LockBoxx

Book Review: "Agentic Artificial Intelligence"

2026-04-04T09:03:00.000-07:00

"Agentic Artificial Intelligence: Harnessing AI Agents to Reinvent Business, Work, and Life" by Pascal Bornet. This book was written at the very beginning of the agentic AI wave, looking at early adopters of using LLMs in agents to have generic language models drive computer tools. It has some great lessons learned on implementing agentic systems, but it’s largely non-technical, likely because it was written before these systems became standardized.. I listened to this on Audible at about ~$15 for roughly 10 hours (on 1.5x speed). At nearly 500 pages it's a pretty heavy read, although I personally found the first two parts the most impactful in terms of AI theory and implementation insights. The final three parts shift toward business building, enterprise adoption, and long-term societal impact. While the end of the book seemed to depart from reality a bit (talking about Universal Basic Income once agents take over the majority of jobs), I thought the beginning was fascinating and eye opening in terms of planning and reasoning with agents. Overall I'm going to give this 5 out of 10 stars. I recommend this to people wanting to get more theory and guidance when building out agentic systems, although I'm not sure I would recommend this if you were looking for a technical book. The book has no real mention of actual technology needed to implement these ideas. There is almost no mention of specific models, structures, or even the types of agents that could be run to automate these goals. In that sense the book left a lot to be desired, it was almost purely theory. That said, I did enjoy the first two parts of the book. The following are the chapters of the book so you can get a better idea of it's contents before picking it up:

Introduction
Part 1: The Rise of AI Agents
Chapter 1: Beyond ChatGPT: The Next Evolution of AI
Chapter 2: The Five Levels of AI Agents: From Automation to Autonomy
Chapter 3: Inside the Mind of an AI Agent
Chapter 4: Putting AI Agents to the Test
Part 2: The Three Keystones of Agentic AI
Chapter 5: Action: Teaching AI to Do, Not Just Think
Chapter 6: Reasoning: From Fast to Wise
Chapter 7: Memory: Building AI That Learns
Part 3: Entrepreneurship and Professional Growth with AI Agents
Chapter 8: A Practical Guide For Building Successful AI Agents
Chapter 9: From Ideas to Income: Business Models for the Agent Economy
Part 4: Enterprise Transformation Through Agentic AI
Chapter 10: Human-Agent Collaboration: Leadership, Trust, and Change
Chapter 11: Scaling AI Agents From Vision to Reality
Chapter 12: Case Study and Use Cases of Agents Across Industries
Part 5: Future Horizons For Work and Society
Chapter 13: The New World of Work
Chapter 14: Society in the Age of Agents
Conclusion

I struggled with parts of the book, because it repeatedly argues that agents should take action, but rarely explains how that action is implemented.. Should agents be calling APIs in a microservice architecture, or should we be giving agents full control of systems with local tools like ClawdBot? Is it better to give agents skills on how to use specific tools, or should we continue using MCP servers for up-to-date information on the tools? There is a ton of implementation details the book conveniently glosses over. The book also glosses over memory in a similar way, which in my experience if done wrong can make an agentic system much worse. Memory has lots of core questions, like storage location and structure, as well as retrieval quality and embedding limitations. It's a pretty hard thing to get right, so I'm surprised it didn't dive into any of the technical edge cases there. One technique the book does mention in depth is using an extensive RAG library or even a wiki or onboarding documents to support the agentic system if it needs to lookup context or understanding around a process. The book is also very idealistic. From it's estimations on agentic reasoning capabilities (nearly a year after it was written and these models still make regular mistakes) to it's predictions around Universal Basic Income when many common jobs are automated, it honestly makes me a little worried what a more grounded future might look like when I see these as proposed solutions.

On The Rise of AI Augmented Writing

2026-04-01T09:25:00.000-07:00

Welcome back Internet people! Lately I've seen a rise in AI generated articles, blog posts, and even book content. I need to say loudly, as a reader, this is a major turnoff. If a reader can tell that something was written by AI, then the tools are being used poorly. Please don’t pass off LLM output directly as human writing. It makes your work output feel cheap. AI should be used as a writing tool, it shouldn't be replacing human writers altogether.

When writers use LLM output verbatim the result is often stale and lacks clarity. In many cases, it actually makes ideas harder to understand. Current LLMs struggle to maintain consistent, logical models of complex ideas. So while the writing may sound polished at first, it sometimes misrepresents concepts or drifts into conflicting, multiple definitions. Moving past the coherency issues, it's often obvious when a writer has an overreliance on verbatim LLM output. There are many obvious tells. From the overuse of the em dash, to the nonsensical use of the colon; AI generated content sticks out to those who use frontier models often. Certain phrasing patterns also stand out. For example: “It’s not X, it’s Y.” As a writer, this often feels like filler. Just write about Y. Just because these are the current form of these tells doesn't mean these are universal or ubiquitous tells. Quite the opposite, these will change over time as the models change, but the heavy users of the models will very likely recognize their output when used verbatim.

Don't get me wrong, I'm not saying don't use LLMs to help you write. I previously wrote about how to use AI in your technical writing, such as creating templates, voice files, and dynamic prompts to generate rich content. It also makes for a great editor! But one of the key takeaways there is in the last paragraph, where I emphasize heavily modifying and adapting the output. You can't use the output verbatim; frontier LLM output is just too recognizable.

I recently read this great and thoughtful article titled "Don't Let AI Write For You", where Alex Woods lays out that the point of writing is to develop and cement thoughts worth communicating, not simply generating words or content. I couldn't agree with this more. I often use LLMs to help expand on ideas, or think about edge cases I might be considering. I use it to help me refine my writing prompts and generate starting points. But very rarely do I use the ideas or output verbatim. It's an incredibly useful tool, but in my opinion it shouldn't replace the art all together.

So I'll repeat it, and I hope somewhere out there other writers take it to heart. When writers use LLM output verbatim it comes across as incredibly lazy. And frankly, why would anyone read that? A reader could just prompt the model themselves and get the same result.

Book Review: "Adverserial AI Attacks, Mitigations, and Defense Strategies"

2026-03-18T04:07:00.000-07:00

I recently finished "Adversarial AI Attacks, Mitigations, and Defense Strategies: A Cybersecurity professional's guide to AI attacks, threat modeling, and securing AI with ML/SecOps" the book by John Sotiropoulos. The book is a deep dive into adversarial machine learning, focusing heavily on how AI models can be attacked across their lifecycle, from training and supply chain to deployment and inference, using techniques like poisoning, perturbations, and model extraction. The book is a great deep dive on model-level security and the various mode-level adversarial attacks. I grabbed the book for about ~$30, mostly because they were a fellow Packt author, and read it over the course of a long weekend. Overall, I'm give this book 6 out of 10 stars. At over 600 pages, it’s a dense read, and even though it’s divided into a handful of major parts, the structure doesn’t always make it easier to navigate. I'm sure this type of content is useful to some kind of academic or maybe a company actually making and hardening the models themselves, but I'm not sure general security practitioners could apply most of this book. It strikes me as the difference between cryptography security (attacking the algorithms) and applied cryptography security (attacking systems using crypto). The former would have an extremely small audience and applicability, whereas the later is very useful to most security engineers. This book is the former, but for AI. The quality isn’t the issue, it’s more that the content doesn’t map well to the needs of most security practitioners.The book is clearly focused on a model-centric view of AI security, and that shapes both its strengths and weaknesses. A large portion of the content is focused on algorithmic attacks against machine learning models themselves, using techniques such as poisoning, evasion, extraction, inversion, etc. The book goes into meaningful depth on how these techniques work, which is neat, but these feel very much like academic attacks to me as a practitioner. That makes it a strong resource for understanding how models can fail at a mathematical or behavioral level, and introduced me to a lot of resources to that extent, such as the Adversarial Robustness Toolbox. This gives the material a practical edge and makes it easier to reproduce attacks in a controlled environment, allowing you to see the techniques for yourself. In my typical style, here are the chapters of the book, so you can get a better understanding of the content:

Chapter 1: Getting Started with AI

Chapter 2: Building Our Adversarial Playground

Chapter 3: Security and Adversarial AI

Chapter 4: Poisoning Attacks

Chapter 5: Model Tampering with Trojan Horses and Model Reprogramming

Chapter 6: Supply Chain Attacks and Adversarial AI

Chapter 7: Evasion Attacks against Deployed AI

Chapter 8: Privacy Attacks: Stealing Models

Chapter 9: Privacy Attacks: Stealing Data

Chapter 10: Privacy-Preserving AI

Chapter 11: Generative AI: A New Frontier

Chapter 12: Weaponizing GANs for Deepfakes and Adversarial Attacks

Chapter 13: LLM Foundations for Adversarial AI

Chapter 14: Adversarial Attacks with Prompts

Chapter 15: Poisoning Attacks and LLMs

Chapter 16: Advanced Generative AI Scenarios

Chapter 17: Secure by Design and Trustworthy AI

Chapter 18: AI Security with MLSecOps

Chapter 19: Maturing AI Security

Where the book does particularly well is in drawing a clear distinction between recognition-based AI systems and generative AI systems, and explaining how different their attack surfaces really are. The treatment of traditional models, image classifiers, NLP predictors, and similar systems, focuses on adversarial examples and perturbation-based attacks that manipulate outputs without changing the underlying model. In contrast, the discussion of generative AI shifts toward prompt injection, jailbreaking, indirect attacks through retrieved content, and abuse of tool integrations. This distinction is important, because it highlights how generative AI expands the attack surface to language driven control of systems, which is particularly relevant today with the rise of agents. There is also a really good history of the evolution of these systems throughout the book, which is helpful historical context to get. Another thing the book does pretty well is give the reader a hands-on introduction to generative models, particularly GANs, before moving into how they can be abused. It doesn’t just stay conceptual, it walks through building a GAN from scratch, explaining the generator–discriminator dynamic and how they’re trained against each other. The book walks you through building your own naive GANs for things such as deep fakes, which is certainly fun although I'm not sure how truly useful. Further the defensive content is generally less detailed and less operational than the attack content. There is comparatively little guidance on how to implement security controls in real GAN pipelines, how to monitor for abuse, or how to use AI to improve existing cloud and application security practices. To me, the audience is clearly people doing research in adversarial machine learning or teams that are actually building and hardening their own models from the ground up. For that group, the depth on model-level attacks is probably useful. But for a general security practitioner, especially someone working on real-world systems that integrate AI rather than build it, much of the content feels difficult to apply. The scenarios are often centered on directly attacking or manipulating models in ways that just aren’t relevant if your organization is primarily consuming third-party models through APIs like ChatGPT or Claude. That model-centric perspective is also reflected in the book’s implicit assumption that organizations own and train their models. Much of the threat model revolves around scenarios like model theft, training data poisoning, and tampering with serialized model artifacts. While these are valid concerns, they are less aligned with how many enterprises actually use AI today. Most organizations are consumers of models rather than builders, relying on APIs from foundational models. In those environments, the attack surface shifts away from model internals and toward things like API misuse, prompt injection, data leakage through retrieval, and access control failures. As a result, some of the book’s most detailed attack scenarios can feel somewhat removed from the day-to-day risks faced by most security teams out there. We can hear John talk below about the OWASP top 10 AI risks :

Defensive Refusal Bias in LLMs is Hurting Infosec

2026-03-05T07:49:00.000-08:00

Last year a few of us in infosec met up for the National CCDC competition and did some LLM research while at the competition. We gathered data from both the defenders and the attackers on their ussage of LLMs and how well the technology aided them in the competition. This research goes on to show that these LLMs really aren't helping the blue teams, especially when paired with the evolutionary direction i've seen ALCCDC go. We can see a clear bias towards tools like Claude Code enabling offensive tool development and helping attackers, to the extent that the agent swarm will activly hack for the attacker, whereas the blue teams are struggling to get simple questions answered from LLMs like ChatGPT for the fear that the information may be abused.

