The Kali Linux project is maintained and funded by Offensive Security.
Chief content and strategy officer Jim "Elwood" O'Gorman leads the Kali team.
Jim was joined in the interview by Ben "g0tmi1k" Wilson.
Besides being a Kali senior developer, Ben is an OffSec live instructor.
He also maintains the Exploit Database and is the founder of VulnHub, a platform for hands-on cybersecurity course training.
Kali Linux's tagline is: "The quieter you become, the more you are able to hear."
You have 30 seconds to explain what Kali is and why he should use it.
It's built to be as useful as possible out of the box for everyone in that user base.
He put together a Linux distribution with tools on it and then compiled other tools as needed.
By the end of the engagement, he had a working distribution that he shared with friends.
It kinda grew from there.
In that era, compiling tools was an extreme pain in the rear end.
Just having an InfoSec-focused distribution like BackTrack/Kali was enough.
It's what everyone was searching for.
Over time, that's changed.
Tool compilation became easier.
You talk about people pooh-poohing, saying they can just run tools in Debian, and that's completely legitimate.
You might run Metasploit [framework] and most of the time they now compile out of the box.
However, with Kali we do something above and beyond.
For example, we have multi-platform support as first-tier, so ARM is updated right alongside x64.
Ben "g0tmi1k" Wilson: I got involved with Kali through the Cisco CCNA class in high school.
I found it mind-numbingly boring.
The only practical thing I did was learn how to crimp an Ethernet cable.
I discovered BackTrack through a classmate.
I downloaded it, joined the forum, and learned by teaching others.
I became active on IRC, making connections and a lot of good friends.
OffSec was much smaller back then, so I worked in various departments before focusing on Kali.
Jim: I was involved in the information security world as a pen tester.
I met Mati and we became friends.
He had a talent for making people want to help him; that was his superpower.
My background was in forensics, so I contributed to BackTrack 5 by adding the forensic boot mode.
My involvement grew from there.
Why did you settle on Kali?
Jim: I could give you a highbrow answer or tell you the truth!
We were in Vegas at Black Hat [cybersecurity conference] just talking about what would work.
We also wanted something meaningful, that didn't have many confusing Google hits.
Ever since I got married, my wife and I have had cats.
We'd always name them after different gods, like right now mine are called Ares, Apollo and Jupiter.
What is pen testing but breaking something to make it stronger?
We later found out that kali is also a Filipino martial art focused on offence.
Weirdly enough, our organization does a lot of work in the Philippines.
It also means fierce in Swahili.
So there's a lot of ways of interpreting the name depending on what's meaningful to you.
LXF: What led you to choose a Debian base rather than Ubuntu?
Was this just for stability reasons?
Jim: One time we were teaching at Black Hat.
We were walking around and realizing that people had installed BackTrack on their desktop machines.
At the time there was an exploit that affected all Linux OSes and BackTrack was vulnerable to it.
Ubuntu had a lot of stuff it was doing that made it hard to customize and update.
We realized we'd made a mistake and wanted to go a different route.
Is there any aspect of the latest version you're particularly excited about?
Ben: We're preparing to release Kali 2025.1 at the moment.
Kali is a rolling distro, so we ship updates as soon as they're ready.
Point releases are catalogued, then we issue them four times a year just to let people know.
Jim: I'm particularly excited about the relaunched forums.
Real-time chat has taken over in this industry lately but it's not always the right platform.
We've tried previously to direct people to our bug tracker but that's a little formal for some users.
I'm hoping we can redirect a lot of that activity over to the forums.
That way you have nice indexable, searchable items.
We don't want to turn those people away.
The forums are a nice on-ramp for those who want to learn.
LXF: Kali strikes us as a mammoth undertaking!
What would you say have been the main challenges in building and maintaining Kali (if any)?
Jim: That's a good question and there are a couple of ways of processing it.
There are technical challenges, community challenges in getting people involved and contributing.
There are also organizational challenges in justifying OffSec's funding of the project.
We're very grateful that OffSec has been so supportive of Kali over the years.
There are a lot of features we build that are core aspects of Kali but don't get much attention.
We have a mechanism in Kali to containerize legacy software.
Ben: From a technical perspective, Kali is based on Debian testing.
When a package becomes available, we pull it into Kali.
We have to operate on their timelines.
Another example is Python.
Certain InfoSec tools like Nmap have been around forever.
But sometimes someone will create a tool for Kali to address a certain vulnerability.
LXF: What do you think are the main reasons that Kali is arguably the most popular choice?
Jim: There are a lot of good competitors and that makes Kali better.
Many have come and gone over time.
Sometimes they have their own codebase and do something fresh.
At other times they're just reskinned versions of Kali.
I think Kali sustains for a few reasons.
Number one is being first to market: Kali's just a continuation of BackTrack.
We've been around forever and have been able to demonstrate strong consistency.
We listen to feedback, engage with users and take our position seriously.
Our community management has been strong, and we treat everyone with respect, even noobs.
It puts the user first and OffSec has never got in the way of that.
LXF: Can you tell us a little more about the future 2025/26 roadmap for Kali?
We certainly don't want to be slaves to a calendar.
Ben: A good recent example is the new WSL [Windows Subsystem for Linux] distribution architecture.
This might be a dirty word for the Linux world but Microsoft's WSL team told us about the new format.
We want to get Kali as close to the people as possible, so we jumped on it.
This meant we were the first Linux distribution to support the new WSL architecture.
LXF: Do you have any favorite stories about seeing Kali used in unexpected or amusing ways?
It's also meaningful to see people get Kali tattoos.
It shows their commitment to the project.
Ben: I've gone to a few conferences over the years.
At one point there was the joke: "Can it run Doom?"
I've seen similar challenges like: "Can you escape this kiosk?"
And the USB stick they always seem to boot from is Kali.
I've seen these big, big screens and rather than see them crash, they're running Kali on them.
I always think that's the people's choice, as it runs!
LXF: What advice would you give to people who want to get into penetration testing?
Jim: We have free courses, such as Kali Linux Revealed and OffSec's Metasploit Unleashed.
InfoSec is a wonderful, empowering field.
Many people can build a strong career.
There are many free and paid resources they can use.
Kali provides a nice, stable foundation to build on that but you can't buy your way in.
You better join the community and talk to people.
Build a web connection you’ve got the option to work with and learn from.
It's not just about the tech, it's the people.
Ben: I recommend attending BSides conferences [https://bsides.org].
Tickets are often free or low-cost.
They're great for connecting with the community and hearing from enthusiastic InfoSec professionals.
Conferences are springing up all over the world.
Kali also includes built-in vulnerable apps like OWASP Juice Shop for practice [see tutorial, page 76].
There are countless walkthroughs and guides out there to let you actually do things and have fun!