[tosser12344321]

I'm a head of security, great career, did engineering into management, made a tidy living doing advanced work as a risk plumber across companies that have been relevant. I've built great teams, met and solved hard IR, delved into the real reaches of vuln research, other neckbeard things, got paid very well along the way. Seen and worked on the APT issues.

More or less, I am the attractive resume, and: the game has changed folks.

For what it is worth, I am taking my ball and going home in about 12 months. I've saved enough, locked in a perma-middle class lifestyle in a great nondescript city, and swapping over to offensive consulting and a AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.

I'm not quite old enough and with the end of responsibilities as to FIRE, but I can read the writing on the wall enough to understand an AI-proof FI needs to be locked in before everyone else realizes the same. Many others in sec are feeling this.

I think tech will find security pros willing to throw themselves into the fray for pay and optimism. There are others like me who are extracting their final nuts. There are others who have golden-handcuffed themselves into this ride with their mortgages and private school tuitions. And I'm sure some others will stick it out. There will also be an AI-enabled version of sec eng soon enough.

But if private sector doesn't wake up to AI integrations - internal doc rollouts hoovering up PII that wasn't supposed to be stored there, externally-facing customer support portals social engineered and pivoted into, PRs via Slack comment via marketing hires who are ATO'd - this is going to be a 1990's-style BBQ where 0days on critical systems are dropped at happy hours at conferences nightly.

And: your security teams are going to be burned out, banking up, and quitting. The risk acceptances, the double-speak, the slow-rolling, the half-baked risk thinking for engineering and product leads, the corners cut, the public endpoints opened up just this one time - that's going to be enough rope, and already is enough, to hang yourself in this offensive context that's building now.

It is deeply humorous that SWE and engineering leadership has worked itself into this position via its AI push to unemploy itself while thinking it's the 1x white collar job exempt from automation threats.

All it'll take is another recession like '08, and the leaves get shaken off the trees finally. Thankfully there is only one (wait, there are two probably), thankfully there are only two-to-three (wait, there are like 10) systemic market threats right now.

[01100011]

I totally appreciate this take and have thought something similar but I am old enough to be familiar with the part of my brain responsible for these thoughts and know it has a long track record of being horribly wrong.

Sure, hedge your bets. Get financially secure. But also consider that "nothing ever happens" is usually correct and the world has a way of ensuring things keep going in the direction they have to in order to give stability to the establishment (which we are generally a part of).

[tosser12344321]

I've thought about that as well - what derails this, what invalidates the unstoppable forward march? That is often how the world works. City real estate costs were flying up year after year after year, and others rust-belting, until Covid and remote work, for example.

So, what can derail AI out of left field? Maybe building DCs for it in Arizona and EMEA can, for one.... choosing very "water-rich" locations there for water-cooled systems.

So, how could this land longterm, assuming AI works sort of good, sort of bad against the use cases? The real questions here for industry people though should be this:

1) How does this play out, over the 5-10 yrs we have to see it occur of trying it/redoing it/trying a new version/going back to the old version, all the while it's occurring over my career, all the while when I have bills to pay and relationships to maintain.

Ans: I think that's a hell of a lot of financial and employment stress induced on us by people who don't understand the tech they're rolling out, the state change that's occurring, and don't need to deal with the consequences. All the while, I go mid career, to late career, dealing with what AI can actually do in the background.

2) What is actually going to work wrt being relevant to my job?

Ans: I think what actually works is the vuln research aspect of AI, feedback loops rapidly, rapidly speeding up on that.

And, what is the most stressful, obnoxious, high burnout part of the job - sec arch and vuln remediation, or IR and vuln response. Both about to go on overddrive, and already are if you're minding bug bounties and IR these days.

3) Has this happened to other industries, how did it go?

Ans: trading, trading, trading, trading. Check it out.

