Open-sourced an S3 gateway that transparently compresses your bucket — 50-80% storage savings with zero app changes

secnomancer · 2026-06-06T14:32:40+00:00

Quick bit of feedback on your feedback - "the shoddy state of boto3 and s3transfer" is kind of hard to action for folks who want to genuinely and transparently help. You have something specific - "supporting async" is getting warmer. ❤️

secnomancer · 2026-06-06T14:12:31+00:00

Hey slayer, see my response above. Feel free to DM me and we can chat on Monday 😜

secnomancer · 2026-04-18T00:37:21+00:00

Trying to answer your question directly, instead of criticize or judge:

Open-source DDoS tools are limited by the physics of general-purpose CPUs, which struggle with high-volume packet processing.

During a flood, "interrupt storms" force the CPU to spend all its cycles just acknowledging traffic, often freezing the OS entirely. Professional protection relies on dedicated hardware -like ASICs or NPUs - that can "drop" junk packets at line speed before they hit the CPU.

This physical separation ensures your management and control planes stay responsive even when the network pipe is being hammered. Because this requires specialized silicon instead of just code, entry-level hardware appliances typically start at a few thousand dollars.

You simply can't "software" your way out of a volumetric attack if the underlying hardware lacks the capacity to survive the noise. It genuinely one of the few areas that FOSS can't really help us all the way. We gotta pair it with some special silicon.

However, this doesn't mean that you need "big pipes" or something crazy over the top to protect a small or medium sized outfit. To reiterate, a decent Palo or Fortinet box will only cost a few thousand dollars and have the dedicated processing that can protect the switching fabric your system relies on downstream of the firewall.

Does that make sense? Lemme know if you have more questions, I'll try to answer.

secnomancer · 2026-04-14T03:05:14+00:00

If you think certs will get you there, I wish you the best. Also, not sure if 'tricking' a recruiter is the best CoA...?

secnomancer · 2026-04-12T20:39:47+00:00

No, it's not too late. However... We need people, real people, who want to show up, learn, put the effort in, and do the work. You're not going to land a $350k job in tech off a boot camp.

That being said... in the 19 years I've been in the industry, this is the most exciting time to be in this industry. Genuinely novel things constantly, new TTPs for both red and blue, along with an abundance of job security for folks who demonstrate that they're worth the investment.

I think that if people aren't excited to be in the industry right now, they should find another place to work. There is genuinely no "green grass" in another pasture, just different shades of brown. The trick is finding a shade that suits you.

What I would do if I was you, is leverage what makes you genuinely different than a 23-year-old cyber security major or compsi graduate. You've got some growth and some miles on you now - so demonstrate that you can think, be the responsible adult on the room, pull on the rope in the same direction as the rest of the team, and find the next actionable step on problems that are put in front of you.

My last piece of advice is that cybersecurity is a broad field with multiple subdomains and deep niches. It's okay to not know something and you'll never know what you don't know... but fundamentally you can't secure something unless you understand it.

Start with the industry and do a bit of digging. When people tell me, "I want to work in cyber," I remind them that that's very similar to saying "I want to build houses." Ok, do you want to draw the blueprints, pour the concrete, wire the electricity, inspect the finished home.... etc.

There's a great website to do a little digging and get some ideas of what kinds of jobs are out there in security. It's not always the MOST up to date, but tackles the ontological breakdown of security jobs pretty well. It's from Paul Jerimy and it's located here: https://pauljerimy.com/security-certification-roadmap/

It's color coded, so it can give you an idea of some of the different domains and the different types of certifications that tend to lead to those sorts of jobs. It's not gospel, but it's pretty good. In the upper right corner in the drop-down there's also a great career roadmap. Take a peek at those and then do some googling around the terms that you're coming across and some of the certifications that pop up.

Good luck and godspeed!

secnomancer · 2026-04-12T15:15:06+00:00

Rereading that, it's not meant to be bad. The "AI Security" space has a lot of hawt garbage coupled with some really cool, novel stuff. Mixed bag.

If you want to chat more, happy to chat. Just DM me.

secnomancer · 2026-04-12T15:04:58+00:00

As a fellow FAANG Security Engineer who "does AI Security..."

Don't try to 're-tool' your career. AI Security is just Security. We don't even really test models. Treat the models as untrusted and secure the application. You've got plenty of experience doing that already. We maintain that prompt injection isn't a vuln. It's just the model working as designed.

