Daemon Time with Lee McWhorter

The guest today is someone very important to me and a major influence on who I am to this day. I had the honor of speaking with him after we reconnected at DEFCON by sheer luck. This man is a legend in the cyber-security community, boasting over 30 years of experience and is a hardcore raver as well, Lee McWhorter!

How did Lee get into technology?

Lee’s journey in technology began during his childhood with the Commodore VIC-20, which ran on an 8-bit processor. Being young and eager to get more out of the machine, Lee bought a book of 101 DOS Games—a collection of source code that had to be saved onto cassette tapes and manually annotated to mark where each program was stored. When he attempted to run the games, Lee was often met with failure. These setbacks, however, sparked his curiosity. He began identifying early instances of bugs in the code and, through pattern recognition and a growing understanding of basic programming, he debugged the programs until they worked properly. This experience ignited his passion for coding and drove him to continue experimenting, eventually teaching himself the BASIC programming language.

Moving forward with his growing passion for technology, Lee continued exploring how systems worked—most notably experimenting with access to Bulletin Board Systems (BBS’s). During his research, he unintentionally gained access to one of these systems. Instead of facing backlash, the system operator reached out, curious about how Lee had managed to get that far. That conversation ultimately led to Lee becoming the system administrator for the BBS. From there, he continued his research, gaining access to numerous sites and networks, which further deepened his understanding of the early days of the internet.

Flash forward to Lee’s college years, where he initially pursued a path in architecture. However, this was short-lived. The pace of the curriculum wasn’t fast enough to keep up with his drive, which eventually led to academic suspension. Taking this as a moment to pause and reflect, Lee stepped back to reconsider his future. During this break, he found himself working as a manager at a restaurant chain. He excelled in the role and found success in his career, but the lack of vertical growth left him unfulfilled. Ultimately, this realization pushed Lee to return to college, determined to continue pursuing his true passions.

Lee earned his Bachelor’s degree in Business in 1990, graduating during a high point in the market. Opportunities were abundant, and he received a surplus of offers from a variety of companies eager to bring him on board. Rather than stepping directly into the workforce, Lee chose to continue his education. In 1992, he completed his Master’s degree in Business. Unfortunately, this achievement coincided with a recession in the United States. Unlike two years before, the market had shifted dramatically, and job offers were scarce. Despite his advanced degree, Lee graduated into an environment where opportunities were virtually nonexistent.

With no clear job prospects after graduation, Lee decided to put his newly earned degree to work by starting his own business. While operating in the business world, his clients quickly discovered that he possessed a deep knowledge of technology. This ability soon became a defining strength. Lee introduced and implemented new technologies across multiple industries—including the medical field—bringing innovation and efficiency where it was most needed. His growing reputation eventually led him to become one of the very first Microsoft Certified Instructors, a milestone that opened the door to further certifications and a deeper mastery of technology.

In his early career, Lee moved frequently before eventually returning to Texas—just before the dot-com boom of the late 1990s, a period marked by rapid growth and speculation in internet-based companies. At the time, Lee aspired to launch a standalone online education business. While that vision wasn’t immediately possible, he was able to establish the venture as a subsidiary under a marketing and communications company. This opportunity proved invaluable, rapidly expanding his knowledge of both printing technologies and web development. His skills and leadership quickly set him apart, and he eventually rose to the role of Chief Operations Officer (COO) within the company.

Fast forward to 2008, Lee stepped out of his role to launch his own company, McWhorter Technologies. Many of his former clients followed him into this new venture—most of whom remain loyal customers to this day. Through this company, Lee established himself as a managed service provider (MSP) and a seasoned cyber-security expert. Beyond running numerous websites, he has become a respected speaker at events such as DEFCON, the Texas Cyber Summit, and local BSides conferences. For Lee, the web was more than just a career—it was life-changing. From the very beginning, he recognized that it would transform the world, and he has dedicated himself to following, shaping, and contributing to that evolution ever since.

Question Time:

With our legendary guest’s background now known, let’s get into some questions! Below, in bold, are the questions I asked, followed by Lee’s summarized answers.

