HackerOne Blog

The Security Researcher Who Thinks Like a Pastor

Maggie Miller
Senior Director, Corporate Marketing
White Tech Background

On the surface, the work of a pastor and the work of a security researcher might appear not just unrelated, but incompatible. One is built on trust, the other on suspicion. One invites openness, the other assumes systems will be tested until they fail.

 

Evan Connelly argues they begin in the same place: presence, remaining with people and systems long enough for curiosity to become meaningful. He works across two disciplines, conducting security research part time while serving full time as a pastor.

 

In both roles, his work begins the same way. Connelly pays attention to what others pass over, to moments when the surface explanation feels incomplete. In security research, that might be a system behaving slightly differently than expected. In pastoral care, it might be a concern that sounds familiar but does not fully explain what someone is experiencing. 

 

For Connelly, curiosity is not abstract interest. It is the discipline of staying with a question long enough to understand who might be affected if it goes unanswered.

Learning to Stay With the Question

That discipline took shape early. As a kid, Connelly gravitated toward systems he could dismantle and analyze. 

Evan Connelly headshot

 

"I was always taking stuff apart. I didn’t even know what I was doing. I was just curious.”

 —Evan Connelly

 

The appeal was not destruction or control. He watched what changed when something small was removed, adjusted, or behaved differently than expected.

 

Over time, that habit matured. Curiosity stopped being about tinkering and became a way of orienting himself to complexity. Connelly learned that the most important signals often appear before anything is obviously broken, and that ignoring those signals rarely keeps problems contained. Small issues, left alone, tend to surface later in ways that affect people more directly.

Curiosity as Diagnosis

In security research, Connelly does not start with a checklist of known vulnerabilities. He starts with how a system functions.

 

“I’m not thinking about issues,” he explains. “I’m thinking about impact and attack scenarios.”

 

He works backward from consequence, asking what a system allows before anyone has decided to misuse it. If a system moves money, he looks for paths that allow money to move without authorization. If it stores sensitive data, he looks for ways that data could be misused.

 

This approach draws him toward systems where failure is not abstract. Over time, Connelly focused more on banks and telecom platforms, places where a misstep does not just break a feature but alters someone’s life. “There are issues where you see wide-scale impact,” he says. “Things that could actually hurt people.”

 

Here, curiosity is about reducing the likelihood that someone else absorbs the cost of a preventable failure.

Patterns Propel Action

The overlap between security research and pastoral care is not exact, and Connelly does not present it as such.

 

In counseling, people can choose whether to engage. They can resist, deny, or ignore what surfaces. In security research, systems do not get that choice. Code behaves the way it was written, whether anyone wants to confront the implications or not.

 

“So often what we think is the issue is not actually the issue,” Connelly reflects.

 

In pastoral counseling, that realization often unfolds slowly. Someone arrives focused on a conflict, an anxiety, or a breakdown in trust. Over time, patterns emerge, responses shaped by experiences long before the current problem appeared. The visible issue is real, but it is rarely the whole story.

Speakers on a stage
Connelly (center) joined other security researchers to speak at HackerOne's Security@ event in Charlotte.

The same dynamic appears in technical systems. A vulnerability that shows up in one place is often the result of an assumption made early and repeated widely. Once identified, it tends to appear elsewhere. The danger is not the first instance. It is how long the pattern goes unnoticed, and how many people are affected before it is addressed.

 

Curiosity, in both cases, is what keeps the work from stopping too soon. Once Connelly identifies a pattern, his attention turns to explanation.

 

“How can I unpack this in a way that makes sense?” he asks. “How can I explain why this needs to be fixed before it becomes urgent?”

 

In security research, explanation often determines whether a risk is addressed early or rediscovered later under worse conditions. A missing authorization check is just a detail until someone understands what it enables and when it matters.

 

In pastoring, explanation serves a different purpose but follows the same logic. People change when they can see the pattern they are inside of and understand what it means for their lives and relationships.

 

“You can’t tell people what to do,” Connelly says. “You want them to see it.”

 

Curiosity opens the door. Clarity allows someone to act in time.

The Discipline of Prevention

Connelly is drawn to work where intervention happens early, before damage becomes unavoidable. In security research, that bias pulls him toward systems where small failures can scale quickly into financial loss or privacy harm. In pastoral care, it shows up as attention to minor signals that might otherwise be dismissed.

 

Preventative work rarely announces itself. When it succeeds, nothing happens because someone noticed early enough to spare others from its impact.

 

That invisibility is part of the discipline, and also part of what makes the work difficult to justify after the fact. Much of what Connelly does is meant to keep people from ever realizing how close a problem came to affecting them.

Responsibility After Seeing

Pastoring and security research may appear opposed, one centered on trust, the other on scrutiny. In practice, both hinge on the same threshold: the moment when something previously unnoticed comes into view. A quiet signal that, once seen, requires a response.

  • In technical systems, that moment arrives when a quiet assumption opens the door to harm.

  • In human systems, it arrives when a minor struggle reveals a deeper pattern shaping a life. In both cases, the optimal intervention comes before damage is done.

Once a pattern is recognized, indifference is no longer neutral. Seeing creates responsibility, whether the system is made of code or people.

What motivates Connelly across both domains is not the satisfaction of being right, but the chance to help someone avoid harm they never see coming. His work begins in that space before crisis, where attention still has the power to change outcomes. The costs of that attention are rarely visible. The costs of its absence usually are, but only later, when they are harder to undo.

See something worth fixing? Join HackerOne and turn careful attention into real impact.

Security Research

About the Author

Maggie Miller Headshot
Maggie Miller
Senior Director, Corporate Marketing

Maggie Miller is the Senior Director of Corporate Marketing at HackerOne, where she turns complex cybersecurity stories into clear, compelling narratives.