The Hacker's Cache

#62 Is InfoSec Slowing Down? Threat Models Explained ft. Carl Vincent (vyrus)

Kyser Clark - Cybersecurity Season 2 Episode 63

In this episode of The Hacker’s Cache, Kyser Clark sits down with Carl Vincent, better known as Vyrus, to unpack the shifting realities of cybersecurity. Carl shares straight talk on the Silver Bullet ecosystem that fraud actors rely on, why today’s cybercrime is more about account access than shell popping, and how blue teams can actually turn criminal tradecraft into an intelligence advantage. The conversation spans everything from DEF CON nostalgia and salsa shots to the practical power of always speaking to the threat model. Carl also delivers a spicy hot take on why InfoSec’s growth may be slowing down and what that could mean for the industry’s future.


Connect with Carl Vincent (Vyrus) on LinkedIn: https://www.linkedin.com/in/mcarlvincent/

Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY


Music by Karl Casey @ White Bat Audio

Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

Opinions are my own and may not represent the positions of my employer.

[Carl Vincent (vyrus)]

I think there's a very real chance that in the immediate future, like within the next year to three years, that the industry's growth starts to slow down, maybe even starts to stop, maybe even starts to roll back a little bit. I'm not saying it's all gonna go away, I'm not like doom and glooming, I'm saying strictly financially, from a tactical perspective, it is a bad business decision to bother to do security past whatever it costs you to make the gold iPhone at that point. I don't know how long that's going to last.

 

I don't know if that's indicative of the whole rest of the industry, but I think that's the times we live in. We as an industry should kind of decide how we collectively react to that.

 

[Kyser Clark]

Welcome to The Hacker's Cache, the show that decrypts the secrets of cybersecurity one byte at a time. I'm your host, Kyser Clark, and today I have Carl Vincent, aka Vyrus, who is a senior security pro with deep time in offensive security, fraud and threat intelligence, and adversary work. Carl's known for straight talk on what red teaming really is, how to speak to the threat model, and for recent research into the Silver Bullet ecosystem that fraud actors lean on.

 

So Carl, thank you so much for stomping in on The Hacker's Cache and being here with me. Go ahead and introduce yourself and unpack your experience for the audience.

 

[Carl Vincent (vyrus)]

Yeah, that's me. I'm Carl. I spent a couple decades breaking stuff and breaking into stuff.

 

Somewhere in there, I did a short stint at a shop doing mergers and acquisitions diligence security for Fortune 10-type super big stuff. That was wild. That was pan.

 

For a while, I was doing pen testing, and then I got into full spectrum physical stuff. I was like, oh, this is probably the shadiest job I'll ever do. Then I did that job, and I was like, oh, it gets way shadier.

 

I had no idea. Recently, I've been doing a lot of blue team stuff, a lot of adversary engagement and building out threat detection programs and working for AI companies and finance companies and fintech and that sort of thing.

 

[Kyser Clark]

Can you give the audience the TLDR of that Silver Bullet talk that you gave?

 

[Carl Vincent (vyrus)]

Yeah. Silver Bullet is, I mean, honestly, I hesitate to call it malware, but it's basically evil Burp. Actually, the comparison I like a lot better is it's evil Postman.

 

It's basically a launcher. It's a scriptable launcher for HTTPS requests. Silver Bullet is the closed-source, designed-for-fraud version of the open-source tool, which is OpenBullet.

 

It's exactly what it sounds like. It's designed for people to figure out ways to do web-level REST HTTP-style abuse, usually in the form of credential brute-forcing or account theft or a whole lot of card testing, payment card testing, that sort of thing. It's modular, so it's got plugins.

 

People write plugins and sell plugins for bypassing CAPTCHAs and getting around CSRF tokens. The bad guys all sell their scripts, so the attacks are usually codified in these scripts. The scripts can be incomplete, and so they can be backdoored, and criminals don't trust each other, surprise, surprise.

 

So they often will sell them or trade them for anywhere between a dollar to like 20 bucks for the really good ones. And then the fraud actors, in an effort to check them to find out if they're clean, will post them on VirusTotal. And that's great for blue teams, because that means if you know how to search for them, VirusTotal turns into a nonstop threat intelligence feed for this one variant of software.