What we found became the basis of our research on Defensive Refusal Bias, but the story has only gotten more interesting since then. During the competition we collected thousands of real prompts from both blue and red interacting with LLMs. The results showed something counterintuitive: modern safety-aligned models were far more likely to refuse legitimate defensive questions than they were to block creative offensive questions. Blue teams trying to analyze malware, harden systems, or investigate suspicious processes were frequently blocked because their requests looked “too much like hacking.” Meanwhile, attackers could often get what they needed simply by framing their prompts as experimentation, scripting help, or development work.

Fast forward to spring 2026, and the gap appears to be widening. After just completing events like ALCCDC last weekend, tools like Claude Code are rapidly evolving into autonomous agent swarms, capable of developing deep offensive capabilities, writing exploit scripts, chaining reconnaissance tools, and iterating quickly on offensive tooling. Not only that, with some clever prompting and abstraction, Claude Code will drive an offensive agent swarm as an operator, doing fully automated hacking and post-exploitation of victim systems. In practice, what this means is that attackers can now spin up something closer to an offensive agent collective, a set of automated assistants that will explore systems, write exploits, refine attacks collaboratively, and move to post exploitation activities. They will also leverage their own post exploitation for creative attack chains moving forward. Instead of just answering questions, the model increasingly acts as a co-developer and operator for offensive tradecraft, where defenders are getting stopped when asking simple analysis questions.

Defenders are often stuck fighting the safety rails. Ask a model to help analyze a piece of malware or break down how an exploit works, and there’s a decent chance you’ll get a refusal or a heavily sanitized answer. The irony is hard to miss: the same guardrails meant to prevent misuse are often slowing down the people trying to defend systems, where the attackers are using the readily available, professional models today at blazing speeds to auto-hack.

ALCCDC 2026 Review

2026-03-04T08:40:00.000-08:00

This was another amazing year for At Large CCDC, or Virtual CCDC as I've come to call it. We had our event this last weekend, Feb 28th and March 1st. I lead the red team again this year (last year's writeup faithful reader) and the core CIAS team hosted the environment for teams to attack/defend. Overall the competition was intense and engaging. We had 5 blue teams this year and just around 10 individual red teamers. We played zone, in the sense that we essentially hacked across all the teams in an equal manner, targeting specific services with sweeping exploits and laying down equivlent persistence. This is opposed to "man-to-man" or playing in a way where we pair specific red team members to specific blue teams, much the way we do nationals.

This year Dakota state won again. It wasn't even really that close, they are getting really good. I would go out to say Dakota state dominated, playing a near perfect game relative to the other teams. I would also say the remaining teams were fairly closely grouped, with the next two teams being fairly equivalent in the middle, and the last two teams being fairly equal in last. I would argue the other teams should do their best to learn from the DSU playbook, because it is a winning model. They have a ton of infra for hosting your own CCDC-style attack and defense competition. There are a ton of great resources there for up-ing your personal game and emulating the way DSU plays.

On to what I really want to write about from a pentest perspective. The competition is becoming dominated by AI written tooling, agents, and agent swarm pentesting. I'm not convinced yet, often times these tools are much sloppier, more reckless, and harder to control. If you thought pentesters were reckless and hard to control these agent swarms are so much worse. They also do incredibly obvious and silly things that will easily get caught, in an adversarial competition you can't really afford to make those kinds of silly mistakes. One person suggested it was because these haven't been post-tuned in a real world environment and thus were not battle tested. I would need to see these things get remarkably better from an operator perspective before allowing them again, they often don't apply attacks evenly or fairly which is a key feature of our red team at CCDC. Further, I wonder if they could understand how well a blue team is doing and adapt their attacks to level of skill. Regardless, it's a trend I want to comment on. From what I’ve observed so far, AI-enabled pentesting tools generally fall into two categories.

1. AI-Assisted Tool Development

The first approach uses AI like Claude Code to help write pentesting tools. Operators prompt a model to generate scripts, exploit logic, automation helpers, or reconnaissance tooling. The human still controls the attack, but AI accelerates the process of building the tools. Sometimes the model is helping set up the project directly, but I find it's often more productive when the human does the architecting and guides the features they want, and simply uses the AI to script the advanced features, like an LKM in-memoery loader, or similar features, as opposed to using the LLM to guiding those features. These systems tend to work quite well. In fact, some of the most interesting tooling I’ve seen recently has come from this approach. You get creative automation and rapid tool development without sacrificing operator control. This results in stable tools are develop quickly with extremely powerful features.

2. AI-Pentester Operator Agent Swarm

The other approach I've seen uses AI agents that do the cognition and drive the tools. These tend to be more unhinged, and I imagine burn thousands of tokens just in the cognition of the attacks, which feels like less sustainable than using the tokens to write the tool. These are the systems that tend to behave the most erratically. Even the agent swarms that abstract the cognition through layers of agents have issues, such as sub-agent permissions, logging, runaway tasks, emergent behavior, and several other operational challenges that become very apparent once these systems are running in a live adversarial environment. I think a lot of the Claudius experiments show this, as powerful, amazing, and fast as the agents are they just aren't there yet in terms of planning and metacognition. Models are almost always better when you give them very narrow tasks, and thats what the agent swarm attempts to do, break up the the scope of the tasks into smaller, and smaller context windows of focused tasks. On top of that, the second approach feels like it just burns tokens in a crazy way, especially when the agent swarm becomes misfocused or off-task.

I will have a lot more thoughts on these tools and this evolution of pentesting in the coming weeks to months. Stay tuned and let me know in the comments if you have thoughts or find this content interesting

Wild West Hacking Fest Review (Denver 2026)

2026-02-15T14:32:00.000-08:00

We just wrapped this year's 'Mile-High' Wild West Hacking Fest. This was my second time attending the Denver event (distinct from the Deadwood conference), and the growth year over year has been impressive (read about the first one here). It keeps the laid-back, community-driven vibe that made it great to begin with, but the conference experience itself has leveled up in a big way. I personally like this one (over Deadwood) as I think it's much more accessible in downtown Denver, although I've never actually been to the other event. There are so many amazing features of this conference I want to highlight.

To start, the conference app deserves a callout. It’s wasn't just a flat / static schedule, you can browse, and even watch presentations streamed live. If you can’t physically make it to a session, you can still follow along. That level of accessibility really sets it apart. They also run an active Discord server with dedicated channels for every track, workshop, and game. Slides get shared in real time, and conversations continue well beyond the talk itself. It makes Q&A more engaging and helps you connect with other attendees organically. I even joined a pickup team through Discord to compete in a CTF later.

I definitely want to highlight the pre-conference training as it was amazing. You can read my review here. Not only do they offer dedicated training before the conference, but the trainings are also streamed over the app. There are also free workshops during the event that anyone can drop into. And the content spread is excellent. There are advanced sessions diving deep into topics like shellcode curation, alongside beginner-friendly talks and workshops for those newer to the field. It was nice to see the conference strike more of a balance this year.

Speaking of a better skill spread, there were three CTFs this year and felt like something for everyone. There was an intro CTF, an electronic badge challenge, and a full Attack/Defense competition. I think this was really nice as people could engage at any level of experience. Beyond the talks and CTFs, there’s was a very lively vendor area, plus some seriously fun lockpicking challenges. The speed-picking competition alone is worth watching as people get intensely competitive.

It also still feels really small. With roughly 300–500 attendees across just two floors of a single hotel, it feels intimate and approachable. You can strike up conversations with speakers, organizers, and fellow attendees without fighting crowds. It reminds me of the old DerbyCon days, tight-knit, accessible, and community-focused, but with even more structured content and activities.

If you’re looking for a conference that combines strong technical content, hands-on activities, real community engagement, and a relaxed atmosphere, you should seriously consider going to Mile-High Wild West Hacking Fest, It’s one of the few events that still feels small in the best possible way, while delivering a big-conference experience.

