I’ve been in the IT space for two decades in some form or another, and firmly in infosec for the latter half. I’ve worked support, and I’ve managed that same support team. I’ve automated, I’ve documented, I’ve coded, broken, fixed, and reported. I’ve hacked, a lot. I’ve mentored, and been mentored in turn.
You can find me here:
and if you want to know more, read on:
My Career In A (Large) Nut Shell
What follows is the not-short story of how I ended up where I am today. It’s somewhere between a resume, a cover letter, and a biography. Grab a snack.
Middle School
I started programming in the 8th grade, learning BASIC for the TI-83+ calculator. Our math teacher had introduced us to this functionality in order to teach us about functions of some sort, but that lesson was lost on me at the time. I was hooked. I read “Chapter 16 – Programming” without ever having studied programming before. I don’t think I had even seen code before. “Chapter 17 – Activities” had me plotting pixels to form a Sierpiński Triangle. I was making dice-rollers for our D&D group, formula solvers for math tests, and generally doing a disservice to my neck vertebrae by staring down at that screen for hours.

Around that same time I would get my first computer – a Windows XP machine – and a printer to go with it. We had Internet by then, and I passed many nights finding games written in Assembly for the calculator. There was a whole black market back then in our middle school for these games. Block Dude in particular was a hot commodity, and if you were even remotely serious about things you ran Mirage OS (or “Mirage 5” as we thought it was called). I did not end up learning Assembly in those days, mostly because it was a bit advanced for me and we didn’t have nearly the amount of learning resources we do today.
High School
In high school, things really took off. I taught myself perl as my first “real” language, and had a lot of fun using WWW::Mechanize to scrape websites. I enrolled in an elective class covering C++, as well as one that advertised web programming, but which just ended up being HTML and JavaScript (in Dreamweaver…). The C++ class was a highlight of those years – my friend and I made a proper D&D game, or as close to it as we could manage; the class stopped short of teaching functions, so everything was a mess of global variables and goto statements.
Two other core events occurred in my Freshman year which would shape my career trajectory for the better.
First, I discovered hacking. For the life of me I can’t recall what I was reading, but somehow or other I came to learn about cross-site scripting. And of course, being 14, I tried it on some random site’s search box. And it worked. Even two decades later I still remember that first rush hitting me. It was reflected XSS, and I sent a few payloads to my friends to show off, but that was as far as I took it. Over the next few months I learned about SQL injection, PHP, hex editing, IRC, Phrack, buffer overflows, Samy, exposed directory indexes, electronics, and so much more. I saw Hackers for the first time.
Second, my Windows XP machine blue screened. I was talking with my girlfriend over AIM when it happened, and a reboot didn’t fix it. I was able to get into a DOS console and I knew enough at that time to navigate around a bit, but my troubleshooting options were limited. Dismayed, I checked online at a friend’s house for a fix, and someone recommended installing something called Ubuntu.
Folks, I called Best Buy and asked if they sold Ubuntu.
Needless to say, they did not. But through a series of web searches and emails to something called a “LUG”, I was able to get an ISO for Ubuntu 7.04 burned to a CD and installed over my dead XP box. I struggled at first, wondering why this supposedly “awesome” OS couldn’t even run a .exe file. The terminal was not new to me but these commands were. But as with the hacking and the programming, I spent several months hooked in, occasionally needing to reinstall the OS when things broke.
College
After graduating high school, I enrolled at Century College to pursue my Associate’s in Computer Forensics. I chose that degree because, excepting Computer Graphics (which was not something that held any interest for me), it was the one computer-related area I had zero experience with. I had learned programming and networking and databases and security and Linux in my high school days, and “Computer Science” was too broad for my liking, so Forensics it was. Experientially, I enjoyed it. Practically, I have utilized it maybe two times in total. So it goes.
My First IT Job
My first IT job was in 2012 as a sysadmin at a local ISP called US Internet. It was my first “real” job at the tail end of my time at Century. The bulk of my short time there was spent handling support tickets, and migrating the monitoring platform from [REDACTED] to [REDACTED], a process that let me flex my programming skills and get a first taste of automation. Using a combination of perl and python, I was able to convert the config files between the systems and cut the work down tremendously. This was a trend which would continue for most of my career. It was a short gig however, only six months, before I was on to other things.
