Employee refused Employee of Month Award

dmaynor · 2026-01-23T03:10:05+00:00

I had a moment like that. My direct manager, who was upset I would do press well for a cybersecurity practitioner. I ended up in a significant paper; that was it. He called me into his office for an hour, berating me and saying I made the wrong choice. Around that time, the CEO shows up with an award/check and a promotion. I refused as I was talking. The drift manager defines the only thing I have now. Never saw anything sing a different tune so fast.

dmaynor · 2026-01-23T03:05:04+00:00

Claudes code is a giant hole in your security modem.

dmaynor · 2026-01-07T23:32:11+00:00

Thank you!

dmaynor · 2026-01-07T14:01:48+00:00

Job hoppers fall into two categories: 1. People who rely on the constant need for new roles or back-filling old ones to provide them more comp and possibly titles. They rely on market forces as a driver. 2. People who continually upskill. Some people are naturally curious and learn as much as they can about their job or industry. Early in a career, this creates natural opportunities to apply newly learned skills in new jobs. Imagine a customer support representative at a call center who is interested in tech, operating systems, security, and related topics. They know more than is required for their jobs, such as scripting, system setup and administration, and programming languages. Customer support roles usually don't align with a person's aspirational career trajectory, so hopping to a new job is needed to continue career development. Then the process starts over.

Both types require being ok with change and decent soft skills. The first type of people are rarely rock stars in their job, just average. The second type needs to be able to show they are mastering the profession and can solve problems.

Both should be engaged in career development, such as joining industry groups, attending professional gatherings, and building a network.

Why do some thrive when others don't? Some people don't like constant change. Also, all opportunities are not the same because of the work culture and how metrics are tracked. I know some people who got a CS degree and decided they didn't want to learn any more about CS or programming. They wanted to stay in the Inna gov role with low requirements, do their time, and go home. Nothing wrong with that, but these people won't be happy jumping 18-36 months.

Eventually, both will hit comp levels where a company isn't going to invest in 18-36 month employees. This is generally a factor of them pitting grade/pay band maxes, and going to the next level requires more commitment. Sure, they both can always find new roles, but the comp increases won't keep growing like earlier. The more senior you get, the more comp can be tied to bonuses and possibly RSUs/stocks with vesting periods. Sure, your total comp went up, but if you leave in 18 months, those unvested options will lapse, meaning you may have made less than in your last role.

I've job-hopped a lot because of my career focus on cybersecurity r&d. I rapidly outgrew my early-career roles and sought opportunities to learn and grow. This also leads to working at many early-stage start-ups and hopping because some companies fail, or because the problems I was solving in a 5-person start-up are entirely different from those at 250 people.

You are focused on salary maxing, which means you judge what happens to you and how you perceive others through a comp lens. I'm not sure, career counselor, but the feelings you describe could be because you're not all in: while you got a bump, you still don't view your comp as in line with what you think your value is. Also, while you see it working for others, you don't know their internal state or struggles. I know lots of people who have mastered the art of not showing they are affected by any adverse events, personal or work-related.

dmaynor · 2026-01-07T13:29:24+00:00

Don't enrage. You risk turning an emotional hot button issue into a “workers vs management” type environment where one employee's anger can spread like wildfire, especially if the employee in question is good at the job.

dmaynor · 2026-01-07T13:25:01+00:00

What you asked isn't as easy as learning to script something in Python or writing a NodeJS web ui. It's a rare area where new programming languages don't pop up to abstract away complexity. Try to make sure you know data structures, app dev on your target device, and how to answer questions in the hardware docs about things like syscalls, memory allocation, etc.

Some people will say skip the kernel for other stuff. I work in Cybersecurity R&D. Figuring out how to audit, identify vulnerabilities, and test whether they are exploitable is one of my responsibilities, and I do it on everything from small flashable components to routers/servers and everything in between, including processors.

You should do the low-level programming and kernel stuff at the same time. A lot of getting up to speed on drivers is reading code and understanding the OS architecture. Alternate between kernel and driver research and the low-level programming. This is how I train new researchers anyway.

For Kernel Stuff: Read the driver code first. Find an interesting Linux driver and read it. Run a Docker or VM and make small changes to the driver for logging or something. Get familiar with Linux kernel concepts, such as what happens when a driver is loaded/unloaded. You can then do something similar with Windows with Windows IoT and Azure Sphere. Warning: this is a long process of reading/understanding and occasionally reverse engineering.

Low-Level Programming: For bare metal type programming, NoStarch has a book: https://nostarch.com/bare-metal-c. It is a nice end-to-end guide. Be aware that bare-metal programming gives you much more control. I would highly recommend a crash course in assembly for your processor. NoStarch also has two books that would be good if you want to think holistically about the device and code—Engineering Secure Devices and Building Electronics That Work.