Course Review: Breaching the Cloud With Beau Bullock

2026-02-12T09:22:00.000-08:00

I recently took an Antisyphon training, Breaching the Cloud With Beau Bullock, at the Mile High Wild West Hacking Fest 2026. I thought this was a fantastic training for intermediate infosec practitioners, and want to detail a few reasons why. The training was very cheap compared to other industry trainings, with most SANS or black hat trainings ranging from 2-5k. This course comes in around $575 which makes it similar to trainings like The Certified Cyber Defender in terms of price and access (its also available on demand). That alone makes it accessible in a way most “elite” trainings simply aren’t. You do get a certificate of completion for this, but unlike the CCD because there is no exam it doesn't hold too much weight in terms of a verification that the person knows the material. That said, certificates are always nice to get along w/ the sticker price. One aspect I wanted to callout is that Beau goes pretty fast through the content, and there is a ton of content. There are over 420+ slides and 18 hands-on labs throughout the course. The course is only 2 days of in-person, so I get why he has to go fast. Personally, I like it because it is enough to cover the material but let students dig in on their own time if they want more. As a pretty experienced infosec practitioner, a decent amount of the material was also review for me, so it was nice to rip through it from that perspective as well. The material is modern and relevant, comfortably within the last 2–5 years of cloud pentesting tradecraft. This isn’t recycled theory or checkbox cloud security, the course is packed with high-impact tools and techniques for initial access, cloud-native reconnaissance, lateral movement, and privilege escalation across real cloud environments. The course is dense with practical tooling and techniques: tons of scanners, identifying cloud-native weaknesses, pivoting through an organizations roles, and understanding where identity and access failures really hurt. There’s very little time wasted on low-impact “cloud vulnerabilities” that look scary in a scanner report but don’t meaningfully move an engagement forward. This is another great review that really encapsulates that, "You're paying for the experience of the instructor", not simply more rote pentesting content. And Beau is one of the best operators that has been doing this for several decades, so his hands on experience really cuts through a lot of the fluff out there. In my typical review style, the following are the hands on labs in the course to help you get a better understanding of the content:

Lab 1: S3 Bucket Pillaging
Lab 2: Password Spraying
Lab 3: Pillage Code Repos for Secrets
Lab 4: Microsoft Device Code Phishing
Lab 5: Azure Situational Awareness
Lab 6: Backdooring an AWS Account
Lab 7: Azure Service Principal Backdoor
Lab 8: Using AzureHound to Find PrivEsc
Lab 9: AWS Privilege Escalation w/ Pacu & Obtaining Web Console Access
Lab 10: ScoutSuite AWS Scanning
Lab 11: Screenshot Web Services
Lab 12: Exploiting SSRF to Gain IAM Keys
Lab 13: Extract Password Hashes from VM Storage
Lab 14: Dumping Azure Key Vaults
Lab 15: Exploiting Amazon Elastic Container Service (ECS)
Lab 16: Exploiting AWS Lambda Functions
Lab 17: Azure App Services Phishing w/ Illicit Consent Grant
Lab 18: ROADTools Entra ID Analysis w/ CAPS

The course has a big focus on both Azure and AWS. Many cloud classes go deep on a single provider and leave students mentally trapped there. This one does a good job showing the parallels, how the same underlying identity, application settings, and misconfiguration patterns appear across cloud platforms. I found there was a decent bit of overlap with FalconForce's "Advanced Detection Engineering in the Enterprise", in terms of some of the offensive cloud techniques presented, although that had more of a focus on the defensive techniques and it was only looking at Azure. I really like that the course gave you a lot of custom terraform such that you could host the testing environments yourself. You’re not just clicking through someone else’s pre-baked lab, you’re learning how these environments are actually built, broken, and you could even fix the vulns yourself. The course also heavily leveraged CloudGoat for some terraformed vulnerable cloud environments, which is an absolutely fantastic project that I also leveraged in CPTC2023 and while training for my AWS Cloud Specalist cert. The class even covers many parallels with GCP, although it doesn't have us host any GCP infrastructure to pentest. There’s also strong coverage of cloud-to-on-prem and on-prem-to-cloud attack paths, which is where real organizations still get burned. This isn’t cloud-in-a-vacuum theory, it’s hybrid red teaming grounded in real world examples. While the course doesn't implement a ton of best practices in it's own lab setup, Beau makes a point of highlighting good cloud theory in terms of the envs we are pentesting and the recommendations. The labs modeled proper group structure and role assumption workflows the way large organizations actually operate. The slides also cover the use of secrets managers and key vaults instead of hardcoded credentials or lazy storage patterns. Theres also a ton of coverage on cloud specific technologies, like writing security policy in AWS or leveraging Entra ID for better subscription management.

Ultimately, I highly recommend this course for both the price point and the instructor. The emphasis stays squarely on high-impact red team tradecraft: identity abuse, role chaining, secrets exposure, cloud-to-on-prem boundary crossing, and realistic privilege escalation paths inside mature environments. These are the techniques that materially change the outcome of an engagement. They’re practical, repeatable, and aligned with how real organizations actually operate. There’s a noticeable absence of fluff. The content doesn’t wander into obscure edge cases or theoretical attack paths that rarely survive contact with production environments. Instead, it concentrates on methods that consistently produce leverage. That curation is intentional and it reflects experience. When an instructor has spent decades operating in the field, the signal-to-noise ratio improves dramatically. You get the attacks that work, the patterns that scale, and an understanding of cloud patterns that comes from doing the job repeatedly.

Book Review: "MI6 Spy Skills For Civilians"

2026-01-28T07:39:00.000-08:00

"MI6 Spy Skills For Civilians: A Former British Agent Reveals How to Live Like A Spy - Smarter, Sneakier, and Ready for Anything." by Red Riley is an interesting book that explores some espionage tradecraft. I’m not going to lie, I picked this book up at SpyScape NYC, which is a super fun augmented-reality arcade and spy museum in Manhattan (New York City). I read the book casually over a few days, mostly browsing through the various tips and tricks rather than reading it straight through. I paid roughly $17 for the book in person, and honestly, I wouldn’t really recommend it to anyone. Overall, I’d give this book 3 out of 10 stars. While it does seem grounded in some real techniques, the emphasis and tone surrounding those techniques feel extremely off. There are far better books available for this type of learning. If the book took itself more seriously, it could make for a solid coffee table book or a conversation starter. As it stands, I think I’d just end up cherry-picking a few useful points rather than revisiting it as a whole. I picked this book up hoping it would be like "OSINT Techniques", "Spycraft" or "The Craft of Intelligence" but rather I think this book sells itself less as a serious spy skill book and more as a flashy Hollywood spy book. I think this book tries to sell itself like Clint Emerson's "100 Deadly Skills", but "MI6 Spy Skills" comes off as overly flashy whereas "100 Deadly Skills" comes off as practical in the field. The book constantly references James Bond films, both visually and in how it describes the “danger” agents supposedly face. It’s honestly a bit ludicrous to suggest that the average intelligence officer is regularly getting into life-or-death fistfights while traveling on a train in a foreign country. In reality, that would represent a worst-case scenario. The last thing any real agent wants is a physical confrontation or the attention of law enforcement or any other authority figures. In my typical style the following are the sections and chapters of the book:

Chapter 1: Personal Image
Chapter 2: Avoiding Surveillance
Chapter 3: Mobile Surveillance
Chapter 4: Travel
Chapter 5: Dead Letter Boxes
Chapter 6: Brush Contacts
Chapter 7: Self-Defense
Chapter 8: Innocuous Weapons
Chapter 9: Natural Weapons
Chapter 10: Weapons Defense
Chapter 11: Escape & Evasion
Chapter 12: Subterfuge
Chapter 13: Intelligence Gathering
Chapter 14: Personal First Aid
Chapter 15: Basic Agent Extraction
Chapter 16: Advanced Insertion & Extraction
Chapter 17: Other Helpful Tips & Techniques

Some of the best, and most practically useful, content for red teamers appears in the chapter on Brush Contacts, in my opinion. These sections contain genuinely useful ideas and were one of the main reasons I picked the book up after thumbing through it. Tips such as waiting near elevator banks, escalators, or bus stops can be genuinely effective locations for brush contacts or even cloning physical access badges. This chapter, along with others like the one on dead drops, really emphasizes that parts of the book are grounded in real-world experience. Unfortunately, that grounding is undermined by the nearly 50+ pages devoted to improvised weapons and hand-to-hand combat, which make the book feel unrealistic and far more like Hollywood spy fiction. Don’t get me wrong, this approach probably sells well to the uninitiated. But real intelligence work is often incredibly boring. It usually involves observation, pattern tracking, and note-taking week after week, with very little actually happening. Most agents never want to engage in physical altercations, and many would consider a mission compromised if one occurred at all. That said, there are some good or common-sense tips scattered throughout the book. The guidance on remaining inconspicuous is fairly solid: things like wearing non-distinct clothing, never running, avoiding looking over your shoulder, and minimizing unnecessary interactions. The advice to change your outfit and approach routes when revisiting a location for reconnaissance is also sound. Still, the majority of the book feels like it’s pretending to be an action-movie secret agent manual rather than providing skills actual agents would find useful. I was also surprised by the near total absence of computer skills or technical tradecraft, especially given how central cyber operations are to modern intelligence work. No video for this one, just a friendly reminder that overly flashy and embellished techniques are rarely as real or practical as the boring, non-sexy ones. You should always be wary of anyone claiming to do intelligence work while presenting it like they’re some kind of 007.

Course Review: Certified CyberDefender (CCD)

2025-12-30T02:25:00.000-08:00

I recently passed the Certified CyberDefender (CCD). Ultimately I think there is a lot of value in this certification and I think it finds a unique spot within the industry. If you treat CCD as a hands-on validation of blue-team and DFIR skills, it performs well. It's almost like a blue team version of the OSCP, which is funny considering the slogan on the challenge coin is, "Defend Smarter, Not Harder" (vs the classic offensive slogan, "Try Harder"). The combined cost of the labs and exam are approximately $499.99, which I consider very reasonable given the scope and hands-on nature of the material. I spent roughly one week reviewing the course content, followed by four additional days working through labs before attempting the exam. However this may be an accelerated rate for people that are newer to the subject material. The exact contents of the course is here, so you can make sure this specific skill development is what you are looking for.

From a return-on-investment perspective, the labs alone justify the price. Even experienced practitioners will find value in the scenarios, tooling exposure, and repetition across environments. The scenarios require investigation, hypothesis testing, and iterative analysis, much closer to real SOC or DFIR work than most other certifications. If you approach them like a real incident, with partial visibility and incomplete information, they feel authentic and worthwhile. I also like how most of the training has detailed instructions, followed by videos demonstrating the techniques, and finally a lab environment for participants to then try themselves. That said, some of the material and theory leaves a bit to desired. I wrote about some of this in my IR review, I'm talking about getting basic formulas for Risk incorrect or muddling the incident response lifecycle. The full course has similar issues, for example it instructs students to perform live response exercises like log collection and live system triage before capturing memory. In my experience you always want to capture memory first before running more live response tools as they can push evidence out of memory.

Still I thought this exam was great. I like the 48 hour nature of the exam, as well as the multiple sections and environments. This kept it fresh, if I got bored or stuck in one area it was easy to pivot and keep solving challenges. I also appreciated that the exam didn’t artificially gate progress behind single points of failure. My bottom line on this is that the exam is solid for testing hands-on forensic competence across multiple domains. The labs and exam are well worth the time and cost, and the exam format is among the better designs I’ve seen for blue-team certifications.

