20 years in cybersecurity. Trying to get a clue on AI.
Most of my career has been incident response, SOC operations, and firmware security. Classified environments, critical infrastructure, federal and commercial clients. 12 years in the Navy before that as a crypto-linguist.
Co-founded Trapezoid in 2011. Firmware integrity and platform trust. Got a patent on a large scale incident response platform from the Terremark days, which Verizon now owns. Have spoken at a few places.
Spent time as cyber lead on a DARPA AI/ML research program. After that, worked with two different companies that were using AI and machine learning to find bad things in cyber. Algorithms, not models. There is still a use case there that everyone seems to have forgotten since LLMs became popular.
Toward the end of February, something clicked. I don't remember exactly what it was. I just knew I needed to learn this stuff. Now.
I saw a post from Lenny Rachitsky's newsletter. "How to Build AI Product Sense." It walked you through Cursor and Claude hands-on. I didn't know what Cursor was. I was kinda familiar with Claude but not really. I did the project. Then I did almost all of the free Anthropic courses. Then I just kept going.
I picked three tools. Claude, Cursor, NotebookLM. I used them every day. I kept a daily log. I built things.
I asked AI to build me a little page to track what I was doing and it built this app in Flask (what is that even) fed by markdown files. Then a database. Then an MCP server. Then a full frontend in Next.js and GraphQL. Then I had a different model review the code and it more or less told me it was slop. So that model refactored what the first one built while I tried to learn something.
I built a landing page. I built Jupyter labs for exam prep. I registered a domain for a project called Hodjes.ai. Heavily Overengineered Daily Journal and Education System. The name gets more accurate every day.
Most of these projects are half-finished. I'm spending more time fighting tools than building some days. The UI is usually embarrassing. The speed of building isn't.
I went in thinking I needed to understand the security. I still do. But I'm starting to get a clue on how to build things with AI. That part surprised me.
Co-founder and President
Firmware security and platform trust. We built the Firmware Integrity Verification Engine (FIVE) for visibility into vulnerabilities below the operating system. IT, IoT, and OT firmware monitoring.
trapezoid.comPersonal project
Heavily Overengineered Daily Journal and Education System. Yes, it's ridiculous. The name is becoming more accurate every day. Next.js, FastAPI, PostgreSQL, Hasura GraphQL, Docker. Trust boundaries, service layers, security telemetry.
I asked Claude to build the project plan and it burned my entire usage allowance on one question. Building is going great.
Podcast
Relaunching my podcast as soon as I feel like I have something interesting to talk about. More info later this year. I miss connecting with people and having 1:1 discussions. I'm really dying to talk to people about things they are building so I can learn more.
Personal project
A Flask app that reads markdown files and turns them into a browsable website. Daily sessions, tool notes, social media posts. No database. The markdown files are the source of truth.
This was the first thing I built with AI. It's ugly and it works. Everything else grew out of it.
I only talk about things I've actually done or worked on. Happy to do that in English or Spanish.
Two published chapters. ISBN: 978-0123743541
Chapter 32: Introduction to Vulnerabilities Below the Operating System (VBOS). Firmware as an attack vector, detection strategies, real-world attacks including Stuxnet. Chapter 63: Storage Area Networking Devices Security.
Book in progress. Not yet published.
20 years of lessons. Incident response war stories, tool deployment failures, things I wish someone had told me. Written as a reminder to myself as much as anything. "Más sabe el diablo por viejo que por diablo."
BJJ blue belt. My wrestling is ok for a jiu-jitsu guy but sucks for a wrestler. My coach told me if I ever want my purple belt I have to fix my trash guard. Working on it.
The people I train with always want to strike for a few rounds as a warm up. That basically means I'm getting punched for a few rounds as their warm up.
I've done 20-something ultramarathons, a couple hundred milers, and was even a race director for an ultra in Florida before moving to Northern Virginia. That has mostly switched over to martial arts, but I miss the races and the community and hope to get back there someday and kick out a few more. I think I have at least one more hundred miler in me before hanging it up completely.