 

And the bonus round is that a lot of times, for the nature of the attack, there are URL artifacts encoded into the script so that it's attacking the right place. And that means that as a defender, you can basically take the query pieces that you know will find Silver Bullet scripts, and then add the shortest chunk of an artifact for your domain, for the organization that you're trying to defend. And now you've got this feed for just you.

 

So anything that shows up, this is somebody attacking you specifically.

 

[Kyser Clark]

Yeah, that's pretty cool. So that talk was over a year ago. Is it still relevant today?

 

[Carl Vincent (vyrus)]

Absolutely. It gets more relevant basically by the day. I said this during the talk, at scale, cybercrime, for the most part, unless we're talking about nation states or crypto smash and grabs, is mostly not about popping shells anymore.

 

It's mostly about getting user level access to a platform or set of platforms, and then leveraging those platforms to do whatever the shady is. And in 2025, everything is a SaaS platform now. Everything's third party SaaS.

 

So a lot of it is, as a fraud or threat actor, I just want to get into your account enough to use the website like you and then do the bad and peace out with the account or the money or whatever it is. A lot of it is not custom exploits and malware and popping shells and lateral movement. I mean, those things still matter because they still happen.

 

But they've narrowed a lot, at least in my experience, to ransomware actors or very high tradecraft individuals who are looking for long-term persistence, which tends to veer towards the nationally backed threat actor game, because everybody else, they don't want to stay in your system for six months. That's hard. They just want your account, so they can either sell it or use it.

 

[Kyser Clark]

If threat actors are more into that camp of where they just want to get in your account and get what they want and then get out, and they don't want that long-term persistence, would you say that these types of threat actors, like who are they targeting? Are they targeting the big companies? Are they targeting kind of the individual users?

 

[Carl Vincent (vyrus)]

Everybody. I've seen all the big media producers, like any app you've ever seen on a Roku or an Apple TV, all of those get hit because those accounts get sold and traded. A lot of times people are sharing them with their brother and their in-laws and their whatever anyway.

 

It's all kind of a gray area on how much one platform enforces login party AIM versus another. There's a lot of that. Also, some services are legal in some areas and not legal in others and VPNs are a thing.

 

Honestly, anything you can buy online. Anything you can buy online is fair game. I see all the major cloud providers getting into cloud accounts.

 

Those get hit a lot. A lot of payment card. I'd say the significant vast majority, to the point where I would almost say all, of the carding attacks and credential stuffing based payment attacks and stuff like that that I've seen happens on Silver Bullet.

 

It's the way. All the card testing, card checking, card caching, a lot of that stuff all happens on Silver Bullet.

 

[Kyser Clark]

Nice. Yeah. Well, thanks for unpacking all that.

 

All right, Carl, let's go ahead and move on to the security Mad Libs. For those who are new to the show, Carl will have 40 seconds to answer five security Mad Libs. If he answers all five Mad Libs in 40 seconds, he will get a bonus sixth Mad Lib that's unrelated to security.

 

So, Carl, are you ready?

 

[Carl Vincent (vyrus)]

As ready as I'm going to get.

 

[Kyser Clark]

Your time will start as soon as I stop asking the first question. Here we go. Carl, my biggest professional flex is antivirus.

 

The nerdy sticker on my laptop is an old German conference that doesn't exist anymore. The one I refuse to uninstall is Sublime. My dream setup includes six monitors.

 

You can't call yourself a hacker if you've never done a salsa shot. How am I doing this? I probably have it.

 

[Carl Vincent (vyrus)]

It's very specific. It's a very specific reference.

 

[Kyser Clark]

I don't know. Well, let's go and dive into it. What is that?

 

What is that reference? Am I allowed to know?

 

[Carl Vincent (vyrus)]

So back in the day, you know, in the previous era of DEF CONs, the security goons used to walk around and interact with attendees in various ways. And one of those ways is there was a dude who used to make this stuff called habanero rum. And it was exactly what it sounds like.

 

It was extremely high proof alcohol infused with capsaicin by mixing it with organically grown extremely spicy peppers, strained, and people would walk around. And I mean, the irony of it is that the person who did it was actually very passionate about the peppers part of it. So if like the part of it that you could taste was actually quite good, but you would only taste it for like a hot second, and then it was just liquid pain.

 

And for a few years, so they would make, they would strain the stuff out, but then you'd have the leftover stroma from the peppers, right? And then you have to gut that. And then you have the, you know, so you have the unfiltered, you have the highly filtered, you know, it's, you know, almost transparent.