Book Review: "Good Strategy / Bad Strategy"`

2025-12-17T08:03:00.000-08:00

"Good Strategy / Bad Strategy" by Richard Rumelt is one of the clearest distinctions on what strategy is not that I've encountered. Its very illuminating for anyone caught in melancholy of normal corporate planning cycles. It's a very solid book on how to avoid bad strategy or what the difference is beyond just goal setting. This book attempts to answer how we carve real strategy out of our strengths and opportunities. It tries to take on the challenge of how we get an advantage when accomplishing our goals. One of the classic pitfalls in planning is simply setting forth a dog's dinner in terms of objectives that are hard to hit and don't lend themselves to any type of advantage in that work. I listened to the book on Audible for over 10 hours at essentially $15 or 1 credit. Overall I give it 6 out of 10 stars, for being eye-opening but ultimately lacking to build a clear path out of it's own problem statement. I recommend it to anyone involved in strategic planning or planning in general as I think it is valuable recognizing bad strategy at play. Despite my criticisms that the book doesn't help prepare a strategy, knowing what not to do actually greatly improves the planning process. The book really succeeds in sharpening your strategic eye. Even if it doesn't lay out a methodical process for carving out strategy, it does make you question the effectiveness and strategy of your methods, forcing you to re-evaluate until you land at a better place. In that sense, it really lends itself to red teaming your strategy, looking at it from multiple perspectives and finding both advantages and weakness in the approach. In my typical style, the following are the chapters of the book:

Introduction: Overwhelming Obstacles
Part I: Good and Bad Strategy
Chapter 1: Good Strategy is Unexpected
Chapter 2: Discovering Power
Chapter 3: Bad Strategy
Chapter 4: Why So Much Bad Strategy?
Chapter 5: The Kernel of Good Strategy
Part II: Sources of Power
Chapter 6: Using Leverage
Chapter 7: Proximate Objectives
Chapter 8: Chain-Link Systems
Chapter 9: Using Design
Chapter 10: Focus
Chapter 11: Growth
Chapter 12: Using Advantage
Chapter 13: Using Dynamics
Chapter 14: Inertia and Entropy
Chapter 15: Putting it Together
Part III: Thinking Like a Strategist
Chapter 16: The Science of Strategy
Chapter 17: Using Your Head
Chapter 18: Keeping Your Head

The book shows a lot of anecdotal examples of strategies that don't work. The book is big on calling out the misnomer that strategies have been set or applied when in reality there is no actual overarching strategy. The book talks about the active planning cycle and setting conscious thought into how to go about thinking or planning not just accomplishing the goals. I actually thought this was a little too anecdotal. I would have preferred a more repeatable approach to carving out strategies from planning routines. I would have preferred tips and tricks to analyzing a situation for an an advantage, perhaps some principles that could be leveraged in the planning process to better one those muscles or efforts. The book showed me a lot of what not to do, but left me wanting in terms of how to actually plan and formulate an advantage in a scientific way. Ultimately, the book showed more of what not to do, rather than what to do, which still had a ton of value in terms of planning. While the book also anecdotally mentions some entrepreneurs who found great strategic success in iterating or experimenting on their ideas, the book also downplays these motions as a tactic for refining and battle-testing a strategy. The role of experimentation, iteration, and feedback loops can't be understated in domains that require strategy to win. Further, there is often an adversarial component involved in domains where strategy matters more than an engineering plan. In those environment especially it is important to make sure your strategy remains dynamic and adaptable to environmental or situational feedback. If something works or stops working listening to that feedback can be some of your biggest strategic advantage in some environments. The following is Richard discussing strategy on a podcast. Some of the concepts in the interview come from his newer books, but the interview is great so enjoy!

Course Review: Certified CyberDefender - Incident Response Optional Module

2025-12-03T11:50:00.000-08:00

This review is only for the Incident Response module within the Certified CyberDefender course and labs. I plan on doing a full review of the course and certification after I take I sit for the test, but in the mean-time this a review of just the Incident Response Module, in the Optional Modules section. To be honest, this module is why I purchased the course in the first place, as I was looking for an Incident Response primer to roll out to my teams at work. TL;DR this specific module is not great, there is a lot that seems contrary to common cyber security advice, which I break down briefly in this review. While this entire training may prepare a SOC analyst for their day job, I wouldn't say this IR module would prepare someone for an actual Incident Response. To be honest, I found the incident response module very lacking, both wrong on several traditional definitions, as well as not as focused in terms of tradecraft, as I would like to see. As a result I am writing my own training for the team in conjunction with several industry peers, but i wanted to call out several of the reasons I wouldn't use this module as a formal training. Lets start w/ some of the most egregious examples of getting traditional definitions wrong. Very early on in module they have a formula for Risk that seems very wrong.

They state:
Risk = Threat x Vulnerability
However the traditional equation from the field of Risk Analysis is:
Risk = Likelihood x Impact

It's a very weird definition to change even if they explain it their terms. By changing these definitions it risks training a new set of people on different definitions for no apparent reason. And this isn't a definition of risk that the security industry made up either, this was a formula that the security industry adopted from financial risk actuaries, so using security specific terms like threat and vulnerability really make less sense in that context. Similarly when they break down the traditional three prime locations to do modern detection and log aggregation, they give four locations. The fourth domain comes from calling one area 'systems telemetry' and another 'edge systems telemetry', seemingly drawing the distinction between internal network telemetry and the edge network analysis. I think this is a weird distinction to make and especially trivial in the context of an incident response effort, beyond maybe finding the root compromise. Further, when we do edge security analysis it often isn't traffic analysis such as netflow or pcap, it's typically application logs or en-mass observability statistics. In general the module puts a large focus on network analysis, which includes some really good labs, using tools such as Suricata, Zeek, Velocialraptor, and RITA. These are great and powerful tools for real network analysis and automated detection, although modern incident response has shifted to largely using EDR solutions and some kind of unified identity log collection. I would have really liked to see more tradecraft around tracking an incident, documented compromised hosts, and using this to fight an active infection. A bigger focus on reporting in general could be helpful as incidents often coincide with breaches and understanding the difference is often critical to an incident responders job. The layout of the content is also unclear and generally confusing. The website tries to break the module up by "phases" of the IR lifecycle, only chunked together. This would work if it stayed to it's own self defined phases, such as:

Phase 1: Preparation
Phase 2: Detection and Analysis
Phase 3: Containment, Eradication, and Recovery
Phase 4: Post-Incident Activity

But instead it jumps all around these topics, having random sections such as "Remediation / Eradication" and 'Restore, Validate, and Monitor" in the middle of the previous phases, staying neither consistent in the naming nor the layout. The resulting module layout muddles the IR life cycle, how the engagement should proceed, and when to move between phases or apply different strategy. Finally the quizs are pretty simple for the IR module specific content, each quiz simply consists of 3 questions which you can challenge any number of times, making it an easy thing to blast through. That said, I can understand how the real test is supposed to be the certification exam, but seeing as how this is an optional module it would be nice to see real tests associated with this content. All that said, check back in as I challenge the certification and post a full review of the course. This other review I've read says the course isn't for beginners and was rather difficult, but I've actually found it great for those moving from novice with solid background into a SOC analyst role specifically. Check back soon!

Book Review: "Cybersecurity Tabletop Execercises"

2025-11-16T07:43:00.000-08:00

"Cybersecurity Tabletop Exercises: From Planning to Execution" by Robert Lelewski and John Hollenberger was an interesting book that I picked up at Ada's Technical Books in Seattle. Granted, I do a lot of table top exercises, at least four annually, so this is subject matter I know pretty well. Still I wanted to make sure I wasn't missing some big or new thing. I paid over $60 for this book new at only 150 pages, which feels pricey. My default pricing for books is typically $10 per 100 pages with lots of flexibility depending on the subject matter and presentation. Overall I give this 5 out of 10 stars. Frankly, I think it was overpriced and didn't offer any groundbreaking insights. There are also dozens of free resources from the EPA to CISA to a million easily digestible blog posts that cover the same material, so the high sticker price really was a shocker to get that same content. The book is laid out such that the main book (Part 1) is really only about 100 pages of theory (and that feels like stretching it) and the following 50 pages (Part 2) are multiple examples and sample tabletop exercises. If you were mega tight on timing I could actually see grabbing this book for these canned scenarios. That said, there are also dozens of free table top exercises on the Internet. The theory is also a bit light, as stated, you could learn much of this for free on the Internet. The following is the chapters of the book:

Part 1: The Tabletop Exercise Process
Chapter 1: Why Perform Tabletop Exercises?
Chapter 2: Planning the Tabletop Exercise
Chapter 3: The Development Process: Where the Rubber Meets the Road
Chapter 4: Facilitating a Successful Tabletop Exercise
Chapter 5: Acting on What You've Learned: Evaluation and Next Steps
PART II: Example Scenarios
Chapter 6: Engaging a Technical Audience
Chapter 7: Engaging a Executive Audience
Chapter 8: Engaging the Business
Appendix: Reporting Templates

Despite those previously mentioned shortcomings, the book does highlight a few things I think are worth calling out. I think having the non-static, multiple injects per tabletop example was neat. My tabletops often follow phases of the IR life cycle, whereas having the arbitrary injects move the plot could change that pace and add more dynamic content. It's also a little more realistic this way and mixes things up. I also really liked the emphasis on choosing and fitting the exercise to the audience. Such as having specific exercises target technical or non-technical audiences. The book also did well getting planners to estimate modes of participation, brainstorming how to generate more audience participation, and estimating some of the expected outcomes. I also think the postmortems on the exercise itself are a critical step and I'm glad the text calls that out. It's important to extract the lessons learned into actionable tasks to be accomplished otherwise the exercise could be in vain (beyond the teamwork and educational opportunities from the exercise itself). The following is an random youtube video on how to run your own table top exercises if you are interested, it is generally unrelated to the book:

Book Review: "Conversational Intelligence"