[01100011]

I don't know what derails it, I just know that the line on the chart going up or down rarely goes straight. AI might finally be the thing that results in permanent exponential growth and not a sigmoid, or maybe it hits some limits. Maybe those limits are on the human side(our ability to use it, regulatory, social backlash, etc). Maybe management tries to cut out the tech folks only to result in a tangled mess of crap that only we can help them untangle? Maybe the folks with background knowledge will suddenly be needed en masse to control and leverage AI?

We are, for example, about to grow the reach of tech even further thanks to AI. A large percentage of future warfare, for instance, will now be taken over by tech. If humanoid robots get gud, there's a whole 'nother world of applications that will probably need people to specify, test, improve, etc.

Sure, on the one hand I think the value of writing code will probably go to zero in ten years(although some applications explicitly forbid AI coding like some critical infra or space stuff), but writing code is a small part of many SWE's jobs. AI currently still needs to be told what to build and how to make a cohesive, sensible product. Maybe that changes, maybe it doesn't. But the path to eliminating human work is not short or clear-cut.

[theturtlemoves]

> a AI-free, non-tech trade that won't take too long to get into - think a PA, nurse, plumber, etc.

I'm not sure if personal assistant or nurse are going to be AI-free. Plumber, welder, bricklayer, pest exterminator, sure. Don't underestimate the downsides of physical labor, though. Low pay and backbreaking.

What writing on the wall? If anything, I think you'll be more needed, not less, in times to come.

[tosser12344321]

> I think you'll be more needed, not less, in times to come

Ya I get the need but you miss the point - no, you can't pay me anymore to wade into that and own risk, beyond a consulting context with low skin in the game.

There is a wave of senior leads thinking like this, because the knife's edge of "enough risk to game it for pay" finally tilted too far, and the career has changed.

In terms of going home after work and not yelling at my kids and spouse due to work stress due to the 10th 0day in a week on my corporate VPN/my retail-facing app/my..., there's a real QoL issue to consider. Many outside of security consistently misunderstands the mental health/career satisfaction/pay triad.

[chasd00]

> beyond a consulting context

"Consulting, if you're not a part of the solution there's money to be made prolonging the problem" - Despair.com :)

/i'm a consultant

[tosser12344321]

The well-paved path into vCISO life

[theturtlemoves]

Fair point, hadn't looked at it that way.

(Edit: Word of warning though, my father was a bricklayer and he also screamed at his kids whenever he came home overworked. I'm not saying I know the answer here but every job has its "they don't pay me enough for this shit")

[operatingthetan]

>Ya I get the need but you miss the point - no, you can't pay me anymore to wade into that and own risk, beyond a consulting context with low skin in the game.

In a situation of triage, "owning risk" is off the table.

[01100011]

> Low pay

I see you haven't hired a tradesman in the USA lately...

Sure, my body would hate me for it, but as a plumber I could make about half what I make as a SWE and given the progressive tax structure and business write-offs I'd probably net a comparable salary.

[jdlshore]

Self-employment is more expensive than you think. On the positive side, generous IRA limits. In the negative side, health insurance costs. In my experience, that’s what gets ya. Tax differences are fairly minor and not enough to cover the gap.

[01100011]

Really? It's been a few years since I was a 1099 contractor but it was pretty good. Write-offs for new computers and equipment, for the home office, for 10% of all utilities... Mileage... Did all that go away?

[jdlshore]

No, but it’s generally for expenses you wouldn’t otherwise have, if you’re being honest about it. There are some existing expenses you can write off (like the home office, internet, etc), but you also pay the so-called “self-employment tax” which doubles your social security and Medicare taxes (or something like that; it’s been a while).

The major benefit is that you can invest much more of your income into a SEP-IRA, which is a before-tax deduction. 25% of income or $75K, whichever is lower. That adds up.

But health insurance is a massive cost. Last time I ran the numbers, which admittedly was a while ago, my income as a self-employed consultant had to be much higher than my income as an employee in order to reach the same take-home amount.

