From bad game hacker to an elite good red team hacker.
Chris Thompson is a hacker. His journey took him from hacking game controls as a teenager to become the founder of IBM’s first dedicated red team and then global head of X-Force Red. In 2024 he founded and remains the organizer of Offensive AI Con, and in 2025 moved from IBM to be co-founder and CEO at RemoteThreat.
He had a non-standard entrée into and progress within this profession. “Back in high school I got interested in a girl who was into hacking,” he explains. Before then, he owns to have been a bit of a rebel: “Always trying to circumvent or break the rules, whether that was with parents or teachers, the school computer lab or whatever.”
But it was meeting his girlfriend that “got me interested in hacking – in developing malware and cracking computer games and software. I wanted access to Photoshop to create art, or I wanted access to DJ or sound mixing programs. And so, it was looking at how to bypass the activation gates for that software that quickly turned into game hacking and trying to target game servers, multiplayer servers.”
Then he digressed from the usual hacking route. By the time he was seventeen, “I realized I really wanted to help these game server companies lock down their servers and make them more able to withstand my attacks.”
He used contacts at EA, “and got some contracts with them to harden some of their servers and host other infrastructure for them. That just expanded through different connections – News Corporation and others were early clients of mine, back when I was 18.”
He leaves much unexplained in this account. How does an 18-year-old, with no relevant academic background, persuade major organizations that he can improve their security? Why does a young man experienced in breaking security suddenly decide he wants to fix security? The answer probably lies in the strength of his personality and the psychological influence of the growing relationship with his girlfriend.
“I started my own security testing company when I was 18 and worked for the same game companies that I had previously been trying to hack to avoid paying for.” During this period, he traveled the world with his girlfriend, spending almost a year in Thailand, hacking (responsibly) as they traveled. “I wanted to turn it more into a career so we could keep traveling and have the freedom to do so.”
This is probably the key motivating factor, turning a youthful games hacker into a responsible security engineer. He was a young man, a bit of a rebel, who wanted stability and freedom without giving up his hacker love of breaking things. Breaking things legitimately so they can be remade better is the essence of red teaming.
“It’s more about having fun and accepting the challenge without ending up on the wrong side of the law. I thought this was a good way to travel the world, to stay free without having to fit into the typical corporate structure – and enjoy myself while doing it.”
The choice was practical rather than some innate high moral compass. He remains a bit of a rebel to this day. “Some rules are made to be broken, and some laws are questionable – but at the end of the day you must draw the line somewhere. I don’t want anyone to suffer from anything I do, but I still want to have fun doing it.”
Has he ever been tempted by the other path – to sell the vulnerabilities or exploits he discovers on the dark web? “On the dark web? No, never. The great thing about brokerages and bug bounties is they remove that temptation from folks. But I’d like to see the process expanded in the future.”
Right now, he explained, “It’s really just for zero-days. I’d love to see it include unique malware capabilities and techniques as well. If the industry could rise to that challenge and start paying people for new ways to bypass CDR, or to perform lateral movement between systems, these new abilities that are being dropped for free on the internet will start to disappear – because people will have a way to monetize their discoveries and get paid for their research.”
The combination of his hacking ability and desire to do no harm is reflected in his career trajectory. He is now CEO at RemoteThreat, a firm he co-founded for the purpose of using AI to counter the threat of bad actors’ use of AI. His unconventional attitudes have accompanied him along the route. He has a university degree, but it was acquired when he was already an accomplished hacker.
“A friend suggested I take a computer science program to legitimize what I was already doing, so I did that.” He got a Southern Alberta Institute of Technology BA in Information Systems, but it was almost an afterthought to his career, and somebody else’s afterthought at that. When he left college, he immediately started a new pentesting company.
This non-reliance on academic qualifications to define abilities continues.
“Post secondary school education is great for some folks – it gives them structure and introduces them to a wide range of concepts. But some of the best hackers I know didn’t even graduate high school. They just dropped out. Hacking is more about how you push yourself to learn and go down different rabbit holes and graphs concepts.
So, for example, when I hired for X-Force Red, I didn’t care about a college degree. It’s more about, can you prove yourself? Show me. Show me the research you’ve done. Show me how you work collaboratively with others. Show us your deep domain expertise in these areas.
That’s really what I looked for. Can you play nicely with others? Can you collaborate well? Can you deliver on results? Are our clients gonna like working with you? Are you personable and, more importantly, do you have that domain expertise?”