As it would turn out, “other things” would mean a brief stint in retail (which I loathed), a summer doing landscaping (which I loved), and a non-trivial amount of time in a restaurant kitchen (which I loathed and loved). Honestly, I think more people in IT need to work some of those jobs so we can appreciate how good we have it; I have yet to be burned by hot oil or stung by hornets in infosec *knock on wood*.
Nagios – Support Technician
My next job would signal the true beginning of my IT career, at a place called Nagios, which does infrastructure monitoring. And as luck would have it, I actually had quite a bit of experience configuring Nagios. The interview process went smoothly, and I started in September of 2013. I have a lot of fond memories of that place (and, truth be told, some not so fond ones) and I am proud of my work and my team in those early days. There were 12 people when I started if memory serves, and about 45 when I left in 2018.
I started as a Support Technician, and that was an absolute trial by fire. There were five of us, and we learned whatever we needed to in order to fix the customer’s server: database optimization, firewall administration, package management, performance tweaking, you name it. We dove in and out of C and PHP to fix bugs when the devs were too busy. We hacked together solutions on the fly which ended up holding for years. I probably learned more there than at any other single job since.
I also gave two talks while there at our annual world conferences, if you’re at all interested:
- Trevor McDonald: Monitoring The Physical World With Nagios and Arduino – Nagios Con 2014
- Trevor McDonald: Nagios XI Under the Hood | Nagios Con 2015

Nagios – Support Manager
In February of 2015, I was promoted to Support Manager. This was a major high point in my career then, and I still count it as one today. I was a capital-M Manager, and had the pay to match. By then the company had grown, and I had between 4 and 8 people under me throughout the years. I improved processes and documentation. I was the POC for the security@ emails. I handled escalated tickets. I taught 20 interns. I did performance reviews. I approved PTO. I allocated bonuses. I cross-trained people. I hired people. I had to fire some.
I was a capital-M Manager.
But, being a technical person at heart, I couldn’t leave well enough alone. Our QA was still a very manual process, and I wanted to automate it. We had a big whiteboard with a grid of tasks to complete for each release, and to my mind this was a perfect starting point. Without giving too much away, I spent a few months with Jenkins, Ansible, Docker, Testcafe, and some one-off scripts I wrote. At the end of it, we had a push-button solution for automated end-to-end QA from installation right on through to UI testing.
Nagios – Operations Engineer
So naturally, in 2017 I voluntarily traded my Manager title for an Operations Engineer one. I continued down this line of work until my last days there. I worked with the Sales team to build the “Find A Partner” web page (which is, to my delight, still in operation largely unchanged). I automated license renewal reminder emails, leading to (if memory serves) something like a 10% increase in renewal revenue. I leaned more heavily into development, helping pare down a backlog of bug and feature tickets. I found and fixed vulnerabilities. All while frequently landing in the top 25% in CTFs on weekends.
As almost a side note here, a co-worker and I founded a consulting LLC around this time called Gray Duck DevOps. We didn’t land a single client doing DevOps work, but I would later do a few freelance pentest jobs (spoiler alert) through it. My business partner mostly handled the admin and paperwork side while I did the consulting. It was a learning experience for sure, but we shuttered it in 2020.
DC612
Up until this point, security was just a hobby. It was not a major part of my day-to-day, but when a vulnerability report would come in or I’d find one myself that was a good day. In 2016, I took over running the local DefCon group DC612. I had been attending for years by then, and the previous leader stepped down so I asked if I could run it. He said yes, and this would turn out to have several really positive career impacts over the following years.
Freelance
The first is that at the end of one of our meetings, a gentleman by the name of Josh More (who I respect greatly) asked if anyone would be willing and able to take on a penetration test a client of his needed. He stressed that he wanted it to go to someone who was trying to get into the field, which I was. Being the group leader I didn’t want to be the first to jump on it, but when nobody else did he got my contact info and we started talking.
That first penetration test was another high point in my career. I was terrified. Impostor Syndrome set in immediately and didn’t let go until the check cleared weeks later. I had very little experience with network pentesting, having spent considerably more time in the web space. I Googled my heart out, staying up reading articles until 3AM some nights, to make sure I got it right. This was where I learned about Responder, and hashcat, and where I got to practice using Metasploit. So many of the things I read I ended up not using on that test but would lay the groundwork for the future.
I got Domain Admin, and that feeling of popping my first XSS in high school came back in full force.