2025-11-14T14:00:00.000-08:00

"Conversational Intelligence: How Great Leaders Build Trust and Get Extraordinary Results" by Judith Glaser was a fairly decent book on building world class communication skills and thus interpersonal relationships. This was a fairly simple book that outlined how most corporate teams fail to communicate by issuing orders to one another and how to move toward conversations that view all parties as collaborators. I think the book is fairly thin in terms of actual stratagies to do this, and the author seemingly recreates a lot of existing theories and paradigms, without really referencing those existing structures. This was a cheap and very reasonably priced book at $10 for 200 pages. And this was a mega quick read, I finished it easily under 6 hours. Overall I give this 5 out of 10 stars, as I think there are better ways to convey what the author is getting at. Overall I would probably recommend other leadership books unless you are specially suffering from bad communications skills and plagued by poor conversations. Don't get me wrong, I think there are good and important lessons here. Communicating at level three as she describes it, is critical I think to good interpersonal communication. But I also think the author makes up so many new terms, such as "double clicking" that it actually confuses their point when they could just describe the actual phenomenon more clearly. Further, other reviews have called out how the author seemingly bites other concepts without ever actually referencing the original materials. I got this vibe throughout the entire book and it was a really big turn off. For example she coins her own term and thus the title of the book as Conversational-Intelligence (C-IQ), as a play on the traditional Intelligence Quota (IQ) or the newer Emotional Intelligence (EQ). The problem is that her newly coined Conversational Intelligence is what most people have generally accepted as Emotional Intelligence (understanding others, their communication styles, and thus goals), yet I have never heard another use the phrase conversational intelligence in it's place, before this book. By redefining already accepted concepts to make them your own, without really adding anything new to the concepts you only serve to confuse the topic rather than clarify it. The book is split into 3 parts, in my normal style here at the chapters of the book:

Introduction: Discovering a New Intelligence
Part I: Conversational Intelligence and Why We Need It
Chapter 1: What We Can Learn from Our Worst Conversations
Chapter 2: When We Lose Trust, We Lose Our Voice
Chapter 3: Moving from Distrust to Trust
Part II: Raising Your Conversational Intelligence
Chapter 4: Challenges of Navigating the Conversational Highway
Chapter 5: Harvesting Conversational Intelligence Using the Wisdom of our Five Brains
Chapter 6: Bringing Conversation to Life
Chapter 7: Priming for Level III Conversations
Chapter 8: Conversational Agility: Reframing, Refocusing, Redirecting
Chapter 9: A Toolkit for Level III Conversations
Part III: Getting to the Next Level of Greatness
Chapter 10: Leading with Trust: Laying the Foundation for Level III Interactions
Chapter 11: Teaming Up Through Conversational Intelligence
Chapter 12: Changing the Game Through Conversational Intelligence
Epilogue: Creating Conversations That Change The World

As much as I think there are good, important lessons here around building trust and communication with your peers, many of the author's techniques in communicating how and why that is important, really rubbed me the wrong way. For example, the chapter on "the five brains" talks about fairly pseudo-science ideas that we have these oversimplified parts of our brain that evolved out of lizard brains. That combined with the advice that one must "work on their third eye" in order to improve conversations with people, just came off as hippie nonsense to me. The end notes and references are also extremely thin, mostly only referencing a few of these weird debunked brain theories. Further, where she should be citing other works in the field and ideas she's borrowed, she uses multiple pages to thank CEOs who were her clients at various points in time. It feels very self-serving and like a weird shout-out as opposed to actual acknowledgments of other work in the field. Beyond that criticism, I think the book could have done more to describe different modes of communication that scale differently and thus lend themselves to different types of corporate "conversations". The book is obviously pitched at improving work conversations, not all work conversations are equivalent, one on ones, or direct conversations. I would have liked to see more examples on what kind of "conversation" is an all-hands, and how can you open that up or best engage audiences at these levels of scale, not just in a single conversation or a small group setting. I think giving the readers more tools to have and improve these conversations could be genuinely really helpful in a book like this. That said, the book is easy to read and includes dozens of simple graphs and graphics, or nice images that emphasize the points and break up the normal text. Feedback on this book is all across the board, but there are certainly some people that think similar to I on amazon reviews. That said, this is also a best seller and massively popular, so don't let me dissuade you, a lot of people really like it!

Book Review: "What Got You Here, Won't Get You There"

2025-11-05T15:09:00.000-08:00

"What Got You Here Won't Get You There: How Successful People Become Even More Successful" by Marshall Goldsmith is a great book on evolving your leadership and management approach. It's a self help book that aims on personal improvement through various methods of corporate feedback. The book is straightforward, anecdotal, and practical. It focuses on first breaking down the ego and understanding that all of us, no matter how successful we are, can still find things to improve and work on in our life. The book really hammers home how success can get in our way, blinding us to our own shortcomings, or creating excuses for our behavior that is still holding us back, despite our own success. One of the really cool things about Marshall is that he publishes all of his resources for free on his personal website, including a really neat LLM trained on his advice! I personally listened to the book on audible for roughly ~8 hours (at 1.5 speed) for less than $1. I found it highly enlightening and generally good use of my time. Overall I give the book 6 out of 10 stars, as it didn't really say anything too novel or that I haven't heard before in terms of leadership coaching, however they are still critical lessons for any person, especially those who are already successful, to hear (again). I recommenced this book to anyone in a corporate setting, I firmly believe we all have features we can improve within ourselves and that recognizing that and setting up a plan for achieving it is within everyone's locus of control. In my typical style, here are the chapters of the book:

Section One: The Trouble with Success
Chapter 1: You Are Here
Chapter 2: Enough About You
Chapter 3: The Success Delusion, or Why We Resist Change
Section Two: The Twenty Habits That Hold You Back from the Top
Chapter 4: The Twenty Habits
Chapter 5: The Twenty-First Habit: Goal Obsession
Section Three: How We Can Change for the Better
Chapter 6: Feedback
Chapter 7: Apologizing
Chapter 8: Telling the World, or Advertising
Chapter 9: Listening
Chapter 10: Thanking
Chapter 11: Following Up
Chapter 12:Practicing Feedforward
Section Four: Pull Out the Stops
Chapter 13: Changing The Rules
Chapter 14: Special Challenges for People in Charge

Some of the major themes I want to highlight from the book are as follows. Successful people often fall into what Marshall calls "success traps". What works early in a career (drive and competitiveness) becomes a liability at later levels or in different positions. Its important to not make excuses for our bad traits because we've been successful despite them. Practice "feedforward", not feedback. This is incredibly important when providing people input on their work. Don't diminish it or shoot it down by using negative language, rather focus on what to do next time or how to course correct going forward Perception is reality is a huge message. How others perceive your behavior defines your effectiveness as a leader, not how you perceive yourself. It's important to square your own assumptions with your external perception using peer feedback. Finally, interpersonal change is measurable. You can and should track progress in interpersonal behavior with regular check-ins and metric like systems, just as you would a technical program.

Marshall makes a point of listing out 20 bad habits that can doom a career, I'de like to list them for readers below:

1. Winning too much: The need to win at all costs and in all situations.
2. Adding too much value: The overwhelming desire to add our 2 cents to every discussion.
3. Passing judgment: The need to rate others and impose our standards on them.
4. Making destructive comments: The needless sarcasm and cutting remarks that we think make us witty.
5. Starting with NO, BUT, HOWEVER: The overuse of these negative words which say to others that you’re wrong.
6. Telling the world how smart we are: The need to show people we’re smarter than they think we are.
7. Speaking when angry: Using emotional volatility as a management tool.
8. Negativity, or “that won’t work”: The need to share our negative thoughts even when we weren’t asked.
9. Withholding information: The refusal to share information in order to maintain an advantage over others.
10. Failing to give proper recognition: The inability to give praise and reward.
11. Claiming credit that that we don’t deserve: The most annoying way to overestimate our contribution to any success.
12. Making excuses: The need to reposition our annoying behavior as a permanent fixture so people excuse us for it.
13. Clinging to the past: To deflect blame away from ourselves and onto events and people from our past.
14. Playing favorites: Failing to see that we are treating someone unfairly.
15. Refusing to express regret: The inability to take responsibility for our actions.
16. Not listening: The most passive-aggressive form of disrespect for colleagues.
17. Failing to express gratitude: The most basic form of bad manners.
18. Punishing the messenger: The misguided need to attack the innocent who are informing us.
19. Passing the buck: The need to blame everyone but ourselves.
20. An excessive need to be “me”: Exalting our faults as virtues simply because they’re who we are.

Below you can see Marshall speaking at Google on some of the lessons in the book. It's an extremely interactive session with breaks in the middle where he asks the audience to engage in some exercises. You should skip around those parts as you watch at home:

Book Review: "High Output Management"

2025-10-25T13:58:00.000-07:00

"High Output Management" by Andrew S Grove was a great book on various management strategies and lessons learned from Andy Grove scaling his career and business at Intel. The book is all about how managers can maximize their output, and thus the output of their team. It's all about where managers should be spending their time and what investments provide long term value in terms of company and employee growth. I think the book really resonated with me because there is such a focus on education and how a manager should really act as a guide and a teacher. Overall I give this a 6 out of 10 book in my journey of learning better management and leadership strategies. I recommend this book to those who still don't believe in the power of 1 on 1s or want help managing large teams across multiple organizations. I really like how the book talks about a manger's primary role being that of information flow and circulation, such that they are constantly communicating important task level information downward, project level information horizontally, and progress on goals upward. A large part of that communication is receiving information and understanding what the different aspects of the business are doing, to be able to translate it effectively to different audiences. There are several practical tools in this book that managers can implement immediately to become better at their jobs. In my typical format, here are the chapters in the book:

Introduction
Part I: The Breakfast Factory
Chapter 1: The Basics of Production: Delivering a Breakfast
Chapter 2: Managing the Breakfast Factory
Part II: Management Is a Team Game
Chapter 3: Managerial Leverage
Chapter 4: Meetings: The Medium of Managerial Work
Chapter 5: Decisions, Decisions
Chapter 6: Planning: Today's Actions for Tomorrow's Output
Part III: Team of Teams
Chapter 7: The Breakfast Factory Goes National
Chapter 8: Hybrid Organizations
Chapter 9: Dual Reporting
Chapter 10: Modes of Control
Part IV: The Players
Chapter 11: The Sports Analogy
Chapter 12: Task-Relevant Maturity
Chapter 13: Performance Appraisal: Manager as Judge and Jury
Chapter 14: Two Difficult Tasks
Chapter 15: Compensation as Task-Relevant Feedback
Chapter 16: Why Training Is the Boss's Job
One More Thing...

