MetaCTF – The Modern Cyber Skills Platform (https://metactf.com/)

Ep 16 – The Cyber Talent Series
https://metactf.com/blog/ep-16-the-cyber-talent-series/
Tue, 17 Mar 2026 06:29:36 +0000

The Cyber Talent Series’ special episode is now live!

Join co-host Phoebe DeVito as she turns the microphone on fellow co-host Thomas Rogers to discuss MetaCTF’s transition to SkillBit. Thomas shares the origins of MetaCTF, the philosophy behind hands-on CTF-based learning, and how that foundation evolved into a broader platform for cybersecurity skill development that’s better captured with the name, SkillBit. They also explore the vision behind SkillBit’s bite-sized training model, the role of AI in guiding skill development, and how organizations can better measure and grow cybersecurity talent. 

Tune in now with the player below, or check it out on the SkillBit (formerly known as MetaCTF) YouTube and Spotify channels!



Phoebe DeVito (00:00)
Hello! Welcome to the Cyber Talent Series where we explore how organizations are closing skills gaps, accelerating onboarding, and building high performing cybersecurity teams. My name is Phoebe DeVito, and today I’m going to be talking with my co-host, Thomas Rogers, and you’re going to be getting a peek behind the curtain at MetaCTF’s transition to SkillBit.

So, thanks for having this convo today, Thomas.

Thomas Rogers (00:32)
Yeah, excited.

Phoebe DeVito (00:34)
So our long time listeners might remember

Phoebe DeVito (00:36)
when we interviewed you in episode for folks who are newer to the show, could you just give a quick refresher on your role at Skillbit and kind of your focus day to day?

Thomas Rogers (00:45)
Yeah, So I’m co-founder of I’m the president. So I lead marketing, customer success, sales, me and Roman work together on job primarily on the day-to-day is to talk to customers, help customers with whatever they need to be successful in their cyber skill development journey.

Phoebe DeVito (01:03)
Awesome. Okay, cool. And so before we get into this transition to Skillbit, kind of going back to the beginning, wanted to hear if you could talk a little bit about the inception of the company, kind of from the beginning, what problem you and Roman were originally setting out to solve and how that’s been accomplished through MetaCTF.

Thomas Rogers (01:22)
Yeah. So Roman’s been running CTFs for a long time, 10 years more. Really he started building and running and managing CTFs because he felt like that was the best way to learn cybersecurity, whether you’re getting into the field or trying to get exposed to new vulnerabilities, attacks, methods, tools, whatever the case.

because it’s so hands-on and experiential and requires you to do things. Also the fact that it’s collaborative, cybersecurity is a team sport and CTFs are a team sport. So Roman started running CTFs a decade ago. And what that led to is really him seeing that there was a need to run really high quality CTF competitions and companies were reaching out to us continuously asking,

to run their company mostly as a part of their security training program. So whether it part of an established program or something they were trying to gin up interest in, but that was a really interesting time to see, we were just doing this thing for conferences and to democratize cybersecurity learning and now companies this activity as a learning method.

So servicing those customers and working with a bunch of enterprise companies to run these CTF competitions, which we’ve run 600 of them in the past four or five years, talking to them continuously. So we’re saying, what does this actually solve for you? What is this doing for you? And I think what we really learned is format of the CTF challenge is what’s really valuable.

It requires people to do things, to engage, new things. And so that was a critical learning and something that’s really been a key driver in our transition to Skillbit is that this CTF challenge is something we can take and we can apply it to other methods of learning, evaluation, assessing. So that’s what we’re doing.

Phoebe DeVito (03:19)
Awesome. Yeah, that’s a great recap. Thank you. And you kind of just mentioned it, but I’m curious at what point did you and Roman feel like the company had evolved enough that like a rebrand made sense? When did that kind of start for you? And then when did it become really solid?

Thomas Rogers (03:34)
We’ve talked about it for four years. I think the hardest part is like deciding on a name, finding a domain. That was a whole thing. But, you know, feeling like the name is something that fits like where we want to go and it’s going to be like versatile. I think probably the main drivers are the launch of our continuous learning platform. So that was MetaCTF on-demand labs, which will now be Skillbit Labs.

Phoebe DeVito (03:41)
Mm-hmm.

Thomas Rogers (03:57)
So it’s continuous learning and it’s basically like we’re moving out of just doing CTF competitions as training. So we’re doing more than that. And I think that evolution kind of reflects where we see an opportunity to help. And our expertise is kind of beyond that. But the idea of changing the name is something we’ve thought about for a long time. Just took, you know, it takes time to find the right name and all the other pieces to fall into place because also like the

The key part of that is like the name is not, it’s important, but it’s not that important. Like it’s, it’s not like critical to running a business. So we’re trying to, find time to, the right decision there.

Phoebe DeVito (04:37)
I love that you mentioned, you know, the name’s not everything, but it is a big piece of this rebrand. I was fortunate to get to be part of that process, you know, as one of the team members at Skillbit, seeing all of the different options and then kind of narrowing it down in that process is, painstaking and also really fun. So I’d love if you could kind of talk a little bit more about like the initial inspiration for the name Skillbit and kind of how we got to that.

Thomas Rogers (04:58)
Yeah, there were two things that went into first is our philosophy around training, which is the bite size piece. So, skill bit bite size skill development. That’s sort of where that came from. But on the bite size piece, that’s a big part of our philosophy is that users should be able to log on to our platform and get a lot done in a short period of time, because we’re deconstructing these complex workflows into individual tasks that they can complete.

in a short period of time. So that bite size nature is designed to meet the modern security professional workflow. People are busy, teams are understaffed, they don’t have much time, they can jump in for 20 minutes here and there, hopefully each week or, you know, or in some cases, whatever the cadence is right for them. But designing this training platform where the content is

meant to be able to be solved in short bursts. that was a big part of it. The other part was it was really important to me to include word skill in this. think, I have a lot of feelings about the term, and, just kind of comparing the term skill development versus training. I think training has a lot of, sort of legacy learning connotations, I guess I’ll say like where.

you know, like classroom based, A little bit more like knowledge based versus actually, you know, learning to do things skill development is, is maybe a little more like practical and tangible. And so the word skill I think was very important to us to include in the name. And so combining, you know, bite size and skills was, was a, was a no brainer for us with Skillbit.

Phoebe DeVito (06:31)
Yeah, awesome. And I like that you mentioned that. So one thing obviously is part of this rebrand for the listeners. We’ve been doing a lot with our website, including working on some case studies. And that’s given me a really cool opportunity to interview a lot of our customers and also just operating as the customer success manager, trying to really see part of our platform has been really, really helpful to folks. And I think what’s so interesting is the thing that kind of came up

If you think of like a word cloud, like the word that would be the biggest, think that came up in every conversation is just the flexibility. And I think for so long, even in my career, like training feels like it’s been synonymous with like, I’m going to miss that week of work or I’m going to miss that whole day and have, you know, a ton of stuff I got to make up. Sometimes you can’t even find that day where that works for your schedule, you know, or it’s consuming all of your outside of work and you know, there’s nothing wrong with those training structures, but

I love how you just touched on, we’re trying to kind of meet cybersecurity folks where they are. And I think that it was really, really encouraging to hear say that, you know, if I like only have five minutes between meetings, I can not only feel like I got something done, but I can actually learn a new skill that’s then going to help me in my job. You know, I think that that’s such a great point. And I do think that, it’s also such a rapidly evolving industry where we need to be upskilling. And so.

you know, trying to make that something that fits into the actual workflow of someone who works in cybersecurity, I think is also something I’m passionate about. So I’m happy that you touched on that.

Thomas Rogers (07:58)
No doubt. Yeah, it’s been good getting all the feedback that you’ve collected just from helping people get started with our platform. I feel like that’s been so helpful to hear like, hey, this is what we hoped people would get out of it. And then they’re actually getting out of it what we hoped. That’s great.

Phoebe DeVito (08:14)
Yeah, absolutely. And I think one more thing I’ll speak to just on those like customer interviews is think this it’s really awesome to hear that this tool can help teams like build on their kind of existing culture of skill development. And I think it’s really cool to hear how, you know, for some folks, it’s just like, I’m an individual using this tool, and I’m able to crack away at a couple of challenges between meetings. But we’ve also heard really fun stories of teams that

like build 3D trophies for winners and have like these little internal competitions or we talked to one person who every week one member of the team like finds a challenge that really was interesting for them and kind of like presents on it. So I think it’s cool to think about the way that this can also be something that brings teams together as everyone is kind of working to upskill. And ultimately that’s, know, in the best interest of the individual, the organization. So

yeah, I think it’s, it’s, you you’re putting out a product and you want to, you want to hope that it’s like meeting people where they are and it’s helpful, but I think it’s really cool when you can hear about folks using this in ways that maybe we didn’t even predict. So yeah, I’m super excited about the evolution of this. And speaking to that, I’m curious, so as a Skillbit grows, what products or services are you most excited about either building or kind of building on to meet some of those customer needs, like we talked about?

Thomas Rogers (09:28)
I think helping in more ways up and down the talent stack. So sort of evaluating like, hey, where do we fit in the talent stack? And for the most part so far we’ve fit in the, hey, you already base of cyber focused employees and you’re trying to help them develop in their career. You’re providing them with additional professional development opportunity. And there’s other things that.

you know, companies need to do up and down that talent stack. So whether it’s like learn new tools, onboard new employees, we have been doing a good bit of helping companies to assess at the interview stage. So the CTF format really works there because it’s, kind of like problem solving. So you get to see how an individual, a candidate would, you know, interact with a specific like task at work.

It’s kind of like a case I think up and down the talent stack is something really interesting. Yeah, providing more value in terms of like learning, things that are going to help the company InfoSec. And then the other thing is just adding a lot of, you know, to our platform in a way that’ll help the user experience. So to streamline

like what should I focus on next? threat hunter and I want move forward in my career. spend time and how should I focus time? I don’t have much time and sort of deciding skills I want to develop is challenge. So helping to do that and then helping managers to better have an evaluation of what are our capabilities, what are our team’s capabilities so that they can decide.

you know, who to staff on a project or who to promote or do we need to hire externally? Can we hire internally? All those things. So I see that that’s primarily where we’re going to use AIs to like improve the user experience.

Phoebe DeVito (11:13)
Yeah. Awesome. I love that you talked about the evaluation piece. I think that, one thing I was thinking about when we started recording this today is how many of our, like, think almost every podcast guest we’ve had on the Cyber Talent Series has talked about, evaluation and how critical and like foundational that is to building these teams. And so I’m curious. Yeah. I’m curious when you think back on like our other kind of recordings and the episodes.

you know, folks that we’ve talked to, like, have there been times for you where you’re like, that’s like, yeah, that’s exactly the problem I’m trying to solve.

Thomas Rogers (11:44)
think the thing is like every single episode has been kind of like that. So it’s not, you know, maybe it touches on different things, but I think that’s what’s so interesting is people are attacking similar problems from different angles and have unique approaches to each of these things that they’re accomplish. But at the end of the day, everyone is like trying to hire the best people, hire the smartest people that fit their culture the best. Then

treat them well and upskill them and make sure that their organization is protected and that they do a great job. Cyber professionals have a ton of pride and pride of work. So I think, yeah, no one single episode, don’t think. I mean, I could think of like five, but pretty much every episode is like people trying to…

accomplish similar things that are like, yes, that’s exactly what we would ideally want to help with.

Phoebe DeVito (12:32)
Yeah, a hundred percent. And I think, you know, one thing I’m excited about when we look at like, especially with the Skillbit Labs product and this on-demand, you know, ability to go in and solve challenges. One thing I think I’m really excited about seeing how it evolves is, it’s not all like the hard technical skills and a lot of that.

you can teach, but like just this idea of curiosity being really important. And I think whatever field you’re in, that’s true. And it was really cool for me when I started talking to some of our customers, hearing them say like, this helps me see like my team’s curiosity, you know, both in like, who’s wanting to go develop their skills, but also like that ability to kind of, I think of like pulling a string on a sweater. It’s like, you just can go deeper and

even with some of the really frustrating challenges that are harder, like you can spend as much time as you want really like digging into a new concept. So I think I’m, really excited to see, you know, like in Skillbit and even beyond that, how we can grow in the InfoSec community in that ability to kind of like see candidates for all that they are like, you know, hard skills and soft skills that are going to make them a really awesome team member. And eventually like the people that we’ve been read, like really great leaders. So.

Yeah, I’m excited about that part of it too. And it’s cool hearing that from some of our customers. So speaking of kind of the InfoSec community, obviously the InfoSec community is strong and Skillbit is established in the community. And you know, MetaCTF has been for as long as that’s been kind of our name. And so what would you say to that community as the company enters this new chapter during this rebrand?

Thomas Rogers (14:01)
I think it’s just more of the same. This is all about us being able to provide more to the community in different ways. Ideally, you know, we’re still going to run the CTFs where you can block off the third Thursday of every month with our Flash CTFs. And we’re still going to have the weekly challenge every Tuesday drop at 6 p.m. Eastern.

And so just going to be more stuff like that. So more opportunities to learn more free resources, more ways to get your foot in the door and meet new friends and current and future colleagues and like working with them. Yeah, the Skillbit evolution is just going to be one that is going to enable us to invest even more into the community.

Phoebe DeVito (14:48)
Awesome, I love that.

So as you look ahead, how do you see the way organizations develop? You know, we talked a little bit about evaluation. So evaluating cyber talent, how do you see that continuing to evolve and how do you see Skillbit fitting into that future?

Thomas Rogers (15:03)
I think thinking about conversations that we have on this podcast and outside of this podcast, is when I ask executives how they quantify and measure capabilities, it’s usually don’t really. And the primary reasons why companies don’t try to do that is just because it’s hard.

I think, actually quantifying a skill is typically viewed as a, you know, it’s, it’s a soft thing. It’s, not a tangible measurable thing. And what we want to do is, is sort of demystify that and like, create a measurable way for companies to think about capabilities. So.

That’s just going to unlock a number that they’re going to be able to do with a more data-driven approach, right profile of candidate to look for here? Oh, we know because we have this basis of these are three incident response analysts in our current company.

They fit this profile. This is their skills on this index that we’ve created internally. So we know this is the type of candidate we need to look for. And then it’s a pattern matching exercise from there. And you don’t have to rely on the resume. You can still use that as a piece of the decision making.

It’s not like the whole thing. Then you use the interview to sort of supplement that, but that’s just one example. A couple other examples might be, we’re evaluating this new vendor and we need to understand how quickly are we gonna be able to adopt this tool and get it up and running and achieve value. Maybe they’re presenting us with a business case of you’re gonna…

this is like the ROI and like how you’re going to achieve might be able a look at like what your team’s capabilities are on that tool, whether like from previous work or some exercises they’ve done recently as a part of the demo and POC. so I creating a world where there’s a quantitative approach that’s accepted and understood for capabilities

especially within cybersecurity, is one working on helping to co-create at Skillbit.

Phoebe DeVito (17:21)
That’s awesome. I love that. I think, you know, had a couple of awesome guests who’ve talked about how they kind of quantify more in the sense of that like interview process. But I think when we get into that conversation of like, you know, it’s you want that more well-rounded picture, like certificates are awesome and like certifications are great. And like they’re not everything, you know, the resume tells you a lot, but not everything.

And then when we get into the more subjective stuff like interviews, we’ve had guests bring up like it can get, you know, there can be bias or different things that, you know, you’re in a room with eight interviewers. And sometimes I think we talked on one episode about even the time of day you talk to someone can impact that. And love that idea of like, whether this is like vendor evaluation or candidate evaluation, like finding that way to kind of like quantify some of these like qualitative skills that make.

like a candidate really awesome or a vendor, you know, a good fit for your company. I’m glad that you on that and I’m excited to see where Skillbit can take it.

Thomas Rogers (18:15)
For sure, yeah, cut through the noise.

Phoebe DeVito (18:17)
Yeah, absolutely. Thomas. Well, is there anything else you want to tell our listeners about this transition to Skillbit?

Thomas Rogers (18:24)
So it’s mid-March 2026 and we’ll be rolling out our new marketing website in the next week or two. And we’re also we have a new product release coming out for Skillbit Labs. It’s super exciting. That’s probably more of like an early April timeframe, but just stay tuned. Follow us on social and you’ll hear all about the company changes and yeah, stay in touch that way.

Phoebe DeVito (18:49)
Awesome. All right. Thanks so much. We’ll, yeah, we’ll be back on your feed soon. Thanks everyone.

Ep 15 – The Cyber Talent Series
https://metactf.com/blog/ep-15-the-cyber-talent-series/
Tue, 03 Mar 2026 06:17:46 +0000

Episode 15 of The Cyber Talent Series is officially live!

Join Thomas Rogers, Co-Founder of SkillBit (formerly MetaCTF), and co-host Phoebe DeVito as they speak with Joe McCallister, Senior Manager of Cybersecurity at The Trade Desk, about building and leading modern cybersecurity teams. Joe shares his unconventional path from retail and sales into cybersecurity leadership and how those early experiences shaped his approach to hiring, mentoring, and developing talent. The conversation explores why curiosity and community are critical traits in cybersecurity and how managers can evaluate these traits in candidates when building teams. Joe emphasizes the importance of psychological safety to allow for open lines of communication to avoid burnout and encourage collaborative conversations about career growth. Joe reflects on transitioning from an individual contributor to a leader and the importance of “letting go” and trusting your team to take on new opportunities. 

Tune in now with the player below, or check it out on the SkillBit (formerly known as MetaCTF) YouTube and Spotify channels!



Phoebe DeVito (00:00)
Welcome to the Cyber Talent Series where we explore how organizations are closing the skills gaps, accelerating onboarding and building high performance cybersecurity teams. My name is Phoebe DeVito. I’m joined by Thomas Rogers. And today we are talking with Joe McCallister, Senior Manager of Cybersecurity at Trade Desk. Thanks Joe for being here.

Joe McCallister (00:28)
Yeah, thanks for having me. I’m excited to chat with you.

Phoebe DeVito (00:30)
Awesome. So to kick it off, would you just tell us a little bit more about who you are and what you’re working on now?

Joe McCallister (00:36)
you said, Joe McCallister, I’m at The Trade Desk with which is an advertising technology company based out of California. I myself am actually in Colorado, we are a globally And I’ve kind of come up through the traditional IT background. The start of my technical journey was in the traditional IT and had a mentor of mine say you should do security because you’re already doing it. You just don’t know And from there

had a couple of stints at like some MSP realm, some consulting, and then went to the in-house realm of security. Started out as the solo engineer here, and now I run a team across a whole bunch of different kind of domains and disciplines in security and have a lot of fun just talking about security, not taking myself too seriously. to get out in the elements if I can when my schedule and the kids allow.

and otherwise just kind of trying to live this thing we call life.

Phoebe DeVito (01:25)
Awesome. So, heard you on the future of security operations podcasts and loved listening to you talk there a little bit about your journey and your transition from sales and retail into cyber. And would love if you could give just a really brief kind of overview of what that looks like for you and how you knew, you know, cyber was the path for you.

Joe McCallister (01:44)
Yeah, always like to tell people that there’s no typical way to get into security and there’s no typical journey, for cybersecurity. And I also like to say I’ve lived kind of two professional lives. I made the pivot from retail and sales. always like to also toss in that I sold BMWs for eight, nine they’re a blast to drive, but selling cars is not game, but between

sales and retail side of things, what I really learned a lot about was communication, de-escalation, what smart goals are, actual realistic goals. There’s a whole bunch that kind of carries through that you might not think on first blush. And I’ve actually found even in hiring, I look for people that have non-traditional backgrounds that have some sort of weird little bullet point in their resume that’s just kind of fun to hear more about. I’ve actually got a couple of folks that we learned after the fact.

worked at Best Buy in college like I did. But essentially what happened was I got a little burnt I thought I was going to live my life after high school as a retail manager and started to see lot of friends do the same and a lot of friends, unfortunately, you they do the annual reorgs and retail is a very volatile space, especially Amazon was going after retail spaces. Circuit City had closed a few years earlier.

And so saw a lot of friends lose their jobs and thought maybe this isn’t as stable as I thought. Went over to the Geek Squad of all places and just started toying around. And I always liked video games and all that fun stuff and just decided to kind of really run with it. I used those customer service skills to further my career and into the technical, started doing some online support, malware removal. Thought that was really interesting. I love knowing how things work, but I think I like more so how they break. And so that kind of…

kickstarted my technical interest and went to school, got into enterprise and that’s where I started the MSP journey and drank from the fire hose. If anybody out there is working at an MSP or has that history, you know, it is a whole lot of experience and a very little bit of time. I think we were servicing over 250 clients and running help desk over there and then went to what we call the road warrior and user support, go into sites. That customer service background definitely served me well there.

able to interact with clients and represent the business as a kind of third party. And then as I mentioned, I had a buddy that looked at me and said, you’re already doing security. You should think about this. And he me to get my CISM I was even, you know, kind of technically ready, worked together. He did classes. I went to the ISACA on the weekends, got my certification the rest is a little bit of,

I’d like to say the rest is history, but then there’s six plus years here at The Trade Desk where I came in as the first engineer kind of built a team and took over everything from third party risk management and contracts to application security and platform security. So feel like I could talk about that for two, three hours, but I will hand it back.

Phoebe DeVito (04:22)
Hahaha

Thomas Rogers (04:25)
OK, cool. So Joe, you mentioned you’ve covered like so much different stuff, and I feel like the experience that you’ve gotten kind of outside security, seems, is like really influenced the way you’ve, you know, grown your career and manage teams. Like, how does that influence the way you mentor, hire, evaluate, you know, early career talent? And yeah, especially as you’re like leading a cybersecurity team now, what do you talk to your

team members about in terms of where to focus and build their careers.

Joe McCallister (04:53)
a phenomenal question. And I appreciate it because I do try very hard to bring some of that like early career. try to think of every interaction and even tell my teams, whether they work for me or if it’s a colleague that’s struggling with a manager, let’s say, I like to tell them, you know, I’ve had good managers and bad managers and they’ve all taught me something. So there’s a lot of things that I bring along, from those managers. There’s even, the review cycles and the things they look for as positive indicators of performance.

retail is kind of interestingly applied to technology and security. Thinking about things like integrity is really important to the security industry. We have to have that. I like to tell my team to always look for, and when I’m looking for talent as well, always looking for that curiosity mindset. There may or may not be a right answer, I love when I’m in an interview and we pose some sort of technical question or even a hypothetical and I get an answer and then they say, well, what would you do?

It’s always an interesting throwback to say, how would you approach the situation? There’s very rarely, unless it is those binary Jeopardy-style, the port number questions, which don’t make great interviews anyway, there’s always multiple ways to approach the problem. And I also instill in my team that those communication the soft skills just cannot be overstated in their importance in cybersecurity. What I’m

Thomas Rogers (05:55)
you

Joe McCallister (06:07)
with my security and working with engineers and developers is we can’t just go and drop a stack of papers on their desk and say, you need to fix all this, or this is how you’re gonna do your job from now on. No revelations there, right? That’s a lesson that’s been learned in security a million times over. But when you’re on the ground, it is so much more important to build the relationships. And I like to say like my job right now is mainly diplomacy. It’s shaking hands, kissing babies, like making friends with managers and engineering.

executives to understand what their priorities are and how we can stay out of the way or instruct them safely or give them the paved path towards a more secure and compliant deployment or securing our next release to make sure we don’t fall flat on our face when we open source something or release something that’s going into a customer’s home. And we get that one security researcher that busted open and goes, look at this code. It’s terrible. So

Those are the big things, the curiosity, the communication, lot of it’s all soft skills, honestly, has gotten me much further than any bit of my technical knowledge at this point. It’s not, not, important, but it’s definitely.

Thomas Rogers (07:06)
We’ve been hearing curiosity a lot, been doing some customer interviews and just trying to understand better, like how they interact with our product and use it. And we had a conversation yesterday with the head of security operations who said that he tries to kind of measure for curiosity. And it’s funny, cause you don’t think about curiosity as like a, you know, a tangible, measurable characteristic.

but it’s fascinating how important that is in cybersecurity. So I’m sure it is helpful to have some sort of quantifiable, measurable, or at least a framework in understand, is this person, maybe it is binary, they are curious or they are not. But yeah, there’s some careers where you can just say, here’s the process, we’re just gonna do it a million times and it’s not gonna change that much. And in cyber, it’s very different.

That curiosity is really important.

Joe McCallister (07:59)
Yeah, it’s always interesting when we get folks I interview from larger, more established firms or kind of more conservative industries, I’ll say in the way that like, you know, we’re again, we’re ad tech, it’s kind of wild west out here, but like we get finance and healthcare folks. And we’ll find, we’ll definitely find amazing candidates, but we also will sometimes have to start pulling threads to help them open up that curiosity just a little bit. Programs that have been around for 10, 15 years and all you’re really doing is running playbooks and pressing buttons.

Not exactly what we’re looking for here. So we have to try to kind of say, well, what if that didn’t work? Then what do you do? I don’t, that playbook always works. Well, that’s not the right answer. Like start asking more questions about the incident or the event we’re seeing and let’s figure it out together.

Thomas Rogers (08:40)
How do you do that on the curiosity side? going back to I would assume it’s a somewhat similar process encouraging team members to be curious, or maybe they already are curious when you bring them encouraging them to remain evaluating a new prospective candidate or something. have you learned there in terms of finding people that meet that characteristic?

Joe McCallister (09:04)
It’s kind of a tough question to get a good answer out of just because what I try to do is as a manager and as a leader, encourage that curiosity by ensuring they know, instilling humility across the team and saying, I don’t know if I know the right not a traditional AppSec person. So I rely on my AppSec team and I will play the idiot in the room and say, okay, what’s IDOR? Tell me, can we walk through what you’re seeing in this instance that tells me that it is truly a

10 out of 10 and we need to go pull people into a bridge to fix this or can we slow down and kind of think about things a little bit differently. But it is a challenge to keep that curiosity going. It’s about giving the freedom and the space to be curious. And we talk a bit about, know, the buzzword term of psychological safety, but it is really important that they feel like no question is a dumb question. Like they feel like they can partner with somebody they always have.

resources available to them. And we always make a lot of space for learning. It is part of the job. And we’re one of the few teams at our organization that it is a kind of a pillar to where we say we have to not only know what a security principle is, but we have to know fundamentally how to set up Kubernetes and then how to break it. So we need to not only know what the new with AI and all the other technology coming out, right? We have to be

up to speed very quickly. So we try to make room for that and understand the more that we learn, the less we truly know. And that allows them to get a little bit more curious, spend a little bit more time, thankful to the organization as well. They allow us the resources. Like we can go out and just grab an O’Reilly book or a Wiley and read it together and set up study sessions for, I’ve got a couple of folks doing the OSCP. So they have their own study session on the

to work on it together and start looking at it as, I wonder if we’re vulnerable to this in our organization. They’re finding really cool bugs that way.

Thomas Rogers (10:47)
It sounds like you do, you know, dedicate time. I think that’s so important like work can just kind of consume. And it’s like, you know, it’s a busy job. It can be really high, stressful at times. So, yeah, what have you done that’s like helped to make sure that time is blocked? And I.

Again, that goes back to your psychological safety. I feel safe in knowing that manager cares that I want to develop in my career, learn new things. But curious what sort of things you put in place to allow for that.

Joe McCallister (11:17)
been a hard lesson to learn myself. I’ll use SANS as a direct example. Like I took a SANS on demand course and it is not how I learned a million miles, I should just go to the course, get in that room and talk to the people that are in the room. That’s the value. But I have other folks can do that. And what we’ve done with my learning, which was I was doing the SANS course and I just kept checking email, I just kept checking Slack. there’s a ticket. I could just close this out in five minutes,

you’re context switching, you’re getting out of it. By the end of the week, I was like, I, what did I actually learn and retain here? That’s useful for me next week and next month, next year. So we, using my failures, I have instructed the team, like you, you’re in charge of your own time. You’re all adults. You need to focus on, if you’re going for a certification, if you need two days, three days, the whole week to study, block your calendar. You’re in control. We can shift priorities around.

we can ensure that deadlines are communicated and we can just work with it. It is just as important for us to be able to give good advice, to be able to give good consult and advisory to our stakeholders and also be the expert in the room when people need it. So we can’t do that if we’re just leaning on like my schooling from seven, eight, nine, 10 years ago is still fundamentally applicable, but also woefully out of date with what’s out there today.

Phoebe DeVito (12:30)
That’s awesome. Yeah. I was going to on the psychological safety aspects. So many folks that we bring on have said one of the main things they assess in interviews and in, you know, team members growth is that curiosity and the humility to say, like, I don’t know how to do this or, know, I want to go find out. But I love that you kind of hit on the manager’s responsibility or the organization’s responsibility to make that a safe thing to do and like set that tone. So I love that.

One thing I was thinking about when you were talking about evaluating candidates and just different ways of up-skilling. So you’ve got a lot of great certifications and I’m curious when you’re, you know, hiring a team member or building a team, what’s kind of the role that certifications play and how you’re evaluating that.

Joe McCallister (13:14)
Such a hot button issue. It’s such a like hot take ready topic. I like certifications quite a bit. I asked my team quite often, you know, are you thinking about going for anything? In general, it’s a good way to put that stamp on, you know, that well, it certifies that you know the things that you’ve just been studying for. I don’t think it’s the end all be all, but when I’m looking at a resume as an example, it is a really quick.

pulse check on just kind of what they’ve done, where they’ve been. I even think, you know, I would not necessarily hot take, but if you’re in security or looking to get in security and you’re going to go get your A+, I wouldn’t necessarily encourage like saying that’s the one you should go get, but seeing it on a resume, I’m like, cool. I mean, they get the literal physical connections. That’s great. Like, and they saw something through very similar to a formal education and a bachelor’s degree, right? You started something.

Thomas Rogers (13:59)
Thanks

Joe McCallister (14:02)
sizable and admirable and finished it. And that means something. Typically, it’ll be paired up against like some sort of quick knowledge check. I don’t do the technical interviews, but I’ll ask about the experience too. Like how was, you know, how was yours? I don’t have my CISSP. I have my CISM. How do you find the CISSP? How did you study for it? What were your challenges? What was your weakest areas? Always a fun, like, you know, you have the different domains. Where’d you score the lowest? Because mine was like physical security. I don’t know the

kinds of doors and fire extinguishers anymore, so I don’t need it.

Thomas Rogers (14:31)
within that interview process and as you think about like building teams. just the role that you see, guess, know, certifications obviously play a role in that, but like the capability side of things, like how do you, how do you assess like these are the capabilities that we need internally?

a people’s standpoint, from a tooling standpoint, when you’re evaluating holistically, this is the type of program we want to build and this is where we are today. How do you do analysis focused on both the talent and the technology?

Joe McCallister (15:03)
It’s exactly that gap analysis, in my mind, as you were asking, I was like, he’s, he’s talking about our skills inventory, which is something that I have. And I wanted to make it not sound so systemic and cold, but it is essentially, you know, how are we doing in our cloud service provider incident response knowledge and realms, right? Like we’re great in AWS, but how’s GCP? I know they’re fairly applicable, but if we’re looking for a candidate, maybe we look for somebody that’s maybe been in an MSP or has worked across multiple.

cloud service providers or we operate in China. Has anybody done incident response in China relating to legislation regulation applicable over there or even interacting Ali Cloud in that region? But it is all about getting the inventory of what we have today and understanding much like your systems, right? Like what does the job, what are we missing? What could make us operate a little bit better? Are we missing somebody that has extraordinary

customer service, customer facing skills. Today we’re in a great place. We don’t have anybody that is in the deep forensics knowledge. Today our incident response is largely recover and write up your report and move on, but we’re not gathering deep artifacts and able to work that to its inevitable end. So that’s on our sheet, on our punch list for our next hires as nice to have.

And we’ll typically build those into our job descriptions as well so that candidates hopefully know like, here’s a bullet that’s kind of what we’re looking for. It is largely not associated with tools. Like I’m not interested in if you’ve used Rapid7 versus Qualys versus all of this. Like if you get the concept, you can learn the tech pretty quickly. So that’s always one thing I keep in mind is I’m not looking for somebody to just slot in and be our CrowdStrike pro.

Thomas Rogers (16:39)
How much of that evaluation is qualitative versus quantitative? It seems like you mentioned, the skills inventory? So that sounds quantitative. So yeah, how are you doing that?

Joe McCallister (16:48)
It’s as close as I can get to quantitative, right? It’s like, I’ve gone far too deep. I have absolutely rabbit-holed on this and gone down like the NIST NICE Framework, use DOD job descriptions and, case stats, gone that deep to say like, how do we start assigning archetypes to our people? And then I started to kind of think I’m going way too deep on this.

Like it is not this difficult. So there’s a healthy mix. It’s about, I find that one of my talents I’ve had to refine as a manager is discretion to say, we’re getting way too in the weeds, even myself, I’m getting way too in the weeds on this. I need to just back up and say, how are we on cloud, on-prem, Kubernetes? Like, let’s look at the fundamentals. Let’s look at our crown jewels, right? Can we defend those? we respond to those? And how are we, when it comes to

identifying rogue agent, agentic AI in the infrastructure. Like not great because it’s fairly new. So maybe we need somebody that is on the cutting edge of that. So it is a healthy mix. It’s just kind of an internal barometer of I can put a check in the box, but are we getting too far down the road? And do we want to get the right person? It’s always about, the right The right fit for the team is there to help everybody learn and is really big for us.

Thomas Rogers (17:54)
So it sounds like it’s an aggregate sort of calculate. I don’t know if you even use the word calculation, but an aggregate evaluation. you doing like project performance, performance reviews even, are you using like training and certifications as a part of that evaluation or?

Joe McCallister (18:12)
We So I do weekly one-on-ones with my direct reports and then I that are like one level lower than me report into like our incident response chain. we do some checks. Most of the time they’re very casual. I just ask like, how are you? What’s up? Do you need me to unblock anything? What can I work on? But I always do try to ask those questions. like, what are you kind of refining? What avenues are you going down? And it gives me a really good picture the engineers themselves want to go. I’ve got

One that is going down the OSCP route and I’ve got another that’s going down the forensics route. They’ve decided those on their own, but there are gaps that we have. And we’re kind of in a nice place where we have kind of green field of you can go do this. And we would never say no to two experts in those fields. don’t a formula that comes out to here’s what we need next or a depth chart like some of them playing a little bit too much Madden and NCAA football to say like, here’s my needs, but.

Thomas Rogers (19:01)
Yeah.

Joe McCallister (19:03)
We do have a good idea of what we need. And we also do look at what projects we have on our roadmap for 26 and beyond say what skills are we missing that can help us accelerate those projects, hit our deadlines, or maybe get them done sooner. you know, do we need somebody that comes from software engineering as opposed to the security to help us build some infrastructure to support our tooling or to support developers a little bit better? Or do we need somebody that’s worked in an organization that has those?

processes and playbooks already and can help us spin what we’ve roughly documented, you know, back of napkin stuff. Can you get that into a workflow for us?

Thomas Rogers (19:37)
I think that the way you’ve seemed to approach it seems the right way to do it instead of sort of the inverse and being like, I assume it allows you to be much more proactive where we are, where we want to go. It’s really difficult to build a gap analysis, obviously, if you just have the end state without knowing where are we at today. Also to the point where you actually know where we are today.

probably took a lot of time and thoughtfulness. guess if you were talking to another person in the industry maybe a first time manager or something, who was trying to build that gap analysis, you recommend about getting a good grasp of this is where we are today?

Joe McCallister (20:15)
Yeah, I think my first advice is always going to be listen, just chat with the teams and understand because they’ll tell you. Hopefully you’ve established that psychological safety and depending on the scenario, right, if it’s a first time manager that’s coming from individual contributor on that team, they probably already have a good idea of who’s good where and what the opportunities are. But if they’re brand new hire from the outside in, you should always spend that first 30, 60, I would almost argue the first 90, like if you’ve got the runway.

to really just absorb and listen, try not to shake anything up. I’ve made that mistake before of even, you know, trying to introduce one medium to large size change and it falls on its face because don’t have the foundation. And I didn’t understand that had significant gaps in our process and our forms and our intake that allowed us to fall on our face a little bit. We picked ourselves back up and had very candid conversations with the team. know, there was a lot of frustration and

on my sword a bit of saying like, I know better. I should have just waited, listened and instituted the right thing. So it’s always going to be listen. And then once you listen, you should be able to kind of think a little bit more you have to raise your point of view from, when you’re used to doing the tactical down on the ground, just getting your tasks done and shipping projects, you have to start looking, thinking in systems, think how your projects feed into each other, what team this might affect.

One thing that frustrates my team all the time is that first order thinking, right? What devs only going to worry about the project they’re on, the feature they’re shipping and nothing else. And so when they make a network change and it affects all of NetOps or bring something else down, they’re like, sorry, sorry, it’s not good enough. We got to think about this. This is important. A little bit of a tangent, but it is something I like to make sure you’re getting into management, thinking a lot more globally is vital.

Thomas Rogers (21:49)
Yeah.

I assume has that foundation helped with regard to evaluating like AI adoption, AI tooling, just sort of like AI strategy in general.

Joe McCallister (22:05)
the benefit that I did not see coming from, that approach and thinking globally, but also using the community, like the stuff that I’ve talked about already, my communication and just diplomacy has been we are getting more people coming directly to us with concerns and questions. We are having more interactions that are extremely valuable that I, a year ago, couldn’t imagine happening, but because we now have friends and colleagues and lunch table discussions and people are, know, engineers are smart.

Your talent acquisition people are smart. Your HR folks, they’re really smart and they know when they see something that doesn’t look right. And so now we have people coming to our public cybersecurity channel in our Slack saying, Hey, I’m seeing something weird. we’re like, awesome. DM me, let’s chat about it. So it’s been an unintended, I shouldn’t say unintended. Of course I wanted that to happen. I’d love to take credit, but one thing about building relationships is you have the relationship and now people come to you with things that they know or even think you might be interested to hear about.

and it can really start to some good breadcrumbs to fixing big problems at the organization.

Phoebe DeVito (23:02)
That’s So you talked a little bit about how just your role or alluded to how different like your role is now in leadership. And so just curious how your experience as a practitioner kind of shaped the way that you think about leadership and cybersecurity.

Joe McCallister (23:18)
I mean, the joke I can make is probably about timelines and due dates. Like I can at least set realistic timelines and due dates as opposed to like we did this yesterday is not a, not an answer I typically give. but I think what also informed me again is a bit more of the soft skill of management, which is providing air cover for my team, being sure that my stakeholders understand what they’ve got on their plate. One thing I’m working through right now, just as a very pertinent example is just being able to display for executives and leadership, how many pieces are on the table.

Phoebe DeVito (23:23)
you

Joe McCallister (23:45)
who’s available, you know, we have, get security reviews, technical assessments, threat models, pen tests, and we have projects. And so we’ve only got so many resources, and we prioritize what comes in first. You know, a developer comes up with a feature that’s potentially revenue enabling or touches something that makes the company money. We’re going to focus on that. That takes us away from a project and then IT wants to fast track this project. I would love to help you.

but I’m a little bit handcuffed and that leads to conversations, do you have enough resources? I’m glad you asked, no, I don’t, I never do. And I could use more budget as well, but we’ll get to that conversation later. But it is all about figuring out where, again, everything comes down to gap analysis for better or worse, these risk management terms, it’s figuring what to do when.

Thomas Rogers (24:28)
was that transition for you initially when you sort of moved into that people manager role? I know on the engineering side, it’s a tough one and probably one that most people struggle with. Even people who want to move into management, it’s like, when’s the right time? Maybe it’s not the right time. So yeah, what was that like for you?

Joe McCallister (24:46)
It was rough. I mean, it really was because I can tell, and I’ve seen it in my managers that I’ve promoted as well. The hardest thing to do coming from an IC and a practitioner perspective is let go of that individual contributor work and truly learn what effective delegation is and trusting that people will do the job in their own way. It’s actually funny enough, speaking about Best Buy and kind of parameters they had.

I remember it from 15-ish years ago, they had four managers or supervisors. was a bullet point in the box. So don’t know how I recall this, but it always stuck with me that says, trusts others to do their job in their own way. And it’s something that I think really stuck with me because I need to remind myself that everybody’s here for the right reasons, assuming positive intent and knowing that I trust these people. I need to actually show that I trust them, give them the work.

And what I found is really interesting is the folks that are hungry for the work take I like to try to delegate effective things that isn’t just like, need you to go write this report. That doesn’t help anybody. Things that will have an outcome or an impact on that individual, have them learning something new. And also I try to delegate almost too far. Like I delegate down to a level that

I feel comfortable and then I look to see if I think I can go one more down. Can I give this to a junior and is it a really cool opportunity for them to kind of prove themselves? And if they don’t do it right, like they’re a junior, let’s coach them. Let’s figure out like, here’s what I’m looking for. Here’s what I’m thinking. I’d love to see these kinds of data points as well. Can we get these fields added? That’s where I still get to do my nerd stuff a little bit, found it hardest to really let go of

stuff. But once I did, I really saw the team be enabled, more effective. I saw the passion. I saw more of that curiosity coming out every single day. And we were getting stuff done. So it feels great to put check marks on things, be able to tell my boss, like the team did this. I could selfishly say I did it, but no, we did this as a team because we’re working effectively as a team. When you become the key man, it sucks.

Like you can’t take a vacation, you can’t do, you you also get this inflated ego of this place will sink without me and I don’t think that’s healthy anything. Again, a little bit of a tangent, but my personal beliefs, I don’t believe in the key man.

Phoebe DeVito (26:46)
Thank

Thomas Rogers (26:57)
That’s a lot of pressure, lot of weight to put on one person. So you mentioned one-on-ones earlier and how important those are and just as a tool to have a strong pulse on where you are today, but also as a development tool, how often are in those sort of one-on-one conversations are you talking about like professional development? I’m sure it gets pushed sometimes when

Things are really crazy, but yeah, how often are you trying to be intentionally, you know, bringing those things up?

Joe McCallister (27:23)
my one-on-ones are actually entirely employee driven. So I tell them, this is your time. If you want to talk about tasks, we’ll talk about tasks, but we have project update meetings for that. I’m to say no, I’m here to help and enable like, especially if you just want to vent about a project, like, yeah, let’s get into it. Cause then I can actually hopefully fix some things. I keep that stuff confidential. You know, we’re not going to start any fights or anything, but we’ll, we’ll figure out. I let them also.

typically respectfully challenge, but they can cuss me out if they want, that’s fine. If I’ve done something that isn’t exactly vibing with how they’re feeling on project, but I do try to set a lot of time aside and ask them what their next step is and how they want to get a really good exercise for me was when somebody mirrored that back to me, but it was what is my next step and how do I get there? Because it had me going back through our documentation and our career path and our job, you know, all the,

pretty Confluence docs we can write all day long, but at the end of the day, can I answer that question for a junior IC, a senior, a manager, like do we have a clear path and the very clear expectations that are, you doing this? And are you doing, you know, we typically look for folks that are starting to stretch a bit and do the job above them and then they become promotion candidates from there. Typically like those weekly ones, it typically comes up, the bi-weekly ones, it definitely comes up for the folks that are.

for my managers, they usually just want some feedback or you know, they’re, I find people love to hear they’re doing a good job. So it’s much more fun for me to say, you’re doing awesome. Here’s where I see you. I definitely think there’s possibility in the future like this road’s open for you.

Thomas Rogers (28:49)
that clarity’s gotta be super helpful for them. And you can almost in that case be like a coach for them, or, you know, accountability buddy, like, hey, you said you wanted to do these things. Me, you know, what do I care? Like it’s your career. I can just kind of hold you. I can just say like, hey, you said you were gonna do this and you didn’t, what’s going on? And it might be project-based or whatever, but on top of that,

You mentioned like the stretch like taking on more work or taking on the work of like the next level as like a really good way to grow in a career. And in addition to like doing the work that they were hired to do, how do you think about like the extra stuff, like the extracurriculars? Obviously that comes from curiosity, like they have to want to do it, to the SANS courses or the training sessions or even just like doing

CTFs or stuff outside of work just to try and build add-on skills. How does that play into the equation in your mind?

Joe McCallister (29:43)
Pretty heavily in all honesty. I love, we talk quite a bit. We’ve got a few kind of casual channels in Slack where we talk about everything from like one guy that posts news all the, he’s, I don’t know how he stays up on it so well. He’s an animal, but he is essentially our unofficial threat intelligence guy because he’s just all over, you know, this week it’s Claude Bot. It’s talking about how to figure that out. And then our detection guys jump in and say, this is really cool. Let’s figure out a way to do this together.

And I view that as like, asked him to go do that stuff. Nobody asked the detection folks to go figure out how to detect this brand new threat that is potentially out there. Do we know where it is? Can we answer the questions quickly? I applaud anybody that can go and do those things because it can get really easy to just do the tasks and close the alerts, move on to the next incident, move on to the next project.

that’s part of the reason that we’ve built in that time to say it’s always okay to say I have to take a break because I’m going to go learn some stuff or next week I’m myself I’m going to a conference here in Denver and I want to go see some people learn some real tech nerdy talk to some folks, hopefully get some best practices and come back and share that stuff. That’s the expectation is when you go to SANS, what’s the coolest thing you learned? What didn’t quite click? Can we figure it out together?

because that tells me that they’re still really curious. They’re still really engaged in their career. you know, it also depends on seasons, right? Like in those one-on-ones, I like to just check on how they’re doing and say, like, where’s your kind of, we call it the burnout barometer. Like, where are we at? Like, I know I’m asking a lot of you where security is always understaffed and under budgeted. you feeling? Like, are you freaking out? Are you feeling kind of numb?

really good sign you need a day off. we’ll kind of give them some space to just take an afternoon off, go read a book, don’t look at a screen, like do some stuff, but they come energized because otherwise if we just, you know, if we start to see them just checking tasks off, we start seeing less input, less chat, less attendance at in-person events, never mandatory, but always kind of like, hey, is everything good? Or you can kind of tell in tone. Somebody might just have a, I’ve had them.

I’ve had times where I’m like, just need to take a day. I need to just go up to the mountains and take one big deep breath of those pine trees. And I’m usually pretty all right after that.

Thomas Rogers (31:50)
Denver is a good place for that. But yeah, I feel like the having that space is obviously really important. think one thing that’s so unique about cybersecurity is conferences are often they feel like just it’s almost more just about the community than anything else. And there’s obviously the big ones and there’s there’s places for vendors and

But even the vendors in a lot of cases, I think the ones that do the best job are the ones that are really in the community and they’re just sort of there and have an understanding. think probably a big reason for that is because a lot of the vendors were started by former security practitioners, so they get it. But yeah, the conference is just the ability to commiserate with people who are dealing with the same crap you’re dealing with just at another company is.

So valuable, mentally.

Joe McCallister (32:38)
yeah,

the interaction, I tell you, I wish I could take, and I’ve floated this idea a couple of times. We have one of our C-suite executives here in Denver, our strategy officer, and I’ve thought, what if I took her to Rocky Mountain InfoSec or West Hack and Fest when they’re out here? Because I truly think our conferences are wildly different than any other, definitely different than an advertising conference and definitely different than a product or a UX or even a developer conference.

They have a different feel. The community is very tight. There’s so much resource and information sharing, but I do think the most fun is always lobby con, right? Like seeing your friends, lots of hugs. This is why I get sick after going to see, we had a company get together last week and I’m a little scratchy throated, it an amazing event from the corporate events team, but the best time was lunch, dinner, breakfast and coffee. Like just being able to.

Phoebe DeVito (33:17)
Mm-hmm.

Joe McCallister (33:29)
see how people are doing, getting to check in in though through the screen it works pretty well. like to say the one-on-ones are effective, but there’s nothing that beats quality time together. And I think that’s true of our conferences too. I get to see a whole lot of friends, different companies doing different things, everybody’s doing exciting stuff out there. And I think sometimes it’s also a good reminder that nobody has it figured out. Like we’re all still trying problems that we thought were going to be fixed 10 years ago.

The job never ends, but we got to stay optimistic.

Thomas Rogers (33:56)
For sure. I mean, I think coming out of COVID, it’s like we’re still sort of readjusting to it’s like, yes, actually being, you know, with other adult humans is a good thing in person. Like we have, we’re a fully remote company just feel, I feel guilty cause I’m like, when I was 23, 24, was like, I was in an office five days a week, nine to five, and you could get lunch with like a supervisor or something and just.

Joe McCallister (34:07)
Yeah

Thomas Rogers (34:22)
by osmosis, you learn so much more than when you check in over Zoom a couple times a day. It’s just completely different.

Joe McCallister (34:30)
Yeah, we go in three days a week. So we’re Tuesday, Wednesday, Thursday, and I’m in the Denver office here and I’ve got one of my incident responders next to me. And for the longest time, my wife actually works from home and I was like, I’m jealous. I wish I could like got a nice little setup. I’m comfortable. Just get coffee whenever I want. Like the dogs are here if I get bored. And then I know he came on and we get a couple of lunches, get some coffee. It’s just nice to be able that he can spin his chair over and be like, have you ever seen this?

of me, you know, was so upset. were going RTO a little bit and then part of it’s like, dang it, they’re kind of right. Like I get it. I’m still kind of in the middle somewhere. So at least we have the flexibility for a couple of days, but I do see the benefit of, of being into your point, me being in that. That, MSP office is where I met my, my mentor in security, where he was able to say, you’re doing security come study with me and kind of gave me some of that launch pad. So as much as I.

I don’t love the 45 minute commute. On the best of days, it does serve me pretty well.

Thomas Rogers (35:25)
Yeah, pros and cons for sure.

Phoebe DeVito (35:26)
Yeah. And I think, you made a really cool point. One thing I’ve seen is, I think there’s just an additional layer of like intentionality that you need to bring into the online spaces. Cause like you said, in an office, it might be easier to bump into one of your teammates and say like, Hey, you’re looking like really tired. Like, are you feeling okay? I’m like kind of the walk to the, you know, water container or whatever, but online, like, I think you do have to be so much more intentional on both sides. I think that.

know, folks starting their career now are probably having to really learn to advocate for themselves and, you know, build that like relationship and it doesn’t come as naturally when you are in the virtual environment or the hybrid environment. So I like how you touched on, you know, the ways that you intentionally bring that into your one-on-ones with your team.

Joe McCallister (36:11)
Yeah, think a discussion to be had around, how much of yourself can you bring to the job, to work, and how much is too much to I’ve always felt like, you know, I’m sure we’ve all been on these meetings and maybe even customer calls or whatever it might be. Like you put the mask on and you’re doing the show business and then the call ends and you just like slump. you’re like, ⁓ that was exhausting. By the end of it, you know, you have eight.

of those back to back all day or 16 of them if they’re 30 minutes or whatever the case might be, you’re just spent because actor and you’ve been putting on the show for so long. in the office, it’s a little easier to see like, know, just had your headphones all day, everything good? Like you’re usually real chatty and you didn’t eat lunch, you good? Like, come on, let’s go grab a snack real quick or something. But yeah, bringing that into the…

the one-on-ones, being able to make those connections and be able to trust that they’ll tell you the truth is a thing. And some people, I’ve had this as well, where we have an individual, we have a great relationship, have a conversation, something seems off, you’re good, yeah, I’m fine. You don’t have to tell me anything. Like you really don’t have to share or overshare. trust you and I also am here if you need something. can tell me anything, it can stay between us, you don’t have to tell me a damn thing, we can get back to

If that’s what you want, let’s go do that. So it’s really for the managers and for the people leaders, just being able to dial into that EQ, that empathy. And sometimes it’s really hard for ICs and engineers in this new role. Like, I just want to write the code. I just want to ship the product. Like, yeah, sorry, that’s not the job anymore.

Thomas Rogers (37:37)
You

Phoebe DeVito (37:37)
100%. Awesome. Getting close to the end, although I feel like we could talk forever.

So Joe, the last question that we like to ask folks is if you were starting your career in cybersecurity today, so knowing everything that you know now, what is one thing that you would tell yourself?

Joe McCallister (37:53)
Something that I think my wife has kind of drilled into me is that everything’s going to be okay. Like you’re going to figure it out. It’s the worst piece of advice to get by the way, when it comes to children, when it comes to your career, everything’s going to be okay. You’re going to figure it out, is something that I, I constantly, you know, I will be very candid and say that, you know, every once in a while I check LinkedIn jobs. Then I remember like I’m a member of an amazing team. I love leading the people I lead.

Phoebe DeVito (38:02)
Hahaha

Joe McCallister (38:19)
I love the company I work for. get to meet cool people every and there’s a lot of work to do. Like I’m very, very fortunate. And, are there days where I’ve slammed the laptop shut? Sure. But there’s never been a day where I’m regretting, where I’m at or what I’ve done. And so I’m very thankful. And even in the jobs I was very frustrated at, I needed to remind myself it’s going to be all right. Like you’re, you’re smart, you’re capable. Like you got to pump yourself up.

you can do this, everything’s gonna be all right. Get out there, make some friends, have a conversation, get some coffee. You never really know when it’s gonna turn into something amazing.

Phoebe DeVito (38:52)
I love that. Well, Joe, thank you so much. It’s been so awesome having you on.

Joe McCallister (38:56)
Yeah, thank you so much. I really enjoyed speaking with you.

Flash CTF – Handsome Ransom https://metactf.com/blog/flash-ctf-handsome-ransom/ Thu, 26 Feb 2026 21:38:59 +0000 https://metactf.com/?p=3557 Description AHHHHHHHH!!!! Vegetable CTF hit us with ransomware! Thank goodness I got a memory dump while the process was running… Can you […]

The post Flash CTF – Handsome Ransom appeared first on MetaCTF.

Description

AHHHHHHHH!!!! Vegetable CTF hit us with ransomware! Thank goodness I got a memory dump while the process was running… Can you help me recover my projects?

Recon

Okay, it’s time to recover the files. Vegetable CTF will not succeed on our watch. Normally, I would start with Volatility, but at least by default, I can’t get symbols to load for this memory dump. Instead, let’s look for interesting strings that might tell us what we’re looking at. We know it’s ransomware, so there’s probably a note. Running strings with grep to look for ransom notes, we find the following:

*** Your files have been encrypted ***
All files under your home directory have been encrypted using AES-256.
The random encryption key has been encrypted with my public key and stored at:
To recover your files, you will need that key file along with the decryptor that I will send you when you pay the million bitcoin ransom, muwahaha!
This program will remain running while this window stays open.

Your Key? My Key

The proper thing to do would be to extract the ransomware process and search its memory to see if the key is still contained in RAM. However… there’s only 8 GB of RAM, and we have known file types. We know that AES-256 was used, so we can just treat every 8-byte-aligned, 32-byte window of the dump as a candidate key, check whether it decrypts the PDF file header properly, and if so, use the key to decrypt our target files. This is not elegant, but it does work. We do have to guess the cipher mode, but for the sake of brevity, we’ll assume that we figured out it was OFB.

Since we need the solve to run fast, we wrote it in C, and ran it against the UAP document in the projects folder. The solver treats the first 16 bytes of the .veg file as the IV and everything after it as ciphertext.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>   /* SIZE_MAX */
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <limits.h>
#include <openssl/evp.h>

#define IV_LEN        16
#define KEY_LEN       32
#define STRIDE        8
#define AES_BLOCK     16
#define PDF_MAGIC     "%PDF-"
#define PDF_MAGIC_LEN 5
#define DEFAULT_MAX   (8ULL * 1024 * 1024 * 1024)
#define PROGRESS_EVERY 50000000

/* Decrypt only the first block (16 bytes) to check for PDF header. No Final. */
static int try_key_first_block(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv,
                               const unsigned char *ct, unsigned char *plain16)
{
    if (EVP_DecryptInit_ex(ctx, EVP_aes_256_ofb(), NULL, key, iv) != 1)
        return -1;
    int out_len;
    if (EVP_DecryptUpdate(ctx, plain16, &out_len, ct, AES_BLOCK) != 1)
        return -1;
    return (out_len >= PDF_MAGIC_LEN) ? 0 : -1;
}

static int try_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv,
                   const unsigned char *ct, size_t ct_len,
                   unsigned char *plain, size_t *plain_len)
{
    if (EVP_DecryptInit_ex(ctx, EVP_aes_256_ofb(), NULL, key, iv) != 1)
        return -1;
    int out_len;
    if (EVP_DecryptUpdate(ctx, plain, &out_len, ct, (int)ct_len) != 1)
        return -1;
    *plain_len = (size_t)out_len;
    int fin_len;
    if (EVP_DecryptFinal_ex(ctx, plain + out_len, &fin_len) != 1)
        return -1;
    *plain_len += (size_t)fin_len;
    return 0;
}

int main(int argc, char **argv)
{
    const char *dump_path;
    const char *veg_path;
    char out_buf[PATH_MAX];
    const char *out_path = NULL;
    unsigned long long max_offset = DEFAULT_MAX;
    unsigned long long progress_every = PROGRESS_EVERY;

    if (argc < 3) {
        fprintf(stderr, "Usage: %s <dump> <file.veg> [output_path] [max_offset] [progress_interval]\n", argv[0]);
        return 1;
    }
    dump_path = argv[1];
    veg_path = argv[2];
    if (argc >= 4 && argv[3][0] != '\0')
        out_path = argv[3];
    if (argc >= 5)
        max_offset = strtoull(argv[4], NULL, 0);
    if (argc >= 6)
        progress_every = strtoull(argv[5], NULL, 0);

    if (out_path == NULL) {
        size_t len = strlen(veg_path);
        if (len > 4 && strcmp(veg_path + len - 4, ".veg") == 0) {
            snprintf(out_buf, sizeof(out_buf), "%.*s", (int)(len - 4), veg_path);
            out_path = out_buf;
        } else {
            snprintf(out_buf, sizeof(out_buf), "%s.dec", veg_path);
            out_path = out_buf;
        }
    }

    /* Load .veg file */
    FILE *fv = fopen(veg_path, "rb");
    if (!fv) {
        perror(veg_path);
        return 1;
    }
    fseek(fv, 0, SEEK_END);
    long veg_size = ftell(fv);
    rewind(fv);
    if (veg_size < (long)(IV_LEN + AES_BLOCK)) {
        fprintf(stderr, "Veg file too short\n");
        fclose(fv);
        return 1;
    }
    unsigned char *veg = malloc((size_t)veg_size);
    if (!veg) {
        fclose(fv);
        return 1;
    }
    if (fread(veg, 1, (size_t)veg_size, fv) != (size_t)veg_size) {
        fprintf(stderr, "Failed to read veg file\n");
        free(veg);
        fclose(fv);
        return 1;
    }
    fclose(fv);
    const unsigned char *iv = veg;
    const unsigned char *ct = veg + IV_LEN;
    size_t ct_len = (size_t)veg_size - IV_LEN;

    /* Allocate plaintext buffer */
    unsigned char *plain = malloc(ct_len + 32);
    if (!plain) {
        free(veg);
        return 1;
    }

    /* Open dump and mmap */
    int fd = open(dump_path, O_RDONLY);
    if (fd < 0) {
        perror(dump_path);
        free(plain);
        free(veg);
        return 1;
    }
    struct stat st;
    if (fstat(fd, &st) != 0) {
        perror("fstat");
        close(fd);
        free(plain);
        free(veg);
        return 1;
    }
    size_t dump_size = (size_t)st.st_size;
    if (dump_size > SIZE_MAX) dump_size = SIZE_MAX;
    if (dump_size <= KEY_LEN) {
        fprintf(stderr, "Dump too small\n");
        close(fd);   /* do not leak the descriptor on this error path */
        free(plain);
        free(veg);
        return 1;
    }
    if (max_offset > dump_size - KEY_LEN)
        max_offset = dump_size - KEY_LEN;

    void *dump = mmap(NULL, dump_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (dump == MAP_FAILED) {
        perror("mmap");
        free(plain);
        free(veg);
        return 1;
    }

    fprintf(stderr, "Dump: %s\n", dump_path);
    fprintf(stderr, "Veg:  %s\n", veg_path);
    fprintf(stderr, "Out:  %s\n", out_path);
    fprintf(stderr, "Max offset: 0x%llx (%llu), stride %d\n", (unsigned long long)max_offset, (unsigned long long)max_offset, STRIDE);
    fprintf(stderr, "Running...\n");

    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    if (!ctx) {
        munmap(dump, dump_size);
        free(plain);
        free(veg);
        return 1;
    }

    unsigned char first_block[AES_BLOCK];
    unsigned long long tried = 0;
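    /* max_offset is already clamped to dump_size - KEY_LEN above, so a 32-byte
     * read at any offset up to and including it stays inside the mapping.
     * Subtracting KEY_LEN again would underflow for a max_offset below 32. */
    for (unsigned long long offset = 0; offset <= max_offset; offset += STRIDE) {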
        const unsigned char *key = (const unsigned char *)dump + offset;
        if (try_key_first_block(ctx, key, iv, ct, first_block) != 0)
            continue;
        if (memcmp(first_block, PDF_MAGIC, PDF_MAGIC_LEN) != 0) {
            tried++;
            if (progress_every && tried % progress_every == 0)
                fprintf(stderr, "  tried %llu keys (offset 0x%llx)\n", tried, offset);
            continue;
        }
        /* Match: do full decrypt and write */
        size_t plain_len;
        if (try_key(ctx, key, iv, ct, ct_len, plain, &plain_len) != 0)
            continue;
        fprintf(stdout, "\nSUCCESS at offset 0x%llx (%llu)\n", offset, offset);
        fprintf(stdout, "Key (hex): ");
        for (int i = 0; i < KEY_LEN; i++)
            fprintf(stdout, "%02x", key[i]);
        fprintf(stdout, "\n");
        FILE *fo = fopen(out_path, "wb");
        if (fo) {
            if (fwrite(plain, 1, plain_len, fo) == plain_len)
                fprintf(stdout, "Decrypted file written to: %s\n", out_path);
            fclose(fo);
        }
        EVP_CIPHER_CTX_free(ctx);
        munmap(dump, dump_size);
        free(plain);
        free(veg);
        return 0;
    }

    fprintf(stderr, "No key found.\n");
    EVP_CIPHER_CTX_free(ctx);
    munmap(dump, dump_size);
    free(plain);
    free(veg);
    return 1;
}

Running it gives us our decrypted file, and the flag!

./brute_decrypt_from_dump memdump.raw encrypted_files/Projects/UAP/UAP_SAUCER_HARDWARE_SPEC__Sophia_Walker__rev3.pdf.veg

Flash CTF – License to Rev https://metactf.com/blog/flash-ctf-license-to-rev/ Thu, 26 Feb 2026 21:38:20 +0000 https://metactf.com/?p=3555 This is a Reverse Engineering challenge. We’re given a binary (an executable file) and told: We were trying to get the flag […]

The post Flash CTF – License to Rev appeared first on MetaCTF.

This is a Reverse Engineering challenge. We’re given a binary (an executable file) and told:

We were trying to get the flag from this binary we purchased a few months ago, but we lost the license, maybe you can help?

Let’s take a look.

We can use file to determine that it’s a Linux executable (ELF), so if you don’t have a Linux host or VM, you’ll want to grab one. Use chmod +x license_to_rev to make it executable, then ./license_to_rev to run it (for safety, it’s best to do this in a container or VM with untrusted binaries).

$ ./license_to_rev 
Usage: ./license_to_rev <license-file>

A license file is required to use this product.
Each copy is individually licensed. Please provide the path to your
license file. Without a valid license, the program cannot continue.

Well, that was anticlimactic. Can we just give it a blank file?

$ touch license
$ ./license_to_rev license
That is not the correct license. Invalid license.

Bummer. We’ll have to actually reverse it. Let’s start with strings, and as usual, look near the middle of the output:

It doesn’t look like a very complex program – the output isn’t much longer than this. It looks like it expects a license.txt file at some point. Interestingly, there’s a mention of EMBEDDED_ZIP and ENCRYPTED_MESSAGE, but not much more. (The eagle-eyed might spot that sneaky PK near the middle…)

Let’s try looking at it in Ghidra. The main() function, while lengthy, isn’t too complicated:

Interestingly, after some conditionals (probably reading in the license file), it’s calling functions like inflateInit2() and inflate(). A quick search hints these are zlib functions, and ldd confirms that the zlib library is used:

$ ldd license_to_rev 
        linux-vdso.so.1 (0x0000755399730000)
        libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007553996e2000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000755399400000)
        /lib64/ld-linux-x86-64.so.2 (0x0000755399732000)

Finally, we also see this line near the bottom:

We could keep reversing to try to figure out what it’s decompressing, or we could take all the hints the code is giving us (remember EMBEDDED_ZIP from earlier) and check for embedded archives within the binary. A tool like binwalk is perfect for this.

$ binwalk license_to_rev     

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 64-bit LSB shared object, AMD x86-64, version 1 (SYSV)
8736          0x2220          Zip archive data, at least v2.0 to extract, compressed size: 264, uncompressed size: 341, name: license.txt
9098          0x238A          End of Zip archive, footer length: 22

There is indeed a Zip archive hiding in there! We can use binwalk -e to extract it. It gives us a file, license.txt.
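
What binwalk does here can be reproduced by hand. The following Python is an added example, not part of the original writeup or the challenge: it scans a blob for ZIP local file headers and inflates each member as a raw deflate stream (the mode zlib exposes through inflateInit2() with negative window bits), using the header's CRC-32 and size to reject false signature hits. The sample "binary", its decoy signature and the license text are constructed.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"                      # ZIP local file header magic
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")     # fixed 30-byte part of that header
MAX_MEMBER = 1 << 20                           # never inflate more than 1 MiB


def parse_member(blob, pos):
    """Parse the local file header at pos; return (name, data) or None."""
    if pos + LOCAL_HDR.size > len(blob):
        return None
    (_sig, _ver, flags, method, _time, _date,
     crc, csize, usize, name_len, extra_len) = LOCAL_HDR.unpack_from(blob, pos)
    if flags & 0x0001 or name_len == 0:        # encrypted or nameless: skip
        return None
    name_start = pos + LOCAL_HDR.size
    data_start = name_start + name_len + extra_len
    if data_start > len(blob):
        return None
    codec = "utf-8" if flags & 0x0800 else "cp437"
    name = blob[name_start:name_start + name_len].decode(codec, "replace")
    has_descriptor = bool(flags & 0x0008)      # sizes/CRC follow the data instead
    if method == 0 and not has_descriptor:     # stored: length comes from header
        if data_start + csize > len(blob):
            return None
        data = blob[data_start:data_start + csize]
    elif method == 8:                          # deflate: stream marks its own end
        inflater = zlib.decompressobj(-zlib.MAX_WBITS)
        try:
            data = inflater.decompress(blob[data_start:], MAX_MEMBER)
        except zlib.error:
            return None
        if not inflater.eof:                   # truncated, or larger than the cap
            return None
    else:
        return None
    if not has_descriptor and (zlib.crc32(data) != crc or len(data) != usize):
        return None                            # signature matched by coincidence
    return name, data


def carve_zip_members(blob):
    """Return [(offset, name, data)] for every valid member found in blob."""
    found = []
    pos = blob.find(LOCAL_SIG)
    while pos != -1:
        member = parse_member(blob, pos)
        if member is not None:
            found.append((pos,) + member)
        pos = blob.find(LOCAL_SIG, pos + 1)
    return found


def build_sample_binary():
    """Constructed stand-in for the ELF: header stub, decoy magic, real archive."""
    license_text = b"LICENSE_TYPE=Demo\nEXPIRY_DATE=2000-01-01\n"
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("license.txt", license_text)
    prefix = b"\x7fELF" + bytes(28) + LOCAL_SIG + b"\xff" * 28   # 64 bytes
    return prefix + archive.getvalue(), license_text


if __name__ == "__main__":
    blob, _ = build_sample_binary()
    for offset, name, data in carve_zip_members(blob):
        print(hex(offset), name, len(data), "bytes")
```

The decoy at offset 32 shows why a bare PK signature match is not enough to report an archive.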

$ cat license.txt 
# License to Reverse - License Certificate
# Skillbit (formerly known as MetaCTF)

LICENSE_TYPE=Professional
SERIAL=MCT-4XHA-GKNA-5F1E
LICENSED_TO=Terrance Troutt
ISSUE_DATE=2025-07-01
EXPIRY_DATE=2026-02-01
ACTIVATION_ID=MNZHOM7YMY63DQBG1GTW

TERMS=This license is non-transferable. Each copy is individually licensed.

--- END LICENSE ---

And yet…

$ ./license_to_rev license.txt 
This license has expired. Please contact support for a new license.

Looks like it checks the expiry date. Can we just change it, say to expire in 2027?

$ ./license_to_rev license.txt 
That is not the correct license. Invalid license.

Dang. It’s probably doing some kind of integrity check.

We could try to RE how this works and defeat it, or patch out the check. Or… Ghidra shows that localtime is used. Could we just make the program think it’s still, say, 2025?

We could actually change our clock (and this does work), or we can use a tool like https://github.com/wolfcw/libfaketime. It’s installable with apt on Ubuntu.

$ faketime '1 year ago' ./license_to_rev license.txt 
MetaCTF{y0u_g0t_@_g0ld3n_ey3_4_r3v}

And there’s our flag!

Flash CTF – Great Paywall https://metactf.com/blog/flash-ctf-great-paywall/ Thu, 26 Feb 2026 18:42:17 +0000 https://metactf.com/?p=3545 Challenge Overview This is a simple web exploitation challenge. The goal is to retrieve the flag in an article, but the article […]

The post Flash CTF – Great Paywall appeared first on MetaCTF.

Challenge Overview

This is a simple web exploitation challenge. The goal is to retrieve the flag in an article, but the article is blocked by an annoying subscription paywall popup.

Solution

Let’s take a deeper look by using the ‘View Page Source’ feature on the webpage. Even though the subscription popup prevents you from reading the article in the rendered view, scrolling through the source reveals that the entire content of the article can be found in the <body> of the code.

Flash CTF – Dead Drop https://metactf.com/blog/flash-ctf-dead-drop/ Thu, 26 Feb 2026 16:56:56 +0000 https://metactf.com/?p=3539 This challenge is in the Forensics category. We’re told it’s a packet capture or “PCAP” challenge, and that a threat actor was […]

The post Flash CTF – Dead Drop appeared first on MetaCTF.

This challenge is in the Forensics category. We’re told it’s a packet capture or “PCAP” challenge, and that a threat actor was caught “seemingly exfiltrating something”.

This is a fairly common setup for a PCAP forensics challenge. It usually means that it’ll be fairly easy, and that there’s just some data being transferred at some point in the file that contains the flag in some way – either directly, or encoded in some manner.

As with most packet capture challenges, let’s start by opening it in Wireshark, a free program for creating and analyzing network packet captures.

This is a pretty simple PCAP. Only 32 packets – it almost all fits on my screen. If we click around the packets, we can see with the bar on the left that there are only two TCP connections (aka conversations, streams, etc) that were captured here:

It looks like both were simple HTTP requests and responses. Let’s filter for http to hide all the TCP noise and show just the high-level information.

From just this view, it looks like the user GET requested a page from a website (just /, the root URL), then POST uploaded some sort of data (we can assume, as the length of the POST is almost 2000 bytes) to the /upload URL. Wireshark even conveniently tells us that a PNG file was uploaded.

If we click on the first 200 OK and look in the bottom-left pane, we can see the HTML contents of the webpage:

It’s a very simple form for uploading a file. Presumably, that’s what the POST was for. Let’s look at the contents of the POST:

We see some form-data with the filename flag.png. Presumably, this is our flag. We’ll need to extract it. There are a few methods of approaching this.

Extracting flag.png via Export Objects

Wireshark has a built-in facility for extracting data from HTTP requests. This sort of works for our purposes. I’ll demonstrate:

We can save the multipart/form-data as a PNG file, but it won’t open. Why? If we open it in a hex or text editor, we’ll see that it’s because the form data delimiters are still present:

We could use a tool like binwalk to get at the PNG within, but for something this simple, we can just remove the first few lines, making sure to put the PNG magic bytes right at the start of the file:

And that does the trick – the file will now open in an image viewer.
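
The manual clean-up above can also be done in code. This Python is an added example, not from the original writeup: it takes the boundary from the first line of an exported multipart/form-data body, splits out each part, and returns the uploaded file only if it parses as a complete PNG with valid chunk CRCs. The boundary string, the form field name and the 1x1 image are constructed; flag.png is the filename seen in the capture.

```python
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def split_multipart(body):
    """Split a raw multipart/form-data body into (headers, content) parts.

    The boundary comes from the body's first line, because a body exported
    on its own no longer carries the request's Content-Type header.
    """
    first_line, sep, _ = body.partition(b"\r\n")
    if not sep or not first_line.startswith(b"--"):
        raise ValueError("body does not start with a boundary line")
    delimiter = b"\r\n" + first_line
    parts = []
    # Prefix CRLF so the opening boundary matches the same delimiter.
    for chunk in (b"\r\n" + body).split(delimiter)[1:]:
        if chunk.startswith(b"--"):            # closing "--boundary--"
            break
        head, sep, content = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no blank line after its headers")
        headers = {}
        for line in filter(None, head.split(b"\r\n")):
            name, _, value = line.partition(b":")
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
        parts.append((headers, content))
    return parts


def png_chunk_types(data):
    """Walk the chunk list, checking every CRC; return the chunk type names."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("PNG magic bytes are not at offset 0")
    pos, types = len(PNG_MAGIC), []
    while pos + 12 <= len(data):
        (length,) = struct.unpack_from(">I", data, pos)
        end = pos + 12 + length                # length + type + payload + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        ctype = data[pos + 4:pos + 8]
        (crc,) = struct.unpack_from(">I", data, end - 4)
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            raise ValueError("bad CRC in chunk at offset %d" % pos)
        types.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            if pos != len(data):
                raise ValueError("trailing bytes after IEND")
            return types
    raise ValueError("no IEND chunk")


def extract_upload(body, filename):
    """Return the content of the part uploaded as filename, validated as PNG."""
    for headers, content in split_multipart(body):
        match = re.search(r'filename="([^"]*)"',
                          headers.get("content-disposition", ""))
        if match and match.group(1) == filename:
            png_chunk_types(content)           # raises if delimiters leaked in
            return content
    raise LookupError("no part with filename %r" % filename)


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def build_sample():
    """Constructed upload: a 1x1 grayscale PNG wrapped in one form part."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    png = (PNG_MAGIC + _chunk(b"IHDR", ihdr)
           + _chunk(b"IDAT", zlib.compress(b"\x00\xff")) + _chunk(b"IEND", b""))
    boundary = b"----ConstructedBoundary7f3a"
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="flag.png"\r\n'
            b"Content-Type: image/png\r\n\r\n"
            + png + b"\r\n--" + boundary + b"--\r\n")
    return body, png


if __name__ == "__main__":
    body, _ = build_sample()
    with open("flag.png", "wb") as out:
        out.write(extract_upload(body, "flag.png"))
```

Running png_chunk_types() on the raw exported body fails at the magic-byte check, which is the same reason the image viewer rejects the saved file.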

Extracting flag.png via Copy Bytes

This is a more generalizable method that will work for non-HTTP protocols. The downside is that it makes use of your clipboard, which can be finicky.

Open up the protocol hierarchy (bottom left pane) and find Portable Network Graphics. Make sure that when you click it, on the right, it highlights only from the start of the actual PNG data, not the MIME type or other such metadata.

Right click it, Copy, as Raw Binary:

And now, if your OS’ clipboard cooperates, paste it anywhere on your disk:

The other options in this menu (as hex dump, as escaped string, etc.) are also quite useful for more complicated scenarios, where you need to do further processing on the data.

Opening flag.png via Show Packet Bytes

And finally, we saved the best method for last, because it took the author way too long to realize this works.

Right click the Portable Network Graphics item again. This time, choose Show Packet Bytes.

And lo and behold:

Yes, Wireshark has a built-in image renderer. It truly does it all.

Finally, here’s the full flag:

Flash CTF – Skybound Secrets https://metactf.com/blog/flash-ctf-skybound-secrets/ Thu, 26 Feb 2026 16:15:56 +0000 https://metactf.com/?p=3532 Description “I’ve seen a bit of hype around today’s Flash CTF on Bluesky, I wonder if any of that hype comes with […]

The post Flash CTF – Skybound Secrets appeared first on MetaCTF.

Description

“I’ve seen a bit of hype around today’s Flash CTF on Bluesky, I wonder if any of that hype comes with its own secrets…”

TL;DR

The secret lives in a Bluesky reply that looks like normal text but uses Unicode lookalikes (homoglyphs) to embed a secret message. Treat every non-ASCII character as a binary 1 and every ASCII character as a 0, read the result as binary, and you get the flag.


Finding the right post

The challenge points to Bluesky and “hype” around the Flash CTF, so the first step is to find where that hype actually is.

Starting on Bluesky, search for “flash ctf”. That surfaces MetaCTF’s account and a bunch of related posts (and some other results you can ignore for this challenge).

Bluesky search for "flash ctf"

From there you should go to @metactf.bsky.social and scroll through their profile.

MetaCTF Bluesky profile

One post stands out: “We may or may not have hidden something special in tomorrow’s Flash CTF 🤔” with the signup link for the event. That’s a pretty clear nudge that something is hidden in the hype, i.e. in the posts or replies themselves, not just in the CTF platform.

So the next step is to see who was talking about the Flash CTF and whether any of those posts look “off.”

The suspicious reply

Under that same MetaCTF post there’s a reply from @shayden1337.bsky.social (the author of the challenge and Head of Content at Skillbit/MetaCTF) that’s basically hype + a hint:

Reply from shayden1337 under the MetaCTF post

The reply says “I can’t wait for tomorrow’s Flash CTF! I spent quite a while on the challenges, I hope that they’ll switch your brain on just like transistors! If you read this message very carefully, maybe you’ll even discover something…”, but the characters look off.

“Read this message very carefully” and “discover something” are strong hints that the text itself carries the secret. So the content of that reply is the blob we care about.


What’s actually in the message?

On the surface it’s plain English. The trick is that not every character is what it looks like. A lot of Unicode code points look identical to ASCII (e.g. Cyrillic а vs Latin a, or special apostrophes and spaces). So the message can look almost normal in the Bluesky UI while actually being a mix of real ASCII and these lookalikes.

If you copy the reply into an editor or script that distinguishes Unicode, you can see which characters are “weird.” For example, in an editor that doesn’t have glyphs for every codepoint, some of them show up as boxes or replacement characters. In the screenshot below, those are highlighted so you can see where the non-ASCII characters sit in the stream.

The reply text in an editor with non-ASCII characters highlighted

So we have a long string of characters. Some are normal printable ASCII, some are Unicode lookalikes. That’s the structure we need for the next step.
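
The inspection step described above can be scripted instead of eyeballed in an editor. This Python is an added example, not the challenge author's code: it lists every character outside string.printable with its code point and Unicode name, and flags words that mix scripts, taking the first word of each letter's Unicode name as its script (a heuristic, not a full confusables check). The sample string is constructed and is not the Bluesky reply.

```python
import string
import unicodedata


def flagged_characters(text):
    """Return (index, code point, Unicode name) for each non-printable-ASCII char."""
    report = []
    for index, ch in enumerate(text):
        if ch not in string.printable:
            name = unicodedata.name(ch, "<unnamed>")
            report.append((index, "U+%04X" % ord(ch), name))
    return report


def letter_scripts(word):
    """Scripts used by the letters of word, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in word if ch.isalpha()}


def mixed_script_words(text):
    """Words whose letters come from more than one script.

    str.split() also splits on U+00A0, so a no-break space used as a
    lookalike for a normal space still separates words here.
    """
    return [word for word in text.split() if len(letter_scripts(word)) > 1]


# Constructed sample: reads as "heads up, see ya" but six characters are
# lookalikes (Cyrillic ie, dze, a and a no-break space).
SAMPLE = "h\u0435ad\u0455 up,\u00a0\u0455e\u0435 y\u0430"

if __name__ == "__main__":
    for index, codepoint, name in flagged_characters(SAMPLE):
        print(index, codepoint, name)
    print(mixed_script_words(SAMPLE))
```

The indexes it reports are the positions that become 1 bits in the decoding step.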


Decoding the flag

The encoding scheme is binary in disguise:

  • Printable ASCII character → bit 0
  • Anything else (e.g. homoglyph / special Unicode) → bit 1

Walk through the message left to right, output a 0 or 1 for each character, then interpret that string as big-endian 8-bit bytes (first 8 bits = first byte, etc.). Decode those bytes as UTF-8 (or plain ASCII for this flag) and you get the flag.

So the solve is:

  1. Get the exact text of the reply (copy from Bluesky or use the same string from the challenge if it’s provided).
  2. For each character: if it’s in string.printable (or your language’s equivalent), emit '0', else emit '1'.
  3. Chunk the resulting bit string into groups of 8.
  4. Convert each 8-bit chunk to a byte, then decode the byte sequence as text.

Example in Python:

import string

ENCODED_MESSAGE = "..."  # paste the full reply text here

# One bit per character: printable ASCII -> '0', anything else (a lookalike) -> '1'
decoded_message = ""
for char in ENCODED_MESSAGE:
    decoded_message += '0' if char in string.printable else '1'

# Split the bit string into 8-bit groups and turn each group into one character
binary_chunks = [decoded_message[i:i+8] for i in range(0, len(decoded_message), 8)]
restored = ''.join(chr(int(chunk, 2)) for chunk in binary_chunks)
print(restored)

Run that and you get: MetaCTF{fl4g_induc1ng_hyp3!}

Ep 14 – The Cyber Talent Series https://metactf.com/blog/ep-14-the-cyber-talent-series/ Tue, 17 Feb 2026 07:03:59 +0000 https://metactf.com/?p=3520 Episode 14 of The Cyber Talent Series is now live! Join Thomas Rogers, Co-Founder of SkillBit (formerly MetaCTF), and co-host Phoebe DeVito […]

The post Ep 14 – The Cyber Talent Series appeared first on MetaCTF.

Episode 14 of The Cyber Talent Series is now live!

Join Thomas Rogers, Co-Founder of SkillBit (formerly MetaCTF), and co-host Phoebe DeVito as they connect with Kevin Woods, Director of Learning and Development at GuidePoint Security. In this episode, Kevin shares his perspective on bridging the cyber skills gap by building scalable training programs and creating structured yet flexible learning pathways. Kevin discusses the importance of being disciplined and proactive in building a cybersecurity career. The episode also explores how organizations can invest in entry-level talent and design learning programs that drive retention and long-term success in the industry.

Tune in now with the player below, or check it out on the MetaCTF YouTube and Spotify channels!


Spotify Link

YouTube Link

Phoebe DeVito (00:00)
Welcome to the Cyber Talent Series, where we explore how organizations are closing skills gaps, accelerating onboarding and building high performance cybersecurity teams. My name is Phoebe DeVito. I’m joined by my co-host Thomas Rogers. And today we are talking with Kevin Woods, Director of Learning and Development at GuidePoint Security. So welcome, Kevin.

Kevin Woods (00:18)
Yeah, thanks for having me. It’s a pleasure.

Phoebe DeVito (00:21)
Just diving right in, typically we like to start with asking folks to just tell us a little more about who they are and what they’re working on right now.

Kevin Woods (00:28)
Yeah. So as you said, I’m the director of learning and development. So as such, I get to work with a lot of people who are trying to upskill, trying to get into the industry, to do career changes. There’s a lot of different areas in cybersecurity. And so I think a lot of people are trying to pivot from one into another. And so just making sure that we have career paths laid out for them. I myself came from the cyber side to kind of a winding path to get there.

So I’ve seen some of these different ways that we can get into cybersecurity, the different skills that we have. And so just trying to help sure they have a good, successful career in the field.

Phoebe DeVito (01:02)
Awesome. And I know you mentioned this winding path; that actually was my next question. So I’ve heard you talk a little bit about it on other shows, and I think it’s a really cool story. So any amount that you’re comfortable sharing, would love to kind of give a little peek into that to the listeners.

Kevin Woods (01:16)
Yeah, absolutely. I like to share it because it is a little unique, like you said here, goes back a little ways, but I studied biology in college. I really didn’t know what I wanted to do. I felt like I had to go to college just because everyone was doing it at the came time I graduated, didn’t know, still didn’t know what I wanted to do, but I actually saw a commercial for the Navy and they were taking a biologist at the time. went to

the Navy recruiter office, they were out at lunch, but the army recruiter was in. So I was like, all right, sign me up, join the army. And went through training was military intelligence. And it just so happened at that first unit I landed at, they didn’t have a security manager for their information security program. And they’re like, military intelligence, that’s kind of technical, right? You can take this over. And so I had no idea what I was doing. I had never taken any IT, comp sci classes, anything like that.

I just knew it was my first job in the military and I wanted to do a good job and impress the boss. So, went out, started researching it, started asking a million questions. I was in the shop like every day, just probably annoying them, asking them as much as I could. Cause I was trying to get us ready for a security audit. So at the time we were just trying to abide by different regulations on the federal side, a lot with access controls. And I just, didn’t really know a lot of the words or the terminology they were using, but.

decided I was going to figure it out and did a lot of research just after hours. And before I knew it, I was really intrigued. Like, why are we, you know, not just setting up these access controls, but how are they actually protecting us? Right. And, yeah, taught myself how to code, some Raspberry Pis, got a firewall, a router, and just started messing around and started playing in my free time. Did that for a few years. Hopefully, I did a decent job on the security management front.

then the army opened up a cyber operations branch and was taking volunteers to move into it. And actually the first round got denied instantly because they didn’t meet the educational requirements. They were only taking people with bachelor’s in cyber. But then round two, they dropped the educational requirements and went through a bunch of screening and assessments got picked up. And the army trained me a lot of what I know today in cyber operations and moved over.

eventually ended up taking over an incident response team. And that was kind of the last gig I had before getting into the civilian world. GuidePoint actually offered me an internship. Did that when I was transitioning out and I fooled them enough to give me a full-time offer and became a security engineer over there. And then that’s how I got into cyber. And then a little side project of mine while I was doing security engineering was, Hey, you were an intern. Why don’t you help?

you know, us bring in other military people that want to be I took on the side project to create an internship program and we had five or six people coming out, joined that first year and it was successful. And before we knew it, other people were hearing about it in the company and saying, Hey, can I send my new hires through that? Or, Hey, I have a family member. I know this person in school that would love to go through this program. And it just blew up way more than we ever thought. And yeah, now today we’ve had.

Like 15,000 applications last year for this program. Brought in close to a hundred people. So I’m getting to deal with hundreds of people that are career changers that are military transitioning, military spouses, kids that are recent graduates from high school, colleges, university. So it’s a lot of fun to, to share my story and to help them also get into the field. Cause there’s a lot of different ways to get into cyber. So yeah, happy to share.

Thomas Rogers (04:37)
That’s incredible. I feel like the theme of your background and story is just like action, like doing stuff, not waiting to be like, is it okay if I learn how to code or, whatever it is, how does that shape the way you like run this program now? And also like how you design, upskilling, the teams at GuidePoint.

Kevin Woods (04:55)
Absolutely. Right. Like that’s that’s what I’m looking for when I’m bringing people into this internship program. And that’s what we’re looking for in our employees is we don’t want you to say, hey, I need to learn this tool or I really like to learn this tool. If they say that to me, I’m like, OK, what are you doing to learn it? I mean, is anything stopping you from doing get a lot of things. Hey, I don’t even know how to install it. I don’t know where to begin. And I think that’s true for a lot of people, but sometimes you just have to start researching. And that’s what we want.

from our cybersecurity practitioners is that they’ll just get started and they’re gonna troubleshoot along the way. They’re gonna run into all sorts of issues, but that’s sometimes the best way to learn too, right? I’ve been there and hopefully can relate it to other people. like, hey, you just gotta figure it out sometimes, right? In a field that’s ever changing, I tell someone to spin up a web server and they go to YouTube, that video is out of date two days later.

Right? So like they’re going to run into an issue. They have to figure out a way to troubleshoot it and just figure it out. a lot of these vendor tools, they want to learn. There’s free licenses out there. There’s free trials out there. So just download it, mess around and don’t be afraid to make mistakes. Take some action and start

Thomas Rogers (06:00)
How do you blend, the sort of like hacker mindset of like, I’m just going to go figure this out with like actually giving them some structure of, yeah, how do you blend that?

Kevin Woods (06:10)
Yeah.

Yeah, that’s the difficult part, right? We talk about disciplined initiative in my program a lot because we want you to go out there solve it. but you do need some left and right limits for sure. Right. Because this is a field with so much information that it can be very overwhelming of where to even get started. And so usually we’re trying to figure out first, what are you looking to do ultimately? Is this something you’re passionate about? Is this just a requirement from your supervisor? What does it look like here?

and then go out and start figuring out what is the path forward, right? So how do you get to that goal that you’re trying to achieve? And we’ll say, Hey, you can do it X, Y, and Z. This is how we recommend, but it’s never followed these exact steps. It’s never these exact commands to set something up. It’s never somebody just holding your hand doing it, but it’s okay. Generally you’re going to want to set up a web server. You’re going to want to set up a SIEM and then start attacking that web server and see if you can actually

catch it on that SIEM. So you can get that data to trigger that SIEM trigger and alert. That’s kind of the level we want to provide to our practitioners and then say, hey, go do it type of deal. Not this is the command to set up this leave it like that. We always want to set up scenarios too. So they have a bigger picture because at the end of the day, right, cyber is about people. People create risk, people manage risk, people mitigate risk.

And so you have to understand to the overall scenario, what type of team, what type of business you’re then be able to report on your findings or what you’re able to do. Cause you can be the most technical pen tester in the world and great at it. But if you can’t report how you got in or how to fix these problems, really it’s all for naught, right.

Thomas Rogers (07:44)
I feel like a lot of that depends on the stage of the learning, training, upskilling journey too. Because we see that a lot with our platform where now we have this big, vast library of the CTF style, the scenario based challenges. We have labs. We have learning modules that are more like traditional learning, so like text based and video.

And it’s like, could just say like, Hey, this is how you learn how to do something. Or we just say, here’s everything, like have fun. And really we’re trying to find now is like the in-between some people genuinely do just want to go in and like choose their own adventure. And some people want to, you know, start and be like, tell me where to go. but like, yeah, setting it up so that they have the optionality around like, okay, this is a topic I know nothing about. need to.

have my hand held for a little bit and then I can run. I feel like that’s such a challenge. It’s probably even harder for you because you have to create process and frameworks around it.

Kevin Woods (08:36)
Yeah, and you have to lean. So we do use a mentorship program here. So everyone gets a one-on-one mentor, which if any organization doesn’t have a mentorship program, highly recommended. It doesn’t cost anything. It’s pretty light on resources, but that’s what the there for. It’s somebody that’s a kind of a specialist in that field because they’re going to know the better triggers for how do we move. If we talk walk, run, that crawl phase might be, okay, yeah, we do have to kind of.

show you a few of these tasks, right? Ideally, what we like to do is, go learn the fundamentals for whatever field that you’re getting into. You can go through these different courses if it’s pen testing, wonderful. Go some of these different capture the flags or go through these courses that we have. But at the same time, let’s start shadowing that subject matter expert, see how they’re actually conducting it, watch their process that they’re doing. And as we move along, it’s like, OK, now the next time after you’ve shadowed

a couple of them, why don’t you take this piece of the pen test? You still have oversight with that mentor and you say, hey, you take that, the mentor still does that part of it and you kind of combine answers, right? You look at it, see how things are different and just constantly provide guidance and slowly you take on a little bit more and more and more for some of these people that are just getting into pen testing or if it’s a new area of pen testing that they’re doing. And we try to apply that to all the different areas that we in cybersecurity, right?

And yeah, it’s tricky, but I think relying on the mentors for us and the managers and the supervisors, the people who have also kind of taken people under their wing and develop them, that’s been huge because as one learning and development team, we can’t know all those triggers and when someone’s ready to kind of move on to the next stage.

Thomas Rogers (10:16)
Kind of a meta question, what have you done to learn about learning?

Kevin Woods (10:20)
Yeah, no, that’s a good question. Yeah, I try to go to different webinars, been to conferences, actually taken a class on it as well, but it’s, it’s different, right? It’s tricky because it’s so much more like the human element and human psychology of how do we train these people effectively? So for me, that was something I overlooked early early on. was like, okay, I’ll teach some of technical foundations, right? I’m comfortable in that area.

I’ll teach it. then it started turning into maybe I should get feedback on these things. Is this actually working and trying to figure out what metrics to collect? And then recently or past couple of years or so, it’s like, all right, maybe I should actually do some educating myself and I probably could do a better job at it. I know I do well if I’m in like a conference where I can actually see people talk and I can see things live that are happening.

and hear use cases and actual stories of individuals who have had success in their programs or failures too. can learn from that. for me, that’s been the best way to learn because it’s not really hands on in the sense that I can just hop into a Linux terminal and show somebody if I’m teaching them engineering. So it’s a little, little different for me for sure. It’s been an area that I’ve been trying to grow over the past few years.

Phoebe DeVito (11:26)
Awesome. Yeah. So you touched a little bit on this and I think you actually mentioned CTFs specifically, but I’m just curious your perspective on the importance of hands-on training when it comes to preparing and growing.

Kevin Woods (11:39)
Yeah, I mean, I think it’s pretty critical, right? There’s only so much you can learn in a book or watching a training course online. And I think most people realize the value in hands-on training, but they don’t always know how to get it or how to administer it to their people or even really even constitutes hands-on training. We kind of talked about this a little like if I see a training where somebody, we’ve had a vendor come in and they walk through.

some of our students and like, this is how we set up this tool, but it’s straight, just copy paste the commands. There’s not true understanding that’s happening there. And so again, you want to get to the point where they’re hands on in the sense that they’ve been given a goal to achieve and then they find a way to achieve it. Because again, I’m looking for people that can research, they can troubleshoot, they can get creative with their solutions. And I think a lot of our hiring managers are as well. We always talk about if

with some of my hiring managers here, if they’re hiring entry level talent, they’re looking for comprehension and natural curiosity and the ability to troubleshoot are some of the three biggest things they look for. You’ll notice those aren’t like technical skill sets because we can teach a lot of these technical skills. And I think that hands on piece of it is going to help them develop all that extra stuff. In addition to, yeah, obviously if you’re in a terminal all the time, you’re going to get a little bit better at doing that, but really it’s helping them.

especially like CTFs where you have to research and research and bang your head against the wall for a little bit. It teaches them to go through those frustrations and just find a solution.

Thomas Rogers (13:04)
I love your thinking on that, when you’re developing like learning plans, training plans, or just like trying to, you know, identify like, what are the kind of gaps or areas for opportunity for us? How do you think about like assessing as a part of that process, like using performance data or some sort of data to inform

like what you actually like train and build learning plans around.

Kevin Woods (13:26)
Yeah. I mean, if we could do it perfectly, that’d be awesome. Right. It’s super, it’s super hard to forecast. So, right. What is going to the most impactful to our organization, but for us it’s, it’s being heavily involved with leadership, understanding strategically where we’re going. recently we started getting more involved with like our HR teams that are doing employee experience. So they’re talking with managers, supervisors on what are the current skills gaps that exist? I know there’s tools out there too, that

Thomas Rogers (13:29)
He

Kevin Woods (13:52)
help in a lot of regards. I haven’t used a ton of them, so should probably look into some of those as well, right? But that can be really tricky to identify as an organization what skills we’re missing, because usually there’s not a ton of data or records around that. And so we’ve taken more of say, qualitative approach and asking a lot of our manager supervisors, what skills are you lacking and where are we going, right? Obviously 2025, 2024, we’ve seen a huge uptick in AI.

So it’s not just, okay, we need AI skills, but what also are we going to need with that? With AI comes a lot of data, right? And so how do we manage, control, and secure data effectively? And so we’re thinking through not just how do we train on AI overall, but how do we make sure that we’re prepared to handle all the data that’s coming in and make sure our customers are able to understand different security controls around the data on the back end that that AI is going to access? So hopefully that answers your question there.

Thomas Rogers (14:47)
It does. Yeah. And I mean, think the qualitative piece is like obviously important. Like what you said in interviews, it’s like you’re often trying to understand almost more about like, how does this person problem solve or like what level of curiosity do they have more so than do they have this, you know, skilled XYZ or do they know how to use this, you know, some tool that y’all use because you can teach, you can get them there. So

Yeah, I just find that fascinating, like combining that with like the hands on side. generally, I think it’s like, you know, you’re going to build training plans around like what people are interested in. Like you’re going to take that type of input, but, yeah, it’s just really hard to prioritize. Like, how do you what to focus on?

Kevin Woods (15:27)
Yeah, yeah, for sure. mean, that’s always difficult, right? And at the end of the day, we need to make sure our employees are passionate about what they’re learning about too. Like even if data security is our greatest need, if we have someone who just hates data and doesn’t want to do it, there’s no sense in forcing that person, right? But a lot of people will say, hey, I just want to learn a skill. You know, what’s, what’s available to me sort of deal. And they don’t even know what’s going to be an in-demand skill moving forward.

even though there’s tons of studies out there, ISC2 just dropped their cyber workforce studies and show all their top in need skills. We look at all that industry data as well and try to match up and start creating plans around that too.

Thomas Rogers (16:07)
How do you think about like on an individual or team basis prioritization? I’m sure GuidePoint Security, like engineers are very busy. How do you like think about helping people prioritize professional development?

Kevin Woods (16:21)
Yeah, again, it comes from the top down, right? We’ve been fortunate enough that we have leadership support across the board that we’re going to encourage our people to do some form of professional development and let the mid-level managers, the supervisors figure out what does that actually look like in terms of hours, priorities? We’ll let the managers handle that. if they managers want to say, hey, take

three hours a week where you’re just doing professional development on a normal week. But if we have some weeks where things are a little bit slow, go take a course, to get a certification, go to an event. But I do think that needs to be at the manager level. So you get to support the buy-in from the leadership side. You have the L&D program who can provide any sort of guidance that manager needs. If the manager comes to us and says, Hey, I have a SOC analyst one, how do I get them ready to be a CTI?

analyst next. Like we have a career have different ways and resources for that person to develop them. Now it’s on that manager to understand the schedule of that individual contributor and make sure that they’re still getting their job done, but they have that opportunity to continue to develop. Right. And I think with some of that leadership buy-in, there’s again, tons of studies, tons of data points around if you invest in L and D, you actually have a higher amount of

higher amounts of productivity, higher amounts of revenue, I’m happy to share those data points and studies with you here. But yeah, on average you get about a 21% increase in profitability if your organization is spending $1,000 or more on an individual learning and development, $1,000 per learning and development. So it’s huge, right? The returns can be huge if leadership buys in and then let the managers kind of

how they want to do it.

Thomas Rogers (18:03)
Good data. I feel like that’s the opposite of what, maybe not the opposite, but maybe not the first place. lot of people would think, you when you think about like, how much time should a person dedicate to, learning development or upskilling or, whatever. I feel like a lot of people go to like that individual, like let me look at my schedule, let me see, and you just try and fit it in. that’s pro tip.

Like you got to start at the top. It’s got to be supported across the whole organization.

Kevin Woods (18:29)
Yeah, the problem with the individual deciding is they might take on too much, too little, right? Like sometimes they don’t. And we’ve had to have that conversation that like, you probably shouldn’t be studying for a certification right now. You got a few engagements that are overdue or in the flip side, say, I just don’t have the time. I’m so overwhelmed and swamped with work, which I know is a big thing in this industry. Half these CISOs we talked to, these security offices, say they’re understaffed. They don’t have enough manpower. So how can I possibly even.

fit all this stuff in. If we look for the reasons that they say they’re understaffed or why they don’t have enough people, the skills gap exists. They say the number one reason is because they can’t find somebody who has the right skills, not because of budgetary constraints, which is just fascinating. Right. So why not take the time to find that person and you get that ROI in the long term if you allow people to upskill, you don’t fall behind and you don’t create skills gaps term.

Phoebe DeVito (19:23)
Yeah, it’s so interesting. wish I had a data point on like just the way that overlaps with even employee retention. I’m just thinking about think what I love about this that we do is, it’s a theme that comes up so much is like, whether we’re talking about cyber or anything else, like it is people at the end of the day. And I know like even for myself, when I’ve been in roles where I feel like there’s an investment in like, there’s the opportunity there. Should I choose to take it to continue to learn and grow?

it just makes it feel like such, you know, it’s a good feeling when you know, you’re in a place where people care about your development and it’s encouraging. and I think it just, even when we look at the numbers of how expensive it can be, when there is a lot of employee turnover, I do think that, you know, not in a way to fear monger, but just to say, like, I think when you encourage your teams and show you believe in them and, want to provide those opportunities, you know, so many people that we’ve talked to have seen a lot

growth come from that. So it’s awesome to hear that perspective.

Kevin Woods (20:19)
So 2024, the human resources journal reported organizations with an L and D program have 57% greater retention rates. So basically employees stay twice as long for organizations that have L and D programs and the average cost to replace a cybersecurity engineer in this field varies, but the rough range.

Phoebe DeVito (20:31)
Wow.

Kevin Woods (20:41)
average is about 60 to 80% of their salary. So turnover is crazy expensive. I think most organizations realize that retention is critical, especially in this field. And so yeah, you have a direct link. There’s multiple studies that show it between having an L&D program, investing in your people and how long they end up staying too.

Phoebe DeVito (20:59)
That’s awesome. I love that. And so you mentioned the skills gap. That was actually something we heard you talk about on the Phillip Wylie podcast. Thought that was a really interesting kind of conversation there. And so I think one thing that came up is we hear a lot of discussion about the gaps in the cybersecurity workforce from the perspective of folks who are trying to get hired. You know, there’s so much conversation about like how to break into the industry.

And so on the flip side, think you made some great points there. Would love to talk about a little bit here, just about the importance of recognizing the impact on that for the industry as a whole. And I think we talked about that a little bit earlier, that kind of like it takes a village mindset, but would love to just hear your thoughts on that skills gap in the cyber workforce.

Kevin Woods (21:43)
Yeah. And the scary thing is it just continues to grow. If we look at these different workforce reports, like the skills gap is being reported more and more. And we’re seeing millions of jobs globally that are open, hundreds of thousands of cyber jobs just in the U.S. and it’s not cause the people aren’t there. Like I see hundreds of thousands of people looking for these jobs and we can’t necessarily blame the job seekers. There’s things they could do better, but there’s a lot of stuff too on the employer side. I think that we can be doing and that’s

Taking risk on individuals on entry level talent, think there’s ways we can get people experience through internships, fellowships, apprenticeships. We do academic co-ops as well. There’s a lot of ways employers can start giving back in that way. And it doesn’t cost all that much. Again, we can talk about the ROI, but if you have an intern that you convert to full-time hire, it’s about five times cheaper than going and finding somebody out there in the normal job hunting, right?

And so as employers, we need to be willing to take a little bit more risk and bring in on entry-level talent because otherwise we’re going to run out of cybersecurity practitioners. talk to people all the time that have been looking for jobs. They think they’re doing everything right from what I can see, they’re doing everything right. And they get discouraged because they can’t find an entry-level cyber position. And some of them ultimately just bail on cybersecurity altogether. And these are talented, passionate individuals that can be contributing to industry long-term.

we just haven’t found a spot for. And so I do worry that a lot of the people that are in the industry that have tons of experience, they just kind of got started on their own. They took weird paths to get here, just like myself. And someone took a chance on them, right? I think because we had to, because it wasn’t an established domain yet, but now we don’t want to take a chance on others. Just sounds a little crazy to me. I understand it though, because entry level people, are a risk to an organization for sure.

But ultimately that’s what we have to do. I think academic institutions, sort of training programs too, need to do a little bit better job of actually showing tools that we use in industry. So that’s difficult again, because can train on open source tools. But when I pull up a resume, I see Wireshark on every single resume that I look at, Nmap, Kali Linux, wonderful. Those are great starting points, 100%.

When it comes down to if you’re gonna be a SOC analyst, there’s probably a few big name vendors out there you can think of that you’re going to be likely exposed to and using. And that’s what the company wants to see is somebody that knows how to use this tool that they’re actually using, right? And academic institutions just aren’t teaching that. And I think largely it’s due to licensing issues. And so for me, I think a lot of vendors would also benefit from offering academic licenses.

or even just allowing commercial free licenses and the educational institutions telling people, hey, go install this free version of this tool. Let’s get hands on. Let’s start messing around with it. And we can start getting experience on the actual tools we’re using in the industry. a lot of things we could be doing better across the board, I think from all parties involved. And I think we’re seeing a lot of right steps moving forward. it is a little scary because the threat is not.

getting smaller. don’t have a gap that exists. They’re just getting better, faster, using more technology. And unfortunately, did see a report earlier that actors were saying it’s just way more profitable and way easier to get down to the bad side of the house. And obviously, we want to kind of stomp that and level that curve as much as possible. And it’s scary because we’re really not doing it at this point in time.

Thomas Rogers (25:11)
so much there that I agree with and want to talk about. I want to talk about tools, but I’ll wait a second. So we friend and advisor of our company on a couple of weeks ago, Rob Fuller. And one of the things he talks about in hiring is over like 25 years, he’s workshopped like this rubric that he uses the interviewing. And so often

have a candidate that scores really well in his rubric, but doesn’t hit like the basic qualifications or preferred qualifications on the resume. And HR will be like, what the heck? This person’s perfect. And he is then able to like kind of counteract that because he’s like, I’ve got this rubric that’s tried and true and it works really well. And this person’s really curious and is going to learn and be a great resource. it sounds like that’s something that you.

agree with, you know, from a hiring perspective, like you have to, you have to find a way to be able to take chances on people that are not, you know, right down the middle candidates. have you been used as a resource historically to help? I mean, you clearly have like a very data driven approach to that. But yeah, like what have you seen that’s worked there?

Kevin Woods (26:16)
Yeah, we kind of have our own version of a rubric. I’ll again, it’s kind of at the team level. So all the hiring managers are doing their own thing with that, but we have had several managers retrial. Like, how are you evaluating these people? How do you look for natural curiosity? How are you testing them on problem solving skills? I like doing technical assessments, nothing that’s supposed to trip them up, but I just want to make sure they can work through some basic troubleshooting skills.

for technical interviews, I actually give out my questions beforehand. say, I’m going to straight up ask you these questions or here’s a list of 20 questions I’m going to ask from these. And the idea is not that, you know, they’re Googling it during the interview, right? Obviously, but I want to make sure they have the chance to research these things. Cause a lot of times we don’t need you to know all the answers off the bat, but if you’re able to find them and have an intelligent conversation about them, I know you’re showing up prepared.

And you’d be surprised how many times I go into an interview and I’ll ask the very first technical question and the person doesn’t have any idea, right? They don’t know how to answer it. Like I gave these to you beforehand, right? And that just gets into the level of preparation and how much research you do beforehand. Yeah, we’re, we’re always looking, especially on the technical assessment, we collected a lot of data around that too, and how people perform, how long it takes them in different areas. And we started sharing that with some of the different teams here.

at GuidePoint Security too. I know some of them are using a very similar approach. I like that rubric style too, because it’s really tough. You go into an interview and you’re just not prepared to think of appropriate questions, or you might come out thinking like, that person was awesome without really looking at your notes. Or if you dive into the rubric, you’re like, well, actually they couldn’t do this very basic thing that they should have known how to do. And again, I do get worried with AI coming in.

to play, see it all the time, people trying to use AI in their interviews as well. And that’s probably going to shape some things moving forward, right? It’s going to be a little bit more difficult. So the more you can have your questions that you look for, answers that you look for for those questions, right? And try to interpret not just the direct answer that they’re giving you, but how they go about approaching that answer, that delivery, right? And talk to them just about their…

critical thinking abilities as much as possible.

Thomas Rogers (28:27)
I love the idea of giving them the questions ahead of time for the assessments. Definitely gonna make note of think too, the big misnomer with assessments is that the goal is to stump and like that’s definitely not, and also that it’s just binary. It’s like you solve it or you don’t. It’s more about the process. It’s like putting them in a situation to just see how they think. that’s the entire purpose. They’re not only gonna be judged by, you know, there was all this

blowback against like LeetCode and all these other things last year. And I just, it always infuriated me cause I’m like, this is not even like a whole picture of like how these companies are hiring. It’s just like one piece of a formula. Yeah, I feel like that’s assessments have gotten like kind of an unfair of that stuff.

Kevin Woods (29:11)
And we’ve even had managers here, they’re like, why are you assessments? Because across the board, different people obviously feel different ways. But that’s because I think when they think of assessments, yeah, it’s like just stump the chump sort of thing or like try to find the most absolutely intelligent person you can in this one particular area. When in reality, we need social skills, conversational, emotional intelligence. Like there’s a lot of other areas other than just hopping into a terminal and finding an answer.

Thomas Rogers (29:38)
Cool, so I go back to tools because we talked about that earlier. really interested in this and it sounds like you have some good thoughts on it. So I’m curious your thoughts on how tools fit into like a cybersecurity professional just how to think about like tool-based learning development.

Kevin Woods (29:56)
We base a lot of our learning kind of around certifications. I think certifications have good like pathways, natural training plans. So it’s a decent way to get started. I like having a foundation of technical knowledge that has nothing to do with a vendor tool. So start with that. You understand computer systems, operating systems, networking and basic security skills. Once you get to that point,

then let’s go learn a vendor tool, right? I think that’s how you approach it. I don’t think it’s just one or the other. I think you need to marry up the two because they’re both equally important. I also run into people that all they know is just one tool. That is what they’ve learned and they can’t understand what’s happening in the background. They don’t understand why this tool is operating the way it is or even know how to interpret the data they’re looking at. So start with the foundations that’s going to make you a much better practitioner.

But then if you want to be hired, now we got to add in, level in some of those different tools that we’re actually going to use, right? So you know how to use them, but to me, it’s way easier to teach a tool, the buttons to click, and here’s the process of it. It’s way harder to teach people about risk management and understanding like where these different threats come from and how do we constantly evolve and adapt to those threats. Is that a similar thing that you had

Thomas Rogers (31:07)
wrinkle with that is because I’ve seen, you know, people in large organizations that are experts in one tool, but if it’s like Workday or Salesforce, like that’s fine, obviously, because every company is going to use that as kind of the gold standard in cybersecurity. It’s hard. I mean, there are definitely, you know, some tools that are used by, you know, a lot of companies, but there’s also so many like emerging tools that are, you know, really cool. Curious, like

Yeah. How do you think about that? Like, cause the tech stack is bigger than ever.

Kevin Woods (31:35)
Huge, right? Most companies have dozens of cybersecurity tools, right? And so I think you can become an expert on one tool, but you have to be exposed to different areas, right? And you’re right. If it’s like Salesforce and that’s all you do and that’s where you live and you probably have a job in that area for a long time, great. But if you want to be a well-rounded cybersecurity practitioner, I’d say you need to understand the foundations. You need to know how computers are talking, how threats are attacking, how to defend against those different threats.

You can have your tool of choice. That’s like your, your primary, if you will. And that’s what you learn. That’s what you’re good at. That’s what you’re an expert at, but there’s so many other tools that are connecting into that. And we typically, if you’re unsure where you want to go, if you’re just getting started or like learn a SIEM, nearly every single security operations center, that’s what they deal with. Right. So start there and then you can start looking at all these other tools. If you know, Hey, you want to get into data loss protection and prevention. Cool. Go learn.

those as well, right? But there’s a lot of adjacent tools are all communicating amongst each other. So we constantly have to be just learning newer and newer things. And that’s, that’s another part of upskilling. I think a lot of people want to learn these new tools and we’ll say, Hey, maybe you already know like a few SIEM tools. Maybe you should go learn like an EDR or something else, right? And kind of expand your, your knowledge here too.

Thomas Rogers (32:51)
So I think we’re completely aligned on all that. I’m also curious because we’ve know, a bunch of different types of training for vendor tools and it’s usually owned by the vendor, usually. And that can be kind of hit or miss depending on how much they invest in it. So you’re really like, it’s kind of out of your control. What we’ve seen that worked to go back to our earlier conversation works, you know, a lot of times is

Kevin Woods (33:03)
Mm-hmm.

Thomas Rogers (33:16)
Hands-on. Like give, you know, give people like Snowflake instance and like some actual data, give them like a flow of scenario, almost like CTF style and have them like go through, you know, those types of like hands-on challenges related to a tool designed to be solved by a tool. Have you seen stuff like that, is it more just kind of the vanilla vendor training?

Kevin Woods (33:40)
Yeah, GuidePoint works with over 700 vendors now, which is nice for me, because I get exposure to a lot of these different vendor tools, which is cool, and a lot of their different training. And to your point, it’s across the board, right? Some have way more management systems and training courses built out. I’ll say, and we get the same a lot of our learners as they go out to them, the ones that do have the hands-on labs, like built-in.

Thomas Rogers (33:43)
Yeah.

Kevin Woods (34:04)
They get way higher scores. The people tend to pick them up, learn them a lot faster than we have some training. It’s just videos and some texts that you’re reading and they just, they’re not going to be on board and able to provide a value to their company and use that tool effectively nearly as fast as the ones that are actually going into the system and learning it hands on. And some vendor training that we have, it’s just

video and text, what we’ll do is we’ll spin up that entire environment just in a cloud environment or one of our lab environments that we have and say, hey, follow along as what they’re doing in the video, you do it as well. And it might be a little outdated, might have a different version. So it might look a little different. That’s okay. Research it, figure it out, but follow along into everything that they’re doing. And when we started, we made that transition for one of the vendor certs that we were studying for. saw just like a…

6x improvement on the number that we’re passing it and ready to actually provide those services. So yeah, to your point, it’s across the board. See all different variation, but the more hands on you can get, and you can start with video and text. Like I’m not knocking that at all, but at some point you have to introduce the actual tool itself and let people get hands on and start using them.

Thomas Rogers (35:16)
700’s a big number. That’s a lot.

Kevin Woods (35:19)
Yeah, a lot of vendor partners. I’m blessed to be at GuidePoint Security. They’ve been an awesome company across the board, just from the leadership buying into the whole learning and development and the culture. But yeah, the vendor side is pretty nice too, because we deal with a lot of vendors who they just want to help out. A lot of them will volunteer to mentor or come work with like our interns and just teach them different courses and give us training environments and stuff like that. But it’s allowed me to get some

certs too, so I get to some fun.

Phoebe DeVito (35:47)
Awesome.

Thomas Rogers (35:47)
Sweet.

Phoebe DeVito (35:48)
Well, so our wrap-up question is if you were starting your career in cybersecurity now, so knowing everything that you know now, what is one thing you’d want to tell yourself?

Kevin Woods (35:57)
Yeah, I’d say the hardest thing about this industry is getting into it and getting started. So have patience, know there’s a lot of luck involved. People are gonna have to network, even if you hate networking and go into events, go out there and do it. But really the biggest thing is experience is huge. It’s experience way more important than any certification, any training, any studying you’ve done. I think those take you a long way, but at the end of the day, be willing to…

take whatever opportunity presents itself, whether it’s a little low paying or night shift or not exactly in the location that you’re looking for. Just get out there, start working, take action like we talked about, and that’s gonna open up way more doors and opportunities for you later on. And you might actually find that you really appreciate and like that opportunity that you started in. And so, yeah, take action.

Phoebe DeVito (36:43)
Awesome. Love it. Well, thank you so much for coming on today. It’s been a great conversation.

Kevin Woods (36:47)
Yeah, thanks for having me.

Phoebe DeVito (36:48)
Awesome.

Thomas Rogers (36:49)
Thanks, Kevin.

The post Ep 14 – The Cyber Talent Series appeared first on MetaCTF.

Path to RSA Initiative https://metactf.com/blog/path-to-rsa-initiative/ Fri, 13 Feb 2026 19:30:41 +0000
SkillBit, VulnCheck Sending Two Individuals to RSA Conference 2026

We’re excited to share something special with the SkillBit community.

As many of you know, we host a monthly Flash CTF that is free to enter and open to a wide range of skill levels. At SkillBit (formerly MetaCTF) we love passionate, curious hackers (or aspiring hackers!) and want to reduce barriers for anyone who is invested in growing their cyber skillset.

As part of our February Flash CTF, we’re partnering with VulnCheck to send two lucky raffle winners to the RSA Conference 2026, one of the world’s largest and most influential cybersecurity events. The Flash CTF will take place on February 26, 2026. Registration is still open at https://skbt.io/feb2026

RSA Conference brings together more than 40,000 security leaders, practitioners, researchers, and innovators in downtown San Francisco. Attendees gain access to cutting-edge research, industry networking, and the latest developments across the cybersecurity landscape.

Everyone who participates and meets eligibility requirements will be entered into a raffle for the chance to win a ticket to the conference ($195 value) as well as up to $1,000 in travel and lodging reimbursements.

This giveaway reflects our mission to make hands-on cybersecurity learning more accessible, and to open doors for emerging or established professionals to connect with the broader security community.

“Cybersecurity careers are built through practice, curiosity, and community,” said Thomas Rogers, Co-Founder and President of SkillBit. “RSA Conference is one of the world’s premier events for connection and career growth in cyber, yet attending is a major investment. Sponsoring an individual to attend RSA Conference 2026 reflects our dedication to expanding access and helping the community thrive.”

Learn more in our recent press release: https://www.prnewswire.com/news-releases/skillbit-announces-path-to-rsa-initiative-sponsors-2026-conference-trip-for-one-lucky-learner-302678024.html

Ep 13 – The Cyber Talent Series https://metactf.com/blog/ep-13-the-cyber-talent-series/ Tue, 03 Feb 2026 05:16:44 +0000
Episode 13 of The Cyber Talent Series is officially live!

Join Thomas Rogers, Co-Founder of MetaCTF, and co-host Phoebe DeVito as they connect with Antoinette Stevens, Principal Security Engineer at Ramp, to discuss growing detection and response teams, transitioning into people leadership while staying hands-on, and hiring for humility and curiosity. Antoinette also shares how she approaches build vs. buy decisions, and why mastering the fundamentals matters before layering in AI-driven capabilities.

Tune in now with the player below, or check it out on the MetaCTF YouTube and Spotify channels!


Spotify Link

YouTube Link

Phoebe DeVito (00:11)
Welcome to the Cyber Talent Series where we explore how organizations are closing skills gaps, accelerating onboarding, and building high performance cybersecurity teams. My name is Phoebe. I’m joined by Thomas Rogers. And today we are talking with Antoinette Stevens, Principal Security Engineer at Ramp. Thank you so much for being here, Antoinette.

Antoinette (00:29)
Thank you for having me.

Phoebe DeVito (00:30)
Yeah, awesome. All right, well we can dive in. First we like to ask folks to just tell us a little bit about themselves and what they’re doing now.

Antoinette (00:39)
Yeah, so I’ve been at Ramp. I just hit three years in December. I was the founding detection and response engineer. So I started building out that team when I joined in 2022. And I’ve since grown it to have two detection engineers under me with a couple of open roles on that side. And I’ve also since become the tech lead of our internal tooling engineering team with a couple of engineers under me on that side as well, where we focus on building platforms for internal tooling purposes as well as tooling for our CX team.

Phoebe DeVito (01:11)
Awesome. That’s amazing. And congrats on three years. (Antoinette Stevens (01:14) – Thank You.) Yeah, huge milestone. So I’d love to hear a little bit more about your journey into where you are now.

Antoinette (01:20)
Yeah, so I graduated with my degree in computer science from the University of Georgia. And while I was in school, I interned twice at a company based in Iowa called Principal. I think what I did there, which is probably the best path, was on my first internship, I wasn’t really that interested in the work. So I used that time to network instead, and met the security team there so that for my second internship, I worked with that team and then I got a return offer after graduation to work on our network engineering team. And then eventually I moved over to the security operations team. I was at Principal for like four and a half years and then I left and went to Cisco Meraki, where I was a detection and response engineer for them for about three years, did a very short stint at Slack and then came to Ramp.

Thomas Rogers (02:08)
That’s awesome. And now you’re managing a team, or I guess a couple teams technically. And you have like a lot of leadership type stuff that you do. What’s that transition been like from like IC to manager?

Antoinette (02:21)
I think it’s important to note that the culture of Ramp is that I’m still both an IC and a manager. So I don’t solely manage, I still am expected to ship code and deliver on things and get things done individually on top of also managing my team. The way that I think about it and the way that I think about those who report to me is the mindset of force multiplying my efforts.

So, I design like the tech spec and roadmap for both teams. I recognize that I can’t do everything. I recognize that I don’t have the skillset to do everything. So, I believe it’s important to find people who can go deep where I no longer can or don’t have time to and make sure that the vision that we’ve created for the various teams can still be executed on through the people that I hire and have working on my team.

I think what I don’t hear enough people talk about, and maybe it’s because I don’t read like manager books, I think there’s an identity crisis that happens when you become a manager. And it helps a lot that I still get to do IC work, but if I didn’t, it would make me how useful I would be. Because I think like after a day of sitting in meetings, you kind of think to yourself like, what did I do today? Because sometimes it like just talking to people, even if you like help change someone’s mind on something that would have impacted other things, like at the end of the day, sometimes it just doesn’t feel like you accomplished that much because you didn’t like build a product or launch something or any of those things. So I think there’s like a level of what is my job now sometimes that comes with it.

Thomas Rogers (04:02)
I think that’s what makes that transition so hard for so many don’t have the opportunity you have to keep your hands on keyboard for at least part of your job, whatever percentage that is. And so it’s like ripping the bandaid off from like, hey, you don’t get to do that stuff anymore. Now you just have to sit on Zoom calls all day.

Antoinette (04:20)
Yeah, I’ve noticed that there are certain tools that I just have not had to look at in a while because I have like someone else who’s triaging those alerts now and so I don’t have to go into them and that even is like kind of jarring to realize.

Thomas Rogers (04:35)
Yeah.

How, do you think that’s, I assume that’s really helpful that you’re still really involved in like setting the roadmap. So you sort of know you have probably a pretty strong pulse on like what needs to be done and who needs to do it. And the skill gaps that you or your team might have. So yeah, could you talk about, that side of things and like setting the strategy?

Antoinette (04:57)
Yeah, I try not to be so removed from anything that I don’t know what’s going on. And so I try to use like weekly reports or making people track work in Linear tickets or different things like that, just so it’s easier for me to understand what’s happening. I’m also just not afraid to ask questions, I think, about what’s going on.

And then I have the team, at least on the detection response side, I have them do their own research around things where I might ask like a prompting question and then teach them how to begin to set up backing research to make decisions. So a good example of that is let’s say we want to change like our email security strategy or something like that. I’m not involved day to day anymore on how we triage alerts from an email security perspective. And so I do have to lean on them to help me identify what the gaps are. And so I might have them go look at our tooling and determine like based on what you’re looking at so far, what’s a waste of time versus not? Or where do you consistently see yourself saying, I wish that it had this thing. And so I think I get a lot of value from, A, mentoring them on how to do the research, but also them doing it means I don’t have to. And then I can just help make decisions at a top level.

Thomas Rogers (06:11)
So that’s super cool. So back at Principal, a big part of what you learned in the early days was the importance of learning from other people and networking. How do you encourage your team to do that? How are you still doing that today, personally?

Antoinette (06:26)
Yeah, so when I worked at Principal and lived in Iowa, I went to a security meetup called SecDSM, so Security Des Moines. And I think early career, it’s the best thing I could have done because I got to learn a lot across various areas that I would not have otherwise touched in my day job.

So the way that I’ve kind of continued that at Ramp is we have RampSec, which is our quarterly security meetup. We organize speakers to come. I have not done the component from SecDSM that I found useful, which is the CTF part. But I think from an early career perspective, the best thing you can do for yourself is just be a sponge, take time to learn as much as you can. Go to conferences. I don’t go as much anymore, but I do think that early career, like it’s best for early career, participants to go and just soak up as much as they can.

For the people who report to me, I have one analyst who was a conversion. So he was on our CX team and then, we moved him over to security. I used to have him look up security articles and then research whether or not certain exploits or vulnerabilities were possible at Ramp to help him A, understand how to think from a security perspective, but also understand how to begin the process of like threat hunting, understanding how to look at security controls, so on and so forth.

Thomas Rogers (07:45)
That sounds really valuable for your direct reports. It’s a very hands-on way of managing. Did you just kind of take a first principle approach to coming up with a plan for your team? Did it just come natural to you? Or how did you come up with that?

Antoinette (08:04)
I think that one came naturally because that’s what I do. Like I listen to a lot of podcasts. I read security articles and then a part of the job is to simply go, okay, I know this is possible, but is it possible here? And so getting the team to think about that as well feels like a natural progression. I also think that almost everyone on a security team should be consistently reading like security news. Just it’s imperative to understand the landscape.

And so it’s not just reading. It’s after you read it. Are you then taking that and applying it to where you were?

Phoebe DeVito (08:37)
That’s awesome. I know you mentioned a little earlier, some things you keep in mind when you are building a team and like hiring. So, wanted to know how much hiring and interviewing you’ve done so far in this kind of new role. And then also just along the way, any tips or tricks you’ve kind of picked up to find if someone’s going to be a good fit for the team, either culture wise, skills wise.

Antoinette (08:59)
I’ve done quite a bit of interviewing and a little bit of hiring. I think more interviewing than hiring. I think that’s just the way that cycle goes. What I look for is curiosity in people, which I think sounds very straightforward, but you’d be surprised how uncurious a lot of people are. And what I mean by that is do people question their own assumptions?

Like, do you walk into a scenario, make some assumptions, and then never stop to go, but is this true? And then never take the next step of validating. I think it’s a natural thing to not do that. And so I tend to look for people who do. I like to look at how people react under pressure. And the lucky part of that is it’s a quick win because interviews by their nature are high pressure situations for a lot of people. I need to look at how people are under pressure because in incident response it’s important to know that someone won’t panic. And so how someone is when they are put under the wire is very helpful. I also during certain interviews tend to purposely throw in questions or things that I am fairly confident someone might not know just to see if they ask for help.

So purposely adding things with gaps in it. I like to know if someone will ask for help or again, fill it in with their own assumptions or grasp at straws. And that’s super important again, because for security or in incident response, your assumptions could change everything. It could slow things down, create untrue scenarios, mess up your entire process. And so I think it’s really important to have people who are mindful in that way kind of come in and join the team.

Phoebe DeVito (10:34)
Yeah, I love that. I think there’s an element of like humility there too. Like it’s so interesting. I think early on, I remember even early on in my career thinking like knowing all the answers was the correct thing. And it’s so funny as you get further, you learn it’s like being able to admit when you don’t know the answer and lean on your team. And that’s ultimately like why you build really strong teams with complementary skills. So I love that you brought that up.

Antoinette (10:56)
Yeah, I also, and there’s, it’s really hard to look for this one in an interview, but I always appreciate when someone knows how to say, hey, you know, I was wrong here. And here’s why I won’t be wrong again, which again goes back to the humility thing. I think humility goes a really long way. And I don’t know that we see it enough in the security space is I think there’s a perception that if you don’t have the air of always knowing what you’re talking about, people might not trust what you’re saying. I think people trust me more because I will openly say like, I have no idea what this is, but I’ll go find out.

Thomas Rogers (11:31)
Right.

How do you like gauge all those different things? Obviously like some of it just comes from like you’ve done a lot of them, like you have some intuition built in, but do you have like a rubric or something? How’s that changed over time?

Antoinette (11:43)
I think a lot of that signal gets raised through the interview loop. We do like an incident response scenario for people, or it gets raised through the way that we ask questions. Again, it’s leaving things purposely ambiguous to see how people respond to it. I also think you’re right. I’ve interviewed enough, and I’ve done this job long enough and interacted with enough people that I can kind of tell. But I prefer things to be more concrete when I’m evaluating someone in an interview, which is why I tend to try to design scenarios where you can clearly say, this person did try to fill in the gaps or this person did not. And can kind of go from there. I think that much ambiguity when it comes to how you score people in an interview leaves room for bias. And so I try to stay away from that.

Thomas Rogers (12:30)
How about like hard skills? Because I’m sure part of that is like, you can’t always hire the perfect candidate. So you’re going to have to trust yourself that you as a manager, you as an organization can get them to where they need to be. And I’m sure it differs for different roles, but how do you evaluate that in the interview process?

Antoinette (12:46)
If someone is not meeting the bar for hard skills, that doesn’t mean that we won’t hire them. And that’s mainly because I think it’s easier to teach someone a hard skill than it is to teach them how to be a good person. And so I prefer to use my time teaching someone how to write a Python script, how to use AI or how to think about detection and response versus consistently having to talk to somebody about how they treat people or like their attitude towards something or things like that.

Thomas Rogers (13:13)
That’s cool. And then curiosity, like going back to your first point that you said, about your curiosity based on all the stuff you do, all the talks you do and RampSec, which is super cool. Is that kind of an intuition thing too? Like you can just tell about a person, like how curious they are, like are they going to these conferences? Are they invested in this stuff outside of work?

Antoinette (13:32)
No, so no, I think that one’s a bit more difficult, right? Because I don’t know that I would necessarily say this person went to more conferences than this other person. Therefore, they’re more curious. I think that one again comes up though, in how someone responds in scenario situations when you’re walking through something like how many questions did they ask about this thing? When they when they really didn’t have to? What were their follow up questions? What were they curious about? I think it really comes out there when you get to see someone’s nature as they’re working through a problem.

Thomas Rogers (14:04)
Yeah, that makes total sense. I want to switch gears real quick. I know you are always looking at like new tools. And yeah, you’re a part of the team at Ramp that, you know, is evaluating like new vendors and stuff all the time. And, the work at RampSec, like inviting, you know, people to speak and stuff like that. You just get to see a lot of cool technology. I think purposefully, it seems like you’re like seeking that stuff out.

Yeah, I don’t know anything to share like new stuff that you’ve seen that you’re excited about or what are you seeing like in the landscape right now?

Antoinette (14:34)
I think the biggest concern for everyone, is around package and extension management as supply chain compromise becomes more common. You see VS Code extensions get taken over. Chrome extensions are basically malware at this point. We recently onboarded a vendor to help with identifying malicious extensions on user endpoints. And I think that’s the coolest one that I’ve seen. And it isn’t necessarily the technology itself because it’s a script running on an endpoint. I think what’s more impressive about the vendor is they built an arm to go with it. And so it’s worth it to pay for the vendor for the research group that they have, because they are like actively identifying malicious extensions.

So it’s not they just are waiting for a third party source to tell them it’s they are actively hunting and finding stuff and then alerting their customers and publishing their work. I think that’s the big draw for me, which is a super smart business model.

Thomas Rogers (15:34)
That, I mean, I feel like that just speaks to the InfoSec community as a whole, the importance of involvement and obviously that’s a part of a business model, but it also could just be a doing good for the world type thing. So yeah, how does that flow into your day job? How are you approaching the new stuff that’s coming out, new vendors?

And yeah, what part of your day or week are you dedicating to like, keeping up with stuff?

Antoinette (16:02)
Yeah, I think it’s less so lately. And the reason I say that, I think there’s a huge push to really think about what we can build internally. I think a lot of companies who have picked up the AI adoption are probably looking internally at what they can build and do on their own without vendor involvement. And I think the benefit that I have is like we can do the full stack. Like I know how to deploy the infrastructure here, and we know how to host services and do all of this other stuff. And so I think a lot of what we’ve done lately is look inward to how we can solve our problems.

Thomas Rogers (16:35)
That’s perfect, because my next question was going to be about Build vs. Buy, because I know you did a talk about that last year. So yeah, curious, I feel like you have a really simple framework for that. So yeah, I would love to hear more about that.

Antoinette (16:49)
Yes, I will pick the one that saves me the most time in the long run. So, I think that if there is a problem that I have, and I know that I can build it quickly and then never have to touch it again, I’m going to build it. There’s a problem that I have, and I could build it sure, but it’ll require a bunch of upkeep and maintenance and all of these other ambiguities. I’m going to buy it for the support and engineering power that comes behind it.

Thomas Rogers (17:18)
I feel like that’s such a hack for you as a CS major, like someone who’s a builder personally, but, and then Ramp just has so many talented engineers anyway. That’s super helpful. How do you think about like tooling in general as a part of like the cybersecurity function? Like tooling plays a role you know, you think about like road mapping and like gaps on the team from like an individual level. Do you also do that analysis like from a tooling perspective and yeah, how does that fit in?

Antoinette (17:46)
Yeah, I do that analysis from a tooling perspective, but it mainly comes from where we think gaps are. So at the beginning of this year, I looked at all of our security incidents. I pulled a bunch of trends across our alerting. I spoke to the people on my team and came up with a list of these are the gaps as I see them. So we need to talk about whether or not we have the capabilities in-house to fill these gaps. And if not, we need to talk about whether or not we need a vendor.

And so that’s the approach I’ve taken where I think I get approached with a lot of solutions to problems I haven’t decided I have yet. And that is just not the way that I like to work. And so I prefer to understand the problems that we have and then go identify vendors that might be able to help and solve those.

Thomas Rogers (18:33)
If you bring on a new tool, I’m sure there’s a learning curve, especially if no one on the team has used it before. Is that a factor, or is that just something you’re like, we’ll figure it out?

Antoinette (18:42)
No, it’s a factor for sure. I think it depends on what it is. I think usability is a huge part of adoption when it comes to any kind of tooling. So whether it’s a tool that we in security use, or if it’s a tool that like other people at Ramp need to use for security purposes, I care a lot about how easy is it to use. And I again care about the reliability of it at that point, especially if we’re it out to the org. I think a lot of the security vendors are kind of catching on to that and making their team a bit better. Because I remember there was a SIEM in like 2016-2017 that I looked at and the way I used to describe it is this feels like something that was built by a PhD person, and it was not like someone with a doctorate built this and this is not a compliment.

Thomas Rogers (19:29)
Yeah, I feel like those types of tools are, it’s like if you can get to the point where you like actually know how to use it and then start learning, it can be great, but the learning curve and just also just communicating like, hey, this is how this works. Like that can be, you know, really tricky and onboarding is everything with new tools. I feel like that’s something we’ve seen a lot. We work with a lot of security vendors and just like CTF style challenges being like a really nice way to like learn how to use a tool. Like, let’s give you a scenario and like practice a low stakes way. It doesn’t have to be like a competition. It’s just like, I mean, it can be, but so yeah, the tooling side is like really fascinating to me. Giving people like the hands-on opportunities to actually try before buying and using.

Antoinette (20:14)
It’s, I mean, like to the point about the CTFs, I think it, CTFs are the reason I ever touched like Kali Linux, which I don’t need and most people don’t need on a regular basis, but it’s a good opportunity to get, again, to understand capabilities and what’s possible, especially from like an attacker standpoint. It’s the reason that I got comfortable with the AWS CLI.

It’s the reason I understand like steganography and participating in CTF is the best way to like pick up so many skills, but especially around tooling.

Phoebe DeVito (20:46)
Awesome. Yeah. We obviously agree here over at, you know, Skillbit now, but formerly MetaCTF. So we love CTFs too.

Awesome. One thing that was really cool that I know you’ve done is you participated in the AI Security Council workshops. I think that was like September last year, talking about impacts of AI on cyber operations. Would love anything you can share about that experience.

Antoinette (21:10)
Yeah, I think in the last year, my life has become very focused on AI in various ways between AI security, AI enablement, how AI changes how we understand security at an enterprise level, so on and so forth. For the AI Security Council, my main advice, which I actually still stick by, is if your company was not good at the basics, then there’s no other conversation we need to be having right now. Like if your company doesn’t have a shadow IT program, if you don’t have endpoint detection and monitoring, if you have poor access patterns, AI is just going to make it worse, but you should figure that out first too because there’s no new threats that I see you introducing at that point.

Now, if you already have the basics down pat, then I think now you get to start worrying about things like the lethal trifecta and whether or not you’re granting access to agents that can access sensitive data, accept external inputs and then have access to the internet. Like I think that’s when you get to go to the net. It’s like Maslow’s hierarchy of needs. Like you get to go to the next one now you’ve solved the first thing.

Thomas Rogers (22:21)
I feel like that’s just not a unique thing with AI. Same thing goes for marketing. If your marketing isn’t working, AI is not going to help make it better. And same goes for hiring. If your security is not working today, hiring three analysts is not going to help. So you need to have that infrastructure in place. So obviously, like, for high-performing security teams AI can take it to that next level. But to think that you’re just gonna layer that into something that’s not working already is not the right approach.

Antoinette (22:53)
Cause if you don’t know what you’re doing, the AI won’t know cause you’re prompting it. They won’t know.

Thomas Rogers (22:57)
Yeah, it’s trained on you.

Antoinette (23:00)
Exactly. It’s trained on you and worse than that, it’s trained on generic data. And so from a security perspective, asking AI to, for example, build a security program for you is going to fail because it has no context of your business and won’t apply it.

Thomas Rogers (23:16)
So how are you applying that, what you know about like AI and like AI security to like, how does that flow through to your teams? Like, are you suggesting like, yeah, more upskilling and learning from that sense or yeah?

Antoinette (23:29)
Thomas, let me tell you, I love AI. So, my security operations team was probably the first operations team at Ramp to fully use an AI agent platform for investigations. Maybe 30 to 40% of our tickets right now have an AI agent as a first level triage. And so it goes through, pulls a bunch of information, puts it in the ticket.


An analyst can come through and review that and say, yep, I agree with the determination here and close it out. So the AI is not closing it out for anyone. And we’re what it looks like for AI to be able to auto close the tickets as well. And what that’s allowed us to do is ingest more log sources so that we can expand our coverage without needing to expand our team per se because hiring’s hard.

Thomas Rogers (24:14)
I know you mentioned you’re doing a lot of evaluation where you’re like, can we just build this internally? We have a lot more capacity probably in some ways because of AI. Do you feel the same way about hiring because of AI? Like, hey, we don’t need to grow the team because we’re able to do more with what we have today.

Antoinette (24:32)
No, I don’t. I don’t think I feel that way. I think it’s, I can be more strategic about how I grow the team. Like I don’t need to go hire 10 analysts, probably, you know, but I have to hire another detection engineer. And so it changes who I’m looking for when I hire. We are hiring another analyst to help with some of the like operational load, but it’s less, I need you to sit here and just watch a queue for tickets, and it’ll be more interesting work I think.

Thomas Rogers (25:00)
How do you think you would have approached that if you were getting into your career? If you were starting now, I’m kind of stealing the wins from our last question, but yeah, I don’t know. How would you approach that? I assume that’s how you lead your team, is this is how I would do it. But yeah, what do you recommend for your team?

Antoinette (25:20)
If I were, this is not for my team. If I were starting in security now, I would focus all of my efforts on learning everything I can about AI and AI security. And then I would get a job at a larger company to either work in security because they’re slower to adopt AI, and so their strategy around hiring probably hasn’t changed. Or I would, if you really, really wanted to work at a smaller company, go work at one of the ones that, because everyone’s learning AI, a lot of companies have roles open where it’s basically like, we just want you to be curious and go do that. I think throwing yourself into, I want to become highly knowledgeable about AI for the purpose of security would be a good path forward.

Thomas Rogers (26:05)
Cool, good advice.

So with the AI tooling, I’d say one of the things, so I went to some of the big conferences last year, so like Black Hat and RSA and DEF CON, and so many vendors are just talking about how you can replace people with their tool. And I’m curious your thoughts on that.

Antoinette (26:20)
They’re trying to sell a product. I don’t know that anyone is in a place where you can replace a person. You probably replace an unskilled person. But like, I don’t think I’m personally at a point where I feel like someone’s tool will take my job. I’m not saying it’s never gonna be possible, but not today. I also…

I don’t like black box vendors. And so a lot of the vendors who have like AI platforms, I just haven’t looked at it because they don’t give you a lot of flexibility in what you can do. I also just don’t feel the need to right now because we have like a platform we use that’s highly flexible. And so it covers most of the use cases that I see a lot of vendors have. So I could build a lot of those tools. I think a lot of vendors should be more concerned about the fact that a lot of internal teams can rebuild their product.

Thomas Rogers (27:11)
I know you’re not laughing, but that’s funny. Yeah, I get that. With kind of all the evaluations and stuff you internally with your team, I would assume it would like change some of the build versus buy stuff because you probably can build more stuff than you used to. But yeah, how does that like work like cross-functionally? Like I assume you’d have to like work with other teams to make some of those decisions. Curiously from a manager perspective, what that’s like.

Antoinette (27:38)
I think on the internal tooling side, there are other stakeholders that we work with when we’re deciding about tooling. The general expectation on that side though, is that we’re for the most part building everything. On the security side, it’s less of an issue for detection and response because that team is almost fully encapsulated to itself in terms of stakeholders.

So if I am deciding to fill some sort of gap, I actually for that team usually choose to buy, but that’s because there’s like a talent gap in terms of there being other engineers who can build and deploy something, which is not the case on the engineering team.

Thomas Rogers (28:13)
Yeah, that makes sense. Cool. Right. I wanted to ask you about RampSec, and what that’s been like to be a part of curious, kind of like from an outsider. I just think it’s really cool that y’all do that. There’s weirdly like not a ton of big cyber conferences in New York. And so I feel like that is filling a really important gap. So I would love to hear just your experience with that, what y’all are trying to accomplish with that, more background on it.

Antoinette (28:39)
So I started RampSec in 2024. Mainly for the reason I mentioned of I really wanted to create a security community that could give people the benefit that I got from the community that I had when I was starting. And I’m pretty happy with where it’s gone.

I didn’t have goals. I didn’t have a goal of like having a hundred people show up every time. I didn’t need to be the biggest thing. It really was about, I want to build a space where people feel like they have a community here. I do think that it’s worth mentioning, like Reddit has a meetup that they do called SNOOSEC. There’s a new one called Sprawl now that’s meeting in February and Sprawl is like company agnostic. And so I think that’s even cooler because you don’t have to worry about it being tied to a specific vendor or company or whatever. I’m proud of RampSec because I hope in some small part it’s inspiring people to start up their own things and go explore how they can continue building community and things like that.

Thomas Rogers (29:41)
For sure, that’s awesome.

Phoebe DeVito (29:43)
Awesome. All right. Well, typically our wrap up question is if you were starting your career in cyber now, is there anything you’d tell yourself? I feel like you covered them, but if there’s any you want to add, now’s your time.

Antoinette (29:53)
Honestly, I wouldn’t change anything. Like I think the path that I took is the best path I could have taken of starting at a large company, learning as much as possible from people who are well established and understanding those patterns and then going smaller.

Phoebe DeVito (30:07)
That’s awesome to have no regrets. I love that. Awesome. This has been such a good conversation. I feel like we could talk forever, but yeah, thank you again so much for coming on.

Antoinette (30:17)
Thank you.

The post Ep 13 – The Cyber Talent Series appeared first on MetaCTF.

]]>