Share this
dnsUNFILTERED: David Huyhn, KnowFatigue
Podcast > Episode 45 | January 19, 2026
Mikey Pruitt (00:00)
Welcome everybody to another episode of DNS unfiltered. Today I'm joined by David when little H we ⁓ asking David the pronunciation of his last name and he described that Stewie with kill cool whip at the end. Well, welcome to the show David.
David Huynh | KnowFatigue (00:14)
Hello everyone. Mikey,
thank you for having me. Hello everyone. I'm happy to be here.
Mikey Pruitt (00:21)
So I kind of wanted to, I've seen you on a few different episodes of Things and throughout LinkedIn and I wanted to start talking to you about motivation and passion. And we kind of, kind of got into this before we started recording. ⁓ So your motivation to get into a cybersecurity career and your passions, I wouldn't say necessarily align, but they serve each other. Is that right? Explain that a little bit.
David Huynh | KnowFatigue (00:47)
Mm-hmm. That's correct.
So, everyone, I'm 29 years old now. I'd probably say I was broke loser for the majority of my masculine upbringing from like 18 all the way to about 26. So we talk about motivations of getting into cybersecurity and I didn't even know it existed. I knew nothing about IT up until about 26 years old.
When I say I didn't know nothing, I mean, like, I don't know all the sub fields, networking, cloud, systems, things of that nature. I didn't know cybersecurity. ⁓ So, you know, in my early twenties, I've jumped from things to things to try to make money, try to make an income, try to have a financially stable life as a young man, you know, car, hopefully move out of the mom's house. Didn't happen till later, but...
So a big motivating factor for me of just getting into cyber once I learned about it and I learned about it through my older sister who joined the army and she got into IT and then she moved over to cyber security and now she's out. She has the, you know, security clearance and she's working the GovTech role. And that's how I became aware of cyber security. And I was like, it's working for her. Let's, let's try it. Follow up after her. This is around three, three and a half years ago when I was 26. So.
The big motivation there was just I was broke early 20s, ⁓ credit card debt, not happy with my life financially. ⁓ And I wanted to make, you know, be a little bit more financially independent. And so I saw IT and cybersecurity as a pathway for that. ⁓ Then when we kind of start talking about passions, it's not to say that I don't enjoy cybersecurity. I definitely do. But the...
I just want to be clear about, my initial motivation was definitely financial. As I've gotten
things have changed. ⁓ Where of course the financial component isn't like the only thing that I'm concerned about anymore. ⁓ And there is enjoyment, there is growth. ⁓ And I think the over, ⁓ you know, the crossover with them is that,
you do need to have a level of financial stability before you can actually like feel and enjoy your passions. There's tons of artists out there who have passed away ⁓ very not financially stable. And I would definitely argue that it negatively impacts your ability to like really fully enjoy your passions if you are so financially lacking. So.
You know, I think that's the interesting crossover about it. Well, I got into this field just to become financially secure. And as I've gotten some success in that regard, I can kind of look at it and enjoy it more just for it. But yeah.
Mikey Pruitt (03:57)
So it sounds as you're kind of describing like ⁓ breathing room, essentially, like the financial burden of being less is giving you breathing room to understand the job and the work that needs to take place and have an appreciation for it. Not necessarily a, know, ⁓ talking about it every second of every day like cybersecurity and it can consume your life. Like if you're
David Huynh | KnowFatigue (04:02)
Mm-hmm.
Exactly. Yeah, exactly.
Mikey Pruitt (04:26)
Looking at social media and I don't know what your feed looks like, but mine is very like cybersecurity technology ⁓ AI. I'm like, my gosh. If I hear this one more time, I'm just going to freak out. ⁓ but yeah, that breathing room really does give you the space to think about the important things in your life.
David Huynh | KnowFatigue (04:30)
Mm-hmm.
Yeah.
It's a funny dichotomy because in some ways for you to get job hop and promote and get to the higher roles and get more skillful in some ways, you kind of do have to become obsessed of it with that level so that you put in that work and you keep upskilling. But then on the other end, everybody's balance is different of how much they.
Touch grass, and I mean that figuratively, right guys? However you wanna call it, touch grass. If you're just playing games, if you go surfing, you go fishing, go shooting, go to the gym, whatever that may be, but your life doesn't have to be consumed about it. I think it oscillates for different people. Not everybody wants to be a super senior engineer, not everybody wants to be a CISO. And everybody has to kind of determine how hard they're willing to.
much discipline they're willing to put into cybersecurity and become the best that they want to be if they want to be the best, you know, so.
Mikey Pruitt (05:43)
So you're bringing up ⁓ discipline and momentum. I think listening to your story, you joined the Marines, kind of got introduced to cybersecurity through your family member, your sister, and it looked like a trajectory. But you can't just say, hey, I'm in cybersecurity now. That's not really how it works. You kind of have to learn a few things. And you do, at times, periods of your life.
David Huynh | KnowFatigue (05:59)
you
Mikey Pruitt (06:13)
⁓ have to have an obsession to learn something new. So it sounds like what you're saying is you can turn on and off this level of discipline that is necessary for the next goal to be acquired. Does that make sense?
David Huynh | KnowFatigue (06:27)
And you know, I'd really agree with that. And that was a perfect way you said it, because you just activated like an analogy in my mind. If you have a big goal of becoming some type of surgeon, some type of doctor, like you already know, six, eight, 10 years of your life are going to be dedicated to schooling. ⁓ I don't know all the medical terms, but then then, you know, you finally make it to become a doctor and now you're in residency. Like it kind of. It kind of becomes your life obsession. It becomes your life.
when you're in that mode to achieve that big goal of whatever that may be, ⁓ law school even. So I think in a similar way, not so similar in terms of cost, not so similar in terms of year of formal schooling, but maybe similar just in terms of like similar mindset of obsession, consistency and discipline that it's gonna take, it's gonna require a lot from you.
to break into cybersecurity. And sure, for some people, they've been able to break in with a little bit less for whatever location, whatever situation, whatever they knew somebody. But for the most part, having the skills, the competency, the understanding, ⁓ ideally some IT work experience, it usually takes some time to upskill, get into the IT world, and then kind of jump from there. It's a very unorthodox path to jump.
right into cyber. And I think the only usual successful path like that is if you were able to secure ⁓ internships while you were in college. Otherwise, it takes time. Military is also a pretty consistent path into cyber security. But for the most part, ⁓ if you haven't secured internships, ⁓ if you didn't go military, usually most people are going to need some IT
job as a stepping stone first.
Mikey Pruitt (08:27)
I was going to ask you, so your break into cybersecurity, like it sounds like you kind of had a plan. You knew some milestones along that journey. Maybe some of it was still a bit opaque when you started, but you kind of developed it along the path. And a lot of the content that I see, like the popular content on let's say like TikTok or YouTube shorts that are about cybersecurity are often about breaking in.
David Huynh | KnowFatigue (08:43)
Mm-hmm.
Mikey Pruitt (08:54)
to the career of cybersecurity. So based on your experience, what do you think are some key lessons that you learned that you could kind of impart on someone along that journey?
David Huynh | KnowFatigue (08:55)
Mm-hmm.
Yeah, I'm going to say some, guess it's polarizing. I don't think it's polarizing, but ⁓ if you disagree, that's fine. If you don't, I hope it's useful to you. there's a few, like we mentioned, there's some general blueprints of successful archetypes of breaking into cybersecurity, military, getting some type of IT, cybersecurity, MOS going that way. ⁓ If you're able to land cybersecurity internships while you're...
going through college, that is pretty beneficial. ⁓
Mikey Pruitt (09:44)
What role do you think certificates play in the mix?
David Huynh | KnowFatigue (09:49)
I think, and it's to varying degrees, but I do think it is pretty big and important. Obviously just fair notice, maybe potential bias here from me. I broke into the cybersecurity with about eight, nine months of IT support experience. I didn't earn my degree at that time. So I was only certification and IT support work experience, but that took me from zero to nine months and I had eight certifications at the time.
I was basically getting a cert every month. Today I have 24 certs and they are all active. ⁓ regardless, so the role that they play.
Mikey Pruitt (10:24)
Wow.
David Huynh | KnowFatigue (10:32)
Obviously they look great on paper, depending on which ones you pick. Additionally, depending on which ones you pick, some are very conceptual, minimal skill, just good brain knowledge, good speaking, but you don't know how to do anything. And then there's more technical certs where you really know how to do things and you really know how to get a job done when it comes to the hands on the keyboard. So I think different certs have different purposes. They, no matter what, they almost all make you look good. So I kind of have this mentality of the more the merrier.
Yes, there's some financial constraints with that, but it comes back to the analogies of the doctors and the lawyers of the investment to get in. And trust me, it's much more generous over here than trying to become a doctor or a lawyer. You're not going to work out with like walk out with 200K in debt, or at least you shouldn't. Yeah, you're doing it wrong. So they definitely play a role. depending on the ones you select, they can just make you look good and have good conceptual knowledge.
Mikey Pruitt (11:19)
If you do, you're doing it wrong.
David Huynh | KnowFatigue (11:33)
depending on the ones you select, you can have genuine skills. ⁓ And also depending on the situation, they may genuinely be kind of like HR gate kept necessary. Government roles, it's kind of necessary to have a security plus. Some pen testing roles, you won't even get called back if you don't have an OSCP. Management roles, they might not look at you, you don't have a CISSP. mean, it's a genuine thing. ⁓
So yeah, they play a pretty big role, but they're not the only thing. Just putting that out there.
Mikey Pruitt (12:11)
Yeah,
it sounds like it helps to have some type of paper proof that you can do what you say you're the job you're applying for.
David Huynh | KnowFatigue (12:16)
Mm-hmm.
Yep. Especially if you can showcase and back it up. And what do I mean by that? One of the best ways is having a project. And I know this might get really old kind of broken record player type deal, but ⁓ I'm going to go into like the actual how to, you know, cause a lot of people just say a home lab or project, but here's a little bit more of a scenario of let's say me myself, I get a Splunk cert and this is biased because I was a cybersecurity and a SIM engineer. And ⁓ I literally did this.
So have tons of Splunk certs, admin level, enterprise security, enterprise admin, cloud admin, whatever. And ⁓ of course it got the interest and got me to an interview. Now at the interview, I already had a Splunk project. I had my VMware already loaded up. had my VMs already loaded up. Had 64 gigabytes of RAM. I'm good to go. Midway during the interview, I got asked a question of what have I done with Splunk so far?
