🔥 Rebooting the Worst Interview of My Life
A Hard Reminder on Why I Don’t Do Free Work — And Why You Shouldn’t Either
Hello, Hoodies!
This is a reboot of a story that needs to stay in circulation — not because it’s juicy (it is), but because it’s instructive.
Looking back on this 4 years later, it still feels surreal.
Every once in a while I re-share it for two reasons:
It’s a warning to anyone who’s tempted to work for free in cybersecurity “just to get in.”
It’s a reminder that you don’t work for people who have no standards. Period.
I don’t care if it’s your first helpdesk gig or a contract opportunity in cloud security. If the employer doesn't take their own security seriously, why would they take your career seriously?
🚨 The Setup: One Interview, a Million Red Flags
I was interviewing for a position at a small electronics vendor startup (we’ll call them SnapElectronics), doing what many of you are doing right now: shotgun-applying through job boards.
They liked that I knew Python and ELK, so they sent over a challenge. Normal so far. But here’s where it gets wild:
They emailed me credentials to an Elasticsearch cluster. No MFA. No expiration. No indication the data was fake.
I log in...
Boom. It’s not a test environment.
It’s prod. Full access. 1 million+ records.
Oh — and their public website was tied directly to this. As in, you could search “USB Connector” on the site, and the data you were supposed to fix was live in the production pipeline.
This wasn’t a test. This was an outsourced bug bounty, disguised as a job interview.
🧠 "Just Take a Quick Look..."
After solving the metadata issue and getting kudos from the CEO (red flag #84), they wanted to move me forward. Not for a job. For more free work.
“We’ll pay you for a couple of days to look at the API.”
They didn’t send a snippet or obfuscated example. They gave me full GitHub repo access and a secrets.env file... via email.
Let me repeat that:
They emailed me a production secrets.env file, with no endpoint control, no logging, no NDA signed at that point, and no method of secure file transfer.
🤯 Security "Plan"
I outlined my recommendations:
2FA on their cluster
Replace all keys and tokens
Remove ex-employees from GitHub
Use a secure method for file transfer
Build a security baseline before moving forward
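The first two items on that list, turned into a check you can run on a cluster snapshot. This is an added Python example, not code from the post or from SnapElectronics: it audits a constructed snapshot shaped like Elasticsearch's node-settings and API-key responses for security or TLS switched off and for keys that never expire or are already past expiry. The field names follow Elasticsearch; the endpoint shapes and every value are assumed or made up.

```python
# Constructed sample, shaped like GET /_nodes/settings?flat_settings=true (one node)
# and GET /_security/api_key. Only the field names are Elasticsearch's; values are made up.
NODE_SETTINGS = {
    "nodes": {
        "node-1": {
            "settings": {
                "xpack.security.enabled": "false",
                "xpack.security.http.ssl.enabled": "false",
                "network.host": "0.0.0.0",
            }
        }
    }
}
API_KEYS = {
    "api_keys": [
        # never expires: the "credentials that still work years later" case
        {"id": "k1", "name": "website-search", "creation": 1600000000000, "invalidated": False},
        # one-day key handed to a candidate (assumed scenario)
        {"id": "k2", "name": "candidate-interview", "creation": 1600000000000,
         "expiration": 1600086400000, "invalidated": False},
        # already revoked, so it should not be reported
        {"id": "k3", "name": "old-ci", "creation": 1500000000000, "invalidated": True},
    ]
}


def audit_node_settings(nodes):
    """Return (node_id, finding) pairs for settings that leave the cluster exposed."""
    findings = []
    for node_id, node in nodes["nodes"].items():
        s = node["settings"]
        # Require an explicit "true": pre-8.0 clusters defaulted security to off,
        # so an absent value is flagged here and should be verified by hand on 8.x.
        if s.get("xpack.security.enabled") != "true":
            findings.append((node_id, "security off: anyone who reaches the port reads everything"))
        if s.get("xpack.security.http.ssl.enabled") != "true":
            findings.append((node_id, "HTTP TLS off: credentials and data cross the wire in clear text"))
        if s.get("network.host") in ("0.0.0.0", "::", "_global_"):
            findings.append((node_id, "bound to all interfaces: reachable beyond localhost"))
    return findings


def keys_needing_rotation(api_keys, now_ms):
    """IDs of active keys that never expire or whose expiry (epoch ms) has already passed."""
    out = []
    for k in api_keys["api_keys"]:
        if k.get("invalidated"):
            continue
        exp = k.get("expiration")
        if exp is None or exp <= now_ms:
            out.append(k["id"])
    return out
```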
Their reply?
“We’re not hiring a security engineer. These things only take 5 minutes.”
Let me be clear:
If these things only take 5 minutes... then why haven’t you done them?
(I can’t tell you how much this made my blood boil. The absolute nerve.)
💀 The Hard Lesson: Never Work for Free.
Security is not charity work. It’s not a favor. It’s not a vibe. It’s a discipline, a liability, and a business risk when done wrong.
They tried to hand me a developer hat, a security hat, and a DevOps hat for two days of "paid trial work" — and still never paid me.
No contract. No offer. No ethics. Just exploitation.
🧭 Who You Work For Matters
Here’s the point:
Your first job shapes your career.
The people you let into your inbox, your repo, your headspace — they influence your security habits and your integrity.
You can’t control who interviews you. But you can control who you accept work from.
At BowTiedCyber, we train people to get hired in 90 days, but we also train them to say no to garbage employers. You are not desperate. You are in-demand.
📣 Final Word
If your company has even 10% of the red flags I described, let’s talk.
For $2K–$10K, I’ll find every way your systems can be abused — before someone less ethical than me does it for free.
And if you're still grinding to become a cybersecurity pro?
✅ Subscribe to the Substack
✅ Join the Bootcamp
✅ Send the resume
✅ Learn the trade
✅ Say no to clown employers
We don't train people just to get jobs.
We train them to be high-value professionals that employers have to chase — not exploit.
Love y’all. Talk soon.
Cheers,
Evan Lutz (BowTiedCyber)