I quit Infosec and I couldn't be happier.

This article aims to give you some insights into the experience I had in the “infosec world” for the past few years. I had an amazing journey and I am grateful for everything that happened. Don’t get me wrong with the title: even if the road was sometimes “bumpy” (aka ‘bad’ experiences), I learnt some good lessons through them and live by them. I am not trying to convince anyone of anything with this article, except to do what’s good for you and preserve yourself. Just that.

The end-of-year season is just wrapping up now and it is quite an interesting period for me, as I am meeting with some family and old friends and they often ask me how things are going, what I am up to and what challenges I foresee for the upcoming year. Funnily enough, I “quit” (professionally speaking) infosec 4 years ago but people still believe this is my day job and ask me how things are going in that area, as the news is boiling in that regard (LastPass breach, ransomware attacks, …).

To give you more context about me, I’ve always been passionate about infosec, and this started almost 20 years ago when I discovered this “field”. There was no bug bounty back then, and Twitter was not a thing. I discovered it through milw0rm and str0ke who operated it, but also thanks to the French community: some old site called “loadition.net”; Heurs and Trancefusion who created the “AoS” hacking crew, which didn’t last long; French people like Xylitol who were (and still are) such an interesting mystery. I followed “La Nuit du Hack” back then, when it was held in some old farms and then on some boats in Paris. There was IRC, where people were idling all the time, where you never knew if it was the right time to ask a question and where it took ages to get an answer. And most importantly there was “The Hacker Manifesto” (and obviously Phrack, which I did not understand at all at that time), which still resonates today in my head: “I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.”

It was such an interesting time, I was around 12-14 years old.

I dived into this field, learnt some C and Python, did my first GUI with Delphi, idled on many forums & IRC channels and spent countless hours on the computer - days and nights, weekends obviously included. I was literally passionate about this field, about this mindset: “think outside the box”, “it’s a challenge between you and the machine”. I was always speaking about it and I knew I wanted to do that all my life. It was not only a way of working, it was a way of living.

I then decided to pursue practical studies in Computer Science, where I learnt more about programming, assembly, engineering etc. I was studying in the day, “playing” at finding vulnerabilities in PHP CMSs in the evening, browsing the internet and improving my grep skills to spot potential flaws. Fun fact, this actually got me my first job! I contacted the CMS author and he fixed the vulnerability in no time. That guy is called Rodrigue and has been one of the best mentors I’ve had in my life. We stayed in contact and eventually, that guy was so nice he offered me a job the year after my vulnerability disclosure, when I was on the lookout for a position as an apprentice.

I kept working hard to improve my skills and eventually I made it as the only student speaker at the very first edition of GreHack - good old times. Same for DeepSec, where I met an amazing crew in Austria while travelling as an exchange student in Prague.

After finishing my studies, I decided to go work abroad and went to London, where I spent 2 years working in the penetration testing field. It got pretty intense (especially since I didn’t go through any academy process; I was just a fresher straight from University, where I had learnt all my practical skills by myself), as we mostly had 1-week assessments to do on our own (shadowing was almost non-existent at that time) and 25% research time (a killer argument, as we did not have that in France back then), allowing us to do whatever we wanted to. Two of the best highlights of this journey are that:

  • I successfully achieved OSCP, which was a huge milestone for me
  • I worked on DET, a Data Exfiltration Toolkit, a project I created entirely from my head based on the HammerToss campaign, way before Domain Fronting capabilities. One day, it even got Dave Aitel’s attention on Twitter and that really filled me with joy, thinking I was on the right path to achieving things.

This opportunity abroad let me be a trainer at Black Hat USA, which, for a European guy who’s passionate about infosec, is just the Eldorado! I did my first DEFCON in 2010 while studying in Canada, and I have had stars in my eyes ever since!

Funny memory - I remember the first internal assessment I did, where I got Domain Administrator in a few hours - I told them about devices that were connected inside their network; they thought those were not connected anymore. That reminds me of an amazing talk from Haroon Meer where he essentially says that one of the defenders’ advantages is that they know the battlefield compared to attackers. How come an attacker knows the battlefield better than the defender after spending a few hours in it? “Such a stupid state to be in”, if I can quote him.

After a while working in the penetration testing field, some kind of feeling grew in me, being surrounded day and night by infosec professionals, and it kinda boiled down to: “But why don’t they just patch? It’s not that complicated after all.” I couldn’t understand the fact that when we came back X months later for a retest, things hadn’t changed, or we found another (sometimes even easier) way to compromise them.

I clearly miscalculated the complexity needed to make things change within companies, and I overlooked it so badly. On the other hand (allow me to play devil’s advocate for a second), I had never experienced it before: no one taught me about that kind of complexity (change management & all) during university, and the previous (and only) company I had worked for was just a small startup where things went blazing fast. This is where seniors may have a real added value, explaining the unknown to juniors.

Back to France

Fast forward, I came back to France around Brexit to pursue some venture with a friend (I met Romain at a climbing spot in London and realized after 30 minutes we were literally neighbors, like next-door neighbors; since then he’s been such a good friend of mine), which “collapsed” quite quickly after.

What should I do now? I realized I was tired of working in security. Seeing some Assembly/Python/Shellcodes did not excite me anymore; it almost made me sick. I did not want to touch a computer anymore, I was pretty much done with that. I didn’t have this excitement anymore, as I used to have. You know, that kind of passion that makes you wake up in the night because you have this “amazing idea” that you need to try, right on, right now! I went from a passionate “Hack everything!” motto to disgust about it, not wanting to touch a computer anymore. After some years and some introspection, I can now fully say that this was the beginning of a burn-out.