He’s now on the Black Hat Review Board. “I get to see a lot of amazing submissions from folks that never went to university or college, and they simply know they’re just extremely talented individuals, and push themselves to get to that level of understanding. It doesn’t have to come from a degree.”
This raises an unanswerable question. One reason for intelligent people to drop out of education is neurodivergence.
Neurodivergence can often (by no means always) combine social difficulties with high intelligence. Statistically, it has often been noted that a higher than expected percentage of hackers are neurodivergent – more the ASD range (Asperger’s) and ADHD than full-blown autism. The question is, to what extent does neurodivergence figure in the formation of hackers?
“I’ve got ADHD for sure,” comments Thompson: “there’s definitely a few oddities about myself. But, you know, I think that’s more of a superpower for folks in the industry. I work with a lot of neurodivergent people, and they take on challenges differently than those that aren’t; and they apply a degree of scrutiny on how things work, and how they can get around them, and understanding things at a much deeper level than most people. I definitely think this industry attracts folks that are neurodivergent, because they apply a different degree of focus than those who might not be neurodivergent.” And of course, these people may have dropped out of high school.
Neurodivergence probably doesn’t create hackers, but it certainly assists the process of hacking.
Apart from the Black Hat Review Board, Thompson had numerous side gigs while at IBM. One was a stint as an operator focused on contract CNE operations and consultation on electronic warfare and lawful intercept for an unnamed organization (but which required NATO Secret clearance). Another was project sponsor for the MITRE Center for Threat Informed Defense; and yet another was a member of the board of directors at CREST.
One current and ongoing side gig is founder and co-organizer of the Offensive AI Conference. This is interesting since it provides insight on how a hacker believes artificial intelligence is beginning to affect both offensive and defensive cybersecurity. And of course, led to him co-founding RemoteThreat.
AI and hacking
“The use of offensive AI is a really interesting opportunity and threat,” he says. “You’ll have folks that aren’t good hackers, that cannot write their own malware, that can’t write their own offensive security tools, now being able to leverage chat prompts to do that for them. And task agents to do the testing they might not be good at themselves.”
The result is a step change in the speed and quantity (not necessarily quality) of malicious attacks, and the speed and quantity of exploitable vulnerabilities discovered by red teamers. “On the flip side,” he continues, “those who have domain expertise can move a lot faster by offloading some of the more tedious tasks, like domain data analysis and target recon, and can free up their time to look at other things.”
“The smart folks are leveraging AI to not just offload their basic work, but to free up their time to focus on more interesting things. We’ve seen folks leveraging AI workflows to build offensive security tools faster, to find vulnerabilities and weaponize them faster, to find problems and patch them faster. It’s less about just losing the advantage of coding your own malware or exploits, and more about using AI to augment and be a force multiplier for those folks that are good hackers already.”
Of course, the same argument applies to both malicious hackers and offensive red team defenders: cyberwar will increase in both intensity and sophistication, and the stakes will be higher.
“There’s a huge skill shortage in our industry,” he adds. “But there’s also a need to move at a faster pace than ever before. The bad guys and other nation states will be leveraging AI to find vulnerabilities and weaponize them and then use those exploits faster. So, if we don’t also leverage AI to find those same vulnerabilities and patch them; or find those vulnerabilities, weaponize them and use them against adversaries faster, we’re going to be in a really difficult position when there’s a major conflict.”
We live in a time of geopolitical tension, with the temperature rising fast and unlikely to cool down in the short term. Russia already targets destructive attacks against NATO-aligned critical industries, and that’s worrying. But just as worrying is China’s prepositioning within critical networks. It is not, at the time of writing, using destructive attacks from these positions – but Iran, triggered by the current war, targets anyone and everyone that is not Iran; and has already used destructive cyberattacks.
What happens if any of these adversarial nations are assisted by AI in both exploits and pre-positioning to the extent of being able to disrupt critical industries en masse? ’Significant repercussions’ is the term used by Thompson; and AI will be central to both the cause and effect.
Chris Thompson is among the good guy hackers – and his work is increasingly critical to maintain balance on the global cyber battlefield. Offensive security, of the type he undertakes, is fundamental to the concept of cyber deterrence. It’s no longer a case of whether AI should be used in cyber defense, it is a simple statement that AI must be used.
Related: Hacker Conversations: Stephanie ‘Snow’ Carruthers, Chief People Hacker at IBM X-Force Red
Related: Hacker Conversations: Joe Grand – Mischiefmaker, Troublemaker, Teacher
Related: Hacker Conversations: HD Moore and the Line Between Black and White
Related: Hacker Conversations: Chris Wysopal, AKA Weld Pond