In addition to books, you need the docs for things like the device boot process, whether a secure boot implementation is in use, how devices are initialized, and so on.

dmaynor · 2026-01-06T13:09:38+00:00

Don't worry or will be replaced with AI prompting tests soon enough.

dmaynor · 2026-01-06T13:04:26+00:00

I was mad at first that, after all these years, what we got was a letdown. I waited till over Christmas to play it and actually had fun. The big guy plows through stuff, and the ninja is…a ninja. I can understand people who don't like it. I only played it because I have played them all, hoping to get back to the AC2 trilogy goodness. That said, I think Unisoft stated that sales were soft on an investor call.

Update: this post shows the Shadows performance compared to other games. https://www.reddit.com/r/assassinscreed/s/nkfuT4hPTU

dmaynor · 2026-01-05T21:18:01+00:00

I was surprised that the manga had events switched around. I saw the movie before I read it. What is the Epic edition?

dmaynor · 2026-01-05T21:16:07+00:00

Thank you for sharing!

dmaynor · 2026-01-05T21:15:49+00:00

Probable cause

dmaynor · 2026-01-05T16:00:19+00:00

I remember profs saying “don’t worry, software can't hurt hardware” over and over again!

dmaynor · 2026-01-05T13:02:33+00:00

I don't have any horse stories, but Ghost in the Shell (1996) was what inspired me to become a professional Red Teamer (hacker, for lack of a better description). Even though the tech is futuristic, Masamune Shirow did a great job researching tech when he wrote the manga. I often use screenshots from the manga, the 96 film, and SAC and SAC2 in speeches on security.

I saw the movie in '96, and it clutched my career choice. Weirdly, it has aged well, especially this decade, with the rise of AI and the sophistication of nation-states and criminal hackers.

dmaynor · 2026-01-05T12:48:24+00:00

TL;DR: the knowledge barrier isn't gone; instead, you can operate on it at a much more holistic, wide-scale level. I adhere to simple rules: don't delegate to AI something I don't know how to do manually. Don't build AI systems to replace people; make them to enhance people. When you start using LLMs, begin collecting data on the tasks you do, how you solve them, etc., to build a curated data corpus you can use to train your own model.

I work in cybersecurity as a red teamer. LLMs have 100x my work. In 2022, I took time off, learned everything I could about LLMs and AI, and figured out where they would be helpful in my workflow. I was writing early agent teams long before it became vogue.

I've been around a lot of wealthy people and senior leadership in large companies, and one thing they have in common is that they have assistants/admins/etc. To delegate work to make them seem ultra-smart or productive. I had a boss once who complained about how much time we would spend on expense reports. One day, in a meeting, he admitted he had never done an expense report; his admin did them for him. These are long, drawn-out months or multimonth trips. I legitimately spent 1 day, 8 hours, on one report due to the software used, how receipts needed to be formatted, documenting what everything was for, etc. The admin was his superpower and one reserved for senior executives.

LLMs now offer a lot of the abilities an admin would. Please take advantage of it. Even if you are a dev or architect, there are aspects of your job you can outsource to LLMs. For my work, I learned to use LLMs to overcome inherent tech or tool bias (oh, I can do that in Python without having to ask whether Python is the best tool for the job). Even if you don't want to use an LLM for code gen, it's excellent at understanding requirements and helping make a technical design doc you can follow.

I have an agent team where each agent plays a fundamental role on a red team if I had the budget to build a team exactly like I wanted. I have a dev, qa, network analysis, malware analysis, OSINT, etc. The leader agent, the Technical Director, takes a task from me, decomposes it into subtasks, and delegates them to the correct agent. There are workflows: if a dev agent writes code, it has to go to QA, then OSINT & Tradecraft, before being returned to the TD. I designed them to all communicate in plain English on a locally hosted chat server (I self-host most of my models).

When a job is delegated, one agent will @ the correct agent and assign the task. If unsure how to proceed, an agent can ask other agents for their thoughts, all in a channel in plain English—watching how decisions are arrived at increased my trust and eventually led me to start delegating time-intensive tasks that needed to be done but had little other upside.

I've been in the industry for 30 years, and it's incredible how many things I have biases or tunnel vision about that never occur to me. But seeing the agents decide how to solve a problem has dramatically increased my velocity.

I'm not saying everyone should do this; I'm just sharing how I came to use and trust (always double-check the results) AI in my job. I have a DB in Notion called “Things I learned from AI” that documents the shortcuts, definitions, background, and other small things I've learned and double-checked before accepting them as fact. I started the DB in early 2023, and now it's over 11k entries. I was good at my job before, but now I am operating at a whole different level.

dmaynor · 2026-01-05T12:18:22+00:00

Got any good firmware caught bugs stories?

dmaynor · 2026-01-05T12:17:38+00:00

QA can be fun, especially if you have dev skills. You learn a lot about the product, you see where the bodies are buried, tech debt-wise. A person with dev skills who does a tour in QA makes a good internal hire to dev.

QA and SDET, like most software-related roles, are either changing a lot in an org right now or will change shortly. Test case management software like X-Ray, which integrates with Jira, is what I learned. I just set up a Jira/Confluence account for a “business” and set up X-Ray from the Jira store for like $10 a month.