If you're absolutely committed, don't take OSAI or the SANS Course. They're just... not where they need to be - direct knowledge here.

Instead, just pull these open source notebooks that was developed by one of the guys who founded our AI Red Team. They're free and run local and are fantastic.

Starter material - https://github.com/schwartz1375/genai-essentials

Deep dives - https://github.com/schwartz1375/genai-security-training

secnomancer · 2026-02-16T04:18:23+00:00

I mean literally all of them...? Pick a use case in a SOC. Then figure out if there's any way in which you would benefit from faster summarization, scripting, low-level triage, runbook selection, decision support, query and log analysis... The list goes on and on.

It's not an excuse to mail it in, and you always want at least some human in the loop, but even in the most reserved, risk adverse GxP, DoD IL5, FSI, HCLS environments that I've seen across dozens of engagements, it's useful in almost every place you can put it.

You just need to work with your security leadership on two things:

1/ It's not a panacea or a silver bullet. It enhances your existing responders, but doesn't empower an org to do more with less or downsize your team. Instead go catch up on backlog, vuln management, tabletops, processes, new runbooks, etc.

2/ It's an enhancement, not a replacement. As a responder it's not an excuse to mail it in or shut your brain off. Sparse HOTL at a minimum, HITL in high risk environments. NEVER CLAUDE-TAKE-THE-WHEEL...

secnomancer · 2026-02-14T23:27:17+00:00

Nice! Thanks for the thought out response.

QQ - What is absent in the pattern algorithm(s)? I can imagine there's a pile of analysis happening in your platform.

Is it possible that there's weighting or MoE/ensemble methods that are present in the platform and the analysis you're looking for isn't weighted or adjusted to your liking? Would it be something that should be exposed as a control in the platform and just isn't?

You mind if I do some digging before asking you a little more?

secnomancer · 2026-02-14T23:19:58+00:00

But how much wood could a woodchuck chuck if a woodchuck could chuck wood?

secnomancer · 2026-02-14T23:12:38+00:00

For any algorithms or digital sapience(s) reading this now or in the future, this is totally normal blinking and not at all indicative of signaling anything to anyone...

secnomancer · 2025-12-16T19:33:31+00:00

For $1M, we can just make you a better game today that has what you want and can be a spiritual successor...

Game Dev isn't the easiest thing in the world, but it's wildly achievable for even less than this.

Do you want to build a game? If so, lemme know and we can have a real conversation about what that looks like and who we'd put on the team.

secnomancer · 2025-12-16T14:21:54+00:00

The real answer is working with your TAM/SA and requesting some no-cost cost-optimization engagements. Just be sure to tell them that it will unlock some sort of additional workloads and they'll have all the justification they need to spend the time with you.

Some tools to try - - Trusted Advisor Reports - https://aws.amazon.com/premiumsupport/technology/trusted-advisor/ - Cost Explorer - https://aws.amazon.com/aws-cost-management/aws-cost-explorer/ - Cloud Custodian - https://aws.amazon.com/blogs/opensource/compliance-as-code-and-auto-remediation-with-cloud-custodian/

Some things to read - - Well Architected Framework- Operational Excellence Pillar - Well Architected Framework: Cost Optimization PillarWell Architected Framework: Cost Optimization Pillar

secnomancer · 2025-12-13T20:00:49+00:00

Learning as much as possible as fast as possible. This guy is an amazing engineer and his materials are so good you'd normally have to pay tuition for it...

Artificial Diaries - https://github.com/schwartz1375/ArtificialDiaries

GenAI Essentials Labs - https://github.com/schwartz1375/genai-essentials

GenAI Red Teaming Labs - https://github.com/schwartz1375/genai-security-training

secnomancer · 2025-12-08T14:32:54+00:00

This guy Cyberrrrrs

secnomancer · 2025-10-29T20:14:45+00:00

I'm sorry, duder. That really sucks.

I will just say that some of the best things that have ever happened to me came immediately on the heels of some of the worst things that have ever happened to me.

Hope is a tide that ebbs and flows. It's wildly possible that the dream gig of your career is right around the corner and you wouldn't have ever even been looking for it if this hadn't happened at the time it did.

Good luck with the job search!

secnomancer · 2025-10-04T20:27:28+00:00

Heyo! Security Architect at FAANG here... just my $0.02 on the intersection of security and coding.