 

You have the first run, but it's got the gunk leftover. And then you have like the actual pepper chunks, like the stroma. So at one point, for yield, like there's still alcohol in the other bits, you don't want to throw all that out.

 

And so they had, anyway, groups of people would walk around with all three of these bottles. You'd have the super clear stuff, you'd have the pepper chunks, and you'd have the kind of goop that was part of the extract. And through social interactions, every once in a while they would do, they would offer whatever, what's called a salsa shot.

 

And a salsa shot was all three in equal parts into a shot glass, and you would drink this kind of chunky boozy pepper mash. And the rule was you couldn't drink anything for 60 seconds. So you'd do it in 60 seconds.

 

And then for, I think it was either the next minute or the next five minutes or something like that, the only thing you could drink is a warm PBR. And then after that, you could drink whatever you want. And it turned into this kind of like dare, you know, shenanigans situation.

 

Yeah, many, many a memory of salsa shots gone horribly, horribly awry. I mean, in fact, man, I have a buddy who's, he works in IT. He's actually not a security person, but he works in IT.

 

I think he works for like a school district. I brought him to DEF CON one year. Great dude, most of my adult life.

 

And I brought him to DEF CON, and it was during a period when I was still running Open Capture the Flag, which is a game that me and a crazy group of people called DC949 invented years ago, that now is like a huge deal. The open version, because there's DEF CON Capture the Flag, and then there's like our version, both are still around. Anyway, so we brought him to DEF CON one year.

 

He drove out, helped us drive a lot of the gear, a big help. But we got there early, and this was before DEF CON had a Thursday, right? So we showed up on Thursday because we showed up to set up, but DEF CON didn't have like a Thursday yet.

 

And so the salsa shot goons were like walking around, like hunting for victims. And so they find this guy. So he's been at DEF CON, like DEF CON hasn't started yet, but he's been physically in the contest room, you know, so in physically present in DEF CON, total in his life at this point, maybe a whole five minutes, right?

 

We've like parked and gotten out of the car because it's the first place we went in Vegas, because we had to unload all the gear. And so these random people he doesn't know, but obviously know us, are like, oh, you're a noob. Okay, we got to give you a salsa shot.

 

So the first anything that he has on DEF CON is a salsa shot. And he downs it, and immediately it kicks in, and like maybe 20 seconds into it, money's changing hands, people are just waiting on him to pop, they're getting the trash can ready. Like, here we go.

 

And he didn't, he held it in, he was all good. And then he did the warm PBR. And then he sat down for about five minutes and kind of held himself together and then started to like, recoup.

 

Oh, man, it was like, it was a huge flex. It was a huge flex. He writes that to this day.

 

He's like, hey, hey, remember, remember that time those guys like ambushed me and tried to make me do that salsa shot? And they thought I was gonna yack and I didn't. He still flexes on it.

 

[Kyser Clark]

That's great. Yeah. So this past DEF CON was my first one.

 

I didn't see any of that going on.

 

[Carl Vincent (vyrus)]

Yeah, it's a totally different, that stuff is totally like, it all happens offsite on other stuff now. Like, it's a totally, totally different world, man. It's all very professional.

 

[Kyser Clark]

And, you know, interesting, man, it makes me wish I'd gotten into the field a little sooner.

 

[Carl Vincent (vyrus)]

People say that, and like, the nostalgia is real, I'm not gonna lie. But it's just, the world's different now, though, like, you know, things change appropriate with the context of, you know, what they gotta be, you know, I'm like, the hijinks still happen. They're just, they're more spread out.

 

You know, a lot of it has a different flavor, like the stuff that happens at B-Sides is different than the stuff that happens at DEF CON. You know, there's way more conferences now. That's another thing, right?

 

Like, I mean, a lot of this stuff that used to go down at DEF CON and people tell old stories and oh, I wish I went back then. It's like, well, yeah, but back then there was like three cons, like in the world. Now there's like 300, right?

 

So, no, you just, you go to your local con and you do that, right? It's fine.

 

[Kyser Clark]

Nice. Yeah, very valid points. And yeah, yeah, I can, I can understand that for sure.

 

So let's go ahead and get in your bonus question. So this is unrelated to cybersecurity. And you can relate it if you want to, if you can somehow relate them together, feel free to do that.

