Cybersecurity isn’t ready for the conversation about how bad sexism and ageism are in the whole pen test / red team community, or how influencer culture and the saturated market are enabling it to get worse. https://www.linkedin.com/pulse/tryhackmes-advent-cyber-2025-zero-women-creators-look-josh-mason--rz7ie?utm_source=share
TryHackMe's Advent of Cyber 2025: Zero Women Creators - A Critical Look at Representation in Cybersecurity Education

THE PROBLEM 18 creators. Zero women.

Cybersecurity also isn’t ready for the conversation about how we as an entire industry trick young men into perceiving red team as a way to be legally allowed to be a high tech, vigilante thief and then hire them for crap salaries to write repetitive and futile vulnerability assessment reports.
Women and older career switchers are generally not even exposed to red team as an option of interest that they’d be good at using socialized skills, which is kinda crazy when the most ignored people in society who can pretty much walk in anywhere are older women. Instead we portray it like esports.
In conclusion this is screwing over everyone except five problematic red team “rock star” seniors in a trench coat.
@hacks4pancakes I tried looking for youtube videos on red teaming and it is mostly a bunch of white bald guys wearing tactical gear. It is depressing how gatekeepy red teaming is cuz someone like me would be really good at it.
@alex02 @hacks4pancakes I have yet to see a real red teamer in tactical gear after being in infosec for nearly 35 years. It's only the wannabes that do that.

@afx @alex02 @hacks4pancakes Maybe they're that good! Maybe they're that good? Maybe they're... That... Good?

I think too many people watched Tiger Team. It's the same with (proper) locksmiths, except we actually walk the walk.

@Dss @afx @hacks4pancakes tactical gear should be reserved for breaking in the middle of the night when every other option is exhausted, but even then, most tactical gear I find impractical even for in the middle of the night breaking in.
@alex02 is there any actually good infosec content on youtube? I have yet to find any that are more than a dude mumbling into a cheap headset mic while showing off how fast he can type while totally failing to explain what's going on.
@gilgwath it is mostly influencers and it is so bad that I thought about making my own channel where I just talk shit over retro games I emulate and record.

@alex02 @hacks4pancakes

I was in a webcast panel discussion where someone said something about red teaming having an overrepresentation of middle aged white dudes in black hoodies and, being a panel discussion, you could see all the participants. A plurality of participants were middle aged white dudes in black hoodies.

@rk how ironic which also would cause problems since a lack of diversity limits what could be done especially for stuff like social engineering. @hacks4pancakes

@hacks4pancakes
I don't mean to laugh, but this is quite the thread to read while spouse and I are at the tail end of our fifth rewatch of _The Americans_

<insert Margo Martindale gif here>

@hacks4pancakes

This is disappointing. Am I misremembering, or didn't they have several women in previous years? I wonder what changed that allowed this to happen.

I also wonder if the speakers had any insight or awareness, or any opportunity to inquire before they accepted their roles. I'm speculating that it's probably not like a panel (or rather a "manel") where you would know who your fellow co-panelists are, but maybe I'm wrong. But it still leads me to wonder if there's a way to inquire and issue demands after your proposal has been accepted. What's the best practice here for prospective speakers submitting to a CFP or responding to an invite?

@hacks4pancakes
The sad thing is that penetration testing is fun. It's basically hammering every solution you can think of at a puzzle you can't see, often having to adapt on the fly to information as you get it, especially when you are pulling off physical or social methods.

It honestly should be for everyone.

@hacks4pancakes older women are managers, aren't they? 😬
@sortius totally not stealing anything
@hacks4pancakes nope, if you're wearing the right pant suit, you won't even be seen

@hacks4pancakes this is one of the *advantages* to transitioning over 50.

With very few exceptions I'm not expected to perform femininity in the same way that a woman in her 30's or younger would be; for most people I'm post-sexual and in a different category completely.

@hacks4pancakes that's advantageous for those older women who do go into red teaming. If it were a common thing, they'd become suspicious, too.

The stereotype of the young male in the hoodie is very useful for those who aren't any of those things.

@mweiss @hacks4pancakes

The advantages do not outweigh the problems.