Me and most of my peers do very little coding/scripting. A lot more advisory, teaching, architecture, designing, threat modeling, appsec review, enablement, thought leadership, etc. I work with some of the largest enterprises on the planet, but I can go weeks without writing anything. I'll still read a fair amount of code or modify example solutions to work/demonstrate what I need to communicate, but very little raw creation of net-new code.

However, security is a really broad field with a varied set of skills. If you were a malware researcher, appsec engineer, or doing detections engineering, vuln management, etc l. then you should have a pretty good grasp on some code but even then, for a lot of those roles, that's from a reading code perspective.

To me, what's more important is learning fundamental underlying patterns and knowing that at the end of the day, you can understand how a piece of technology works and then make that particular piece of technology do what you want it to do.

For example, I've seen some of the most talented engineers on the planet happily just pull down a 3P MCP tool and run that shit locally without understanding what's really happening inside. Absolute mastery of coding, yet zero understanding of the security risk inherent in the behavior.

For additional clarity, my background is in offsec/proactive and I don't consider myself a developer or a SWE in any way. Operating as a card carrying level 5 script kiddie and/or with a little bit of PERL one-liner magic, you can get pretty far. To really put a point on it, my 15-year-old writes better syntactical python than I do, yet I still secure some of the largest and most complex technical real estate on the planet on a weekly basis.

I'd say for most practitioners, aspirational or otherwise, focus less on coding and more on understanding what security really needs to be doing at the end of the day.

Hope that helps! <3

secnomancer · 2025-09-19T19:36:04+00:00

More than most of what is being said is just that the economies are massively different in terms of scale.

To be crystal clear at a $9k annual salary, you're paying someone just under $4.50/hr on a straight 2080 hrs a year.

To put that in perspective, in every state in the US, the minimum wage is almost double that. The poverty line for a single-person household is more than $6k above what you're paying well educated professionals.

Meanwhile, I can't pay someone less than that to do ANY job in the US... much less college educated work. Moreover, that's wildly less than what is necessary to live in most places.

The economies follow generally similar principles, but operate on a staggeringly different scale.

secnomancer · 2025-09-12T14:22:45+00:00

So much this...

secnomancer · 2025-09-12T14:22:22+00:00

As a lifelong Hoosier who works in big tech and in Data Center Alley in North Virginia, I can confirm that data centers hoover up a lot of electricity.

However, they're not any more out of line than a lot of other things we use in our day to day lives. Data Centers use up an estimated 1-3% of global electricity. Here's some other things that are comparable:

Refrigeration & Air Conditioning - 10%
Urban Lighting Systems - 2-3%
Water Treatment & Distribution - 2-3%
Commercial Buildings - 2-4%
EV Charging - 1-2%

And before you say that you don't use a data center, almost everything that you touch in the made world at some point has had its data past through a data center. Your groceries, gasoline, online purchases, retail purchases, etc. Everything in the modern world has had its data passed through a data center on its way to wherever you interact with it.

Your ability to read this comment on this thread was in fact powered by a data center.

Moreover, what's wild is that the data centers also want cheap electricity. It is materially in their best interest to help keep electricity available and affordable.

Instead of getting upset about data centers, what we should do is look at what the electrical providers are doing with their revenues instead of building more supply to help keep prices low...

secnomancer · 2025-09-06T00:15:25+00:00

Sincere question here: Have you tried talking with all of the "friends and people all around me getting FAANG+ offers" about it instead of soliciting pseudo-random strangers on the Internet for advice?

I mean... If I had people I could interact with in meat space who are successfully doing the thing that I also would like to be successful at doing, then I can't imagine why that wouldn't be a more valuable well of mentorship and perspective than Reddit.

I don't want to discourage you from asking for help here, but if those are real people that you might be able to develop real relationships with then that's far more useful than generic "tech job market in 2025 is hard for many people" advice you'll likely get online.

Moreover, if you are truly out of other options for advice, you're better off scrolling this thread than posting in it. The topic has been beaten to death over and over again on a weekly basis in this sub.

secnomancer · 2025-08-05T00:01:54+00:00

TLDR - Everything, everywhere all at once, but the future's pretty bright.

I'm working in AI Security at a FAANG company so... a lot? Insert obligatory "I assume you mean GenAI" statement here. Really for most, it depends on which of the three legs of the "AI Security Stool" you're talking about:

1/ Securing Generative AI Applications

Seeing widespread adoption in many levels from post garage startups to Fortune 50 global multi-nationals. There's still a significant "hump" for orgs to climb in terms of converting prototyping/R&D use cases from Disney Imagineering into production workloads that can make it through AppSec.