I’m not a CPA and wasn’t interested in squeezing every dollar out of the system. I had a simple sole proprietor LLC. So there may be other tricks to pull. But the tax writeoffs are overrated, in my experience, other than the IRA. It’s not free money; for the most part, it’s a discount on purchases you wouldn’t otherwise be making, and a lot more hassle to boot.

[01100011]

> my income as a self-employed consultant had to be much higher than my income as an employee in order to reach the same take-home amount.

Yeah, I typically charged double my salary rate. You have to pay for your own sick time and vacation time. I think that's generally baked in to the rate.

[theturtlemoves]

Really? Time to move to the USA I guess. Here in Europe it seems to me there's a big gap between minimum wage and high paying jobs. Not much in between

(Afterthought: Don't forget the time and cost of retraining. I don't doubt your statement that you'll make just as much but I doubt it'll be right off the bat)

[quickthrowman]

Union electricians make about $60/hr in my metro area of 3M in the upper Midwest, union plumbers, sheetmetal workers, and pipefitters are all around there or higher. The total pay package is over $100/hr if you include health insurance, vacation, and pension.

[01100011]

Plus overtime, which you actually get paid(more) for, unlike being a salaried worker.

[burningChrome]

This is huge and something I've been hearing a lot of rumblings about.

I just did some quick research:

- ~4.8 million unfilled cybersecurity roles globally as of 2025–2026

- Global workforce ~5.5 million, but ~10.2 million needed to meet demand

Not to mention the growth in the industry has slowed to ~0.1% year over year and you're seeing those shortages are outpacing the current workforce. Add in the most senior folks like yourself are just noping out and leaving the industry wholesale is troubling and unsettling.

Its not surprising we're seeing an unprecedented level of successful attacks. We simply don't have the resources to keep up with the criminals/hackers out there who are moving significantly faster than the companies they are targeting.

As others have pointed out, I'm not sure how this can get anything other than much worse in the near future.

[zipy124]

Being a cyber criminal pays many multiplies of working in cyber, as it already is with legal offensive cyber paying far better than defensive cyber. Capitalism going to capitalism. Especially since the risk of cyber crime is so much lower than physical crime, with your ability to commit it cross border, and backed by a nation state it is unsurprising it is a growing problem.

[bottlepalm]

I'm starting to think anyone who knows anything about software engineering has a moral obligation to step up and defend against what's coming. I think the world needs us more than ever, this is a critical time that can go one way or the other. We need to use AI to defend and protect ourselves and the ones who can't protect themselves against malevolent AI and its users.

[lelanthran]

Who is paying my mortgage while I step up?

[dboreham]

Like we did for electronic voting?

[tosser12344321]

I wish there was a medium that would feel like it would work for this.

[semiquaver]

How?

[bottlepalm]

Working for companies doing it already, starting companies to do it, working free on open source project to hammer them down, or creating your own open source software to aid in AI defense.

[fsflover]

Does switching to Qubes OS count?

[bottlepalm]

No, but contributing to it does, or more so the packages it depends on which are more cross cutting.

[rtdq]

There are two polar opposite vibes in this comment section: one guy above is calling FOMO, we should all get into the security trade, and yours is FUD.

I hope this all lands somewhere in the middle but honestly who knows at this point.

[tosser12344321]

I'd suggest talking to people in the security trade!

And if you're planning it, plan it soon b/c vendors like Dropzone are carving out the entry sec eng ops/ir jobs in-house or at the MSPs, and Trail of Bits skills foss on GH are carving out the 2-3x extra $3-400k TC line sec eng roles .

[mihaaly]

Feels like that there was a World War started on smaller spark than some of those in the OP in a tense world. And this world is tense again, very tense.

[chasd00]

i've been saying there's going to be some interesting "computer glitches" in the news over the next few years. We've already had one where someone convinced an AI to sell them airline tickets for $1. I expect many more strange bugs, some being very bad, in the future.