Perfect timing. I just screen shared my VMware lab, sold them my name, sold them the data is coming in, sold them how I did it, sold them my architecture. ⁓ That showing versus just showing and telling versus just telling, I think it really.
It puts you above probably 90 % of all interview candidates ⁓ because most people don't go that far. And I think seeing is really believing. ⁓ It's a lot different me telling you I'm a good car salesman versus I literally just sell one of your cars on the lot right then and there, right? I might get the job right then and there. So in a very similar way, because I had the lab to showcase my Splunk skills, me showing that I have the Splunk admin certifications goes a lot further.
⁓ And yeah, a lot of hiring managers and seniors have hired bad apples who've done exam dumps, who've had people take exams from them, whatever it may be, and then they get the job and they're completely incompetent. So I think it only helps you to showcase and back up your certifications as well, not just stop at the certification.
Mikey Pruitt (14:28)
Yeah, that's actually probably pretty powerful. Like if you can imagine you're on the other side of that equation, you're the hiring manager, you're interviewing 10 or so candidates for a job. And one of them is like, you know, that job you're hiring me for, here it is. I'm doing it every day for fun or for learning purposes.
David Huynh | KnowFatigue (14:44)
Mm-hmm. Mm-hmm. And it could apply to
almost any cybersecurity job. Even GRC, if you draft up an 853 policy, you draft up any type of compliance policy, like a mock one, for that job industry, like if it was an airport, whatever, then it shows that you have that number one initiative, but it also shows that number two, you have that insight and that skill and that actual genuine real world skill set.
So on the hiring side, it's just like, who the heck is this guy? Like, is different. He's not just saying, I know Splunk. He's showing us he's done things with Splunk. I'm telling you, psychologically, it changes the whole, it changes everything. Seeing is believing.
Mikey Pruitt (15:31)
Yeah, you probably made their job much easier that day.
David Huynh | KnowFatigue (15:35)
It becomes,
it also stops feeling like it's an interview. Like they're just shotgun FBI investigating you. You're doing a demo. It's a conversation depending on how nerdy and how into it the senior is on that interview. They can get excited as well. Just looking at your home now. They're like, so how'd you do this? And you guys are both like nerding out. It's great. It's great. But having...
Mikey Pruitt (15:41)
You're almost doing a demo. You're like doing a demo for the job.
David Huynh | KnowFatigue (16:03)
Having this hands-on skills backing up your search with a project or a home lab is the way.
Mikey Pruitt (16:10)
Good advice. And now I'm curious, so you're, I think you're in the banking industries, all right? Like you kind of work in.
David Huynh | KnowFatigue (16:17)
That was my first
role. That was my first role. Now I've transitioned to other roles. One of the roles that I'm in, one of the fields of the healthcare industry. But yeah, the banking industry was my first industry. Did you want to ask about that?
Mikey Pruitt (16:32)
Well, based on,
yeah, well, just not in banking specifically, but I'm more curious as to what are some of the things you see in the day-to-day work of being a SOC analyst or cybersecurity engineer? What are some of the things that come across your desk that you have to deal with?
David Huynh | KnowFatigue (16:50)
Yeah. So guys, I am a technical blue team professional. OK, so I'm not offensive. I'm not pen testing. I'm not even necessarily compliance GRC. ⁓ So just to put that out there first so that you guys have some context of the type of work I usually run into. From an analyst level,
Depending if you're an in-house meaning you're like protecting that genuine company that you work for. ⁓ Customers bank. was on customers bank. was protecting customers bank as opposed to if you work for some type of contractor or some type of MSSP ⁓ managed security service provider where you're per very, you're providing sock surfaces to another organization. Your workflow and your life balance and your day to day work lifestyle is going to, it's going to differ severely ⁓ with.
and internal, you get your tickets and your alerts and you have all your different tools and logins and dashboards. And it's just you and your company and you get to learn your company very intimately. You get to understand your architecture very intimately. You hopefully you're not, but from my experience, you're usually not burnt out by the ticket and the workflow. And usually you have available time to upscale. You have available time to.
Hop in and assist with sister IT and cyber teams. Like maybe you're just an analyst. You're supposed to be on alert and triage, but because you have the time availability, you're able to assist with projects, whether that may be vulnerability management projects, SIM projects, whether that be any type of additional projects that are outside of just typical alerts, triage, and just incident response at that level. So that's kind of what I've
run into and what I've seen when you're in-house sock. With MSSP it's totally different and unfortunately there's goods and bads, right? You become, you should become very fast and efficient because you have SLA service level agreements where you're responding to XYZ tickets within an XYZ timeframe. Depending on the severity, a high ticket should be responded to in a shorter period of time than a low.
⁓ and you'll see a lot of different attacks. You'll see a lot of different tickets. You'll, you'll run into a lot of different tools, because you have, you have to serve so many different clients and the different clients. One might use cloud or crash rate. One might use Sentinel one. One might use elastic. One might use Splunk and so on. So you get, you basically drink and drown in cybersecurity when you're in an MSSP and
I think some people have to be prepared for it or at least mentally embrace it versus it catches some people off and therefore they kind of feel that that burnout, you know, ⁓ it can become alert fatigue and you're just responding to a whole bunch of false positive benign and, and, and you might get a little bit lazy and lackadaisical where you just copy and pasting previous tickets. Yeah, there's, there's, there's pros and cons with it. ⁓
I always try to teach people to always look at the best of everything and make the best of it. ⁓ Let's say you're at the MSSP. You need to bust your behind, leveling up in the after hours and on weekends when you're not working so that you can keep up skilling and hopefully job hop into a different type of company, a different type of role, a next level role so that you're not just stuck at level one tickets and alerts all day if that's what you want.
If you're happy with it, good to go, do your thing. But that burnout, I think people work, feel like they're working really hard and they're not getting to a type of result. Because if you work really hard, but you get your result, usually you feel rewarded and you feel accomplished. Usually you see it, the burnout, you know, and I think burnout can be physical and or mental or both, but the burnout usually comes from, I feel like I've been busting my behind.
and I'm not getting the desired result. So I feel frustrated, exhausted, and therefore burnt out. So that's SOC analysts or cybersecurity analysts, by the way, SOC Analyst Security Operations Center. And by the way, it's kind of like the analogy of a rectangle is a square, but a square is not a rectangle. So a SOC analyst is always also a cybersecurity analyst.
But a cybersecurity analyst is not always a SOC analyst. SOC analyst is very specific to alerts, triage incident response. Cybersecurity analyst is anything and everything you want it to be depending on the company. Because they can call you a cybersecurity analyst and you're just on vulnerability management, purely vulnerability management. You can be purely just GRC. You can be a jack of all trades doing alerts and triage, but you're also doing a little bit of engineering projects and whole everything like.
Cyber security analyst literally means anything and everything per the needs of that company. So just want you guys to be aware of that. Security engineer. ⁓ If you're just called a security engineer, a similar story, it can literally be anything and everything, IT, networking, cloud, cyber, ⁓ until you usually get a additional title that specifies what type of engineer you are, a detection engineer.
is alerts, SIM, helping the SOC with those alerts, creating the alerts, creating the tooling for those detections, things of that nature. That's a specific type of security engineer, vulnerability management engineer. ⁓ SIM, I think I said the technical engineer, there's a SIM engineer, there's cloud security engineers, there's network security engineers. you can, obviously the specified title would determine that, but
The lifestyle and workflow of a security engineer, let's just say you're a jack of all trades. It's going to be company dependent, security posture dependent, meaning is that company security posture a little bit more mature or are they more immature and they need to be developed? Meaning me as the jack of all trades, I need to implement the SIM. I need to ingest all the tools and all their sources or has it already been done for me? That will change my
type of workflow and the projects that I'll be seeing and highlight on that, security engineers typically work on projects. They don't usually typically work on just pure tickets. That's a big difference and a big change from the analysts workflow and lifestyle. So, ⁓ you don't really have SLAs, but you have kind of due dates and expectations based on the...
the progress of the project and whatever project manager you're with, or maybe it's also your security manager. So it's a different lifestyle. ⁓ A lot more meetings generally. ⁓ An analyst, you'll usually have some type of touch base of just how things are going. It could be daily, it could be once a week, twice a week, but engineers would be a lot more sporadic or potentially consistent. And you're actually meeting with stakeholders about progress of things.
⁓ So, yeah.
Mikey Pruitt (24:37)
Getting closer to that
managerial area. the way you were describing the burnout, feeling like you're spinning your wheels and you're not really making progress, it sounds like people in those roles are kind of doing the same things over and over again. And I'm curious, when is there?
David Huynh | KnowFatigue (24:40)
Yeah, yeah, yeah. You interact with people a little bit more as an engineer. From my experience.
Mm-hmm.
Mikey Pruitt (25:06)
like a configuration change necessary or some new tooling perhaps? How does that escalation process take place?
David Huynh | KnowFatigue (25:16)
you're asking in general, technically, like when is that? Ooh, wow. When is a configuration change necessary?
Mikey Pruitt (25:19)
Yes.
Like, when is it justified?
David Huynh | KnowFatigue (25:28)
Guys, audience, Mikey asked a crazy question. So pay attention, OK? Because he asked, when is it justified? But there's different angles that I can answer that. There's kind of a technical cybersecurity best practice justification. But then there also needs to be a business financial risk justification. These are like, we're on the same team, but we're like two different brains. We're like totally different world, So there's
There may be many times in your guys life and your experience where cybersecurity and best practice wise, the justification is there, the risks are there, the vulnerabilities are there. You guys are ⁓ a vulnerable target. The likelihood is there. The impact to the business is severe.
And now you need to communicate that to your manager, to your uppers, to the CISO, so that this can get actually approved and especially financially approved, right? Now here's the other side of the business, because we just spoke about financial. There's more to this. To get that tooling, to get that remediation, to get that whatever change request ⁓ enabled, executed.
How many people do I need to involve? Do I need to involve systems administrators? That's money. That's work for, that's the systems managers, employees that we're taking resources from or sharing resources with ⁓ financially. How much does that solution cost? Do we need to hire contractors? Things of that nature that, you know, on the individual contributor level, on the technical level,
We aren't usually in those conversations, but it is invaluable if you guys understand that there's more to cybersecurity than just, ⁓ technically it needs to be done and that's best practice and that's good. And we would be defending the company. Well, it's got to get approved. The resource has got to be there, both finances and manpower. ⁓ We need to prioritize it to what's already on the table of projects. So I'm not saying there's a right or wrong.