There are a few tools and themes that I found especially helpful from the book, such as tickler files, 1 on 1s, office hours, group decision making, matrix management, and task relevance maturity. I really like the idea of using tickler files as reminder files or note files. I personally set mine up as google calendar dates, with either advanced notice or just as informational popups. I also like them when dealing with all of the intricacies of various team work and interpersonal issues. Especially coupled with 1 on 1s, to track and address employee issues, tickler files can be especially useful to establish early and maintain as a way of generating talking points, saving important notes, or just reaching out for something. I've already talked about them in depth in other management book reviews, but 1 on 1s are a powerful tool for hearing employees as individuals, solving their direct problems, and providing valuable information about the job. Something new I got from this book was the idea of office hours to decrease short to medium-term interruptions by setting a dedicated time for them. The book also talks about career management and planning your career consciously, not only for yourself but helping your direct reports plan their career in their best interests. One really fascinating concept I got from this book around career growth, especially in terms of moving into management was the idea of 'task relevant maturity'. This is the idea that someone may be a great manager in a subject they are very familiar with, but a poor manager in another area where they are less familiar. This is important to consider as your role grows and changes throughout your career. Lastly, I really like the idea of matrix management for large projects, or the idea that multiple people can oversee different parts of a team, and employees are beholden to multiple stakeholders or managers in delivering these large work streams. Other ways to accomplish this for specific projects are RACI charts, but the concept of matrix management alone is powerful for larger teams and organizations. The following is a video series by Abi Tyas Tunggal on the book where he breaks the lessons from the book down into several short video lectures, it's really fantastic stuff:

Bridging the Coming Engineering Cliff (Brainstorming Solutions for DCam's "The Coming Engineering Cliff")

2025-10-13T00:58:00.000-07:00

David Campbell raises a valid concern: are we facing a looming engineering talent pipeline problem? His piece, The Coming Engineering Cliff, paints a picture of AI rapidly encroaching on the territory of a proper computer science education. While the allure of AI-powered development is undeniable, we must not lose a critical element in the development of jr engineers: the irreplaceable value of hard-won experience, the kind forged in the fires of scaling nightmares and security incidents. This isn't about AI vs. engineers; it's about ensuring the next generation doesn't just trade depth for velocity while building skills.

Campbell's argument hinges on AI's ability to automate and accelerate development. Fair enough. But engineering isn't just about churning out code; it's about understanding the underlying systems, anticipating failure modes, and crafting solutions that are both thoughtful and robust. This instinct isn't something you can simply train a LLM on. Instinct comes from going through a production outage at 3 AM, from tracing a memory leak through a million lines of code, from learning, often painfully, what not to do. It's about recognizing patterns not just statistically, but viscerally. It's the difference between knowing the rules of chess and being able to anticipate your opponent's strategy. In many ways it can be adversarial thinking, but applied to your own systems. LLMs excel at pattern matching. They can regurgitate solutions based on past incidents. But what happens when faced with a novel threat, a zero-day exploit, a scaling challenge no one has ever encountered before? That's where the A+ engineer, the one with the battle scars and the finely honed instincts, steps in. They don't just apply a prepackaged solution; they invent one that suits the need at hand.

Cloud platforms and AI-powered tools promise to abstract away the complexities of infrastructure and security. And in many ways, they deliver. But this abstraction comes at a cost. Younger engineers, raised on these platforms, are increasingly shielded from the 'unforgiving edge of scale', as Campbell aptly puts it. They can deploy applications with a few clicks, without ever grappling with the intricacies of load balancing, network security, or database optimization, as examples. They become vibe coders, deploying code they barely understand, hoping for the best. This isn't to say these tools are inherently bad; they're incredibly powerful if used by engineers who possess a solid foundation of knowledge. The problem is that these platforms can become a crutch, preventing younger engineers from developing the deep understanding necessary to troubleshoot complex issues and design resilient systems. They're learning to drive without ever understanding how the engine works. And when the engine inevitably breaks down, they're left stranded.

The core issue here is understanding why. A LLM trained on incident postmortems can identify potential failure points, but does it truly understand the underlying causes? Can it reason about nuanced trade-offs in a high-pressure situation? I'm reminded of the Chinese Room argument: the AI can manipulate symbols according to rules, but it doesn't actually understand the meaning behind those symbols. This lack of understanding is particularly dangerous in security contexts. Trusting a non-deterministic black box that's prone to hallucinations to make critical security decisions is a recipe for disaster. We need engineers who can not only identify vulnerabilities but also understand the attacker's mindset, anticipate their moves, and design defenses that are both effective and adaptable. AI can augment human intelligence, but it can't replace it. We still need engineers who can think critically, creatively, and independently, who can challenge assumptions, and who can make informed decisions in the face of uncertainty.

So, what's the solution? We can't simply abandon AI and cloud platforms; they're too valuable. Instead, we need to find ways to bridge the gap between abstraction and understanding, to cultivate the next generation of A+ engineers. Here are a few ideas:

Revive the apprenticeship model: Pair junior engineers with experienced mentors who can guide them through the complexities of real-world systems.
Create failure-friendly environments: Give engineers opportunities to experiment, to break things, and to learn from their mistakes in a safe and controlled setting. Think CTF environments where they must secure and scale vibe-coded programs.
Capture the wisdom of the elders: Document the experiences and insights of our most seasoned engineers before they retire or move on to other ventures. This means more senior engineers should blog or write about their hard gained experiences.
Integrate depth into the AI-assisted workflow: Design AI tools that not only automate tasks but also explain the underlying principles and trade-offs.

The goal isn't to eliminate AI, but to use it as a tool to enhance human intelligence, not to replace it. We need to create a culture that values depth of understanding, critical thinking, and the ability to adapt to unforeseen challenges. The coming engineering cliff isn't inevitable. But avoiding it requires a conscious effort to cultivate the next generation of A+ engineers, engineers who possess not only the technical skills but also the hard-won experience and the intuitive understanding necessary to navigate the complexities of the modern technological landscape. AI can be a powerful ally, but it's no substitute for human ingenuity. Let's not trade the wisdom of experience for the illusion of effortless automation. The future of engineering depends on it.

Book Review: "The Language of Deception"

2025-08-31T10:29:00.000-07:00

"The Language of Deception: Weaponizing Next Generation AI" By Justin Hutchens, takes an ambitious look at the intersection of social engineering, machine learning, and adversarial tradecraft. If you’re coming from a background in red teaming or threat intelligence, you’ll recognize many of the psychological and social principles, but what makes this book valuable is how it reframes those timeless tactics through the lens of AI for the general people. This book tries to warn people of the fallacy of the "thinking machine" or the idea that LLMs are intelligent or really considering ideas just because the output looks human. It's also a fantastic book on the history of AI, showing how these systems have evolved over time, and how models have been used throughout computer science. It's a long book around 400 pages, I listened to it on Audible at ~$15 for about 10.5 hours. I give it 6 out of 10 stars for being a great book on the risks of AI. Overall, I recommend the book to general technologists interested in AI as it lays out some stark realities with the tools, while not being too technical. Although it was written in 2023, it feels like it was written awhile ago (because the space moves so fast) but still several of their predictions have come true. Hutchens doesn’t treat AI as magic. He systematically looks at how attackers could operationalize it, from mass-scale phishing to automated social-engineering campaign pretexting. The framing feels very much in line with how threat actors actually iterate on attack campaigns. The following are the chapters of the book according to the Wiley website:

Chapter 1: Artificial Social Intelligence
Chapter 2: Social Engineering and Psychological Exploitation
Chapter 3: A History of Technology and Social Engineering
Chapter 4: A History of Language Modeling
Chapter 5: Consciousness, Sentience, and Understanding
Chapter 6: The Imitation Game
Chapter 7: Weaponizing Social Intelligence
Chapter 8: Weaponizing Technical Intelligence
Chapter 9: Multimodal Manipulation
Chapter 10: The Future
Chapter 11: The Quest for Resolution

Some parts feel a little disconnected from the reality of the technologies. For example around Chapter 7 the author is talking about bot automation and automated service interaction and discuses using the UI and web scraping to avoid bot detection, when in reality these techniques are pretty different from simply using the or scraping the user UI, and such actives are heavily logged and scrutinized for bot activity. I know it's a small nitpick but it shows a strange disconnect from the reality of some of the techniques. It's also a little wonky because the audio book counts the chapters differently than the print book, but I've referenced the print chapters here. The book calls out one of the major threats my team repeatedly calls out, which is the illusion of intelligence in modern LLMs. Just because some it putting together a string of words that gives the illusion that it understands, doesn't mean the model has a true understanding of the content. This can cause users of these systems to place a false confidence in their output or misunderstand the tools entirely. Hutchens brilliantly demonstrates this with the "Chinese Room Paradox", reminding us that convincing language isn’t evidence of comprehension. The following is an interview with Hutchens discussing the contents of the book:

I Tried Gooning at DEF CON (Do Not)

2025-08-27T17:34:00.000-07:00

I recently volunteered as a DEF CON goon expecting to help people feel welcome and connected. Instead, I was let go for a minor infraction, an experience that left me concerned about how the culture of volunteering at DEF CON has shifted. When volunteers give their time and money, they should be empowered to support attendees, not treated like replaceable enforcers. DEF CON thrives on community, but that only works if volunteering stays rooted in connection, not control. I don't want to name any specific people or leaders involved in this decision process, but as a long term volunteer for security events this just felt over the top to me. I will name the group, as this happened while I was volunteering for the NFO section of the goons (info goons), but to be frank I thought they would be the most open and least "GOON"-like group. The official reason I was let go was that I missed a call from my shift lead and was absent from a newly created shift location for 45 minutes. I thought I was activly doing my job by showing people the rooms, as I was engaged in helping DEF CON attendees find locations and people they were interested in the entire time. At the end of the day I'm volunteering to make a more positive experience for others attending the thing. And I didn't do anything offensive or against the rules, I was just temporarily outside the control of a manager, and that was a terminal event. On top of that, I'm a highly educated person who is often in leadership and managerial positions, so I understand feedback and coarse correction if I'm not doing my job right. Firing me for being absent (due to a misinterpretation of what I thought I was supposed to be doing), is so absurd within a volunteer context that it really attributes itself to the over-zealous image of goons that the community has formed. Here are my major issues with the current culture of DEF CON goons:

Authority & Power Trips - Certain goons come across like “mall cops,” more interested in enforcing rules than helping people. Some even brag about skipping lines or using their role for personal perks.

Clique-ish Dynamics - It can feel like an insider’s club where newcomers aren’t welcomed. First-time volunteers often struggle to connect, while long-timers stick together.

