I have worked as a pentester and eventually a Red Team lead before leaving foe gamedev, and oh god this is so horrifiying to read.
The state of the industry was alredy extremely depressing, which is why I left. Even without all of this AI craze, the fact that I was able to get from a junior to Red Team Lead, in a corporation with hundreds of employees, in a span of 4 years is already fucked up, solely because Red Teaming was starting to be a buzz word, and I had passion for the field and for Shadowrun while also being good at presentations that customers liked.
When I got into the team, the “inhouse custom malware” was a web server with a script that pools it for commands to run with cmd.exe. It had a pretty involved custom obfuscation, but it took me lile two engagements and the guy responsible for it to leave before I even (during my own research) found out that WinAPI is a thing, and that you actually should run stuff from memory and why. And I was just a junior at the time, and this “revelation” got me eventually a unofficial RT Lead position, with 2 MDs per month for learning and internal development, rest had to be on engagements.
And even then, we were able to do kind of OK in engagements, because the customers didn’t know and also didn’t care. I was always able to come up with “lessons learned”, and we always found out some glaring sec policy issues, even with limited tools, but the thing is - they still did not care. We reported something, and two years ago they still had the same bruteforcable kerberos tickets. It already felt like the industry is just a scam done for appearances, and if it’s now just AIs talking to the AIs then, well, I don’t think much would change.
But it sucks. I love offensive security, it was really interresting few years of my carreer, but ot was so sad to do, if you wanted to do it well :(
Definitely, but the issue is that even the security companies that actually do the assesments also seem to be heavily transitioning towards AI.
To be fair, in some cases, ML is actually really good (i.e in EDRs. Bypassing a ML-trained EDR is really annoying, since you can’t easily see what was it that triggered the detection, and that’s good), and that will carry most of the prevention and compensate for the vulnerable and buggy software. A good EDR and WAF can stop a lot. That is, assuming you can afford such an EDR, AV won’t do shit - but unless we get another Wannacry, no-one cares that a few dozen of people got hacked through random game/app, “it’s probably their fault for installing random crap anyway”.
I’ve also already seen a lot of people either writing reports with, or building whole tools that run “agentic penetration tests”. So, instead of a Nessus scan, or an actual Red Teamer building a scenario themselves, you get a LLM to write and decide a random course of action, and they just trust the results.
Most of the cybersecurity SaaS corporates didn’t care about the quality of the work before, just like the companies that are actually getting the services didn’t care (but had to check a checkbox). There’s not really an incentive for them to do so, worst case you get into a finger-pointing scenario (“We did have it pentested” -> “But our contract says that we can’t 100% find everything, and this wasn’t found because XYZ… Here’s a report with our methodology that we did everything right”), or the modern equivalent of “It was the AI’s fault”, maybe get a slap on the wrist, but I think that it will not get more important, but way, way more depressing than it already was three years ago.
I’d estimate it will take around a decade of unusable software and dozens of extremely major security breaches before any of the large corporations (on any side) concedes that AI was really, really stupid idea. And at that time they’ll probably also realize that they can just get away with buggy vulnerable software and not care, since breaches will be pretty common place, and probably won’t affect larger companies with good (and expensive) frontline mitigation tools.
I have worked as a pentester and eventually a Red Team lead before leaving foe gamedev, and oh god this is so horrifiying to read.
The state of the industry was alredy extremely depressing, which is why I left. Even without all of this AI craze, the fact that I was able to get from a junior to Red Team Lead, in a corporation with hundreds of employees, in a span of 4 years is already fucked up, solely because Red Teaming was starting to be a buzz word, and I had passion for the field and for Shadowrun while also being good at presentations that customers liked.
When I got into the team, the “inhouse custom malware” was a web server with a script that pools it for commands to run with cmd.exe. It had a pretty involved custom obfuscation, but it took me lile two engagements and the guy responsible for it to leave before I even (during my own research) found out that WinAPI is a thing, and that you actually should run stuff from memory and why. And I was just a junior at the time, and this “revelation” got me eventually a unofficial RT Lead position, with 2 MDs per month for learning and internal development, rest had to be on engagements.
And even then, we were able to do kind of OK in engagements, because the customers didn’t know and also didn’t care. I was always able to come up with “lessons learned”, and we always found out some glaring sec policy issues, even with limited tools, but the thing is - they still did not care. We reported something, and two years ago they still had the same bruteforcable kerberos tickets. It already felt like the industry is just a scam done for appearances, and if it’s now just AIs talking to the AIs then, well, I don’t think much would change.
But it sucks. I love offensive security, it was really interresting few years of my carreer, but ot was so sad to do, if you wanted to do it well :(
Seeing all these AI ideas, i think security is about to get hugely more important in the near future.
Definitely, but the issue is that even the security companies that actually do the assesments also seem to be heavily transitioning towards AI.
To be fair, in some cases, ML is actually really good (i.e in EDRs. Bypassing a ML-trained EDR is really annoying, since you can’t easily see what was it that triggered the detection, and that’s good), and that will carry most of the prevention and compensate for the vulnerable and buggy software. A good EDR and WAF can stop a lot. That is, assuming you can afford such an EDR, AV won’t do shit - but unless we get another Wannacry, no-one cares that a few dozen of people got hacked through random game/app, “it’s probably their fault for installing random crap anyway”.
I’ve also already seen a lot of people either writing reports with, or building whole tools that run “agentic penetration tests”. So, instead of a Nessus scan, or an actual Red Teamer building a scenario themselves, you get a LLM to write and decide a random course of action, and they just trust the results.
Most of the cybersecurity SaaS corporates didn’t care about the quality of the work before, just like the companies that are actually getting the services didn’t care (but had to check a checkbox). There’s not really an incentive for them to do so, worst case you get into a finger-pointing scenario (“We did have it pentested” -> “But our contract says that we can’t 100% find everything, and this wasn’t found because XYZ… Here’s a report with our methodology that we did everything right”), or the modern equivalent of “It was the AI’s fault”, maybe get a slap on the wrist, but I think that it will not get more important, but way, way more depressing than it already was three years ago.
I’d estimate it will take around a decade of unusable software and dozens of extremely major security breaches before any of the large corporations (on any side) concedes that AI was really, really stupid idea. And at that time they’ll probably also realize that they can just get away with buggy vulnerable software and not care, since breaches will be pretty common place, and probably won’t affect larger companies with good (and expensive) frontline mitigation tools.