I'm just saying that there's so much more moving parts than just the technical justification. So. And the better and the sooner you guys understand that there's genuinely a business and there's finance and there's revenue involved and there's expenses and budget involved. I think you guys can better draft and communicate the technical to the business. Cause you can better communicate with them and it's always going to flow that way. The technical needs to better communicate.
to the non-technical, the business ain't going to come back our way. Only project managers do that, but the managers and other departments, they're not. The credit team, the fraud team, they're not going to come learn what CrowdStrike is and what it does. And they're not going to learn Splunk, but I for sure need to explain why them utilizing this Splunk dashboard or us getting this change where we enable MFA across the company. I need to communicate about the
the impact, the benefits, the risks if we don't, the cost to do it, the timeline, the training. We need to communicate to the non-technical and to the business stakeholders. They don't necessarily need to communicate in our lingo, but we need to communicate in their lingo. The sooner you guys do that, the better you're gonna be able to communicate and the better you're gonna be able to synergistically work with your sister teams that are not always tech.
Mikey Pruitt (29:10)
I'm picturing ⁓ a group of accountants that get a line item. That's like an EDR or CrowdStrike or Senowon or Huntress. And it's just like this giant number and they're like, what is this? And you're like, but it's, it's, need it. We need it. Like your, your, we need it has to be pretty convincing. ⁓
David Huynh | KnowFatigue (29:28)
Mikey, you just said something
good too, guys, as cybersecurity analyst and or as an engineer. This is a genuine work, work to do list that you may be asked to do. And it may be necessary. I mean, necessary for your sock, for your job. You might need to communicate the value that the money, time, resources, energy is being put into cybersecurity initiative.
Definitely you're gonna need to communicate it to your managers or to your CISO. Because the CISO needs to also present it to the CFO and CEO for those budgets to get approved, right? So that's why we get a whole bunch of these dashboards and metrics and reports about SLA, meantime to detect, meantime to respond, ⁓ vulnerabilities are, the poems about vulnerabilities from this month to this month, ⁓ attacks that have been attempted versus.
how many that we've defended against. It's so that we can have these metrics, we can paint these beautiful dashboards because pictures are better than spreadsheets always, graphics are always better than ⁓ Excel spreadsheets always. ⁓ So that the C-suite and upper management can make their best educated decisions about how to allocate resources and are they being allocated responsibly, efficiently, effectively. So it's a big deal.
Mikey Pruitt (30:58)
commented on a Reddit post just this morning. ⁓ Someone was talking about how their ⁓ remote employees only had DNS filtering on their devices, which I work for a DNS filtering company, DNS filter. So was like, that's great. However, DNS filtering alone does not make a security stack. this person, they were going back and forth with a few of the other Reddit commenters and
David Huynh | KnowFatigue (31:22)
It does not.
Mikey Pruitt (31:28)
Basically, was, first of all, you probably need to send out your resume because there's a breach coming and this company is probably going under. And the other sentiment was that you didn't do a very good job of selling this to your higher ups, the management team, whoever needed to press the button to buy. You did not convey the importance of more security on the endpoints that are roaming off network appropriately because they said no. ⁓
David Huynh | KnowFatigue (31:56)
very basic defense in depth. That's a very basic conceptual cybersecurity framework, having defense in depth. It's not just the seatbelt of the car, you also have the airbag, you also have the frame and how it crunches and cracks and the glass doesn't shatter. You have defense in depth in almost anything, right? You have an alarm system at your house, but you also lock the door, right?
Mikey Pruitt (32:18)
That's actually a really
I like that car analogy. I'm going to use that in my next presentation. You got side impact airbags, got child restraints, blah, blah. Yeah, that's good. So I'm curious. So like you're very involved with cybersecurity. You know a lot about it. You see some day to day activity. What are some of the things that are kind of on your radar that you've been hearing about either at work or like just in the news that kind of
David Huynh | KnowFatigue (32:30)
Mm-hmm.
Mikey Pruitt (32:51)
make the hairs on the back of your neck stand up that are like, ⁓ no, this is going to be bad.
David Huynh | KnowFatigue (32:56)
Guys, same old, same old boring, not boring, but it's consistently, ⁓ know, ⁓ insecure security architecture, things of like, there's still companies that don't have MFA. like, it's just insane. ⁓ Weak password ⁓ policies. Like, I think the standard now it's supposed to be like 12 plus with uppercase, lowercase numbers symbols, right? If we're not hitting at least those minimums, this is like,
⁓ I am least privileged. These are very common things, but the still the typical social engineering and phishing emails still are ⁓ a big assistant threat. So that's why I say it's boring. Cause it's just, we've already known and heard this and we know this if you're in cybersecurity, already know this is a common thing. But in terms of newer and scary, I'm going to say it's AI. ⁓ It's AI AI spoofing.
Identity spoofing, voice video spoofing. I mean, spearfishing is going to get insane. And there was already, I forgot the company and I forgot the industry, but it did happen where I think somebody spoofed as a CFO and to the team and they did transfer that money. I think it was in the amount about 300,000. I mean, the voice, the names, I mean, the video, it was there and it was convincing enough that
you know, XYZ employee or manager approved it. It's going to get spooky, but of course the more AI in the offense, the more AI in the defense is going to come. So it's going to get interesting and it's the same good fight, know, fighting the good fight of trying to keep these companies alive, well, healthy in compliance and continue to make money. So I think in terms of, you you asked big, new, scary, it's the wild west with AI.
⁓ especially as they're able to break it, make their own, jailbreak any type of more ethical constraints, get more and faster. know, Microsoft just recently developed that first like super computer. Who knows what happens as bad actors get more powerful hardware and they're able to, who knows how fast and how powerful these things are gonna be able to create new scripts, create new websites, ⁓ send more automated AI.
learning, phishing email campaigns, scraping the web for more more OSINT to make it more believable. It's going to get fun. It sounds lucrative.
Mikey Pruitt (35:38)
Yeah, right. It's lucrative for you in the industry and the bad guys and the people that can prevent against it. But I do want to point out that you at first mentioned the basics. Like there may be like eight or nine categories of things that are just like table stakes for operating on the Internet in 2025. So don't forget those things. Table stakes. Do them well. Iron out the kinks. Make sure they are running smoothly.
And then perhaps go look into the new thread that is coming, which is probably AI. I actually saw something this morning that is called Prompt Lock. If you haven't heard of that, go look it up, Google it or whatever. Or ask chat GBT with web search on. ⁓ So Prompt Lock, I think it was a research team at a college of some sort. But just a few weeks ago, they packaged malware.
with Olamma, if you're familiar with Olamma, which is a open source model kind of hosting kind of platform. You can run it in Docker container on bare metal, whatever. And then you can add in ⁓ open source ⁓ large language models. So this malware uses, has Olamma packaged in it with the chat GPT open source model, which is called GPT OSS. So those two things together.
were there available for the malware to communicate with and change its code on the fly based on the hurdle that it was seeing. Now this is like, I've been hearing for months and months, maybe even a year that, ⁓ a polymorphic AI malware, it can change its stripes mid attack. And it was kind of like smoke and mirrors, like that's not really happening. Well, it's actually been proven now that it's happening.
David Huynh | KnowFatigue (37:25)
Mm-hmm.
Mikey Pruitt (37:28)
Or that is possible at least. I haven't seen one in the wild. This was more of a controlled environment type of thing. But it proves the point that if a research team, let me see where it is. I think I have it pulled up like NYU or somewhere. Anyway, they did it, which means the bad guys can do it. Like they're reading the same news that I am. They're like, ⁓ yep, it's possible. Let's go. ⁓
David Huynh | KnowFatigue (37:49)
And if it just hit the news, how long has it already been in the wilds and they just haven't heard about it yet? You know, it could be months old. It could be months behind. So yeah, it's out there. It's definitely possible.
Mikey Pruitt (37:58)
Exactly.
Yeah, it was at NYU's Tandon School of Engineering. At least that's according to perplexity. Yeah, same. But yeah, it's a scary world out there. We don't really know what the future of malware has. I do know, just like you mentioned, that all of the people on the blue team are using the same patterns that the bad guys are using and trying to detect those patterns.
David Huynh | KnowFatigue (38:07)
Yeah, yeah, I like to have flux in the amount.
Mikey Pruitt (38:26)
and trying to detect patterns that don't exist yet or maybe exist only once. That's the problem with ⁓ polymorphic malware is that it has no signature. There's nothing to detect on. So you just have to detect anomalies in general and be very good.
David Huynh | KnowFatigue (38:31)
Mm-hmm.
Right, have to outliers
and based outside of deviations.
Mikey Pruitt (38:47)
And you have to be very good at your alerts and your sock and all that stuff. So you're in the right field, David.
David Huynh | KnowFatigue (38:52)
Yeah.
Mikey Pruitt (38:57)
So going from, you you've got this kind of trajectory into your career, you're kind of, I don't want to use the word comfortable, but you're like, you I'm, you are confident, let's say, in where you're at right now. But what do you think is next for you? Like, what is your next goal on the horizon?
David Huynh | KnowFatigue (39:16)
Yeah, because I'm about four years in and ⁓ I acknowledge that it's not really typical three, four years into already. I'm kind of mid level, honestly, both from title, both from work, both from skill set. Of course, there's still things that I'm completely incompetent and junior at. ⁓ But like, I don't know nearly enough about Docker, Ansible, Terraform, Kubernetes, things of that nature. ⁓ But that's a little bit more on cloud and/or automation over there. still, ⁓ I apologize. With the question, where am I going from here?
Mikey Pruitt (39:55)
Well, you got me sidetracked when you mentioned DevOps and Ansible and Docker. It's like my three favorite things.
David Huynh | KnowFatigue (39:58)
Because - by the way - I think it's going to become more more necessary to upskill with AI because I am worried about level ones, both level one engineers and analysts on how AI is going to impact. Let's take a step backwards. Do you remember how cloud slowly. Injected itself into every job title.
Mikey Pruitt (40:13)
In what way?
David Huynh | KnowFatigue (40:28)
Slowly sysadmins kind of popping up more with with cloud experience slowly security engineers. ⁓ it sure were their cloud engineers just as cloud engineer roles, but also it slowly integrated into sysadmin network security and network engineers slowly integrated into security engineers. I'd say it maybe took potentially eight, 10 years for it to be like almost. Baseline basic that if you're going to be a security engineer.
You need to have some cloud competency. If you're going to be a competence talk analyst, you should have either AWS or Azure, at least the fundamental, because you're going to be F'd if you don't know the terminology. You don't know what an S3 bucket is. You're in big trouble and you get an S3 alert, Or at least you're just going to have to research it then and there. You'll be all right. But ⁓ I think that's going to happen. This is my...