That was it.

Taking your passion and making it your day job is obviously tempting but also a risky game, as you will keep “working” tirelessly if you’re not putting up barriers (I was single at the time, with not many friends in a new city and eager to learn new things), and I do think that employers have duties here to prevent it. I was not aware of that sloppy road of excessive work (and the associated risks) and I fell down the rabbit hole because of what? I was just eager to learn more, explore more, hack more, uncover more.

I took a break for a couple of months to travel to Iceland, go skydiving and do things outside of computers. This got me so energized!

I finally joined Michelin in December 2016, where I started working in the CERT team. My main mission was to automate scanning and reconnaissance phases on internet-facing assets, and this was my first real experience on the other side of the story - defending infrastructure - where I finally experienced change management (and the complexity behind it), impact evaluation and so on.

At the time of this article (January 2023), I’ve been in the company for 6+ years and the journey has been fantastic and led me to different roles, especially outside of security. After the CERT journey, I had the opportunity to lead a team of “DevOps” (http://paulsec.github.io/posts/devoops-ramblings/) adding and maintaining new assets in the IT ecosystem (Artifactory, Gitlab, AWX, …) to help development teams across the organization. We internally developed a tool called ChopChop to implement what DevSecOps meant to us, and we also gave a talk at DEFCON about it. Phenomenal team with outstanding achievements. I think this is the best team I’ve ever had the pleasure to work with. Please refer to the previous blog post to learn more about it if you’re curious.

I then pursued another role as Lead for the IT Support team for Logistics, where I was able to touch and see the real matters that the company had. Not that it was not the case before, but my main missions beforehand were mainly “IT for IT” driven. Even though we might first think that this is 100% unrelated to information security, there are similar ambitions. You are not necessarily trying to attack/defend a system, but you’re doing your best to prevent any big impact, and it’s a great thing to consider this as a game. Based on my technical background, I naturally started diving into SRE (Site Reliability Engineering) and helped towards automation, mitigating “by default”, and I loved it. I also met amazing colleagues such as Guillaume and Adil, with whom we’ve had some pretty intense (early) days and (late) nights. This was mainly a human journey (I can’t emphasize this enough) - I met incredibly talented people and we then achieved the goals that we set together. This is one of the highlights of my career for sure.

Finally, I changed position last November to lead a new team in charge of rewriting one of the main applications we have at Michelin for the Supply Chain. The team has clearly been phenomenal on the milestones it has already delivered and I am blessed to be part of that journey! I might write some lengthy post about it in the upcoming months, they clearly deserve it, but I need more time to apprehend their full potential. Imposter syndrome is starting to kick in!

Don’t get me wrong, I am not trying to be a Michelin advocate, but I wanted to explain the journey I took and why I decided to switch to a different path. One thing I realized over the years is that even though security is (still!) one of my passions, human interaction is far beyond it. I remember I annoyed my co-workers in London when we went out to grab a coffee; I was the annoying one having chit-chat with the baristas because I liked it. I loved that kind of exchange.

I love people - I think this is why I enjoy trips so much, actually. You get to appreciate people’s differences and different opinions, and this makes you richer at the end of the journey. When I look back at myself when I was at school, I used to be extremely rigid and “binary” - it was either black or white. The reality is that it’s more a nuance of grays I have in front of me. I am happy I learnt this at an early stage of my career, as this is one of the most important things I’ve learnt.

Based on that, I decided to pursue my career more on the management side, and to keep the technical aspects as a hobby - and I promise, I keep tinkering (a lot - at least, as much as I can).

Even though security is not my day job anymore, I still have one foot in that ecosystem: I keep maintaining cfptime.org, a website listing calls for papers for infosec conferences, since 2017. I also speak from time to time on NoLimitSecu, a French podcast about security, and I occasionally tweet some things, like I will tweet this blog post in the upcoming hours. I also spend some time testing new frameworks and developing new tooling for personal purposes. I still do a bit of reverse engineering, mainly Android malware. I dive into the security advisories that I find interesting, with no pressure or intentions behind it. I came back to the root of that passion - eager to learn with no specific boundaries, I try to keep thinking out of the box :-D.

Takeaways

Looking back, working in infosec was such a great experience and I recommend it to anyone who wants to jump in!

There are many things from along the way that I can still reuse nowadays, such as:

  • a great technical background - I experienced assessments on Windows, Linux, Android, iOS, … and it’s great to have this overview of all those platforms and to have navigated the internals of some of those systems
  • the rigor and exactness needed when writing a memory corruption exploit - I will essentially refer to Corelan’s trainings (both bootcamp and advanced) and the OSCE certification, as they are really challenging and you need to understand exactly what you’re doing to make it work, one byte at a time.
  • in addition to the rigor, the ability to script something fast and to identify quick wins that can have a big impact
  • consider a company that fits with your values and your ambitions (which lets you explore new opportunities, that lets you uncover your potential…), with the right way of working (mandatory shadowing on assessments, …) and so on!

The main warning I might just give to people is to keep a proper distance between work and personal life. I often use the analogy “you’re here to run a marathon, not a sprint” and I think this is a good one. I would clearly recommend people to pursue some activity outside of security in their time off. I personally do improvisation theater and this is such a relief!

To conclude, never forget to have some fun, pursue your dreams and do what is good for you. I wish you all the best, you deserve it!