Bio
Amitoj Singh is a student of Information Technology at York University. He completed a Cybersecurity Analyst Co-op at RBC under the Adversary Emulation Team. Amitoj is certified as a GIAC Red Team Professional (GRTP), and GIAC Security Essentials Certification (GSEC). He was top 15 on HackTheBox in 2023, and top 3 on Vulnlab in 2024. Amitoj is an esteemed graduate of the Cyberstart initiative at the Catalyst, a free, immersive, gamified learning experience that helps students develop cybersecurity skills while having fun.
Discovering cybersecurity through CyberStart
In his final year of high school, Amitoj Singh received an email through his Google Classroom portal, addressed to all Grade 12s. The post was from a guidance counselor. It introduced the Catalyst and the CyberStart Canada initiative. “I read the email,” says Amitoj. “I was reading about gamified cybersecurity, and I thought: ok. I’m in.”
At the time, Amitoj was particularly interested in what he refers to as CTFs. A CTF stands for Capture the Flag, a cybersecurity competition and training exercise where participants attempt to find hidden text strings called “flags” that are secretly embedded in vulnerable programs, websites, or systems. These competitions are used to develop and refine cybersecurity skills in a gamified, hands-on environment. According to Amitoj, these are simulation programs, such as CyberStart, where you play for fun, compete, and try to solve problems. He was hooked.
Although he went to a sci-tech school, there was no influence or engagement in the cybersecurity realm at the time. There weren’t any cyber programs, and there weren’t any clubs. “I would like to think that if any school had it, it would be this one, but it didn’t.” He developed the interest independently.
It was completely up my alley. 100%.
Making cybersecurity feel local
“Honestly, the thing that I found the coolest was that it was local,” says Amitoj. Most of the games he played were based in Europe and interacted with different parts of the world. “It never really felt that impactful,” says Amitoj. However, the opportunity to play in Canada and the school system’s delivery of the game motivated him to participate. “It made it tangible that I could be involved in the Canadian scene,” says Amitoj.
Learning by doing
Amitoj explains that in a gamified learning approach, you teach yourself solutions by engaging with the problem organically. He offers an example: if he wanted to teach somebody about a web application vulnerability, a common way to do so might be to show a slide deck and say, ‘Here’s the problem, here’s the solution. Here’s how you find it, here’s how you fix it.’ A gamified version would let you lean into the problem. Amitoj says, “You bang your head against the wall, try all kinds of options, and research, and eventually solve the problem. When you do, you don’t forget it.”
You’re learning the same materials that you would have learned elsewhere, except it’s more intrinsic to you. Because you had to fight for that knowledge.
From curiosity to career
This past summer, Amitoj worked as a co-op student at RBC. “I can say a lot of what I did involved operating and researching small, unique, and sometimes undocumented problems and technologies.” From there, Amitoj says, the task is to prototype solutions rapidly. It involves learning about something that you have to teach yourself. You have to try things. You have to fail at things. You have to iterate on your solutions.
You need to have that muscle of being able to solve problems with unknown variables.
The appeal of Offensive Security
Amitoj’s interest lies in offensive security, and specifically red-teaming. He explains that in the field of offensive security, professionals emulate real-life cyber adversaries by creating and conducting malicious attacks and campaigns against organizations. Such behavior enables the organization to train their responses and gain visibility as to where their problem points are.
“I would describe it as a cyber vaccine, where we’re emulating a real adversary that an organization can spar with and learn from.” The organization is in a respond-and-react mode. But the difference is they have a chance to reflect. If this happened in real life, how would we respond? How did we do? What parts do we need to work on, and how do we get better?
Catalyst connections and career growth
Amitoj says he got his role at RBC through the Catalyst. He received the GSEC certification after his first year of university, and the team at the Catalyst asked him where he wanted to go in the future. “I told them I was looking for a co-op opportunity for the following summer, and they connected me to their contacts at RBC.” Amitoj secured a role on the adversary emulation team.
Competing, learning, and leading
When Amitoj joined CyberStart, the leaderboard motivated his competitive side. He wanted to be at the top. Amitoj chipped away at the challenges, completing a few per day for weeks; he was having a lot of fun. Soon, he had completed all of the challenges.
Amitoj reflects on what he would say to another student interested in CyberStart. He says CyberStart is a genuinely invaluable resource for students in Ontario. “The challenges give you a lot of exposure to different aspects of cybersecurity in a very curated manner that is pretty difficult to access by just going on Google or YouTube or trying to expose yourself to those concepts.” Additionally, Amitoj states that the relationship between Cyberstart and the SANS Institute is invaluable. For him, access to the GFACT and GSEC training gave him an understanding of cybersecurity at such a broad level that he’s been able to contribute to professional organizations and student clubs and advise family and friends on security issues.
Tenacity and the drive to fill the gaps
“Being a security professional, it’s making the world a better place, right?” says Amitoj. “I think cybersecurity is a place where you can do that.” Amitoj says being a Red Teamer is a challenging endeavor, but he really likes doing it and will continue to pursue it. He enjoys facing complex challenges, particularly when going up against highly secure organizations with mature defenses. “I think overcoming those problems is the most rewarding and fulfilling,” he says.
The number one trait necessary for succeeding in the field, according to Amitoj, is tenacity. “It’s being able to try any route to the summit, being able to try ten times, one hundred times, or one thousand times for a way to solve a problem,” he says. Often, there’s no formula. Amitoj emphasizes that you need to trust your skills, knowledge, and tenacity to solve the problem and create the necessary impact. The reason this approach is so essential is that if you’re not tenacious enough, you could give up on a problem. He says that if you throw up your hands and say something’s secure, a threat actor will be more tenacious than you. If they dig harder, fight harder, and find a vulnerability, then they’re going to complete their attack. “Ultimately,” says Amitoj, “that’s because at the end of the day, you left the gap.”
A pathway opened by the Catalyst
Amitoj intends to continue finding and filling gaps. And for him, that drive to find and fill the gaps began with one of his own — a missing pathway into cybersecurity that the Catalyst opened for discovery.