@hacks4pancakes I'm charismatic. I've spent my career in info tech. I've founded successful companies. I am also a middle aged to older woman. I have great skill in finding points of entry, while being so charismatic and fun that the fact that I walk out with half a dozen ways their security is being compromised is never even noticed. There are so many ways women in their 50s could run pen testing, because we understand how the c-suite works, and what their admins have to manage.
@hacks4pancakes Be an older white woman going into somewhere with an expensive purse and you can basically social engineer anything.
@MisuseCase @hacks4pancakes The equivalent of wearing hi-viz and having stripy warning tape and hard hats.
@hacks4pancakes Also: Mary McDonnell as Liz Ogilvy in "Sneakers".

@hacks4pancakes I once witnessed well-known European red teamers get into a push up contest at a conference after a few beers…

In the industry, a self-perception of “I can hack it, I am so much better than the people who build it”, really feeds into this male ego culture.

I think we need to emphasise our purpose as red teamers is not to show how good we are but to help organisations understand weak spots and attacker behaviour. We should view red teaming as tricky puzzles instead of being vigilante mercenaries.

@hacks4pancakes hahahaha yeah…

from the “fixing reported issues” side, there’s no way that doing these standard web assessments is something I’d want to do for more than a year

@hacks4pancakes
"crap salaries" and "futile vuln reports" is discouraging. do exceptions exist? I'm considering a career shift and "break business code" sounds a lot more motivating than "build business code". (my poor ADHD engineering brain is a mess that way)
@hacks4pancakes
(to be fair, "break and then fix business code" might balance in the positives)
@hacks4pancakes The funny thing is that seemed pretty obvious on looking at the actual jobs (the real security jobs aren't for corpos, they involve actually doing the maintenance (technical and social) that they want to cheap out of). No, this is no Watch_Dogs shenanigans.

This is clown hour regulatory "compliance" at the lowest possible cost with next to zero accountability.
@hacks4pancakes seriously, the whole idea of the "hero solo operative" is something that is really the domain of young men, and it's far from the most effective technique

@hacks4pancakes Strange how in a country with so many tech experts they couldn't find women speakers.

Recently I attended #Kawaiicon2025, a #Cybersecurity / #InfoSec conference in Aotearoa New Zealand, a country with just over 5 million people living here. They found an assortment of credible and interesting speakers who were men or women or nonbinary (NB). Same with panels. And organisers, which helps. The participating audience was still more men than women or NB, but anyone attending would have found peers.
https://kawaiicon.org/talks/

A fully sponsored Girl Geek Dinner pre-con welcoming event was also held.
https://kawaiicon.org/con-events/#girl-geek-dinner

Calling out manels (all male panels) is brave work and it's helpful when men do the "Do Better" call.

@Kay @hacks4pancakes as someone who has been arranging a small conference for a decade (securityfest.com), I have to tip my hat to them. That’s well done. We’ve had the immense pleasure of being able to attract diverse speaker lineups over the years, but it’s a real struggle every year and it does require a lot of active work.
@hacks4pancakes
My limited understanding, from working in a CIO's office, is that good cyber security requires a range of skills and ways of thinking; a gaggle of young white blokes will struggle to achieve this.

@hacks4pancakes Crazy how much of this is cultural, or lack of leadership. At DEF CON Bahrain easily half of attendees were women with skills.

I asked why so high, and an answer I got was that the King's wife years ago wrote a letter to the government agencies saying (essentially) that for IT Director positions, if there are two equally qualified candidates and one is a woman, then you choose the woman. Now, years later, they have equal representation.

@hacks4pancakes a mono-culture reduces the set of ideas explored… very bad for red teams…

A mono-culture of well off white men who can confidently walk through high crime areas without worrying (I’m in that group) perceives far fewer threats than marginalized folks. This is a huge negative for red and blue team.

Net-net, it’s fucking stupid not to engage with a broad set of folks when red teaming.

@hacks4pancakes I’m not sure it’s wise to use a subtitle that I would have suggested. Well played for slipping it in.

#rimshot #humor #ThreeInOne #NowFour

@hacks4pancakes wtf? Why did they do that this year? Usually they have at least 2-3 women on the advent of cyber. I haven’t even seen the lineup for this year.