 

You can explain your answer as much or as little as you want to. You can even dodge a question entirely. So here it is.

 

All right. Bonus, bonus Madlib. My final words in a video game would probably be blank.

 

[Carl Vincent (vyrus)]

GG?

 

[Kyser Clark]

Spoken like a true gamer.

 

[Carl Vincent (vyrus)]

I mean, man, like dad life. So I haven't played a video game in like two years, but I mean, video games got me into security in the first place. That was, that was my path.

 

And I think the last video game I played regularly, like with any kind of cadence, I think was actually Starcraft, which is hilarious because I'm terrible at Starcraft. But I had a friend for many years who was, who got really good at it for an American. And he ended up kind of getting me into it because we would play.

 

And then I kept playing for a while. So yeah, I think that's the last thing.

 

[Kyser Clark]

Nice. Yeah. Same here.

 

That's what got me into where I'm into now. Because like, I was a huge gamer. I made that natural progression from console to PC, PC gamer.

 

And then once I became a PC gamer, I always wanted to, like, how can I get more performance? I started understanding how the computer components work and always trying to buy the best of the best so I can run my games with the best graphics, the most FPS, so I can get pwned online. Yeah.

 

And yeah. And that's what got me in like, that's what got me into computer building. But then, then I realized like, Oh, I'm pretty good at this troubleshooting stuff.

 

Cause like when you're building your computers, troubleshooting is a natural part of that. And one of my coworkers, I used to work in an oil refinery, he's like, dude, why don't you go to college for this?

 

Like, why don't you just like, you know, do this for work or something? I was like, I don't think I can. Like, I'm not like, this is literally what I thought.

 

I was like, man, I'm not good at math. I don't like college. And what a horrible mentality.

 

But like, I feel like that was like my guidance counselor, like all adults lying to me my whole life. Like, oh, you have to be good at math to work with computers, you know? And that's just the case.

 

And I just, I wish like the teachers and the guidance counselors and all the parents, you know, that I had in my life. And wouldn't have said that. Cause I probably would have joined the field a lot sooner.

 

Cause I started in security at age 24. Which isn't too late, but better late than never, but it would have been nice just to get a little earlier start, I suppose.

 

[Carl Vincent (vyrus)]

Definitely better late than never. One of the craziest pieces of research I've ever done. Well, not craziest, but like probably some of the most professional research I've ever done.

 

I did with someone who at the time had only been in the field for a year, and the job they had before they were at the same consulting shop with me was bagging groceries. Like they literally went from bagging groceries to, they were their own kind of nerd and they were reading RFCs and genuinely finding logical flaws just by reading the RFCs and kind of visualizing things in their mind. And then they ended up completely randomly, kind of throwing some dice and, you know, living life, and ended up at a consulting firm.

 

And then we ended up at like a big, like a big shop together and did some research on QUIC that we ended up presenting at Black Hat after that. And she was amazing. She was super smart, you know, and it was a great example of like, yeah, better late than never, you know, only been doing this a year.

 

She's at Black Hat, you know, we're like slinging top-level stuff.

 

[Kyser Clark]

That's great. Like that, I think I have a wicked brain for that. I feel like just reading RFCs, without having any experience, I feel like literally, like, oh, let me get home after bagging my groceries and find actual flaws in these RFCs.

 

And yeah, that's, that's next level thing here.

 

[Carl Vincent (vyrus)]

All the cool bugs, man. Nobody finds the cool bugs fuzzing. You just, you know, it's that, it's that, it's that big brain.

 

You just read it and be like, yeah.

 

[Kyser Clark]

And then to put the cherry on top: it's never too late to start. So I'm not going to mention names, but someone reached out to me, and you know who you are, about how they are like 10 years away from retirement. And they hit me up and they're like, is it too late for me to start?

 

And my first thought in my mind was like, I've been in the field for like seven and a half years now. And I made a pretty good career in that seven and a half years. And I'm like, if you have 10 years to retirement, you can get further than where I am right now.

 

If you put in the work, like you can get a lot accomplished in that, in that amount of time. And like, if you're in your mid fifties, like you can still have a great career. And I, I made the argument like, you know, those 10 years are going to go by no matter what, like if you're in a job that you hate and you're sitting on the sidelines and you're watching people do the job that you think you'll enjoy, well, then you're going to have regrets at the end of your life.

 

So yeah.