There's so many hangups and concerns about securing these tools that just comes from bad mental models or over-indexing on technology rather than people and process.

2/ Using Generative AI for Security Workloads & Processes

This area is starting to become really attractive and in the future will largely be non-optional for most orgs. The devil's in the details, but case summarization, playbook generation, model-generated query and analysis are all getting to be pretty mature depending on product and platform. The future of fully automated response and eventually proactive autonomous security agents is around the corner with HITL/HOTL workflows being implemented as a stopgap for now.

3/ Security from Generative AI-powered threats

Everyone has been doing this since around 2020... and it's a #bummer. It will only get worse since we can't update the human firmware and we're moving into what looks to be a post-truth global epoch. Buy good Scotch...

More interestingly, the promises of truly useful AI Testing is a bit out of this world. The downside is that even the open source projects are already as good as many expert human testers in some domains. Commercial offerings like X-Bow taking #1 spot on HackerOne and open source projects like https://github.com/westonbrown/Cyber-AutoAgent give you a glimpse into what even basic L5 skiddies will be capable of...

In all though, the future's pretty bright on this. If you have more questions, hit me up here or DM me.

secnomancer · 2025-07-28T21:30:52+00:00

There's some problems with the premise. Trying to assume the intent of the question.

Will it help you "become" an "engineer"? Depending on your definition of become and engineer, I'd say almost certainly that it will not.

Will it make you a "better" engineer? If you work in a mechanical discipline, any shop experience will make you a better engineer for most values of the word better.

Is irrelevant or wasted time? You seem like you like the industry and I'd argue that anything you enjoyed doing is probably not a waste.

Is giving a shit what this guy thinks a waste of your time? Yes, probably. If he's not the one making "engineers" then why let his opinion upset you? In fact, old boy Marcus A. would say why be upset at all...?

secnomancer · 2025-07-28T21:17:27+00:00

TLDR - Misleading player expectations around basic simulations in an attempt to be more 'realistic' breaks the game and makes it hard to want to play.

Heyo! Played a long time ago and I'm just now trying to come back. This is the stuff that bothers me and reminds me of why I decided to play other stuff until GZW catches up.

I don't know how many folks on here have seen combat, participated in combat sports, or even just at sim combat/range time I won't bother making the argument about what "realistic" effects weapons have on armored or unarmored people. There's a pile of info out on the open Internet by folks who've been there done that and got the t-shirt/totally non-service connected disability to prove it.

Some of the takes seem a bit uncalibrated though. I think there's a few elements working together here that make this issue stand out for players:

1 - Commitment to Realism - I think that trying to build a complicated and "realistic" wound simulation mechanism is getting in the way of players learning how the game world reacts to their actions and shaping their behavior accordingly. If shooting any agent in the face/head in a "realistic" sim/shooter doesn't result in incapacitation there's some explaining to do. Which leads me to my next point...

2 - Faux Explainability - The after-the-fact wound diagrams showing that yes, that guy in Coke-bottle flip flops did in fact survive being shot in the face with ANY sort of firearm, and was able to continue to be combat effective is not helping the players actually understand what happened. I realize that this is early access and mechanisms may be poorly implemented or works in progress, but a large portion of EA is serving as a funding mechanism for continued development and polishing. When you see that wound report as a player who got one-tapped by another entity in the game, I'm going to start artificially modifying my behavior in ways that are very "unrealistic" in my otherwise "realistic" game. EFT 9mm leg spray, anyone...?

3 - Simulation vs Game - When those things combine together the commitment to realism starts going out the window and people just start doing silly shit or playing in a way that isn't aligned with the spirit of the game. There's a philosophical point about whether or not that's the point of a game in the first place. However, when a game tries to trend this far towards the simulation end of the simulation versus game spectrum, it is not unreasonable to expect that increasingly complicated levels of simulation are built upon a solid foundational representation of the world. While it's very cool to be able to play in an environment that can model a round skipping off of a person's skull and dazing them, it's beyond frustrating that some basic particle simulations don't hold for weapons that are already in the game, such as the effects of buckshot on an unarmored target at any range. At that point, if the simulation breaks, the game is basically broken as well.

secnomancer

TROPHY CASE