior testers exposure to tools like Kali Linux or OWASP Juice Shop, and embedding basic threat modeling into Agile sprint planning.
What comes next?
Elvira sees a future where every QA hire knows how to run a vulnerability scan, where CI pipelines fail not just on broken features but on open ports or weak auth, and where security becomes a shared language, not a handoff.
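The build-time gate described here and in the earlier Jenkins/GitLab CI passage, as an added example (not code from the original story or from Elvira's team): a script that reads an OWASP Dependency-Check JSON report and fails the pipeline on any finding at or above a CVSS threshold, honouring a risk-acceptance list whose entries expire. The report fragment is constructed and only modelled on Dependency-Check's dependencies[].vulnerabilities[] layout (the field names cvssv3.baseScore and cvssv2.score are an assumption to verify against your own report); the library names and CVE identifiers are placeholders, not real advisories.

```python
import json
import sys
from datetime import date

# Constructed report fragment modelled on Dependency-Check's JSON output
# (assumption: field names as shown). Names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "acme-json-1.2.3.jar", "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}},
        ]},
        {"fileName": "acme-text-4.0.0.jar", "vulnerabilities": [
            {"name": "CVE-EXAMPLE-0002", "severity": "MEDIUM", "cvssv3": {"baseScore": 5.3}},
        ]},
        {"fileName": "acme-logging-1.0.0.jar"},   # clean dependency: no "vulnerabilities" key
    ]
})

# Constructed risk acceptance: every suppression carries an expiry date so it
# cannot be forgotten; once the date passes the build starts failing again.
ACCEPTED_RISK = {"CVE-EXAMPLE-0002": date(2025, 12, 31)}


def score_of(vuln: dict) -> float:
    """Prefer CVSS v3, fall back to v2, treat an unknown score as 0 (assumed field names)."""
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    return float(v3.get("baseScore") or v2.get("score") or 0.0)


def gate(report_json: str, threshold: float = 7.0, accepted=ACCEPTED_RISK, today=None) -> list:
    """Return (file, cve, score) triples that should fail the build, highest score first."""
    today = today or date.today()
    blockers = []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            until = accepted.get(vuln["name"])
            if until is not None and today <= until:
                continue   # accepted risk, still inside its expiry window
            score = score_of(vuln)
            if score >= threshold:
                blockers.append((dep["fileName"], vuln["name"], score))
    return sorted(blockers, key=lambda b: -b[2])


if __name__ == "__main__":
    # In CI: python gate_deps.py dependency-check-report.json
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    failures = gate(report)
    for file_name, cve, score in failures:
        print(f"BLOCK {file_name}: {cve} (CVSS {score})")
    sys.exit(1 if failures else 0)
```

Wire the script in as the step right after the scanner runs, with the same non-zero exit code treatment the pipeline already gives a failed unit test; that is what makes a vulnerable dependency a red build rather than a report nobody opens.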
Her next project? Embedding accessibility testing, performance under exploit, and secure-by-default test frameworks into enterprise release cycles.
Final thought
Testers have always been defenders of user experience. In 2025, they're also defenders of trust, data, and uptime. It's not just about "does it work?" anymore. It's about "can it break us?" And that's a question QAs should be asking first.
Thank you for listening to this Hacker Noon story,
read by Artificial Intelligence.
Visit hackernoon.com to read, write, learn and publish.