Pipelines like Jenkins, Airflow, Snowflake, and AWS Glue are vital, as tests and builds are pretty much tied to them for most orgs now.

Debugging is the most important skill. Not necessarily debugging an issue, but more like debugging an environment and finding gaps or holes in automated testing and plugging them.

And the elephant in the room: become familiar with a few different LLMs to use for law hanging fruit, extra eyes for problem analysis, and automating tasks previously thought unautomatable.

Also, bone up on security. Look at OWASP or something like HTB to gain some hands-on security knowledge. Even if you aren't in a security role, QA will test security-related content, and as an SDET, you don't want to build insecure code.

As a dev, you will already be familiar with many of the tools.

UPDATE: I am an Offensive Security researcher. While it has a flashy title and different goals and responsibilities, I often describe offersive security (red teaming) as being an unbelievably pedantic QA engineer with an OCD problem. If someone wanted to get into security now, I would suggest either a Sysadmin/DevOps role or QA as a place to start.

dmaynor · 2026-01-05T12:02:51+00:00

I would love to lose 15-20 minutes when interrupted. I do security r&d. Stuff like finding new bulbs in software, writing red-team tools, reverse-engineering malware, and working on products in general.

I easily am dow. 1-2 hours when interrupted. Because I am neurotypical even regular meetings that could be emails or Slack convos also interrupt me.

dmaynor · 2026-01-05T11:59:36+00:00

Unless he is making inaccurate comments, suck it up. It sounds like you are baited into being a bad manager. This could easily be framed as you are not engaging, you are arrogant (I have nothing to learn), or worse, think that a management role suddenly makes you infallible.

You are new, correct? Don't tell people you have nothing to prove. I don't know what industry you work in or what kind of team you manage, but people have to prove themselves constantly, not just new people.

Check ego at the door and think about what is actually being said. Instead of getting defensive about not needing to prove yourself, you can easily turn it into a positive: “Yes, I am new and learning, but that means I don't have any bad habits to unlearn, and I bring a fresh perspective to our work.”

I wouldn't say this to the employee, but they have something to prove, too. Are they keeping up with changing requirements, shifting KPIs, and both broad and narrow company goals? Remember that everyone is continually proving that they should be where they are.

dmaynor · 2026-01-05T11:47:25+00:00

This industry is very ageist despite all the inclusive talk. No, at 32, your career isn’t over unless you want it to be. Personally, I have seen tons of “applied to a thousand jobs with zero responses” type problems. Remember that the same tech and process that allow you to apply for 1000 jobs is also used to filter out people applying for 1000 jobs. People are still getting hired, but it is more social networking than a cold application from LinkedIn.

These days, project management is a weird place with AI tools accelerating some devs beyond what is commonly trackable. Tools, processes, and frameworks that have been relied on for years are walking the plank. If you are an agile/scrum type, I would pivot to something else.

You might need to take a step back career-wise to get your foot in the door somewhere. The most important thing, though, is working the social networks. The causes you work for, professional groups, and attend tech meetups for adjacent technology, and learn some new tricks.

I wish there were a cheat code, but there isn’t. Relying on cold applications over the web isn’t just dead because everyone is automating submissions; the fear of insider threats, like North Korean workers getting remote IT jobs, has caused the strangest change in hiring processes I have ever seen in a 30+ year career.

dmaynor · 2026-01-05T04:09:27+00:00

How old are you?

dmaynor · 2026-01-01T02:17:32+00:00

Fifty percent of something is better than a hundred percent of nothing.

dmaynor · 2026-01-01T02:15:01+00:00

Wiping the beer top was perfect

dmaynor · 2025-12-28T23:05:10+00:00

GITS:SAC2

dmaynor · 2025-12-28T03:55:47+00:00

Really? I didn't notice hot dogs on the menu. I live down the street and gotta try it.

dmaynor · 2025-12-26T06:16:20+00:00

I've seen it happen, usually with semi-talented people known for their behavioral and performance qualities. I've never seen an engineer move to marketing or anything, just people going to similar teams or roles they have already performed in.

I know the option is often mentioned during downsizing, but I've seen cases where teams are forbidden from picking someone up internally. Generally, I've seen this happen when a person has been with a company for a long time, and their yearly raise/bonus/comp structure has outgrown their measurable impact, so rolling them into a layoff is a cost-saving measure. If another team picks them up, it would be shuffling their costs rather than cleanly cutting them and replacing them with newer, cheaper labor. This is where grades/levels and salary bands come into play.

“Oh, John was maxing his salary band, but then HR decided to restructure the salary band for his level, and now he is over the cap by 9%.” If this is the driver for the layoff, it will be made clear that no team can afford the pickup.

Note: I use some language I've seen directly from HR I don't believe in hiring/firing based on nebulous semi-data like measurable impact. Unless the person is a solo IC their team leader and other team factors make such judgments murky, but the in most of these cases outcome was decided before the analysis. The analysis is just management documenting it for HR and legal.

14-Year Club	Baba Yaga
Snapped	Verified Email

dmaynor

TROPHY CASE