$ cat ~/about.md
From Offensive Security to AI — My Two Decades
A narrative self-introduction. First decade in network security, second decade fully in AI engineering.
I go by c4bbage. My career started in 2012 and now, ~14 years in, I can roughly split it into two arcs — the first decade was entirely in network security, the second has been a clean pivot into AI engineering. The GitHub handle was registered in late 2013 and I've kept it ever since.
This is a narrative intro, written chronologically — not as a project list.
First decade (2012–2022): Network security
I started on the offensive side. The first few years were penetration testing, red-teaming, vulnerability reproduction, vulnerability research, and reverse engineering / cracking — writing PoCs, running red-vs-blue exercises, translating tooling docs, and reproducing every public (and semi-public) attack path I could get my hands on. That period also happened to be the busiest stretch of China's offensive security community — a wave of 0days, a wave of APTs, a wave of honeypots and adversary engagement. Most of the small tools and translations still surfacing on my GitHub date back to then.
Mid-way through, I migrated toward enterprise defense — same domain, opposite side:
- Internal asset mapping, CMDB / bastion-host tooling at production scale
- Security monitoring across 2000+ production hosts (EDR, compliance, inspections, vulnerability response loops)
- Zero-trust rollout (identity, device posture, network segmentation, least privilege)
- Situational awareness: log lake, event correlation, alert noise reduction, attack-path reconstruction
- Productized incident response — from log collection and triage all the way to runbooks, SOPs, and on-call rotations
- The unglamorous "blue side" grind in red-vs-blue exercises
The final years were closer to security-product engineering — the shift from "running an incident analysis" to "building a system that lets other people repeatedly run incident analyses." That's where I first internalized the principle that "a one-off script" and "a capability someone else can reuse" are two completely different engineering goals. This principle keeps showing up in my AI work today.
All the bits and pieces I wrote / translated during that era are sealed at the legacy-2017 tag. Not deleted, just no longer updated and no longer in the nav.
The pivot: how I switched to AI
LLMs broke through and I caught the wave. The starting point was not a top-down assignment — it was personal enthusiasm first. The moment ChatGPT shipped, I went straight to Plus; later I jumped on a Poe annual plan and worked through every model I could subscribe to. For a stretch there, basically every fragmentary task I could pin down with AI — scripts, lookups, reports, doc restructuring, small tools — got prompt-ified. The productivity gain on my actual job was visible and real — the earliest payoff from the "AI whale" route.
Eventually my boss (the CTO) noticed the enthusiasm and the concrete results, and formally folded AI into my scope — he brought in a PhD from Zhejiang University to do post-training with me, and I started building systems on my own side: a RAG knowledge base, IT agents, internal Q&A, a bunch of small tools. That was the actual starting line of my "switched to AI" arc.
Only afterwards did it sink in — the design space opened up by models + compute is much larger than the back-and-forth of defensive security alone. So I moved the main line over.
The ten years in security weren't wasted, though — the offensive habit of "assume the system is already wrong" turns out to give me an edge over pure AI-background folks when I'm working on agent runtime safety or AIGC service security.
Second decade (2022–now): AI engineering
Sliced horizontally, my work these years stacks roughly like this, bottom up:
1. Bottom layer — compute
A small training/inference hybrid cluster — a handful of nodes, dozens of enterprise-grade training cards, across two compute tiers (one primary, one backup / batch). Day-to-day comes down to keeping the cards from "lying idle, stepping on each other, or burning money."
Concretely: scheduling and isolation · idle-rate governance · slotting in off-hours work (nightly compiles, scans, async agents) · per-task cost accounting · ROI feedback into the business side.
2. Middle — AIGC generation capabilities
Text → image, image → image, text → video, image → video, super-resolution, matting, portrait restoration — this layer turns models into internal APIs, then surfaces them out to the business.
I've spent time on the training side too: full-parameter fine-tuning (up to 14B scale) / LoRA / distillation / quantization — all of them — and most recently an NTP (next-token prediction) + flash-attention speedup baseline. But I'm more drawn to model composition than to chasing single-model SOTA — cheap base model holds the floor, premium high-fidelity model gets injected only on the critical path. The cost/quality curve as an engineering problem is far more interesting than "which model is 0.5 points higher."
3. Business side
The middle layer plugs upward into a few concrete products:
- Short-drama platform — composing image gen, video gen, super-resolution into a pipeline for short-form drama production
- Art & ops tooling — the daily image / retouch / video tooling used by internal teams
- Internal learning & docs platform — so the way these tools are used is consumable and auditable
4. Top layer — the AIGC capability platform
The integrated platform tying everything above together, internally. ~60 daily active users — which sounds small, but each one of them is actually burning compute, hitting models, and generating cost. From an operations, cost-governance, reliability, and security-audit standpoint, that scale is not a free ride.
5. Agent systems (the main thread of the past year)
Most of my recent attention sits here — refactoring repeated organizational work into agentic workflows, rather than yet another one-off script.
Three lines, grouped by who they serve:
- IT agent — for IT / infrastructure: deployment, inspection, monitoring, change management
- Security agent — for the security side: inspection, daily reports, incident analysis, IR
- Short-drama agent — for the business side: script drafts, storyboards, asset generation, batch image/video output
Underneath, every reusable capability is shaped as a Unix-style small command — one job per command, structured documents on disk as the bus, an automatic check step closing every loop.
This is the same idea as the "build capabilities, not one-off scripts" lesson from the security-product era, just one decade later.
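One concrete shape of that pattern, as an added example that is not the author's code or any of the agents described above: three one-job functions, a TSV document on disk between each pair of jobs, and a check step that exits non-zero so the orchestrator refuses to continue. The function names (`ingest`, `flag`, `check`, `run_pipeline`), the `BUS` directory, the four-column schema and the "postgres or port 22 is exposed" policy rule are all assumptions for illustration, and the three-host inventory is constructed sample data.

```shell
#!/bin/sh
# Added example (not the author's code): a minimal instance of "one job per
# command, structured documents on disk as the bus, a check step closing the
# loop". Each function reads one file and writes one file; a failed check stops
# the pipeline before the next job can consume a malformed document.
# BUS, the function names, the TSV schema and the policy rule are assumptions.
set -eu

BUS="${BUS:-$(mktemp -d)}"

# Job 1: turn raw inspection output into a structured document (host, port, service).
# The three records are constructed sample data, not real scan results.
ingest() {
  out="$BUS/01-inventory.tsv"
  printf 'web-01\t443\tnginx\nweb-02\t22\tsshd\ndb-01\t5432\tpostgres\n' > "$out"
  echo "$out"
}

# Job 2: apply exactly one rule to the inventory. Services the (assumed) policy
# says must not be reachable get a fourth column with the verdict.
flag() {
  in="$1"; out="$BUS/02-findings.tsv"
  awk -F'\t' 'BEGIN { OFS = "\t" }
              $3 == "postgres" || $2 == 22 { print $1, $2, $3, "exposed" }' "$in" > "$out"
  echo "$out"
}

# Check step: a findings document is valid only if every line has exactly four
# tab-separated fields and a known verdict. Any bad line makes awk exit 1.
check() {
  awk -F'\t' 'NF != 4 || $4 != "exposed" { bad = 1 } END { exit bad }' "$1"
}

# Orchestration: stop the moment a document fails its check. Prints the number
# of findings so a caller (or a test) can assert on the result.
run_pipeline() {
  inv=$(ingest)
  fnd=$(flag "$inv")
  check "$fnd" || { echo "check failed, refusing to continue: $fnd" >&2; return 1; }
  wc -l < "$fnd" | tr -d ' '
}
```

Source the file and call `run_pipeline`; set `BUS` to a fixed directory if you want to inspect the intermediate documents afterwards. The point is that `flag` never has to trust `ingest`, and whatever runs after `check` never has to trust `flag`: each job's contract is the file format, and the check is what makes that contract enforceable rather than assumed.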
I don't try to save money on tools
Continuing the "AI whale" thread from earlier — over a few years the tooling spend has only gotten heavier, and only gotten more worth it. Engineering aesthetic in one line: models change every year; burning money to test them yourself beats reading anyone's "top AI tools" list a thousand times over.
Current subscriptions look roughly like:
- Cursor — around $3000 / month; this is the main battlefield
- Claude — long-term subscription, Claude Code is daily-driver
- ChatGPT — subscription, kept active
- Poe — annual plan, mostly for cross-model prompt benchmarks
- OpenCode and other agentic editors — rotated in for trial
I genuinely treat these tools as "an extra colleague who can write, search, and execute" — not as autocomplete. I'll write up the workflows separately later.
What this blog will cover
Blog v2 is mostly a place for me to leave thinking trails, on a loose cadence —
- AI engineering notes (compute / models / agents)
- Tooling I'm building and tools I'm trying
- Paper reading and new-model takes
- Occasional pieces from the old offensive-security beat — but no longer the main line
Contact
- GitHub: @c4bbage
- RSS: /en/rss.xml