 

[Carl Vincent (vyrus)]

You got to do something right. Like if you're not retired yet, you got, you're going to be doing something. So you might as well be doing something that makes you not want to beat yourself with a brick.

 

Yeah.

 

[Kyser Clark]

Great, great advice there. So moving back into our main discussion. So the one thing that actually prompted me to bring you on the show was the Tribe of Hackers Red Team, great book series, by the way. One of the things you said in your entry, you said, always speak to the threat model.

 

And I'm curious if you could give an example of when that advice changed your client's mentality, when you spoke to the threat model, can you give like a concrete example of that?

 

[Carl Vincent (vyrus)]

So many, I would say most of my offensive security career has been spent explaining to people why they don't actually need what they think they need in terms of anything, in terms of information, in terms of engagement. It's not so much now, I think there's been a little bit of shift, but also a little bit of elevation in terms of the common knowledge within the corporate risk space of like what a pen test actually is versus what a red team actually is. So I think it's a little bit different, but it was so common back in the day where everybody, oh, like red teams were new.

 

It was like, oh man, like physically inclusive testing. Yeah. Oh, red team.

 

Yeah. Oh, we need a red team. No dude, you don't need a red team.

 

No, no. Someday. Yes.

 

You will probably need a red team, but let's make sure admin/admin doesn't work on everything first. Okay. You need some people to sit in a conference room for two weeks and bang on stuff and hand you a list of fix-it tickets.

 

And then you need to build a program that can maintain those fixes for a while. Then we can talk about a red team. Right.

 

But yeah, I'd say basically every context is always just either I'd say the industry as a whole has moved from leaders or stakeholders within the org being really convinced of what they need from an offensive security perspective and being very objectively wrong and having to spend most of your time kind of walking them back from like, no, no, no, no, you don't need that. Right. To I think now a lot of it is people know that they need people are a little bit better about knowing the kind of advice that they need now and not knowing how to get it, you know, or, or not realizing that a lot of times it's like, Hey, well, I can, I can go give you a bag of bugs, but if you don't have the org ready to handle those bugs, I'm actually doing you a disservice.

 

Right. So maybe it's not even time to focus on offense. You know, I know you've got your compliance and stuff, but like, maybe you should focus a little bit more on like building a detection program, building an incident response program.

 

I mean, I can think of one client who I had relatively recently on a contract where it was a big client, like, big, big, big, only clients of their industry for the government that they're in. It's like a state-owned company. They basically wanted us to go after Silver Bullet stuff for threat as opposed to fraud.

 

And it kind of turned into a little bit of an Intel game where we were like, Hey, like these people are probably the accounts that you should watch because all the stuff that's hitting you is coming out of these handful of fraud groups. And it's mostly all resales from like these two or three dudes who have horrible tradecraft because most people aren't like, in a lot of cases, online fraud is actually not illegal. Like you can sue them if you can find them or they're in a country that you can get to, but most of the time it's actually not criminally illegal, which is why people do it.

 

Cause it's like, why would I pop a shell and risk getting straight up drone strikes depending on the particulars of the attack when I can just like mob you with stolen Facebook marketplace credentials. And then if you get, you know, if you catch me, you just ban my account. Like why?

 

Of course I'm going to do that. Right. And yeah, they got, they got real upset with us.

 

They were very like, Oh, you're not, you know, you didn't give us what we want. You didn't add to our program. You didn't do this out in the other.

 

And we told them in the readouts, we're like, look, you're getting ripped off right now. Right. And this is cute till it's not.

 

And at some point it's going to get very public and you're going to go from getting a little ripped off to getting a lot of ripped off all at once. And by then it's too late because you haven't built the infrastructure to respond in time. And now they actually are, I mean, obviously I'm not going to say the shop, but they are having problems right now where their fraud response, the technical arm of their ability to respond to the type of fraud that they had us look at, is so atrophied that now it's turning into a threat response problem that is to some degree going to require some rip and replace.

 

Like they have some serious, like in some cases, like threat to life stuff like going on. And so the, like the, the tiny mole is now a very big cancer.

 

[Kyser Clark]

You kind of work like the full spectrum from adversary engagements, threat intel and some response and now product and platform security at large companies. What would you say is like the one skill or habit that actually travels well across all those different roles?