This is my guess, this is my hypothesis, my theory that I think AI skills and AI competency is going to inject itself into every IT role, but at a much faster pace than it took for cloud adoption. Basically where it's going to be more competitive, it's going to be skills inflation. If you're a newbie trying to get into IT, this is another thing on the skills checklist that you kind of have to know and be semi-competent at.
You don't have to be an expert at it, but you have to be semi-competent with it. That's what I think is going to happen with AI and how all of these roles are going to kind of change and evolve. Security engineers, analysts are kind of expected to have some competency with ticketing systems, EDR, SIEM, network analysis, phishing emails. That's kind of very bare bones basic. And now to some degree, whatever that is, there's going to be some type of AI component to it.
whether it's you need to know how to use some type of AI defensive security tool or be aware of some type of AI pentesting threat, something of that nature. And it's gonna happen the same to engineers as well. that's what I think is gonna happen.
Mikey Pruitt (42:42)
Well, I would agree with you. think, I mean, you kind of nailed it right on the head that cloud, the word cloud kind of started appearing on all the job titles. And now like AI or some form of that is kind of popping up on titles. And I think you're kind of talking about the, not the basics, which is like go to chat, chibit, go to chat chibit or perplexity like I did to get news or
David Huynh | KnowFatigue (43:04)
not the basics.
Mikey Pruitt (43:10)
teach me how to do something or tell me about this thing that I don't know about. That's like level one. Level two is starting to use AI in workflows, perhaps. For example, all these new polymorphic AI malware that seems like are possible now are going to need a way for probably AI to look into all those logs and determine what is the anomaly.
Because our DNS filtering service, we process about 250 billion DNS queries per day. That's a few too many for a human to look at. How many humans would it take to look at all this? It's just not possible. And even your basic bank or a decent sized corporation, you're in the hundreds of thousands of DNS queries per day. And that's just DNS queries. There's also...
David Huynh | KnowFatigue (43:49)
Mm-hmm. Yeah.
Mm-hmm.
Customers. Yeah.
Mikey Pruitt (44:08)
Logins to Microsoft 365 and you know this computer's IP address is different than it was yesterday.
David Huynh | KnowFatigue (44:14)
All the authentications,
all the push posts, yeah and pulls, yeah.
Mikey Pruitt (44:18)
There is so much data that is going to need to be combed through at AI scale, or if that's even a word, I don't know. But you know what I mean? That is the future of work, probably, is that the volume of data is so great that humans alone, and not even with machine learning, but the AI LLMs are the only answer.
David Huynh | KnowFatigue (44:27)
Right, right.
then when we brought up the whole DevOps tools and DevSacOps, I brought those up is because I think that's gonna be a necessity with more mid and senior level security engineers ⁓ because the automation, the orchestration, ⁓ how much faster we can set up ⁓ detection as code, things of that nature. So I think it's...
At least with me, myself, with my career, that's where I'm headed and I'm learning more and more skills because
I don't know what's going to happen, but I'm not going to lie to you guys and say that I'm not nervous about keeping our jobs, right? So I'm going to continue to upscale to make it as difficult and as skill gap as possible that you can't necessarily immediately automate me. So I think DevOps skills is, is definitely healthy, effective, and going to soon to be necessary.
You already see it with higher end security engineer roles. You see it at the big fan companies. A lot of those security engineers, they have DevOps skills on those security engineer job listings. ⁓ We forgot to mention Python. We mentioned everything else. We forgot to mention Python. Again, for more automation, right? comes back to the, remember how we were talking about getting all these certs and up-skilling. It's kind of the same ideology where,
We need to keep getting better and staying up to date. By the way, guys, a lot of people kind of complain from this, from an outside perspective about, my God, IT network and cloud cyber is so much consistent upscaling and studying. How's that any different than a lawyer with new law coming out? How's that any different from a doctor with new diseases, with new medication, accountant with new tax code and tax laws coming out? Like, hello? there's, ⁓ even a contractor, a concrete.
Mikey Pruitt (46:32)
I'm accounted.
David Huynh | KnowFatigue (46:43)
roofing, electrician, there's new materials being developed, there's new tools getting released, and you need to stay sharp, you need to stay up to date. ⁓ So yeah, I mean, it just seems kind of, I don't know, entitled, kind of sensitive to be complaining that it's like, and let's not forget that we got into IT and cyber for this amazing, know, hybrid remote lifestyle, pretty healthy salaries. ⁓
And that, my God, it takes work to get into it. It takes work to keep that job. I don't know what to tell you guys, but it's a necessity and you're gonna have to do it. So ⁓ Python, DevOps, yeah, AI, yeah, yeah.
Mikey Pruitt (47:28)
AI. AI not like the basic copy paste. That's actually pretty good advice.
David Huynh | KnowFatigue (47:33)
Yeah. I call it skills inflation or job inflation, because it's like what it took for a security engineer to get that job five years ago, to get the job and keep it five years ago, is not going to be the same skills and competence and knowledge that today or tomorrow it's going to take for a security engineer to pass that same interview at that job.
Mikey Pruitt (47:39)
Yeah.
And that's why you're worried about junior positions, because it's harder and harder to get those.
David Huynh | KnowFatigue (48:03)
I remember how hard I worked just to break into as a level one. I had eight certifications and I was 70 % done completed blue team level one. And that was the only thing that taught me genuine skills. There's others, there's a lot more options today guys. There's TCM security PSAA, there's a Tri Hack Me SAO one. There's tons of options for genuine hands-on skills, how to get the job done as a level one.
All my other certifications didn't teach me Jack for like really, I had C, not, I don't even know if I want to call them out, but a certain C name organization with a certain C name for liter acronym certification that was kind of hard and expensive to get. Yeah. It did not teach me how to ⁓ analyze a phishing email. C Y S A plus. So.
Mikey Pruitt (48:37)
Hands on.
I know you're...
David Huynh | KnowFatigue (49:03)
And maybe I'm at fault for expecting that, but I mean, it is called cybersecurity analysts plus and the cost and expense of everything. But so I, you know, again, just to throw back to the whole security certification conversation, you guys got to pick and choose your time, your energy, the value of it. ⁓ I'm not saying CYSA plus is completely worthless. don't forget GovTech role. CYSA plus ranks pretty high on their certification listings. And it definitely looks good to have it, but
in terms of actually genuine skills and getting the job done and being able to carry yourself at an interview competently.
So to bring that all back with the whole job skills, inflation. That's why I worry about it with more juniors, because I still remember how hard I worked. And I'm not saying this to toot my own horn. I just I've been told consistently that I'm a hard worker, probably ranking in above average in terms of work ethic, discipline, bodybuilding, Marine Corps, whatever you want to call it. Eight certs in like six months, 24 certs already, like whatever you metric you want to call it. But I'm thinking to myself,
If it took me that much work for me, and technically I'm an above average work ethic and discipline, how much are other people going to struggle if they don't have the same level of ambition and discipline and maybe they don't have the finances to compete with somebody as ambitious as me neither? You know, there's so many things I think about. I'm not saying I can't say, you know, we can save everybody, but it's just a concern and I just think and I wonder, you know.
Mikey Pruitt (50:42)
I think you're saying like if you want to be successful in almost anything, not just your career, if it happens to be cybersecurity like you at some point, and we, this is actually how we started is that you have to get into beast mode. I'm going to call it because you brought up your bodybuilding history and you have to laser focus on that goal and you have to get there. Whether that is now including like AI workloads and workflows.
Like you have to get down to the basics. You have to master them. And then you have to get to the next level and just keep going into beast mode and get there.
David Huynh | KnowFatigue (51:24)
big proponent of personal development as well. I'm talking books, I'm business, I'm talking social skills, I'm talking just overall success. So there's so many words and sayings and analogies that kind of assist with that. Like, you guys know the definition of insanity is doing the same thing over and over again, and expecting something different, a different result. Well, a similar saying to that is if you want something you never had, you need to do something you never done. Right? ⁓
I think about the tattoo on my back, I got it of a phoenix, know, dying bird, ashes rise again, blah, blah. And it's kind of a symbolic of like the old complacent, lazy victim mentality, making excuses, whatever, I procrastinating. The old version of you needs to die so that the new version of you can arise, right? ⁓ Some people get dirty and nitty gritty with it. They just say, you got to sacrifice and hustle and grind. There's some aspect of that too. Whatever.
whatever saying, whatever mentality trigger, switch, whatever you want to call it that activates you guys to get into that mental place of consistency, discipline, beast mode, whatever it may be. You know, you're going to have to do that. ⁓ And everybody's motivating factors are different. Me, kind of lean into anger and hate and darker places a little bit more. They motivate me a little bit more. Like me getting from being overweight, obese, the motivation to get into bodybuilding and
Mikey Pruitt (52:44)
Motivate.
David Huynh | KnowFatigue (52:51)
bulking and cutting was like kind of anger and self hatred of like, hate this version of me. I hate feeling like this. I hate looking the same year after year. And I can't stand to live like this anymore. That was my brain and my motivating factor. But for somebody else, it could just be, hey, I want to train for a triathlon or hey, my first child is on the way and they want to be a better role model for that child. It could be for...
Everybody's situation is different. the motivating factors are going to be different. ⁓ But yeah, you you mentioned that to getting in and this is for anything getting started is almost always the hardest part. Change is generally uncomfortable, chaotic, even borderline violent. Change is not comfortable. But did you guys expect it to be? You know, doesn't that sound a little absurd? So those are kind of
success, self help from all different types of books and self-made millionaires and billionaires and people I look up to. So many different motivators that I've kind of just threw all at you guys at once.
Mikey Pruitt (54:03)
I was just, I was just thinking there's a book buried somewhere in there, David Winn. No, like coming, like coming from you or maybe, maybe a stage or something, a book or a stage from you. Because like you say you're, you're like, this is what I learned, but it's like, you're also living that now. So maybe, and, and, and, and honestly, I think the podcast that I've seen you on and our conversation today, like you're, you seem to be.
David Huynh | KnowFatigue (54:07)
There is, there's thinking grow rich.
⁓ from me,
Mikey Pruitt (54:32)
on this earth to motivate people. So I would encourage you to go do more of that.
David Huynh | KnowFatigue (54:38)
That impacts me a lot, Mikey, because again, you're not the first person to tell me that, it's perhaps. Perhaps.
Mikey Pruitt (54:46)
Alright, well look for David Huynh on a stage near you. Thanks for coming to chat David.