At this point, I considered moving on from Nagios. There were some things going on at work which I won’t get into here, but suffice it to say they were taking a toll on my mental health. And besides, I had some real security chops now. I took on a few more tests from Josh and started building up my resume. I also learned that my girlfriend (now wife) was pregnant. I had significant motive to move up in life.
They did name an office after me though, which is cool:

RedTeam
By pure chance, I ran into another gentleman at a local security conference after-party in a bar. I hadn’t even attended the conference, but the party was open to whoever. He was the only person there who didn’t look like an IT worker. Tattoos, piercings, shaved head, goatee. More a biker than an admin, so of course I introduced myself. Turns out, he was looking to hire a penetration tester for a small consulting firm called RedTeam Security. I’d link to them, but they’re no longer around, having been absorbed at some point in the past few years.
I applied, I interviewed, I got the job. Another high point. I did have to take a pretty hefty salary cut, but it was manageable and worth it in my eyes. RedTeam was even smaller than Nagios, having I believe nine or ten people total, two of whom were not involved in the daily operation. Four of us were testers, and we had two sales people and two managers. It was great. We hacked, we drank, we played Hackers on VHS in the background. My son was born (high point). I got in shape (high point). We traveled across the country. I did my first (and so far only) physical pentest, a successful one I might add. And I learned, and improved, and automated, and coded. I’d happily work with any of those testers again.
I was a capital-P Pentester. It was a good time.
Until I applied elsewhere, they called to verify my employment, my manager learned about it, and things went south. Not a story to get into here, but it rapidly accelerated my decision to leave.
Surescripts
Once again, running DC612 would prove to be a career booster. A regular attendee reached out to me on Twitter and we connected and started talking. He was building out an internal red team at a place called Surescripts and wanted me to be his first hire. He had me apply for the Senior Information Security Testing Analyst position, and I landed an interview in late 2019.
Everyone thought I was a good fit, except for one person. Culturally, they were all in agreement. But he had some reservations about the Senior part. And honestly, looking back at it now he was right. I was on the cusp. Probably another year and I’d be there. But thankfully, after some consideration they offered me the non-Senior role and I accepted, starting a day before my 29th birthday. Another high point.
Now out of respect for my current employer, I’m not going to go into as much narrative or technical detail of my current role publicly. You can see the highlights on LinkedIn. Suffice it to say, there is a reason I’ve been there for nearly six years at the time of writing. I landed a promotion to the Senior role in 2021, about a year and a half after starting. COVID hit and we all started working from home. We got a second pentester, who I mentor. I assumed ownership of the Security Champions program, which I run to this day. My boss got a promotion to Director. A new Manager was promoted between us, but I mostly kept working with my first boss. Then he (first boss) was let go. I stepped up to take over some of his responsibilities and started learning about the blue team side of things. I discovered I quite like it. I’ve been doing much more of that this past year, learning about SIEM and SOAR and IR and generally mentoring and supporting that side of the house as well.
If you want to know more about my current work, feel free to email me. Instructions on the home page.
More Freelance
Shortly after COVID, DC612 would once again provide me with a career trajectory alteration. Yet another gentleman – I believe that makes it four now – who I also respect greatly reached out on our Discord asking for help with incident response. Specifically, a client of his had their site hit and infected with a webshell and he wanted a forensic analysis and cleanup. Similarly to when Josh asked if anyone wanted to do a pentest, I deferred to the rest of the group but nobody spoke up, so we started talking.
The work that man sent my way over the next few years and continuing today literally paid for the down payment on my house. It’s no exaggeration to say that I would not be where I am without him.
Today
So that’s my life story, or at least the infosec parts. I officially received my CISSP approval today (October 24, 2025), which sort of prompted the creation of this site and this writeup. There’s only so much you can put into a resume and cover letter, so I figured this could provide some context for anyone who is interested. It also was nice to reminisce about some of those periods of my life.

The Future
I don’t know what the future holds, and that’s probably a good thing. But my plans are to continue learning, stay curious. I am two-thirds of the way through the CISM study guide and I plan to take that exam in a month or so. I am passively studying Swedish (I love world languages, and have a working proficiency in Spanish). I might write about some more of those non-tech things, because I think it’s important – especially for those just getting into the field – that people see there is more to life than bits and bytes.
At any rate, thank you for reading.