 

[Carl Vincent (vyrus)]

I mean, I would say it's a meta skill. It's just, it's just know what you're talking about. And when I say that, I don't, I don't mean it in like, um, like I say, I know what you're talking about and that just sounds kind of like a, it sounds like a Joe Rogan-y thing to say.

 

Like, it's not, I don't just mean be arrogant or be whatever, but I mean, don't be afraid to not know things, but be very clear, be with yourself between things that are objectively true that you are aware of versus things that you feel are true because of your expertise. And it's okay to argue for these things. Right.

 

But knowing the difference is, is kind of, I mean, and that seems very like kind of meta and kind of like, yeah, dude, just be a grown up. Like, why would I need to be told that? But like, man, I've been in, I've been in such situations where the management.

 

Okay. Here's a great example. I was in a situation where I was, you know, internal doing Blue Team-y stuff and I had a stakeholder come to me and this ended up reoccurring over like a few years.

 

Like they kept coming back to me because they didn't get the answer they wanted, where they, they had a, they had a reason. They had a significant business reason where at certain times of the year, they would have to process a whole bunch of PDFs. Right.

 

So we'd get a bunch, like a few thousand PDFs from org thing. Right. And we'd have to process them in a way that involved humans editing them.

 

Right. And then rebroadcast those PDFs to what would downstream eventually be the public. And the concern was if, if bad bits of malware, something, if, you know, if, if, if negative sticky gets seen in anything that we ship, even if it's not our fault, because we didn't make it socially, we will be held responsible.

 

And that has market impact because the people who were shipping the documents to can just take their business somewhere else. Right. And so leadership had decided that the way to solve this problem was to build a file scanner, basically, they wanted to build a, a, a catch all, you know, put the things in and it'll tell you if anything is bad, they're full stop.

 

Right. And I, I kept having to have this conversation with this person where I said, look, thank you for explaining the problem. You don't actually need a file scanner because knowing that it's bad, won't fix the problem.

 

You need, you're like, you're just going to get a bag of alerts and then you're going to have to go build a process for fixing it. Also, that's not possible. You can get close.

 

You can, you'll get stuff, but solving for 100% of bad in a PDF is like an NP-hard problem because of the way that the structure of the file type is set up. And it wasn't just PDFs. There were a few other files, but they all had this problem.

 

And so I told them, I was like, but the fun thing is that this is actually a super easy solution. You don't need a file scanner. You just need a file cleaner, basically ImageMagick.

 

And then a couple other tools that would give some things away. So I won't say them, but basically like there are three Linux commands that you can put together. That'll solve this problem.

 

So you can just run it in a rapidly destructible container and there you go. We just literally build a big for loop that, when you get these big vats of documents in, you just run them all through the cleaner. And the ones that don't parse may or may not be bad, but you just throw those out. Right.

 

And then anything that goes through it, you've authoritatively decided how you want to structure the file. And so it works. And the threat model here is very similar to like what Chrome did with PDFs, where when you look at a PDF in Chrome, Chrome has a subset inside the code and in Chromium where the rendering agent just turns your PDF into an image.

 

It basically just, it's like Google implemented ImageMagick under the hood. Right. And so, yeah, I mean, they have their issues, but they run that inside of a memory bubble.

 

Right. And it's significantly removed the threat of, well, well, when I'm looking at the PDF, what if the renderer, you know, messes with me? Well, it won't because you're looking at an image, same tactic.

 

And they came back to me with, well, I'm not convinced. Right. Not convinced that my solution won't work, but they're not convinced that building a scanner isn't, isn't possible.

 

Right. And I try to tell them like, look, I'm not trying to be disrespectful. Right.

 

But you're giving me an opinion and I'm responding to you with a fact. Like, it's not my opinion that this is not possible. It's math.

 

It's math. Like, I understand you may not know the math and I'm not trying to make a big deal out of the fact that you know the math. I mean, this is my job.

 

I get paid to know the math. You don't get paid to know the math. It's fine.

 

Right. But please understand what I'm telling you. Like, the earth is not flat.

 

It's not subjective. Okay. You don't have to do it my way, but your way will not work.

 

Like, it will not work. It was like two and a half years of going back and forth with this guy. Where he would like, oh, what about a catapult?

 

Remember this project? Let's try to pull this project off the shelves. Bro.

