Cyber Snake Oil: Badges, Bragging, and Bullshit

Intro

The LinkedIn Legend is someone I used to work with directly. I know some of their background, and it isn’t good. I’ve since seen this Legend inflate their education and the scale of their business, and present themselves as an authority when they demonstrably aren’t. I see the Legend’s posts and worry that one day a client might hire this person, make security decisions based on their recommendations, and face some devastating consequences.

The Follower Farmer is someone I’ve never met, but I’ve watched them from a distance for some time now. They’re a moderately popular “influencer” in the infosec space, the kind who has built a following through a steady stream of content that can look like expertise to the uninformed eye, and, I suspect, through some less ethical transactions. The Farmer sells training, pushes referrals, reviews courses, and speaks at conferences. I’ve watched the Farmer struggle with the basics, not once, but repeatedly. It can look like the pressure of recording, maybe some nerves, but the mistakes are just a bit too much. I’ve tried to give the Farmer the benefit of the doubt.

The doubt comes back stronger and stronger, and it sits too uncomfortably.

Why does it sit uncomfortably? These people build their business on perceived expertise. They sell their training, skills, expertise, advice, and referrals: they operate on trust. I’m not saying this person is a fraud; I’m saying I wonder, and in an industry built on trust, wondering isn’t really good enough.

The Pipeline: How We Got Here

Every industry has sales and marketing, and every industry has a sales and marketing problem; the monetisation of infosec is unsurprisingly ruthless. Scroll through any major social media platform with a tuned algorithm and you’ll find short videos selling you short courses that will turn you into an expert hacker, a real Guru of the craft. Look through LinkedIn and you’ll see posts declaring one’s skillset the best, the latest challenge pwned, the top percentage on some platform, all wrapped around the declaration that anyone can break into the industry with the right mindset and certification. YouTube channels are built around the aesthetic rather than the substance, and training is pushed by people who don’t even work in the industry. The message through all of this is consistent: infosec is accessible, lucrative, and you’re only one certificate away. All of it is wrapped in affiliate links, referral codes, sponsored reviews, and a financial model that pays out whether you succeed or not. The Follower Farmer doesn’t care if you get a job; they just want you to click the link.

This pipeline doesn’t really sell courses or certifications; it sells a narrative that infosec is a direct entry point rather than what it usually is: a pivot. Most people who work in infosec arrived there as a natural progression from years spent in IT, networking, systems administration, or development. The foundations that make security work intuitive to its experts, like understanding how a system behaves before you learn how to break it, don’t come from a pentesting course; they come from time and experience. The pipeline doesn’t sell you that story because that story doesn’t convert, it’s too long and boring, so you’re sold a shortcut instead, optimised for the badge rather than the knowledge the badge is supposed to represent, and you arrive underprepared with a bill you can’t split with the person who sold you the dream.

The Flood: What Washes Up

The pipeline has its consequences, and they show up at the application stage. The certifications are real; they have a real name on them! The understanding behind them often isn’t. A candidate can present well on paper, hold the right credentials, and recite the theory without being able to apply any of it. This is the predictable output of an ecosystem that taught people to optimise the credential over competency.

The market is flooded. Everyone at the “junior” level can feel the water rising. Legitimate career pivots from those who took the slow path, with years in something like networking, are competing against a wave of candidates holding the same badges but without the foundation. The certification that once signalled something now signals less; it has been gamed. Employers have raised the bar and demand more experience and more credentials, and those without them complain without realising they’ve been sold a lie. The Farmer spruiks a new course and says it’s essential.

The flood isn’t producing professionals, it’s producing performers. We’ve all learned the vocabulary, earned the certs, and absorbed some surface knowledge, and we still can’t get a foot in the door. We see another post about how the industry has a talent shortage, and that shortage is being weaponised to rush people through, but a warm body with a certificate was never the answer to a quality problem.

The Cheat: The Badge Becomes the Point?

When the goal is presented as a credential rather than a skill, does that start to rationalise cheating? Not morally, of course, but economically, psychologically, or practically. We aren’t sold a journey, we are sold a destination, so we optimise our journey for the destination and miss all the important parts along the way.

This shows up everywhere once you know what to look for. HackTheBox profiles built on purchased writeups, with no genuine understanding behind the flag entered for each box. TryHackMe percentages achieved through repetition and hints, worn as proof of ability in a LinkedIn headline. Certification braindumps sold and traded, reducing qualifications to a memorisation exercise. The platforms do try to combat it, and it isn’t easy, but the community and the wider industry enable it. The Farmer will never mention any of this, because they’ve engaged in it: they’ve reviewed large, challenging environments that usually take weeks and appear to have completed them in an hour. If they ever acknowledged any of this, they would have to acknowledge what the pipeline produces.