Status Over Service - The role can seem like a badge of superiority rather than a commitment to supporting attendees.

Unapproachable - Groups of info goons often cluster together, making them intimidating and generally ineffective (They don't all answer questions when grouped like that, most of them stand around doing nothing). Attendees also report that simple questions often go unanswered.

Rules Over Hospitality - Instead of focusing on helping people, there’s a strong emphasis on enforcing arbitrary rules, which creates the impression that attendees are being policed rather than supported.

Some perceive that goons enjoy status more than service, treating their role as a badge of superiority. I was very excited and eager to help people, but it felt like my shift lead was more eager to correct me or chastise me (For example I stopped in the hallway to give someone stickers, less than a minute activity, and I was chastised and told we had a five minute rule so I shouldn't be stopping and giving out things). Ultimately, I volunteered because I wanted to connect with people and make their DEF CON a more enriching experience. Being dismissed for trying to do that but not meeting some arbitrary rule left me questioning whether the culture around DEF CON goons has lost sight of its original and intended purpose. For further context on how DEF CON’s culture is shifting more broadly, this piece is worth a read: When Counterculture and Empire Merge

Course Review: "Advanced Detection Engineering in the Enterprise"

2025-08-23T09:35:00.000-07:00

I recently took "Advanced Detection Engineering in the Enterprise" at BlackHat USA 2025. The course was taught by the FalconForce team, including the founders Olaf Hartong and Henri Hambartsumyan, as well as Theo Raedschelders and James Gratchoff. This was an amazing course, that largely focused on Windows detections leveraging modern Azure detection stacks. Microsoft Defender for Endpoint (MDE) and Azure Sentinel being the main hunting and detection platforms for log searching. The course followed a fantastic purple teaming structure, by providing us with fully instrumented Attacker and Victim VMs, that we could use to execute attacks and then hunt and detect said attacks in the logs. We were provided offensive tools such as Mythic, for command and control, and were able to emulate many modern, Windows, attacker tools and techniques, such as SharpHound, Mimikatz, ClickOnce Apps, HTML Smuggling, Living off the Land Drivers, DLL Hijacking, and even Macro weaponization. After executing the attacks we worked on many robust detections for said attacks, such as non-system processes making smb or kerberos calls. Overall these were highly relevant and modern techniques on both sides, with attacks that work in modern environments as well as effective and widely applicable detections for said attacks. The first two days focused on local enterprise detections using onsite technologies like MDE and instrumented host VMs. We used tools like OneClick and executed techniques like DLL hijacking and agent beaconing. Later we used SOCKS proxies to tunnel through our agents and hit further targets in the environment. The second two days focused on detections in the cloud using cloud-logs in Sentinel. Here we looked at techniques like cloud credential phishing and further Azure post-exploitation techniques and detections. The training included tons of good theory that was also applicable to non-Micorsoft environments, such as optimizing search queries, where / what logs to collect, and what log sources to write certain detections on (and why). They also broke down a lot of the technologies, showing edge cases in timing queries, and how certain join statements were better in certain situations, all very useful stuff if are trying to debug query results in an investigation. They also taught a lot of meta-detection theory, such as storing detections as code, keeping wiki pages on every detection, and testing their detection pipelines end-to-end in an automated way.The lab was brilliant as it incorporated both attacker and defender VMs that were both fully instrumented with the right tools and logging. My group often goofed around on the VMs and attacked each other using different techniques after we finished the labs. It was a wonderful environment to play around in and then hunt those activities. The adversary simulation was also very well throughout, it wasn't canned but was still representative of modern TTPs with edge cases considered for both escalations and detections. Overall, I highly recommend the course to defenders and attackers at every level. I think this is an amazing purple teaming course, and offers something to everyone. That said, I think the course will have a larger impact if your day-to-day environment is Windows or Azure based. I truly believe in learning both the attacker and defender techniques for a more holistic understanding of computer security and this course teaches exactly that. Even if you are a beginner I think you could follow this material, and if you are an expert there is so much cool esoteric knowledge packed into this course (and room to do your own stuff), that I promise you will enjoy it. The following is an older video of Olaf's but covers a good amount of the theory and approach to detections that they take as a group.

Book Review: "Countered Terrorism"

2025-07-30T16:06:00.000-07:00

"Countered Terrorism: Real Life terror plots... Foiled" isn't actually a book, but rather a short 6 episode series on Audible. That said, the series is incredible, and a rare look at counter intelligence operations gone right! It's a pretty incredible collection of stories that highlights how counter intelligence can truly be successful in stopping activities left of bang, and some of the critical components that go into those decisions. Presented by David Harewood, David adds a Hollywood spin to the entire thing although regularly interviews to experts and law enforcement close to the situations for the ground truth. This makes the series both highly entertaining and deeply informative. Overall I give the series 7 out of 10, for being engaging and informative, although I wish it was less commercial and dug more into the the forensic details of the investigations. I also recommend it to those interested in intelligence operations or security operations, as making intelligence actionable and heading off big attacks is almost everyone's ideal situation. You can listen to the series for free on Audible, which consists of 6 short stories, each an hour in length. The episodes are as follows:

Ep 1: Day of Terror: Undercover in Manhattan
Ep 2: Capital Blackout: IRA Dreams of A Dark City
Ep 3: The Liquid Bomb Plot: Foiling Britain's Deadliest Plot
Ep 4: The London Nail Bomber: Rampage of Hate
Ep 5: Terrorist007: Catching a Chatroom Jihadi
Ep 6: MoonMetropolis: When a Troll Becomes a Terrorist

The episodes were fascinating and insightful, each of them showing the story of various types of radicalization and various novel terrorist techniques. The stories are wonderfully told and build suspense throughout them, although they tend to focus on the key forensic and intelligence details that allowed them to break the case early. It's this very concept of breaking an intel case early, or shifting the execution to left of bang, that is both so effective and rare. Very rarely do you have all of the evidence you need to act before the incriminating event happens, but these stories repeatedly show how operating on 'just enough' information is sometimes more valuable in terms of interception than as opposed to not acting because you don't have enough information. The following is an except from one of the stories, "The Liquid Bomb Plot", featuring both David and several interviews with those directly involved:

Book Review: "The Manager's Path"

2025-06-19T22:55:00.000-07:00

"The Manager's Path: A Guide for Tech Leaders Navigating Growth and Change" by Camille Fournier is an incredible book for the various levels of management, showing managers how to scale their skills throughout their career. It’s probably the definitive book you hand to a new manager. I listened to it on audible on for free, which is an incredible deal for a book of this caliber. Overall I give it 8 out of 10 starts for having tons of practical tips for actually managing a work force in the modern era. I recommend it to really anyone in corporate America as I think it can help explain a lot of modern mid-level management motions. I really like how the book covers some common new leader pitfalls, such as being overly controlling or a micro manager. A sign of a great leader in my opinion is someone who can provide guidance and set people up for success, while empowering them to really make the work their own. Throughout the book Fournier emphasizes clarity, expectation-setting, and honest two-way communication. In my typical fashion, the following are the chapters of the book:

Chapter 1: Management 101
What to Expect from a Manager
How to be Managed
Assessing Your Own Experience
Chapter 2: Mentoring
The Importance of Mentoring to Junior Team Members
Being a Mentor
Good Manager, Bad Manager: The Alpha Geek
Tips for the Manager of a Mentor
Key Takeaways for the Mentor
Assessing Your Own Experience
Chapter 3: Tech Lead
Being a Tech Lead 101
Managing Projects
Managing a Project
Decision Point: Stay on the Technical Track or Become a Manager
Good Manager, Bad Manager: The Process Czar
How to be a Great Tech Lead
Assessing Your Own Experience
Chapter 4: Managing People
Starting a New Reporting Relationship Off Right
Communicating with Your Team
Different 1-1 Styles
Good Manager, Bad Manager: Micromanager, Delegator
Practical Advice for Delegating Effectively
Creating a Culture of Continuous Feedback
Performance Reviews
Cultivating Careers
Challenging Situations: Firing Underperformers
Assessing Your Own Experience
Chapter 5: Managing A Team
Staying Technical
Debugging Dysfunctional Teams: The Basics
The Shield
How to Drive Good Decisio/ns
Good Manager, Bad Manager: Conflict Avoider, Conflict Tamer
Challenging Situations: Team Cohesion Destroyers
Advanced Project Management
Assessing Your Own Experience
Chapter 6: Managing Multiple Teams
Managing Your Time: What's Important, Anyway?
Decisions and Delegation
Challenging Situations: Strategies for Saying No
Technical Elements Beyond Code
Measuring the Health of Your Development Team
Good Manager, Bad Manager: Us Versus Them, Team Player
The Virtues of Laziness and Impatience
Assessing Your Own Experience
Chapter 7: Managing Managers
Skip-Level Meetings
Manager Accountability
Good Manager, Bad Manager: The People Pleaser
Managing New Managers
Managing Experienced Managers
Hiring Managers
Debugging Dysfunctional Organizations
Setting Expectations and Delivering on Schedule
Challenging Situations: Roadmap Uncertainty
Staying Relevant
Assessing Your Own Experience
Chapter 8: The Big Leagues
Models for Thinking About Tech Senior Leadership
What's a VP of Engineering?
What's a CTO?
Changing Priorities
Setting the Strategy
Challenging Situations: Delivering Bad News
Senior Peers in Other Functions
The Echo
Ruling with Fear, Guiding with Trust
True North
Recommended Reading
Assessing Your Own Experience
Chapter 9: Bootstrapping Culture
Assessing Your Role
Creating Your Culture
Applying Core Values
Creating Cultural Policy
Writing A Career Ladder
Cross-Functional Teams
Developing Engineering Processes
Practical Advice: Depersonalize Decision Making
Accessing Your Own Experience
Chapter 10: Conclusion

The book feels especially practical for engineers moving into management, offering advice grounded in real-world experience. I personally found a lot of it very intuitive having worked several jobs in the bay area, that said I could see it being even more impactful to someone who hasn't worked where these aren't already regular practices. It includes core tips such as scheduling regular one on ones, or personal meetings with your directs and others around the company. This includes keeping notes from these meetings for both interpersonal development as well as managerial responsibilities (unblocking, performance reviews, etc...). Not only does this strengthen relationships it puts actionable tasks and strategies to the responsibilities of managing technical individuals. The book really speaks to a technical audience when it talks about debugging relationships and corporate issues using tools like meetings and documentation. The book scales throughout the many levels a manger's career could take them, such as up to director and c-suite. At those levels the book talks about leading more from a strategic and culture perspective, and provides many great tips for guiding a company at that degree. Finally I like how the book makes a point of highlighting that if culture isn't set out explicitly it can develop negatively on it's own. It reframes why so many bay area companies use strong cultural credos as a core part of their identity. It really drives this point home using Apples as an example and the culture Steve Jobs created there, and how his culture is still referenced decades later as a decision making argument. The following is an interview with Camille Fournier, so you can hear some of the good advice straight from her:

Bootcamp #27: Real-World Phishing Response and Malware Triage

2025-06-11T17:31:00.000-07:00

Welcome back all! This is the latest installment of my bootcamp series, as I'm currently mentoring several padawan hackers. This session will focus on a training video I made over 2 years ago on triaging an advanced phish and QuackBot malware strain. I encourage you to watch the video slowly as it's jam packed with quick, but seasoned triage tips.