 

But in the end, they did end up doing it my way. And when everything came to light, they ended up saving significant amounts of money because they were, the way they were going to do, when they couldn't get me to build them the scanner, they were going to go buy one basically. And I mean, they were going to pay just out the nose for this to the degree that it would have had a significant business impact.

 

It almost made like chunks of the workflow not even worth it. And so, yeah, like in that, just knowing the difference and being consistent and being persistent just paid off. And I would say, yeah, that's the thing that'll save you is just don't worry about being, don't worry about speculating and being wrong.

 

Just worry about knowing the difference between when you're speculating and when you're speaking on things, you know, and just never move off that island, man. Just like, nope. Two plus two is four.

 

Yeah.

 

[Kyser Clark]

That's a great story. That's a great analogy. I liked that a lot.

 

The first thing I thought of was imposter syndrome. We're pretty sure like we know we're right, but like, do we know for sure that we're right? Like, how do you, how do you deal with that?

 

[Carl Vincent (vyrus)]

It's a good thought exercise because you can't have imposter syndrome about facts. Like even if it's real, real, real scary, right? If you're surrounded by people pointing weapons at you, telling you the earth is flat, it's never going to make the earth flat.

 

Ever. And so I'd say that's how you use it to challenge the fear, right? Even if it's, even if everything that you're being tasked to communicate is 90% speculation, as long as you can know the difference between what you're speculating on and what you're not speculating on, like hold onto the thing that you're not speculating and just, and just let that guide you through your fear and through your anxiety.

 

And eventually that will guide you through the, the imposter syndrome. In fact, and I find this in most shops, like I'm in my, in my story, it was very one-on-one and there was some resistance, but I had some seasoned in my career. I was also, you know, considered some minor degree of leader.

 

You know, I was expected to kind of lead efforts, right? So like friction was implied in the role, but I would say that that's actually not the majority of my experience. The majority of my experience is that as long as I say, like, these are the facts.

 

Now, let me tell you what my opinions are based on my expertise, that sometimes people that have, that know things that you don't will actually help you. They'll actually fill in like, Hey, you didn't say these other three facts or Hey, you presented this, like this is subjective, but actually that's a, that's a fact here. Let me go pull the paper.

 

Let me go show you this research. Like, no, no, that's actually a known thing, right? They'll help you build this mountain.

 

And it also builds this, if you learn how to communicate that in a way that's not adversarial and you get used to that, it also kind of changes the vibe of the conversation where it's like, it changes from who's right and becomes more of a, no, we're all building the airplane together. And so these are the, these are the facts that I can offer, right. But that need to be part of the solution.

 

And then it builds a pattern. So other people will join the conversation and say, Oh yeah, well, you know, I'm 90% speculating on all the stuff that you asked me for, even though I'm relatively confident about it, but these are the three things that I know. And one of those things is something you didn't know.

 

And it's like, cool. Now our plane has five facts and a minute ago it had four, right. And it just kind of organically builds this, like, you know, by the time you're done, it's like, Oh, wow.

 

Like between all of us, we're like 90% sure on the solution. And the last 10% is the collective speculation of all these people in this room who we know all have value because they've all communicated at least one fact that is, that is high cohesion.

 

[Kyser Clark]

That is a golden nugget. Thank you so much for sharing that. Like we can argue the solution to the problem.

 

As long as we are working together to run the play that wins the Super Bowl, you work together as a team, it's okay to have different opinions and different solutions to the problem. But as long as you're trying to win the game, it's you're just really talking about like, what play do you run to win the game?

 

[Carl Vincent (vyrus)]

The way I like to phrase it is all of us want our stock to go up. Right? Like, like, nevermind who's getting what salary or different comps, like we're all getting shares, and we all want those to go up.

 

And if we want those to go up, we should be right. So like this little like 10 second little ego boost that ain't gonna pay my bills in five years.

 

[Kyser Clark]

That's a solid point. So Carl, unfortunately, we are running out of time. So I'm gonna ask you the final question.

 

Do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share?

 

[Carl Vincent (vyrus)]

I got one really spicy thing and I'm kind of scared. This is gonna be spicy. It's gonna be spicy.

 

[Kyser Clark]

Hello, spicy, man.

 

[Carl Vincent (vyrus)]

About to get canceled. I think we as an industry should maybe theorize about what it's going to look like for the first time since InfoSec has boomed into InfoSec, you know, out of quote unquote, hacker culture, I think there's a very real chance that in the immediate future, like within the next year to three years, that the industry's growth starts to slow down, maybe even starts to stop, maybe even starts to roll back a little bit.