David Huynh | KnowFatigue (54:52)
Absolutely Mikey, thank you for inviting me, thank you for having me.
Welcome everybody to another episode of DNS unfiltered. Today I'm joined by David when little H we ⁓ asking David the pronunciation of his last name and he described that Stewie with kill cool whip at the end. Well, welcome to the show David.
David Huynh | KnowFatigue (00:14)
Hello everyone. Mikey,
thank you for having me. Hello everyone. I'm happy to be here.
Mikey Pruitt (00:21)
So I kind of wanted to, I've seen you on a few different episodes of Things and throughout LinkedIn and I wanted to start talking to you about motivation and passion. And we kind of, kind of got into this before we started recording. ⁓ So your motivation to get into a cybersecurity career and your passions, I wouldn't say necessarily align, but they serve each other. Is that right? Explain that a little bit.
David Huynh | KnowFatigue (00:47)
Mm-hmm. That's correct.
So, everyone, I'm 29 years old now. I'd probably say I was broke loser for the majority of my masculine upbringing from like 18 all the way to about 26. So we talk about motivations of getting into cybersecurity and I didn't even know it existed. I knew nothing about IT up until about 26 years old.
When I say I didn't know nothing, I mean, like, I don't know all the sub fields, networking, cloud, systems, things of that nature. I didn't know cybersecurity. ⁓ So, you know, in my early twenties, I've jumped from things to things to try to make money, try to make an income, try to have a financially stable life as a young man, you know, car, hopefully move out of the mom's house. Didn't happen till later, but...
So a big motivating factor for me of just getting into cyber once I learned about it and I learned about it through my older sister who joined the army and she got into IT and then she moved over to cyber security and now she's out. She has the, you know, security clearance and she's working the GovTech role. And that's how I became aware of cyber security. And I was like, it's working for her. Let's, let's try it. Follow up after her. This is around three, three and a half years ago when I was 26. So.
The big motivation there was just I was broke early 20s, ⁓ credit card debt, not happy with my life financially. ⁓ And I wanted to make, you know, be a little bit more financially independent. And so I saw IT and cybersecurity as a pathway for that. ⁓ Then when we kind of start talking about passions, it's not to say that I don't enjoy cybersecurity. I definitely do. But the...
I just want to be clear about, my initial motivation was definitely financial. As I've gotten
things have changed. ⁓ Where of course the financial component isn't like the only thing that I'm concerned about anymore. ⁓ And there is enjoyment, there is growth. ⁓ And I think the over, ⁓ you know, the crossover with them is that,
you do need to have a level of financial stability before you can actually like feel and enjoy your passions. There's tons of artists out there who have passed away ⁓ very not financially stable. And I would definitely argue that it negatively impacts your ability to like really fully enjoy your passions if you are so financially lacking. So.
You know, I think that's the interesting crossover about it. Well, I got into this field just to become financially secure. And as I've gotten some success in that regard, I can kind of look at it and enjoy it more just for it. But yeah.
Mikey Pruitt (03:57)
So it sounds as you're kind of describing like ⁓ breathing room, essentially, like the financial burden of being less is giving you breathing room to understand the job and the work that needs to take place and have an appreciation for it. Not necessarily a, know, ⁓ talking about it every second of every day like cybersecurity and it can consume your life. Like if you're
David Huynh | KnowFatigue (04:02)
Mm-hmm.
Exactly. Yeah, exactly.
Mikey Pruitt (04:26)
Looking at social media and I don't know what your feed looks like, but mine is very like cybersecurity technology ⁓ AI. I'm like, my gosh. If I hear this one more time, I'm just going to freak out. ⁓ but yeah, that breathing room really does give you the space to think about the important things in your life.
David Huynh | KnowFatigue (04:30)
Mm-hmm.
Yeah.
It's a funny dichotomy because in some ways for you to get job hop and promote and get to the higher roles and get more skillful in some ways, you kind of do have to become obsessed of it with that level so that you put in that work and you keep upskilling. But then on the other end, everybody's balance is different of how much they.
Touch grass, and I mean that figuratively, right guys? However you wanna call it, touch grass. If you're just playing games, if you go surfing, you go fishing, go shooting, go to the gym, whatever that may be, but your life doesn't have to be consumed about it. I think it oscillates for different people. Not everybody wants to be a super senior engineer, not everybody wants to be a CISO. And everybody has to kind of determine how hard they're willing to.
much discipline they're willing to put into cybersecurity and become the best that they want to be if they want to be the best, you know, so.
Mikey Pruitt (05:43)
So you're bringing up ⁓ discipline and momentum. I think listening to your story, you joined the Marines, kind of got introduced to cybersecurity through your family member, your sister, and it looked like a trajectory. But you can't just say, hey, I'm in cybersecurity now. That's not really how it works. You kind of have to learn a few things. And you do, at times, periods of your life.
David Huynh | KnowFatigue (05:59)
you
Mikey Pruitt (06:13)
⁓ have to have an obsession to learn something new. So it sounds like what you're saying is you can turn on and off this level of discipline that is necessary for the next goal to be acquired. Does that make sense?
David Huynh | KnowFatigue (06:27)
And you know, I'd really agree with that. And that was a perfect way you said it, because you just activated like an analogy in my mind. If you have a big goal of becoming some type of surgeon, some type of doctor, like you already know, six, eight, 10 years of your life are going to be dedicated to schooling. ⁓ I don't know all the medical terms, but then then, you know, you finally make it to become a doctor and now you're in residency. Like it kind of. It kind of becomes your life obsession. It becomes your life.
when you're in that mode to achieve that big goal of whatever that may be, ⁓ law school even. So I think in a similar way, not so similar in terms of cost, not so similar in terms of year of formal schooling, but maybe similar just in terms of like similar mindset of obsession, consistency and discipline that it's gonna take, it's gonna require a lot from you.
to break into cybersecurity. And sure, for some people, they've been able to break in with a little bit less for whatever location, whatever situation, whatever they knew somebody. But for the most part, having the skills, the competency, the understanding, ⁓ ideally some IT work experience, it usually takes some time to upskill, get into the IT world, and then kind of jump from there. It's a very unorthodox path to jump.
right into cyber. And I think the only usual successful path like that is if you were able to secure ⁓ internships while you were in college. Otherwise, it takes time. Military is also a pretty consistent path into cyber security. But for the most part, ⁓ if you haven't secured internships, ⁓ if you didn't go military, usually most people are going to need some IT
job as a stepping stone first.
Mikey Pruitt (08:27)
I was going to ask you, so your break into cybersecurity, like it sounds like you kind of had a plan. You knew some milestones along that journey. Maybe some of it was still a bit opaque when you started, but you kind of developed it along the path. And a lot of the content that I see, like the popular content on let's say like TikTok or YouTube shorts that are about cybersecurity are often about breaking in.
David Huynh | KnowFatigue (08:43)
Mm-hmm.
Mikey Pruitt (08:54)
to the career of cybersecurity. So based on your experience, what do you think are some key lessons that you learned that you could kind of impart on someone along that journey?
David Huynh | KnowFatigue (08:55)
Mm-hmm.
Yeah, I'm going to say some, guess it's polarizing. I don't think it's polarizing, but ⁓ if you disagree, that's fine. If you don't, I hope it's useful to you. there's a few, like we mentioned, there's some general blueprints of successful archetypes of breaking into cybersecurity, military, getting some type of IT, cybersecurity, MOS going that way. ⁓ If you're able to land cybersecurity internships while you're...
going through college, that is pretty beneficial. ⁓
Mikey Pruitt (09:44)
What role do you think certificates play in the mix?
David Huynh | KnowFatigue (09:49)
I think, and it's to varying degrees, but I do think it is pretty big and important. Obviously just fair notice, maybe potential bias here from me. I broke into the cybersecurity with about eight, nine months of IT support experience. I didn't earn my degree at that time. So I was only certification and IT support work experience, but that took me from zero to nine months and I had eight certifications at the time.
I was basically getting a cert every month. Today I have 24 certs and they are all active. ⁓ regardless, so the role that they play.
Mikey Pruitt (10:24)
Wow.
David Huynh | KnowFatigue (10:32)
Obviously they look great on paper, depending on which ones you pick. Additionally, depending on which ones you pick, some are very conceptual, minimal skill, just good brain knowledge, good speaking, but you don't know how to do anything. And then there's more technical certs where you really know how to do things and you really know how to get a job done when it comes to the hands on the keyboard. So I think different certs have different purposes. They, no matter what, they almost all make you look good. So I kind of have this mentality of the more the merrier.
Yes, there's some financial constraints with that, but it comes back to the analogies of the doctors and the lawyers of the investment to get in. And trust me, it's much more generous over here than trying to become a doctor or a lawyer. You're not going to work out with like walk out with 200K in debt, or at least you shouldn't. Yeah, you're doing it wrong. So they definitely play a role. depending on the ones you select, they can just make you look good and have good conceptual knowledge.
Mikey Pruitt (11:19)
If you do, you're doing it wrong.
David Huynh | KnowFatigue (11:33)
depending on the ones you select, you can have genuine skills. ⁓ And also depending on the situation, they may genuinely be kind of like HR gate kept necessary. Government roles, it's kind of necessary to have a security plus. Some pen testing roles, you won't even get called back if you don't have an OSCP. Management roles, they might not look at you, you don't have a CISSP. mean, it's a genuine thing. ⁓
So yeah, they play a pretty big role, but they're not the only thing. Just putting that out there.
Mikey Pruitt (12:11)
Yeah,
it sounds like it helps to have some type of paper proof that you can do what you say you're the job you're applying for.
David Huynh | KnowFatigue (12:16)
Mm-hmm.
Yep. Especially if you can showcase and back it up. And what do I mean by that? One of the best ways is having a project. And I know this might get really old kind of broken record player type deal, but ⁓ I'm going to go into like the actual how to, you know, cause a lot of people just say a home lab or project, but here's a little bit more of a scenario of let's say me myself, I get a Splunk cert and this is biased because I was a cybersecurity and a SIM engineer. And ⁓ I literally did this.
So have tons of Splunk certs, admin level, enterprise security, enterprise admin, cloud admin, whatever. And ⁓ of course it got the interest and got me to an interview. Now at the interview, I already had a Splunk project. I had my VMware already loaded up. had my VMs already loaded up. Had 64 gigabytes of RAM. I'm good to go. Midway during the interview, I got asked a question of what have I done with Splunk so far?
Perfect timing. I just screen shared my VMware lab, sold them my name, sold them the data is coming in, sold them how I did it, sold them my architecture. ⁓ That showing versus just showing and telling versus just telling, I think it really.