Book Review: "Nonviolent Communication"

2025-06-08T08:25:00.000-07:00

"Nonviolent Communication: A Language of Life" by Marshall Rosenberg was a great and very enlightening book. It offers a simple yet profound approach to improving how we communicate, not only with others but also with ourselves. Whether you're navigating difficult conversations at work, struggling in your relationships, or simply looking to be more mindful in your everyday interactions, Nonviolent Communication provides tools that can lead to more peace and understanding. This book isn't just about how to re-frame our conversations, it's about how to truly connect. Rosenberg teaches a method of communication that reduces conflict, fosters empathy, and gets to the heart of human needs. I listened to it on Audible, as read by Marshall himself, for about 5 hours at less than $3! Great book, I highly recommend it for those looking to improve corporate communication or those looking to improve their interpersonal relationships. For anyone who wants to be heard without coming across as aggressive, this book is a must-read. As for the actual methodology, it breaks down into four simple steps.

The Nonviolent Communication (NVC) formula is as follows:
1. Observations
2. Feels
3. Needs
4. Requests

These steps might seem basic on the surface, but the book dives deep into how they can fundamentally shift the way we relate to others. When applied correctly, this formula becomes a powerful tool for reducing judgement and conflict, while increasing mutual understanding. The book also shows how people encounter frustrations when their needs aren't being met, but also when they fail to express those needs. Often, we resort to blame or passive aggression instead of simply naming what we need. NVC teaches us to take responsibility for our emotions and communicate in a way that invites cooperation rather than defensiveness. One of the secret, super powers within the book is actually being able to interpret people's needs and requests despite them not even making it clear. Rosenberg shows how we can develop the skill of hearing the unspoken needs and feelings behind someone’s message, even when they express themselves in a way that sounds aggressive or critical. This shift in perception can turn tense conversations into opportunities for empathy and resolution. The book also spends a lot of time talking about judgment language, and how when we use language that judges we are far less likely to get our needs met, as the recipient will likely shut down or resist us in response. When we use language that judges, we often trigger resistance or defensiveness in others, making it less likely our needs will be heard or met. Overall, Nonviolent Communication is more than a communication guide; it’s a mindset shift. Whether you're looking to improve workplace dynamics or deepen personal relationships, this book offers invaluable tools to speak, and listen, with compassion and clarity. I hope you enjoy this as much as I did! Please leave any thoughts or feedback in the comments!

Book Review: "Service Model"

2025-05-29T09:19:00.000-07:00

I recently read "Service Model" by Adrian Tchaikovsky, published mid 2024, and I've been telling everyone to read this. The book extremely timely in terms of its message about the future of humanity and automation, and I think it comes at an important time. That said, I think this book is very love or hate for many people. I absolutely love it, but some people find it very dry and boring, as it's both long and the main character thinks like a robot throughout the entire book. The book is a long journey of self discovery, as Uncharles searches for a new master but along the way discovers a very broke world, finds the answer to how things came to be, meets God, ultimately grapples with consciousness, humanism, and self determination throughout the story. The book also doesn't have a ton of action, it really lends itself to some fantastic nods to great writing, deep character dialogues, ironic thought experiments, and cautious sci-fi predictions. The book is fairly long at 400+ pages, that said I think it goes quickly as it is divided into five distinct sections that each have their own style and goals, making it fun and fast throughout each section. You can almost think of it as reading 5 short stories that are part of a larger epic. I listened to it on audible, which was also read by Adrian Tchaikovsky, which if you read my reviews you will know I really enjoy (when an author reads their own work). Speaking of Audible, it's also free with a membership, currently, so take advantage of that! Overall I give the book 8 out of 10 stars for being a very timely read and pointed critique of the AI automation craze that is taking over so many industries currently. I actually recommend it to anyone working in tech or policy, and especially recommend it to programmers as I think they will find Uncharles robotic humor great. It also feels like a love letter to his literary influences, filtered through his own seasoned and playful voice. As a writer, this kind of stylistic pastiche is not only fun but also deeply rewarding when done well. Tchaikovsky is a master of “show, don’t tell,” allowing the story’s ideas to emerge organically over time as Uncharles embarks on his adventure. The following are the sections of the books (and which authors they represent), and how many chapters each section contains.

Part I: KR15-T (Agatha Kristie)
Chapters 1 - 4
Interconnection I
Part II: K4FK-R (Franz Kafka)
Chapters 5 - 9
Transition II
Part III: 4W-L (George Orwell)
Chapters 10 - 16
Transition III
Part IV: 8ORH-5 (Jorge Luis Borges)
Chapter 17 - 21
Interconnection IV
Part V: D4NT-A (Dante Alighieri)
Chapter 22 - 31
Epilogue

I think this book really encapsulates many of the modern problems with AI and automation in general, from software that no longer receives patches to perversely incentivized automated systems. One of my favorite re-occuring themes was this idea that Uncharles was on the verge of independent thought, in the sense that humans can't help but think these are "intelligent" machines because they sound and look human in many ways. I see this a lot with AI where people attribute actual thinking to what is statistical generation. There are many other modern phenomenon having to do with this automation age that the book captures super well. From robots generating "emotional-like" responses only for their logic units to override those to entire service centers that are caught in automation loops and errors, resulting in the external systems then erroring with no way of repair. I really like how it gives this sense of of run away human and robotic interpretation while maintaining only really one human character throughout the book. The ultimate message is really important, which is not to lose our humanity in spite of all of these advancements and automations. If we ever get to the place of automating away the common laborer then we need to care for them in some way otherwise the foundations of human society will easily collapse around us. I also really appreciate how Adrian tries to mirror some of his favorite writers in each part of the book. The following are some of those observations to their respective parts. The first part tries to emulate Agatha Christie. This part was wildly hilarious to me as both an investigator and a huge Christie fan. I liked the Poirot like reveal where the detective gathers all the house robots in a room to announce that Uncharles is not a murder, despite Uncharles persisting that he did murder his master. This was an incredibly ironic and hilarious part in my opinion. Second part tries to emulate some of Franz Kafka's absurd bureaucratic labyrinth such as in The Trial or The Castle. The tone of these chapters are increasingly surreal as Uncharles meets The Wonk and things go very sideways in the service center. The third part pays homage to George Orwell's animal farm and 1984. This part really hammers home how dark a fully automated future could be. This part not only critiques the authoritarian nature of the Farm, but also shows where AI can use perverse incentives to negatively impact human life. The fourth part alludes to Jorge Luis Borge's The Library of Babel, and was probably one of my favorite parts of the book. This part of the book takes a deeply philosophical turn and uses much symbolism to convey the idea of knowledge and how the context of knowledge matters more than the individual data points. I also like how much of an allusion to modern LLMs this is, in that they use context to understand things. The fifth and final part refers to Dante Alighieri and his Divine Comedy. This part is excellent and shows Uncharles journeying into a version of a robotic hell. At the end of this chapter Uncharles meets a figure who calls himself god (and can equally be viewed as a devil), and attempts to give Uncharles what he desires. Uncharles is eventually unhappy with all of the options god gives him and ends up siding with The Wonk. I won't spoil the actual ending of the book, but short to say you should read it for each section alone! The book is highly thought provoking and fun the way it pays homage to various other important authors in history. Overall I really enjoyed this book and highly recommend it to others!

Red Teaming at NCCDC 2025

2025-04-29T04:10:00.000-07:00

This was another solid virtual CCDC year. This year was remote again (we had another virtual NCCDC during the pandemic) so the blue teamers played from their respective schools / areas, and members of the red team all gathered in various locations to play together. We had some people meet on the east coast, some people meet up in Texas, and others just play remote. I met up w/ Dave, Evan, Alex and others in Las Vegas, where we hacked together from a suite in the Cosmo. Before we get too far into it, this year the winning teams were:
1st: University of California, Irvine
2nd: University of Virginia
3rd: Dakota State University

We got to use alot of the virtual CCDC infrastructure, which I enjoy as it feels like a second home for me now. We set up Tailscale as the VPN, we had Traphouse for reporting, Grid for hosting, IP pools (for dividing up our operations), private pastebins, and even a special AI service provided by Scale AI. We had a bunch of shared C2 options, and a massive collection of local malware stockpiled from over the years. I personally ran 3 VMs, one for throwing, one as a backup C2 in the environment, and one for hosting various items (as a grid fallback) or using as shared access. I also used a team hosted server of Realm, my own locally hosted instance, and a Butterfly implant for a DNS covert channel as my callback command and control this year. I've really been enjoying Realm, it's a great framework with lots of options in terms of tomes (dynamic modules) and scriptability. And that's not counting direct connect backdoors, and indirect backdoors. We were able to get the domain based on OSINT and learned that the organization registered the 'oscorpi.com' domain. we correctly assumed this could be related to 'OS Corp Industries' or Marevel's The Green Goblin. So we started generating password lists for users like Harry Osborn (hosborn) and Norman Osborn (nosborn) and credentials like 'Gr33nG0bl1n'. Our password lists ended up striking gold faster than our network exploits (with the Domain Controller on the .5), so our prediction of the organization and subsequent credentials were pretty spot on this year! I was also able to figure out which team I was assigned halfway through the competition based on tools they pulled down from their github repo, which gave me a boon of intelligence in terms of what they were looking for and their general hardening techniques. I was also able to recover some of their tools, for example they used a binary to scan and harden the machines, which was a really cool approach, reminding me of previous Blue Spawn approaches. Below is the final presentation and award ceremony. Dave's red team debrief starts at the 40:00min mark, although the whole thing is really good.