 

Now, I'm not saying it's all gonna go away. I'm not like doom and glooming. But I'm saying I think this is gonna sound political, but I'm not trying to be political.

 

I'm just taking the state of the world and applying it to what we do and saying this is what my crystal ball says, right? America, very specifically, the West slightly more broadly, except Europe's pretty good at this to some degree, because they have like, you know, GDPR and stuff like that. Usually, the consumer marketplace experience dictates the line between security and business friction, right?

 

People want a frictionless UI, but they also don't like getting ripped off. They also don't like having their data stolen, right? And as technology has become more ubiquitous in society, I think we've moved in the last couple, you know, 15 years from a world where, yeah, you can be mad that like this company lost your data, but what are you going to do?

 

Go use a competing product? There aren't any. To now, there's significant saturation across technological platforms.

 

Like people will take their ball and go home. They will use a competitor because they don't like getting emails about data breaches, right? They don't like having their credentials lost.

 

They don't like, they experience like, oh, yeah, these guys got breached. And then that later on in that week, all of a sudden, my spam calls went up like a lot. And now I'm getting like way more spam calls than I used to.

 

Like people are feeling it, right? Like people are starting to intuitively kind of grasp a little bit more what's going on in cyberspace. And I think that has led, that has been the line of, well, we need to make sure we don't get breached because it's a problem, right?

 

Like it helps the org recognize a problem. I think that's kind of going away a little bit. And I'll illustrate it in an example.

 

I feel like it's an open secret, right? That in Apple's not the most recent, but a few times ago, groups of layoffs, right? They got rid of basically their entire threat intelligence team.

 

They basically just decided we don't care about threat intelligence. Very rough estimate, right? Let's call it 100 people who are probably all making six figures doing threat intelligence.

 

Let's call it a million dollars a year. Does it make financial sense to keep a threat intelligence program such that people keep using your phones or iCloud versus like, oh, if your intelligence sector gets too weak, you can't go chase the people responsible for the fappening as like a random example, right? Does it make sense to pay the money to have that capability as an organization versus does it make more sense to just buy Trump a golden iPhone?

 

And if the fappening 2.0 happens tomorrow, that the sirens aren't coming for us because we already bent the knee and kissed the ring. So our customers will be mad, but we won't have to worry about litigation. And since our ecosystem is so locked in and we can afford not to care.

 

I'm not commenting on the ethics of that or the morality of it or any of that. I'm saying strictly financially, from a tactical perspective, it is a bad business decision to bother to do security past whatever it costs you to make the gold iPhone at that point. I don't know how long that's going to last.

 

I don't know if that's indicative of the whole rest of the industry, but I think that's the times we live in. And so I think we as an industry should kind of decide how we collectively react to that. Yeah.

 

I don't know, man. It's wild times, but this is kind of how I see it.

 

[Kyser Clark]

Well, thank you for that perspective. That was a doozy for sure. I really liked that.

 

It was a little spicy. And I think you make some very valid points. And I think there's a lot of truth to what you're saying there.

 

Unfortunately, we're out of time. And the final wisdom is the final wisdom. I have like five follow up questions, but till the next time, we're going to leave it there.

 

That was good. Carl, thank you so much for hopping on the show. Where can the audience get ahold of you if they want to connect with you?

 

[Carl Vincent (vyrus)]

I do have an account. I really use it. It's vyrus001.

 

I'm also on Bluesky at vyrus.bsky.com, I think, whatever that is. I'm on Mastodon. I can't remember if that's vyrus or vyrus001, but it's at a sub-instance called hackers.town. And then, yeah, I float around on Slack and Discord and stuff. I guess probably the most public of the Discords that I'm in is probably the Valid Discord. So yeah, if you slide into the Valid Discord, I'm skulking around there.

 

[Kyser Clark]

Great. And audience, best place to reach me is just drop a YouTube comment, ask your questions, I will reply, and maybe even feature on one of my Q&A episodes. Audience, thank you so much for watching.

 

Thanks for listening. If you enjoyed the show and you're on audio, rate the show five stars. If you're on YouTube and you're watching on video, hit the subscribe button, hit the like button, and hopefully I'll see you in the next episode.

 

Until then, this is Kyser and Carl signing off.