It puts you above probably 90 % of all interview candidates ⁓ because most people don't go that far. And I think seeing is really believing. ⁓ It's a lot different me telling you I'm a good car salesman versus I literally just sell one of your cars on the lot right then and there, right? I might get the job right then and there. So in a very similar way, because I had the lab to showcase my Splunk skills, me showing that I have the Splunk admin certifications goes a lot further.
⁓ And yeah, a lot of hiring managers and seniors have hired bad apples who've done exam dumps, who've had people take exams from them, whatever it may be, and then they get the job and they're completely incompetent. So I think it only helps you to showcase and back up your certifications as well, not just stop at the certification.
Mikey Pruitt (14:28)
Yeah, that's actually probably pretty powerful. Like if you can imagine you're on the other side of that equation, you're the hiring manager, you're interviewing 10 or so candidates for a job. And one of them is like, you know, that job you're hiring me for, here it is. I'm doing it every day for fun or for learning purposes.
David Huynh | KnowFatigue (14:44)
Mm-hmm. Mm-hmm. And it could apply to
almost any cybersecurity job. Even GRC, if you draft up an 853 policy, you draft up any type of compliance policy, like a mock one, for that job industry, like if it was an airport, whatever, then it shows that you have that number one initiative, but it also shows that number two, you have that insight and that skill and that actual genuine real world skill set.
So on the hiring side, it's just like, who the heck is this guy? Like, is different. He's not just saying, I know Splunk. He's showing us he's done things with Splunk. I'm telling you, psychologically, it changes the whole, it changes everything. Seeing is believing.
Mikey Pruitt (15:31)
Yeah, you probably made their job much easier that day.
David Huynh | KnowFatigue (15:35)
It becomes,
it also stops feeling like it's an interview. Like they're just shotgun FBI investigating you. You're doing a demo. It's a conversation depending on how nerdy and how into it the senior is on that interview. They can get excited as well. Just looking at your home now. They're like, so how'd you do this? And you guys are both like nerding out. It's great. It's great. But having...
Mikey Pruitt (15:41)
You're almost doing a demo. You're like doing a demo for the job.
David Huynh | KnowFatigue (16:03)
Having this hands-on skills backing up your search with a project or a home lab is the way.
Mikey Pruitt (16:10)
Good advice. And now I'm curious, so you're, I think you're in the banking industries, all right? Like you kind of work in.
David Huynh | KnowFatigue (16:17)
That was my first
role. That was my first role. Now I've transitioned to other roles. One of the roles that I'm in, one of the fields of the healthcare industry. But yeah, the banking industry was my first industry. Did you want to ask about that?
Mikey Pruitt (16:32)
Well, based on,
yeah, well, just not in banking specifically, but I'm more curious as to what are some of the things you see in the day-to-day work of being a SOC analyst or cybersecurity engineer? What are some of the things that come across your desk that you have to deal with?
David Huynh | KnowFatigue (16:50)
Yeah. So guys, I am a technical blue team professional. OK, so I'm not offensive. I'm not pen testing. I'm not even necessarily compliance GRC. ⁓ So just to put that out there first so that you guys have some context of the type of work I usually run into. From an analyst level,
Depending if you're an in-house meaning you're like protecting that genuine company that you work for. ⁓ Customers bank. was on customers bank. was protecting customers bank as opposed to if you work for some type of contractor or some type of MSSP ⁓ managed security service provider where you're per very, you're providing sock surfaces to another organization. Your workflow and your life balance and your day to day work lifestyle is going to, it's going to differ severely ⁓ with.
and internal, you get your tickets and your alerts and you have all your different tools and logins and dashboards. And it's just you and your company and you get to learn your company very intimately. You get to understand your architecture very intimately. You hopefully you're not, but from my experience, you're usually not burnt out by the ticket and the workflow. And usually you have available time to upscale. You have available time to.
Hop in and assist with sister IT and cyber teams. Like maybe you're just an analyst. You're supposed to be on alert and triage, but because you have the time availability, you're able to assist with projects, whether that may be vulnerability management projects, SIM projects, whether that be any type of additional projects that are outside of just typical alerts, triage, and just incident response at that level. So that's kind of what I've
run into and what I've seen when you're in-house sock. With MSSP it's totally different and unfortunately there's goods and bads, right? You become, you should become very fast and efficient because you have SLA service level agreements where you're responding to XYZ tickets within an XYZ timeframe. Depending on the severity, a high ticket should be responded to in a shorter period of time than a low.
⁓ and you'll see a lot of different attacks. You'll see a lot of different tickets. You'll, you'll run into a lot of different tools, because you have, you have to serve so many different clients and the different clients. One might use cloud or crash rate. One might use Sentinel one. One might use elastic. One might use Splunk and so on. So you get, you basically drink and drown in cybersecurity when you're in an MSSP and
I think some people have to be prepared for it or at least mentally embrace it versus it catches some people off and therefore they kind of feel that that burnout, you know, ⁓ it can become alert fatigue and you're just responding to a whole bunch of false positive benign and, and, and you might get a little bit lazy and lackadaisical where you just copy and pasting previous tickets. Yeah, there's, there's, there's pros and cons with it. ⁓
I always try to teach people to always look at the best of everything and make the best of it. ⁓ Let's say you're at the MSSP. You need to bust your behind, leveling up in the after hours and on weekends when you're not working so that you can keep up skilling and hopefully job hop into a different type of company, a different type of role, a next level role so that you're not just stuck at level one tickets and alerts all day if that's what you want.
If you're happy with it, good to go, do your thing. But that burnout, I think people work, feel like they're working really hard and they're not getting to a type of result. Because if you work really hard, but you get your result, usually you feel rewarded and you feel accomplished. Usually you see it, the burnout, you know, and I think burnout can be physical and or mental or both, but the burnout usually comes from, I feel like I've been busting my behind.
and I'm not getting the desired result. So I feel frustrated, exhausted, and therefore burnt out. So that's SOC analysts or cybersecurity analysts, by the way, SOC Analyst Security Operations Center. And by the way, it's kind of like the analogy of a rectangle is a square, but a square is not a rectangle. So a SOC analyst is always also a cybersecurity analyst.
But a cybersecurity analyst is not always a SOC analyst. SOC analyst is very specific to alerts, triage incident response. Cybersecurity analyst is anything and everything you want it to be depending on the company. Because they can call you a cybersecurity analyst and you're just on vulnerability management, purely vulnerability management. You can be purely just GRC. You can be a jack of all trades doing alerts and triage, but you're also doing a little bit of engineering projects and whole everything like.
Cyber security analyst literally means anything and everything per the needs of that company. So just want you guys to be aware of that. Security engineer. ⁓ If you're just called a security engineer, a similar story, it can literally be anything and everything, IT, networking, cloud, cyber, ⁓ until you usually get a additional title that specifies what type of engineer you are, a detection engineer.
is alerts, SIM, helping the SOC with those alerts, creating the alerts, creating the tooling for those detections, things of that nature. That's a specific type of security engineer, vulnerability management engineer. ⁓ SIM, I think I said the technical engineer, there's a SIM engineer, there's cloud security engineers, there's network security engineers. you can, obviously the specified title would determine that, but
The lifestyle and workflow of a security engineer, let's just say you're a jack of all trades. It's going to be company dependent, security posture dependent, meaning is that company security posture a little bit more mature or are they more immature and they need to be developed? Meaning me as the jack of all trades, I need to implement the SIM. I need to ingest all the tools and all their sources or has it already been done for me? That will change my
type of workflow and the projects that I'll be seeing and highlight on that, security engineers typically work on projects. They don't usually typically work on just pure tickets. That's a big difference and a big change from the analysts workflow and lifestyle. So, ⁓ you don't really have SLAs, but you have kind of due dates and expectations based on the...
the progress of the project and whatever project manager you're with, or maybe it's also your security manager. So it's a different lifestyle. ⁓ A lot more meetings generally. ⁓ An analyst, you'll usually have some type of touch base of just how things are going. It could be daily, it could be once a week, twice a week, but engineers would be a lot more sporadic or potentially consistent. And you're actually meeting with stakeholders about progress of things.
⁓ So, yeah.
Mikey Pruitt (24:37)
Getting closer to that
managerial area. the way you were describing the burnout, feeling like you're spinning your wheels and you're not really making progress, it sounds like people in those roles are kind of doing the same things over and over again. And I'm curious, when is there?
David Huynh | KnowFatigue (24:40)
Yeah, yeah, yeah. You interact with people a little bit more as an engineer. From my experience.
Mm-hmm.
Mikey Pruitt (25:06)
like a configuration change necessary or some new tooling perhaps? How does that escalation process take place?
David Huynh | KnowFatigue (25:16)
you're asking in general, technically, like when is that? Ooh, wow. When is a configuration change necessary?
Mikey Pruitt (25:19)
Yes.
Like, when is it justified?
David Huynh | KnowFatigue (25:28)
Guys, audience, Mikey asked a crazy question. So pay attention, OK? Because he asked, when is it justified? But there's different angles that I can answer that. There's kind of a technical cybersecurity best practice justification. But then there also needs to be a business financial risk justification. These are like, we're on the same team, but we're like two different brains. We're like totally different world, So there's
There may be many times in your guys life and your experience where cybersecurity and best practice wise, the justification is there, the risks are there, the vulnerabilities are there. You guys are ⁓ a vulnerable target. The likelihood is there. The impact to the business is severe.
And now you need to communicate that to your manager, to your uppers, to the CISO, so that this can get actually approved and especially financially approved, right? Now here's the other side of the business, because we just spoke about financial. There's more to this. To get that tooling, to get that remediation, to get that whatever change request ⁓ enabled, executed.
How many people do I need to involve? Do I need to involve systems administrators? That's money. That's work for, that's the systems managers, employees that we're taking resources from or sharing resources with ⁓ financially. How much does that solution cost? Do we need to hire contractors? Things of that nature that, you know, on the individual contributor level, on the technical level,
We aren't usually in those conversations, but it is invaluable if you guys understand that there's more to cybersecurity than just, ⁓ technically it needs to be done and that's best practice and that's good. And we would be defending the company. Well, it's got to get approved. The resource has got to be there, both finances and manpower. ⁓ We need to prioritize it to what's already on the table of projects. So I'm not saying there's a right or wrong.
