When it comes to security and vulnerabilities, it can be difficult to understand how vulnerabilities are found and how different vulnerabilities can be strung together. Whether you want to be a penetration tester, move into application security, or just understand how this all works, the first essential step is thinking like an attacker. This is an often repeated idea in the secuirty industry: to excel at defending, you must understand the attacks, and vice versa. Switching into an offensive mindset takes effort and practice. This switch requires breaking old habits and ideas. Instead of testing if an application will accept the intended input, you need to learn to twist your usual thinking and look for ways errors and different functions can be abused. This can be difficult to do when you are accustomed to only thinking about what your intended user will do with the application. This presentation will discuss basic concepts used by security researchers (e.g. fuzzing) and how penetration testers, and less friendly attackers, will attempt to break an application for their own designs. The presentation will include demos of a couple of offensive tools and stories detailing how attackers were able to map the design of an application and abuse it.