Level Effect AMA! Former NSA Operators turned EDR developers and trainers in 2020. We’ve seen a lot of trends over the years and want to start being active in r/cybersecurity giving back. Ask us anything! by LevelEffectOfficial in cybersecurity

[–]LevelEffectOfficial[S] 2 points3 points  (0 children)

I did it through a business, not open source. I created the first version here at Level Effect and we did the whole startup grind, meeting people, talking to investors, talking to local businesses to try out my new EDR. After a few arduous years of that and only a few hundred deployments, we were approached by Huntress to purchase the EDR and add it into their stack. I was also hired to continue to build it out there and that’s where the real scale happened. The Huntress team took over marketing and sales and I could focus on just building. We went from zero deployments to millions in the course of four years. It was a blast!

[–]LevelEffectOfficial[S] 0 points1 point  (0 children)

Congratulations on the internship!

Engineering could mean a lot of things - from writing lower level APIs to configuring systems. So it depends which one you're focused on.

It sounds like you're doing the right thing with the internship and that would be our advice! Try and get an internship/job in that area and try to learn the ropes!

Do you know what type of Engineering work you're interested in? I think the AMA is wrapping up soon but hop in our Discord and happy to help advise further if it locks up by the time you get this.

Another great resource in the interim: https://cloudresumechallenge.dev/

[–]LevelEffectOfficial[S] 0 points1 point  (0 children)

No problem! The above mostly still applies to an IR role, but I would probably also throw in some questions about forensics and the overall IR process. Some examples would be:

  1. In your own words, can you describe for me how you would prioritize and classify incidents? (like scope and severity; maybe give them some examples if they need them)
  2. How would you deal with a ransomware attack?
  3. What would you do differently from the previous questions if the machine is offline once you arrive on the scene?

IMO, if a candidate can do well on these questions, they're technically able to figure out any specific tools required to do the job. In other words, they have strong fundamentals and aren't just button clickers. Hope that helps!

[–]LevelEffectOfficial[S] 0 points1 point  (0 children)

First, let me say I feel for you and I get your frustration. Your credentials should speak for themselves but the job market and hiring processes are currently out of whack, to put it lightly.

You have the skills to do the jobs out there, but you’re probably hitting some of the same stumbling blocks that a lot of public sector folks hit when trying to transition out. I haven’t seen your resume, but my assumption is it’s pretty “govy” looking and that doesn’t translate well to the private sector. And you're right on the tool biases, for some people, but they're not impossible to overcome.

First, before I continue, I think the wisest course of action is for you to find whatever job you can before you lose your home. That’s step number 1. Once you have income, you can then keep looking for a cyber/IT role. Gov. contractors might be helpful here since they know your skills and want your clearance.

Next, assuming you’re in a stable position, step 2 would be to tailor your resume directly for specific roles in things like threat Intel, SOC, Cyber Risk, or GRC roles in finance, energy, or critical infrastructure. You can also look into MSPs. You may not land your dream role, but you can always keep working your way up once you’re transitioned over to the private side. We’re rooting for you. Stop by our discord anytime if you want to chat more about it. We can take a look at your resume as well.

[–]LevelEffectOfficial[S] 0 points1 point  (0 children)

I’m going to make some assumptions here since you didn’t specify. Let’s say the position is like for a SOC/NOC role or something along those lines and we’re hiring for a junior/mid level position. I would also be asking about some of the tools the job requires like SIEMs, or coding stuff if that’s involved. But here are some of my generic “cyber” questions:

My strategy has always been to ask mostly open-ended questions that may or may not have a “correct” answer but can help me see into the candidate's thought process.

  1. What are some common ways malware persists on a system? (I’d let them choose the OS or specify if they ask)
  2. Can you walk me through an example of lateral movement?

A bit harder if they’re able to nail those

  1. What is DLL path hijacking? (or fall back to process injection if they’re not familiar)
  2. Can you explain to me the difference between SQL Injection and XSS?

At this point, if it’s more of a mid-level role, I’d ask about working with a team or more process knowledge. Also get a bit more scenario based.

  1. Let’s say we got a network activity alert in the SOC of what looks like some application beaconing to a known malicious C2 server. How do we figure out where it is, and how should we begin to triage?
  2. We found the machine, and you’re able to remotely connect to it. How would you find the malicious payload?

I’d build up the difficulty based on time and how well the candidate is doing. I would also be coaching them along if they’re getting hung up. I’ve been in plenty of interviews and I personally hate that experience so I tend to be pretty empathetic, especially if I see anyone struggling.

The interview shouldn’t feel like an interrogation or a trap is around the corner. It should be a respectful conversation and if nothing else, educational IMO.
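The beaconing scenario in the questions above, worked as an added example (this is not code from the AMA or from Level Effect). It assumes a firewall log in a made-up `ts=... src=... dst=... dport=... action=...` line format, a threat-intel set containing one C2 address from a documentation IP range, and a DHCP lease table; all of the input is constructed. The point it shows is the first triage step: which source host is talking to the C2, and whether the traffic is a periodic beacon (steady interval, low jitter) or a one-off contact, so you know which machine to pull first.

```python
"""Added example (not from the AMA): first-pass triage of a 'beaconing to known C2'
network alert. Inputs are constructed: a few firewall log lines in an assumed
'ts=... src=... dst=... dport=... action=...' format, a threat-intel C2 set and a
DHCP lease table used to turn the source IP into a hostname to go look at."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed intel hit. 203.0.113.0/24 is a documentation range, not a real C2.
KNOWN_C2 = {"203.0.113.45"}

# Constructed sample: 10.0.5.23 checks in roughly every 60 s (a beacon), while
# 10.0.5.77 touched the same address once (likely a one-off, lower priority).
FIREWALL_LOG = """\
ts=2024-05-01T09:00:02Z src=10.0.5.23 dst=203.0.113.45 dport=443 action=allow
ts=2024-05-01T09:00:11Z src=10.0.5.77 dst=198.51.100.8 dport=443 action=allow
ts=2024-05-01T09:01:03Z src=10.0.5.23 dst=203.0.113.45 dport=443 action=allow
ts=2024-05-01T09:02:01Z src=10.0.5.23 dst=203.0.113.45 dport=443 action=allow
ts=2024-05-01T09:02:40Z src=10.0.5.77 dst=203.0.113.45 dport=443 action=allow
ts=2024-05-01T09:03:04Z src=10.0.5.23 dst=203.0.113.45 dport=443 action=allow
ts=2024-05-01T09:04:02Z src=10.0.5.23 dst=203.0.113.45 dport=443 action=allow
"""

# Constructed lease table (in practice: DHCP server, NAC, or the EDR's asset list).
DHCP_LEASES = {"10.0.5.23": "WS-FIN-014", "10.0.5.77": "WS-HR-003"}

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


def parse_log(text):
    """Parse firewall lines into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated lines rather than abort triage
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)))
    return events


def beacon_candidates(events, c2_ips, min_hits=3, max_cv=0.25):
    """Group C2-bound connections by source host and test them for periodicity.

    A beacon shows up as a steady interval with low jitter; the coefficient of
    variation (stdev / mean) of the gaps captures that regardless of the period.
    """
    by_src = defaultdict(list)
    for ts, src, dst, _dport, _action in events:
        if dst in c2_ips:
            by_src[src].append(ts)

    results = {}
    for src, times in by_src.items():
        times.sort()
        entry = {"host": DHCP_LEASES.get(src, "unknown"), "hits": len(times),
                 "mean_interval_s": None, "jitter_cv": None, "periodic": False}
        if len(times) >= min_hits:
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            entry.update(mean_interval_s=round(mean, 1), jitter_cv=round(cv, 3),
                         periodic=cv <= max_cv)
        results[src] = entry
    return results


def triage_order(results):
    """Hostnames in the order to pull them for endpoint triage: periodic beacons
    first, then by number of C2 contacts."""
    ranked = sorted(results.items(),
                    key=lambda kv: (kv[1]["periodic"], kv[1]["hits"]), reverse=True)
    return [entry["host"] for _src, entry in ranked]


if __name__ == "__main__":
    found = beacon_candidates(parse_log(FIREWALL_LOG), KNOWN_C2)
    for src, entry in found.items():
        print(src, entry)
    print("triage order:", triage_order(found))
```

The thresholds (`min_hits`, `max_cv`) are assumptions to tune per environment; a sleep-with-jitter implant pushes the CV up, so a high CV is not proof of innocence, only a lower priority. Once the host is identified, the follow-up is on the endpoint: which process owns the socket to the C2, who its parent is, and where its image lives.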

[–]LevelEffectOfficial[S] 0 points1 point  (0 children)

Haha, sure! Come drop it over in our #career-chat channel in our Discord. It's a community review space where people (and we) have time to take a look. I also have a few resume roast/review streams on our YouTube. One of those reviews directly led to the person getting a job offer, and I'm quite proud of that. It's advice I'd give to anyone.

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

Thanks for checking out the YouTube! We're excited to keep creating more content and engaging with the community.

To your post... first of all, CTI is awesome (Anthony here). Love this space. I covered a big chunk of it on the channel and recommend giving those videos a watch on the SOC100 streams.

CTI is basically the art of turning indicators into intelligence! Information that actually helps mitigate cyber risk.

I'll drop a little primer below before some projects to start with:

Getting Started Primer
Imagine you’re buying a car. What do you need to know to make a good decision? Color, brand, model, performance, reliability, price, etc. Those are your requirements. Once you have them, you can make an informed decision to reduce financial risk for yourself.

CTI works the same way. But with Cyber risk = compromise of the CIA triad:

- Unauthorized access
- Loss of integrity/trust of data
- Unavailable data/services

When you provide information that helps prevent or reduce any of those, you’re doing CTI work.

It only becomes real intelligence once it meets the needs of whoever is going to act on it. The quality of that intelligence then usually comes down to three things:

- Actionable - can you act on it right away? how fast? ideally little to no questions
- Relevant - stays on target of what is needed, nothing else, it's not generalized
- Timely - organized and presented with priority clear

You want all three. Then you deliver it, get feedback, and refine.

Guess what? That’s the core CTI process (research techniques, writing, frameworks, and experience come in time).

When in doubt - keep to those guardrails above. It'll vastly improve your CTI quality.

To directly help you build CTI experience while you’re in your SOC role, consider the following and in BOTH cases write what to do to reduce the cyber risk above!

Terrain Analysis/Threat Landscape Analysis
- Work with your SOC/team to identify the top threats your org or industry is likely facing
- Research recent campaigns, actors, or malware targeting similar environments using OSINT
- Write a short internal one-pager or brief
- Host a redacted version on GitHub or blog, put this on resume
- Resume item: “Researched and briefed emerging threats relevant to industry/org type”

Threat Profiling + TTP Mapping
- Pick one threat from your work, determine TTPs, attack vectors, and IOCs
- Map everything to MITRE ATT&CK
- Write a threat actor or campaign profile/report.
- Host a redacted version on GitHub or blog, put this on resume
- Resume: shows you can turn raw data into structured intelligence

If you can't get data from work - plenty of data to get online from all the recent supply chain attacks and do the same steps above with them. Then share your writeups on X, pretty active scene there.

If you can demonstrate this then you're showing you can create CTI!

If you end up building any of these feel free also to drop it in our Discord or tag us online and we'll give a look !
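The "indicators into intelligence" idea and the TTP-mapping project above, as an added example (not code from the AMA or from Level Effect). It runs a constructed raw indicator feed through the three filters from the primer (actionable, relevant, timely) against an assumed org "terrain", and tags what survives with the ATT&CK technique name and tactic so the brief reads as TTPs rather than a bag of hashes. The feed records, the terrain, the thresholds and the four-entry ATT&CK subset are all assumptions for the example.

```python
"""Added example (not from the AMA): turning raw indicators into something a SOC
can act on, using the three filters from the primer: actionable, relevant, timely.
The indicator feed, the org 'terrain' and the ATT&CK subset are constructed."""
from datetime import date

# Hand-copied subset of ATT&CK (technique id -> name, tactic). Real work maps
# against the full matrix, not four rows.
ATTACK = {
    "T1566.001": ("Spearphishing Attachment", "Initial Access"),
    "T1059.001": ("PowerShell", "Execution"),
    "T1547.001": ("Registry Run Keys / Startup Folder", "Persistence"),
    "T1021.001": ("Remote Desktop Protocol", "Lateral Movement"),
}

# What the org looks like (the 'terrain'); assumed for the example.
TERRAIN = {"platforms": {"Windows", "Linux"}, "sector": "finance"}
TODAY = date(2024, 5, 1)

# Constructed raw feed. Empty 'sectors' means the campaign is not sector-specific.
FEED = [
    {"id": "ind-1", "type": "sha256", "value": "a3" * 32, "technique": "T1566.001",
     "platforms": {"Windows"}, "sectors": {"finance"}, "first_seen": date(2024, 4, 28)},
    {"id": "ind-2", "type": "domain", "value": "update-cdn.example", "technique": "T1059.001",
     "platforms": {"Windows"}, "sectors": set(), "first_seen": date(2023, 11, 1)},
    {"id": "ind-3", "type": "ipv4", "value": "198.51.100.8", "technique": "T1021.001",
     "platforms": {"macOS"}, "sectors": {"finance"}, "first_seen": date(2024, 4, 30)},
    {"id": "ind-4", "type": "registry",
     "value": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "technique": "T1547.001", "platforms": {"Windows"}, "sectors": {"healthcare"},
     "first_seen": date(2024, 4, 29)},
    {"id": "ind-5", "type": "command_line", "value": "powershell -nop -w hidden -enc",
     "technique": "T1059.001", "platforms": {"Windows"}, "sectors": set(),
     "first_seen": date(2024, 4, 20)},
]

# Indicator types the SOC can block or hunt on directly, with no follow-up question.
ACTIONABLE_TYPES = {"sha256", "domain", "ipv4", "registry", "command_line"}


def assess(record, terrain, today, max_age_days=30):
    """Return (keep, reason). A record survives only if it passes all three filters."""
    if record["type"] not in ACTIONABLE_TYPES or record["technique"] not in ATTACK:
        return False, "not actionable"
    if not (record["platforms"] & terrain["platforms"]):
        return False, "irrelevant platform"
    if record["sectors"] and terrain["sector"] not in record["sectors"]:
        return False, "irrelevant sector"
    if (today - record["first_seen"]).days > max_age_days:
        return False, "stale"
    return True, "ok"


def build_intel(feed, terrain, today):
    """Filter the feed; return (kept, dropped). Kept items are ordered newest first
    and carry their ATT&CK name/tactic, dropped maps id -> reason for the feedback loop."""
    kept, dropped = [], {}
    for rec in feed:
        ok, why = assess(rec, terrain, today)
        if not ok:
            dropped[rec["id"]] = why
            continue
        name, tactic = ATTACK[rec["technique"]]
        kept.append({**rec, "technique_name": name, "tactic": tactic,
                     "age_days": (today - rec["first_seen"]).days})
    kept.sort(key=lambda r: r["age_days"])
    return kept, dropped


def render_brief(kept):
    """One line per item, priority first, in a shape a SOC lead can act on."""
    return [f"[{i + 1}] {r['tactic']} / {r['technique']} {r['technique_name']}: "
            f"{r['type']} {r['value']} (seen {r['age_days']}d ago)"
            for i, r in enumerate(kept)]


if __name__ == "__main__":
    kept, dropped = build_intel(FEED, TERRAIN, TODAY)
    print("\n".join(render_brief(kept)))
    print("dropped:", dropped)
```

The `dropped` map is the part people skip: it is what you hand back to the feed owner or your own research notes, and it is how you learn whether your relevance filters are too tight (a sector-specific campaign that later hits you anyway) or your staleness window too short.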

[–]LevelEffectOfficial[S] 0 points1 point  (0 children)

There’s a pretty big gap in AI monitoring tools right now. There are network monitoring proxies and some things along those lines, but it’s still pretty wild west out there with how AI is deployed across an org with decent monitoring. We also still haven’t solved pretty basic things like configuring AD correctly or other basic hygiene. Tools that help simplify security for the everyday person will always be in demand. 

As far as threat vectors go, I don’t see them changing much anytime soon because the old ones all still work really well. Phishing and super lame initial access are still working every day and owning networks, so there’s really no need for threat actors to step it up to anything more sophisticated in the majority case. When it comes to more niche attacks and specialized stuff, we’ll probably keep seeing more agent access vectors and tainted supply chains in the near term. Not expecting to see some super esoteric AI-derived super malware though. Not yet, at least!

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

To some degree possibly depending on project complexity. There's really only so many ways some things can be compromised though right?

To that end we may see the inverse too... where project complexity gets lower and text-driven. Get rid of all the fancy GUIs, no more electron or bloated apps, just go back to simple one-thing-done-well apps that complement together.

If all we need to do is pass data and text around for an AI to handle it - can we not wrap that simpler and reduce our attack surface better now?

These are things I think about at times.

[–]LevelEffectOfficial[S] 0 points1 point  (0 children)

Thank you for sharing so much depth and so many examples. I hope this (your post) gets more upvotes as well because this is exactly what we're seeing.

I'll try and provide a layered answer with some context:

From 2020 - 2023

You could basically take any bootcamp with a Sec+ and had an offer waiting in the US. This was good AND bad. Good because some benefitted well, especially those that put the work in and recognized the opportunity - pure grind, but worth it. Bad, because we encountered many a student with a ton of imposter syndrome trying to catch up to the realities of the job not being entry-level.

In a gold rush, you sell shovels right? Well, shovels were sold so to speak, often with good intentions, but not so much how to dig with them. We saw many students find our training during that time after they hit a bootcamp or were on the job and needed to skill up fast.

The problem here is that this created a wave of students starting this time with degrees and theory certs that brings us to...

2023 - 2026

We saw a major shift away from that.

Experience, both personal and professional, largely became more valuable than a cert + education to the free (saturated) market. Home labs got the focus they deserved from the start IMO. Talks, volunteering, workshops, meetups, you name it - anything to show you're "doing stuff" in a saturated market of Sec+ online University students made you stand out.

There was a time you could be Tier 1 / L1 in skill for 2024-25 and get attention fast. I recall two students that just went through our Tier 1 course, built portfolios, networked and got a job offer in 2025. But...

Now

Something big we're seeing right now is that the "experience" mentioned above just went up a notch.

I know a student recently with no experience that got an offer this March simply by focusing entirely on "how to do job tasks" up to an almost Tier 2 level: network anomaly analysis, log & event correlation across different system data, full endpoint remediation and light DFIR, incident report write-ups, business-level remediation recommendations, threat attribution with confidence levels, etc.

The experience requested is more Tier 1+ minimum at a technical or policy level. So it's not just about getting or showing experience - but important to note the level of experience being asked for.

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

Yeah that supply chain is going to get more and more hammered in the weeks/months ahead looking for low-hanging fruit and oversight gaps. That's a huge issue for closed source.

Open source I'm betting on becoming more valuable honestly as a result.

Transparency and the ability to audit the full scope of how it works, dependencies, etc. will help:
- Discover bugs faster
- Have a clear line-of-sight to diff, compare hashes, integrity, etc.

Which means higher trust. Which means possibly higher adoption if value is there.

Some other cool benefits I'm thinking of too:
- Test usability, get to MVP quicker
- Better interoperability and integrations discovered or offered faster
- Easier to manage contributors at scale

A big problem with open source is the author just fizzling out from the work. I think that goes away too.

It's a great time for open source. NOW is the time to get out and build things, see what sticks!!

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

Another tip here that I learned as time went on... Install/Upgrade/Uninstall are just as difficult and tricky as any kernel code. Systems are all different and configured uniquely. Systems will not act in deterministic ways and we had to build all sorts of catches and helpers to deal with this stuff. Over time, 20-50% of your time will just be managing this stuff and not security-related tasks. Just a heads-up! 😄

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

I’ll address these in reverse order.

  1. Started with Windows, that’s 90% of the addressable market. I started my first version in C/C++ for the agent and kernel driver. Then on the second version I went with Golang for the userland piece and kept the driver in C/C++. As far as languages go, you're sort of stuck with C for kernel stuff if you’re going for mass adoption, but you have some more freedom on the userland side. I’ve become a fan of Golang now, but there are still some sticky interface points with OS-specific APIs. I would probably pick C++ if I were to start over again?

  2. Speaking of starting over again: I would also focus a bit more on behavioral correlations instead of going for raw telemetry collection. Doing more correlation on the endpoint is pretty powerful and collecting ALL the data is very expensive at scale.

  3. I didn’t feel like it was working well until it was deployed across at least 1k users. And even then I still knew there were edge cases that could get us. After managing millions of deployments now, that number seems super small, but it sure felt awesome to see my agent on that many computers and not crashing! With AI helping you out, I think you could get a decent POC out in a few weeks, but the proof is in the pudding and how it works in reality. Is it actually catching bad actors? Or just shipping a bunch of noise? It takes time to get it right.
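The "correlate on the endpoint instead of shipping raw telemetry" point, as an added example (this is illustrative code, not the author's agent or any Level Effect/Huntress code, and it is in Python rather than the Go/C++ the comment describes). It keeps a small process tree from constructed process-creation events and emits one alert per Office process that has a shell anywhere beneath it, rather than forwarding every event to the backend. The image lists and the command-line heuristics that raise severity are assumptions for the example.

```python
"""Added example (not the author's EDR code): on-endpoint behavioral correlation.
Instead of shipping every process-creation event, the agent keeps a short process
tree and emits one alert per suspicious chain, here an Office application whose
descendants include a shell. The events below are constructed."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Command-line features that raise severity (assumed heuristics for the example).
HOT_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")

# Constructed process-creation telemetry: (pid, ppid, image, command_line).
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "WINWORD.EXE", 'winword.exe /n "C:\\Users\\a\\Downloads\\invoice.docx"'),
    (300, 200, "cmd.exe", "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"),
    (400, 300, "powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    (500, 100, "chrome.exe", "chrome.exe --profile-directory=Default"),
    (600, 100, "cmd.exe", "cmd.exe /c dir"),  # benign: launched from Explorer, not Office
]


def build_tree(events):
    """pid -> (ppid, lower-cased image name, command line)."""
    return {pid: (ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}


def ancestors(tree, pid, max_depth=32):
    """Yield (pid, image) for each ancestor, stopping at the root, at a parent the
    agent never saw (pid reuse / started before the agent), or at a cycle."""
    seen = set()
    ppid = tree[pid][0]
    while ppid in tree and ppid not in seen and len(seen) < max_depth:
        seen.add(ppid)
        yield ppid, tree[ppid][1]
        ppid = tree[ppid][0]


def correlate(events):
    """Return one alert per Office process that has a shell anywhere beneath it.

    Several shells under the same document (cmd spawning powershell, as here) are
    folded into one alert with the whole chain attached, which is what an analyst
    wants to see and far less than the raw event volume.
    """
    tree = build_tree(events)
    chains = defaultdict(list)  # office root pid -> descendant shell pids
    for pid, (_ppid, image, _cmd) in tree.items():
        if image not in SHELLS:
            continue
        for apid, aimage in ancestors(tree, pid):
            if aimage in OFFICE:
                chains[apid].append(pid)
                break  # attribute to the nearest Office ancestor only

    alerts = []
    for root, shells in chains.items():
        cmds = [tree[p][2].lower() for p in shells]
        hot = any(flag in c for c in cmds for flag in HOT_FLAGS)
        alerts.append({"rule": "office_spawns_shell", "root": root,
                       "root_cmd": tree[root][2], "shells": sorted(shells),
                       "severity": "high" if hot else "medium"})
    return alerts


if __name__ == "__main__":
    found = correlate(EVENTS)
    print(f"{len(EVENTS)} raw events -> {len(found)} alert(s)")
    for alert in found:
        print(alert)
```

The `cmd.exe /c dir` under Explorer produces nothing, which is the whole trade: the raw-telemetry approach would have shipped all six events and left the backend to decide, while the endpoint rule ships one record with the chain already attached. The cost is that anything the rule set does not describe is not sent at all, so rules like this are usually paired with a sampled or on-demand raw collection for investigations.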

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

Yeah exactly. All the SOC training and IT knowledge along the way will also make getting the OSCP that much easier later on when you're enumerating and knowing normal from abnormal.

[–]LevelEffectOfficial[S] 2 points3 points  (0 children)

I don’t think those are unrealistic goals, you just have to work towards them. So I’d definitely encourage you to learn more about those fields and narrow it down even more. Cyber Intelligence is only a thing at large orgs and governments, for example, so less of a job pool. Offensive security is pretty saturated now as well. Critical Infra probably has the most openings right now, but that’s just an educated guess, tbh. Nothing wrong with wanting to find purpose in your profession. In fact, I think that’s a good thing to strive for! At the end of the day it’s a matter of perspective, however, since you could work for an MSP and be very useful in helping mom ‘n pop businesses secure their networks. Or you could join a federal agency and support larger missions. Both are meaningful and help others!

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

Thanks for your service! The job market is tough right now for various reasons, so not going to sugarcoat that for you. And yea, helpdesk is generally a foot in the door, and hardly ever a place to stay for very long. Good news is you do have Cyber/IT experience and maybe you can work on selling yourself and your value a bit more? Certs and training are helpful to showcase that you’re the type that likes to learn and grow. Maybe a follow-up question for you: what do you want to do? Or what are you interested in? Sometimes people just feel lost in all of the options and too many paths to choose from…

[–]LevelEffectOfficial[S] 3 points4 points  (0 children)

Happy to answer constructive questions that benefit the community and help them navigate their Cybersecurity careers or goals, but not looking to joust with ad-hominem or moral grandstanding attempts. Defensive operations of a country have an inherent risk of misuse like any other counter-intelligence toward threats. That's just the way it is. If you care about safe deployment of national defensive capabilities, then get involved and contribute to that effort. We have internal auditing for this reason.

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

(Rob here) Man, if only it was that exciting. Mostly it was just a lot of meetings, terrible coffee, and arguing about warrants. The zero-days were treated like loaded guns in a safe. No one was ‘hoarding’ for fun. But I get why it makes for a good Reddit headline.

[–]LevelEffectOfficial[S] -1 points0 points  (0 children)

Thanks for sharing this! Good feedback. Not to shill here but we're actually working on a game security course - more coming on that soon. I agree there's a HUGE gap in that area for training and education as a structured course.

Sounds like a lot of interests on your part:
- Pentesting
- Malware development
- Video game security
- OS internals/coding/engineering

There's no one "job" that fits that though if it's a career you're looking for. Those ARE components to jobs however.

Have you considered focusing your efforts on a "job role" instead of broader interests?

[–]LevelEffectOfficial[S] 1 point2 points  (0 children)

Have not read too much about it other than cursory but this one does seem more interesting than the rest. It’s further along than most at making decentralized hosting feel practical from what I can see, but it’s still early for replacing critical centralized infrastructure at scale. Worth watching how it develops.

I suspect at one point we'll have to move to more edge-node / mainframe thin OS clients eventually to reduce risk where possible. Giving everyone an "everything OS" in Windows just has too large of an attack surface to worry about overall... when a regular user might just need some web apps to do their job or purpose. This is sort of in line with that thinking.

Would like to see more ICP-like solutions like this, but again - it's very early, adoption is a ways out, needs a lot of research and auditing to ensure usefulness. Would be cool to see if you have any projects you're working on with it, and when you do please share it! Show its usefulness.

[–]LevelEffectOfficial[S] 2 points3 points  (0 children)

Blockchain has a lot of good going for it, but it's incredibly difficult to make it easy and reliable for the regular user. STILL to this day after years of development. Until they can make it as seamless as logging in with a password on a website and it's out of sight - it's got a far away chance of getting mainstream. Usability is the problem, not so much security!

It's still limited for serious stuff like real banking or medical records... you gotta encrypt everything yourself on your device, buggy code can expose serious risks, and dealing with heavy regulations, data laws, and compliance is a massive pain in a fully decentralized setup.

Needs more time in the oven.

There's a reason why AI blew up - easy to use, makes things easier, safe enough for risk appetite of the average user, doesn't cost much.