I'm just saying that there's so much more moving parts than just the technical justification. So. And the better and the sooner you guys understand that there's genuinely a business and there's finance and there's revenue involved and there's expenses and budget involved. I think you guys can better draft and communicate the technical to the business. Cause you can better communicate with them and it's always going to flow that way. The technical needs to better communicate.
to the non-technical, the business ain't going to come back our way. Only project managers do that, but the managers and other departments, they're not. The credit team, the fraud team, they're not going to come learn what CrowdStrike is and what it does. And they're not going to learn Splunk, but I for sure need to explain why them utilizing this Splunk dashboard or us getting this change where we enable MFA across the company. I need to communicate about the
the impact, the benefits, the risks if we don't, the cost to do it, the timeline, the training. We need to communicate to the non-technical and to the business stakeholders. They don't necessarily need to communicate in our lingo, but we need to communicate in their lingo. The sooner you guys do that, the better you're gonna be able to communicate and the better you're gonna be able to synergistically work with your sister teams that are not always tech.
Mikey Pruitt (29:10)
I'm picturing ⁓ a group of accountants that get a line item. That's like an EDR or CrowdStrike or Senowon or Huntress. And it's just like this giant number and they're like, what is this? And you're like, but it's, it's, need it. We need it. Like your, your, we need it has to be pretty convincing. ⁓
David Huynh | KnowFatigue (29:28)
Mikey, you just said something
good too, guys, as cybersecurity analyst and or as an engineer. This is a genuine work, work to do list that you may be asked to do. And it may be necessary. I mean, necessary for your sock, for your job. You might need to communicate the value that the money, time, resources, energy is being put into cybersecurity initiative.
Definitely you're gonna need to communicate it to your managers or to your CISO. Because the CISO needs to also present it to the CFO and CEO for those budgets to get approved, right? So that's why we get a whole bunch of these dashboards and metrics and reports about SLA, meantime to detect, meantime to respond, ⁓ vulnerabilities are, the poems about vulnerabilities from this month to this month, ⁓ attacks that have been attempted versus.
how many that we've defended against. It's so that we can have these metrics, we can paint these beautiful dashboards because pictures are better than spreadsheets always, graphics are always better than ⁓ Excel spreadsheets always. ⁓ So that the C-suite and upper management can make their best educated decisions about how to allocate resources and are they being allocated responsibly, efficiently, effectively. So it's a big deal.
Mikey Pruitt (30:58)
commented on a Reddit post just this morning. ⁓ Someone was talking about how their ⁓ remote employees only had DNS filtering on their devices, which I work for a DNS filtering company, DNS filter. So was like, that's great. However, DNS filtering alone does not make a security stack. this person, they were going back and forth with a few of the other Reddit commenters and
David Huynh | KnowFatigue (31:22)
It does not.
Mikey Pruitt (31:28)
Basically, was, first of all, you probably need to send out your resume because there's a breach coming and this company is probably going under. And the other sentiment was that you didn't do a very good job of selling this to your higher ups, the management team, whoever needed to press the button to buy. You did not convey the importance of more security on the endpoints that are roaming off network appropriately because they said no. ⁓
David Huynh | KnowFatigue (31:56)
very basic defense in depth. That's a very basic conceptual cybersecurity framework, having defense in depth. It's not just the seatbelt of the car, you also have the airbag, you also have the frame and how it crunches and cracks and the glass doesn't shatter. You have defense in depth in almost anything, right? You have an alarm system at your house, but you also lock the door, right?
Mikey Pruitt (32:18)
That's actually a really
I like that car analogy. I'm going to use that in my next presentation. You got side impact airbags, got child restraints, blah, blah. Yeah, that's good. So I'm curious. So like you're very involved with cybersecurity. You know a lot about it. You see some day to day activity. What are some of the things that are kind of on your radar that you've been hearing about either at work or like just in the news that kind of
David Huynh | KnowFatigue (32:30)
Mm-hmm.
Mikey Pruitt (32:51)
make the hairs on the back of your neck stand up that are like, ⁓ no, this is going to be bad.
David Huynh | KnowFatigue (32:56)
Guys, same old, same old boring, not boring, but it's consistently, ⁓ know, ⁓ insecure security architecture, things of like, there's still companies that don't have MFA. like, it's just insane. ⁓ Weak password ⁓ policies. Like, I think the standard now it's supposed to be like 12 plus with uppercase, lowercase numbers symbols, right? If we're not hitting at least those minimums, this is like,
⁓ I am least privileged. These are very common things, but the still the typical social engineering and phishing emails still are ⁓ a big assistant threat. So that's why I say it's boring. Cause it's just, we've already known and heard this and we know this if you're in cybersecurity, already know this is a common thing. But in terms of newer and scary, I'm going to say it's AI. ⁓ It's AI AI spoofing.
Identity spoofing, voice video spoofing. I mean, spearfishing is going to get insane. And there was already, I forgot the company and I forgot the industry, but it did happen where I think somebody spoofed as a CFO and to the team and they did transfer that money. I think it was in the amount about 300,000. I mean, the voice, the names, I mean, the video, it was there and it was convincing enough that
you know, XYZ employee or manager approved it. It's going to get spooky, but of course the more AI in the offense, the more AI in the defense is going to come. So it's going to get interesting and it's the same good fight, know, fighting the good fight of trying to keep these companies alive, well, healthy in compliance and continue to make money. So I think in terms of, you you asked big, new, scary, it's the wild west with AI.
⁓ especially as they're able to break it, make their own, jailbreak any type of more ethical constraints, get more and faster. know, Microsoft just recently developed that first like super computer. Who knows what happens as bad actors get more powerful hardware and they're able to, who knows how fast and how powerful these things are gonna be able to create new scripts, create new websites, ⁓ send more automated AI.
learning, phishing email campaigns, scraping the web for more more OSINT to make it more believable. It's going to get fun. It sounds lucrative.
Mikey Pruitt (35:38)
Yeah, right. It's lucrative for you in the industry and the bad guys and the people that can prevent against it. But I do want to point out that you at first mentioned the basics. Like there may be like eight or nine categories of things that are just like table stakes for operating on the Internet in 2025. So don't forget those things. Table stakes. Do them well. Iron out the kinks. Make sure they are running smoothly.
And then perhaps go look into the new thread that is coming, which is probably AI. I actually saw something this morning that is called Prompt Lock. If you haven't heard of that, go look it up, Google it or whatever. Or ask chat GBT with web search on. ⁓ So Prompt Lock, I think it was a research team at a college of some sort. But just a few weeks ago, they packaged malware.
with Olamma, if you're familiar with Olamma, which is a open source model kind of hosting kind of platform. You can run it in Docker container on bare metal, whatever. And then you can add in ⁓ open source ⁓ large language models. So this malware uses, has Olamma packaged in it with the chat GPT open source model, which is called GPT OSS. So those two things together.
were there available for the malware to communicate with and change its code on the fly based on the hurdle that it was seeing. Now this is like, I've been hearing for months and months, maybe even a year that, ⁓ a polymorphic AI malware, it can change its stripes mid attack. And it was kind of like smoke and mirrors, like that's not really happening. Well, it's actually been proven now that it's happening.
David Huynh | KnowFatigue (37:25)
Mm-hmm.
Mikey Pruitt (37:28)
Or that is possible at least. I haven't seen one in the wild. This was more of a controlled environment type of thing. But it proves the point that if a research team, let me see where it is. I think I have it pulled up like NYU or somewhere. Anyway, they did it, which means the bad guys can do it. Like they're reading the same news that I am. They're like, ⁓ yep, it's possible. Let's go. ⁓
David Huynh | KnowFatigue (37:49)
And if it just hit the news, how long has it already been in the wilds and they just haven't heard about it yet? You know, it could be months old. It could be months behind. So yeah, it's out there. It's definitely possible.
Mikey Pruitt (37:58)
Exactly.
Yeah, it was at NYU's Tandon School of Engineering. At least that's according to perplexity. Yeah, same. But yeah, it's a scary world out there. We don't really know what the future of malware has. I do know, just like you mentioned, that all of the people on the blue team are using the same patterns that the bad guys are using and trying to detect those patterns.
David Huynh | KnowFatigue (38:07)
Yeah, yeah, I like to have flux in the amount.
Mikey Pruitt (38:26)
and trying to detect patterns that don't exist yet or maybe exist only once. That's the problem with ⁓ polymorphic malware is that it has no signature. There's nothing to detect on. So you just have to detect anomalies in general and be very good.
David Huynh | KnowFatigue (38:31)
Mm-hmm.
Right, have to outliers
and based outside of deviations.
Mikey Pruitt (38:47)
And you have to be very good at your alerts and your sock and all that stuff. So you're in the right field, David.
David Huynh | KnowFatigue (38:52)
Yeah.
Mikey Pruitt (38:57)
So going from, you you've got this kind of trajectory into your career, you're kind of, I don't want to use the word comfortable, but you're like, you I'm, you are confident, let's say, in where you're at right now. But what do you think is next for you? Like, what is your next goal on the horizon?
David Huynh | KnowFatigue (39:16)
Yeah, because I'm about four years in and ⁓ I acknowledge that it's not really typical three, four years into already. I'm kind of mid level, honestly, both from title, both from work, both from skill set. Of course, there's still things that I'm completely incompetent and junior at. ⁓ But like, I don't know nearly enough about Docker, Ansible, Terraform, Kubernetes, things of that nature. ⁓ But that's a little bit more on cloud and/or automation over there. still, ⁓ I apologize. With the question, where am I going from here?
Mikey Pruitt (39:55)
Well, you got me sidetracked when you mentioned DevOps and Ansible and Docker. It's like my three favorite things.
David Huynh | KnowFatigue (39:58)
Because - by the way - I think it's going to become more more necessary to upskill with AI because I am worried about level ones, both level one engineers and analysts on how AI is going to impact. Let's take a step backwards. Do you remember how cloud slowly. Injected itself into every job title.
Mikey Pruitt (40:13)
In what way?
David Huynh | KnowFatigue (40:28)
Slowly sysadmins kind of popping up more with with cloud experience slowly security engineers. ⁓ it sure were their cloud engineers just as cloud engineer roles, but also it slowly integrated into sysadmin network security and network engineers slowly integrated into security engineers. I'd say it maybe took potentially eight, 10 years for it to be like almost. Baseline basic that if you're going to be a security engineer.
You need to have some cloud competency. If you're going to be a competence talk analyst, you should have either AWS or Azure, at least the fundamental, because you're going to be F'd if you don't know the terminology. You don't know what an S3 bucket is. You're in big trouble and you get an S3 alert, Or at least you're just going to have to research it then and there. You'll be all right. But ⁓ I think that's going to happen. This is my...