If misrepresentation is the foundation, it moves all the way up the structure. People put it into their CVs, their LinkedIn profiles, and their job applications. Roles are inflated, responsibilities exaggerated, and the experience somehow evaporates entirely after a minute of technical conversation. The LinkedIn Legend is the logical extreme of a culture that taught people the performance of expertise is a reasonable substitute for the thing itself. In any other safety-critical industry this would be a ginormous scandal. Imagine a doctor who cheated their way through medical school, or a civil engineer who faked their qualifications. In infosec we look the other way, out of fear of being labelled a gatekeeper, or of having the drama that comes with exposing a fraud follow you through your career. We should be willing to say plainly that a lot of people in this industry lie, and that lying should have consequences.

The Nameless Ethics Problem

Infosec is wrapped in ethics. We have codes of conduct and responsible disclosure, certifications come with ethics clauses and lessons, and the entire value proposition of the industry is built on the assumption that the people doing this work can be trusted to do it honestly. We constantly talk about trust, so why does the community go quiet when one of our own lies?

There is a particular discomfort when someone calls out misrepresentation in infosec. The accused cries gatekeeping, their audience rallies, and the concerned party is forced to defend their motives rather than the substance of their claim. This is an effective defence mechanism, and it will keep being exploited for as long as it keeps people silent. It’s easier to scroll past the LinkedIn Legend’s latest post than to say publicly what you know privately.

The ethics problem doesn’t just apply to these little liars; it applies to the entire industry for as long as lying is rational and rewarded without consequences. Vendors sponsor the Farmer because reach is more important than rigour. Smaller conferences platform speakers because they aren’t aware of the truth and the name will draw a crowd. Affiliate programs reward salesmanship over actual expertise. The incentive structure doesn’t reward substance, it’s too busy rewarding performance, so why are we surprised we’re getting performers? Clowns? The Farmer has real clients and the Legend has real followers, and this puts people in danger.

The Real Cost

Performers will be on the stage and clowns will be at the circus, and this is where the cost moves from abstract to real.

The aspiring pentester who copied writeups without understanding them gets a junior role and produces reports that give clients false confidence in their security posture. This isn’t hypothetical; it’s the predictable end of a pipeline that was never designed to produce competence. The Farmer collected their referral fee at the start of this, and they won’t be there at the end of it.

Then there’s the LinkedIn Legend. A client finds their profile, it looks impressive, the credentials check out on the surface, and the business looks established. They get hired. They make recommendations. They have access to systems, to sensitive data, to the architecture of someone’s security posture. And somewhere along the way the gap between the profile and the reality opens up, either quietly, or in the middle of an incident when it matters most. The devastating consequences I spoke of before aren’t just dramatic anymore; they are the reality and the conclusion of trusting someone who was never trustworthy to begin with. The real cost is paid by the person who couldn’t get the entry-level job despite doing it all right. It’s paid by the organisation that hired on inflated credentials and found out the hard way. It’s paid by the client whose breach could have been prevented by someone who actually knew what they were doing. The snake oil salesmen have long since moved on to the next sale.

The Community Has to Care

This isn’t a call to make cybersecurity an exclusive club. It isn’t an argument that career changers don’t belong, or that certifications have no value, or that content creators can’t contribute meaningfully to the community. Some of the best practitioners I know came from unexpected backgrounds. Some of the most valuable learning resources I’ve used were made by people with an audience.

This is an argument that the community has to care about the difference between substance and performance, and right now it demonstrably doesn’t. We have built an ecosystem that rewards confidence over competence, reach over rigour, and the credential over the knowledge it’s supposed to represent. We have let the fear of being called a gatekeeper silence legitimate concern. We have watched people lie and looked the other way because calling it out felt like more trouble than it was worth.

It isn’t more trouble than it’s worth. Not when real clients are trusting real recommendations from people who aren’t qualified to make them. Not when the next generation of practitioners is being shaped by Follower Farmers who may not know what they claim to know. Not when the LinkedIn Legend is one good pitch away from a contract that could end badly for someone who had nothing to do with any of this.

Polite scepticism is not gatekeeping. Asking someone to demonstrate what they claim to know is not bullying. Saying plainly that the incentive structures propping up this ecosystem are broken is not drama. These are the minimum requirements of an industry that takes its own ethics seriously.

Will I stay silent and keep buying the snake oil? Probably.

19/03/2026