This is my guess, this is my hypothesis, my theory that I think AI skills and AI competency is going to inject itself into every IT role, but at a much faster pace than it took for cloud adoption. Basically where it's going to be more competitive, it's going to be skills inflation. If you're a newbie trying to get into IT, this is another thing on the skills checklist that you kind of have to know and be semi-competent at.
You don't have to be an expert at it, but you have to be semi-competent with it. That's what I think is going to happen with AI and how all of these roles are going to kind of change and evolve. Security engineers, analysts are kind of expected to have some competency with ticketing systems, EDR, SIEM, network analysis, phishing emails. That's kind of very bare bones basic. And now to some degree, whatever that is, there's going to be some type of AI component to it.
whether it's you need to know how to use some type of AI defensive security tool or be aware of some type of AI pentesting threat, something of that nature. And it's gonna happen the same to engineers as well. that's what I think is gonna happen.
Mikey Pruitt (42:42)
Well, I would agree with you. think, I mean, you kind of nailed it right on the head that cloud, the word cloud kind of started appearing on all the job titles. And now like AI or some form of that is kind of popping up on titles. And I think you're kind of talking about the, not the basics, which is like go to chat, chibit, go to chat chibit or perplexity like I did to get news or
David Huynh | KnowFatigue (43:04)
not the basics.
Mikey Pruitt (43:10)
teach me how to do something or tell me about this thing that I don't know about. That's like level one. Level two is starting to use AI in workflows, perhaps. For example, all these new polymorphic AI malware that seems like are possible now are going to need a way for probably AI to look into all those logs and determine what is the anomaly.
Because our DNS filtering service, we process about 250 billion DNS queries per day. That's a few too many for a human to look at. How many humans would it take to look at all this? It's just not possible. And even your basic bank or a decent sized corporation, you're in the hundreds of thousands of DNS queries per day. And that's just DNS queries. There's also...
David Huynh | KnowFatigue (43:49)
Mm-hmm. Yeah.
Mm-hmm.
Customers. Yeah.
Mikey Pruitt (44:08)
Logins to Microsoft 365 and you know this computer's IP address is different than it was yesterday.
David Huynh | KnowFatigue (44:14)
All the authentications,
all the push posts, yeah and pulls, yeah.
Mikey Pruitt (44:18)
There is so much data that is going to need to be combed through at AI scale, or if that's even a word, I don't know. But you know what I mean? That is the future of work, probably, is that the volume of data is so great that humans alone, and not even with machine learning, but the AI LLMs are the only answer.
David Huynh | KnowFatigue (44:27)
Right, right.
then when we brought up the whole DevOps tools and DevSacOps, I brought those up is because I think that's gonna be a necessity with more mid and senior level security engineers ⁓ because the automation, the orchestration, ⁓ how much faster we can set up ⁓ detection as code, things of that nature. So I think it's...
At least with me, myself, with my career, that's where I'm headed and I'm learning more and more skills because
I don't know what's going to happen, but I'm not going to lie to you guys and say that I'm not nervous about keeping our jobs, right? So I'm going to continue to upscale to make it as difficult and as skill gap as possible that you can't necessarily immediately automate me. So I think DevOps skills is, is definitely healthy, effective, and going to soon to be necessary.
You already see it with higher end security engineer roles. You see it at the big fan companies. A lot of those security engineers, they have DevOps skills on those security engineer job listings. ⁓ We forgot to mention Python. We mentioned everything else. We forgot to mention Python. Again, for more automation, right? comes back to the, remember how we were talking about getting all these certs and up-skilling. It's kind of the same ideology where,
We need to keep getting better and staying up to date. By the way, guys, a lot of people kind of complain from this, from an outside perspective about, my God, IT network and cloud cyber is so much consistent upscaling and studying. How's that any different than a lawyer with new law coming out? How's that any different from a doctor with new diseases, with new medication, accountant with new tax code and tax laws coming out? Like, hello? there's, ⁓ even a contractor, a concrete.
Mikey Pruitt (46:32)
I'm accounted.
David Huynh | KnowFatigue (46:43)
roofing, electrician, there's new materials being developed, there's new tools getting released, and you need to stay sharp, you need to stay up to date. ⁓ So yeah, I mean, it just seems kind of, I don't know, entitled, kind of sensitive to be complaining that it's like, and let's not forget that we got into IT and cyber for this amazing, know, hybrid remote lifestyle, pretty healthy salaries. ⁓
And that, my God, it takes work to get into it. It takes work to keep that job. I don't know what to tell you guys, but it's a necessity and you're gonna have to do it. So ⁓ Python, DevOps, yeah, AI, yeah, yeah.
Mikey Pruitt (47:28)
AI. AI not like the basic copy paste. That's actually pretty good advice.
David Huynh | KnowFatigue (47:33)
Yeah. I call it skills inflation or job inflation, because it's like what it took for a security engineer to get that job five years ago, to get the job and keep it five years ago, is not going to be the same skills and competence and knowledge that today or tomorrow it's going to take for a security engineer to pass that same interview at that job.
Mikey Pruitt (47:39)
Yeah.
And that's why you're worried about junior positions, because it's harder and harder to get those.
David Huynh | KnowFatigue (48:03)
I remember how hard I worked just to break into as a level one. I had eight certifications and I was 70 % done completed blue team level one. And that was the only thing that taught me genuine skills. There's others, there's a lot more options today guys. There's TCM security PSAA, there's a Tri Hack Me SAO one. There's tons of options for genuine hands-on skills, how to get the job done as a level one.
All my other certifications didn't teach me Jack for like really, I had C, not, I don't even know if I want to call them out, but a certain C name organization with a certain C name for liter acronym certification that was kind of hard and expensive to get. Yeah. It did not teach me how to ⁓ analyze a phishing email. C Y S A plus. So.
Mikey Pruitt (48:37)
Hands on.
I know you're...
David Huynh | KnowFatigue (49:03)
And maybe I'm at fault for expecting that, but I mean, it is called cybersecurity analysts plus and the cost and expense of everything. But so I, you know, again, just to throw back to the whole security certification conversation, you guys got to pick and choose your time, your energy, the value of it. ⁓ I'm not saying CYSA plus is completely worthless. don't forget GovTech role. CYSA plus ranks pretty high on their certification listings. And it definitely looks good to have it, but
in terms of actually genuine skills and getting the job done and being able to carry yourself at an interview competently.
So to bring that all back with the whole job skills, inflation. That's why I worry about it with more juniors, because I still remember how hard I worked. And I'm not saying this to toot my own horn. I just I've been told consistently that I'm a hard worker, probably ranking in above average in terms of work ethic, discipline, bodybuilding, Marine Corps, whatever you want to call it. Eight certs in like six months, 24 certs already, like whatever you metric you want to call it. But I'm thinking to myself,
If it took me that much work for me, and technically I'm an above average work ethic and discipline, how much are other people going to struggle if they don't have the same level of ambition and discipline and maybe they don't have the finances to compete with somebody as ambitious as me neither? You know, there's so many things I think about. I'm not saying I can't say, you know, we can save everybody, but it's just a concern and I just think and I wonder, you know.
Mikey Pruitt (50:42)
I think you're saying like if you want to be successful in almost anything, not just your career, if it happens to be cybersecurity like you at some point, and we, this is actually how we started is that you have to get into beast mode. I'm going to call it because you brought up your bodybuilding history and you have to laser focus on that goal and you have to get there. Whether that is now including like AI workloads and workflows.
Like you have to get down to the basics. You have to master them. And then you have to get to the next level and just keep going into beast mode and get there.
David Huynh | KnowFatigue (51:24)
big proponent of personal development as well. I'm talking books, I'm business, I'm talking social skills, I'm talking just overall success. So there's so many words and sayings and analogies that kind of assist with that. Like, you guys know the definition of insanity is doing the same thing over and over again, and expecting something different, a different result. Well, a similar saying to that is if you want something you never had, you need to do something you never done. Right? ⁓
I think about the tattoo on my back, I got it of a phoenix, know, dying bird, ashes rise again, blah, blah. And it's kind of a symbolic of like the old complacent, lazy victim mentality, making excuses, whatever, I procrastinating. The old version of you needs to die so that the new version of you can arise, right? ⁓ Some people get dirty and nitty gritty with it. They just say, you got to sacrifice and hustle and grind. There's some aspect of that too. Whatever.
whatever saying, whatever mentality trigger, switch, whatever you want to call it that activates you guys to get into that mental place of consistency, discipline, beast mode, whatever it may be. You know, you're going to have to do that. ⁓ And everybody's motivating factors are different. Me, kind of lean into anger and hate and darker places a little bit more. They motivate me a little bit more. Like me getting from being overweight, obese, the motivation to get into bodybuilding and
Mikey Pruitt (52:44)
Motivate.
David Huynh | KnowFatigue (52:51)
bulking and cutting was like kind of anger and self hatred of like, hate this version of me. I hate feeling like this. I hate looking the same year after year. And I can't stand to live like this anymore. That was my brain and my motivating factor. But for somebody else, it could just be, hey, I want to train for a triathlon or hey, my first child is on the way and they want to be a better role model for that child. It could be for...
Everybody's situation is different. the motivating factors are going to be different. ⁓ But yeah, you you mentioned that to getting in and this is for anything getting started is almost always the hardest part. Change is generally uncomfortable, chaotic, even borderline violent. Change is not comfortable. But did you guys expect it to be? You know, doesn't that sound a little absurd? So those are kind of
success, self help from all different types of books and self-made millionaires and billionaires and people I look up to. So many different motivators that I've kind of just threw all at you guys at once.
Mikey Pruitt (54:03)
I was just, I was just thinking there's a book buried somewhere in there, David Winn. No, like coming, like coming from you or maybe, maybe a stage or something, a book or a stage from you. Because like you say you're, you're like, this is what I learned, but it's like, you're also living that now. So maybe, and, and, and, and honestly, I think the podcast that I've seen you on and our conversation today, like you're, you seem to be.
David Huynh | KnowFatigue (54:07)
There is, there's thinking grow rich.
⁓ from me,
Mikey Pruitt (54:32)
on this earth to motivate people. So I would encourage you to go do more of that.
David Huynh | KnowFatigue (54:38)
That impacts me a lot, Mikey, because again, you're not the first person to tell me that, it's perhaps. Perhaps.
Mikey Pruitt (54:46)
Alright, well look for David Huynh on a stage near you. Thanks for coming to chat David.
David Huynh | KnowFatigue (54:52)
Absolutely Mikey, thank you for inviting me, thank you for having me.