What are the biggest misconceptions people have about offensive security or red teaming?

Many people believe you need to be a math expert to get into a technical field like cyber-security, but that’s really not the case. A solid understanding of networking fundamentals and some coding skills go a lot further. Another common misconception comes from media portrayals—for example, shows like Mr. Robot often give the impression that you can just fire up a Kali VM and instantly become a hacker, which isn’t how it works in reality.

Do you think the certification-driven market shapes how new professionals approach offensive security?

The rise of certifications has definitely changed the industry, making it possible for many newcomers to show rapid growth. Take something like Security+ as an example—it’s intended for people with about three years of experience. But if someone can study and earn it in just a few months, they’re essentially demonstrating they already have the knowledge base of someone with years in the field.

How do you balance creativity—thinking like a real attacker—with the need to stay within the agreed scope of an engagement?

A lot of it comes down to experience. Over time, you learn how to get creative even when there are constraints. The scope and targets of an engagement naturally set the boundaries, but cost is usually the biggest factor that shapes what you can actually do. The key is to use your creativity in a way that still respects those limits—finding clever approaches without going outside what’s agreed on.

Without breaking confidentiality, can you share a particularly memorable engagement and what made it stand out?

During an incident response engagement, I came across a firewall management interface that was exposed to the internet, which posed a significant risk. On top of that, I discovered their ISP routers were also publicly facing. Those kinds of findings really stand out, because they highlight how a single oversight can create serious exposure for an organization.

In your experience, what defensive techniques or practices are underutilized, and how has its absence created security issues?

One thing that immediately comes to mind is the manual review of critical logs. The industry is leaning heavily toward AI-driven monitoring, but removing human oversight can create gaps in detection that automated systems may miss.

Another often-overlooked practice is security through obfuscation—when used within reason. For example, hosting critical web portals on non-standard ports won’t stop a determined attacker, but it can reduce noise by preventing bots that constantly crawl the web from easily finding login pages.

Finally, defense in depth is something many organizations don’t fully implement. They might block a lot of outside traffic and monitor perimeter activity, but once an attacker gets inside, monitoring often drops off. At that point, detection relies almost entirely on domain or endpoint agents, which can leave critical blind spots.

With the growing number of zero-day vulnerabilities disclosed among vendors, do you think software and hardware vendors should be held more accountable for security flaws?

Lee had two main thoughts with this rising issue:

1. Vendor accountability. There need to be real changes in how we deal with cybercrime from the vendor side. Vendors should be held to a higher standard of accountability, and part of that means providing faster, more transparent, and more detailed disclosures when vulnerabilities are discovered.
2. Banning ransom payments. Lee also believes we should outlaw paying ransoms altogether. Paying is essentially legalizing extortion, and it only encourages attackers to keep targeting companies. If we remove the option to pay, organizations will be forced to take security risks more seriously and invest in stronger protections up front.

What’s your perspective on AI as a tool for learning and practicing offensive security?

The concern right now is an over-reliance on AI. Instead of simply learning from AI, we should be focusing on learning about AI—understanding how it works and where its limitations are. We’re walking a fine line with this technology: it could empower a smarter generation of security professionals, or it could lead to a decline in deeper critical thinking and technical skills. In the end, only time will tell which way it goes.

Do you think individuals are giving away too much of their privacy?

Unfortunately, we’ve reached a point where most people have given up on privacy without even realizing it. Simply browsing the internet leaves trails—browsers can fingerprint nearly every action we take, often without the user having any real awareness. At this stage, the focus shouldn’t just be on what data is collected, but on how we can control the broader public narrative around privacy and data use.

If you could restart your journey in technology and security, would you take the same path, or change anything along the way?

Generally speaking I have no regrets about the path I have chosen in life.

Thank you all for reading! A huge shout out to Lee for taking the time to share his insights and experiences, which made this article possible.

If you’d like to connect with Lee and keep up with his work, you can find him on LinkedIn here:

Lee McWhorter - Covered 6 | LinkedIn

My love affair with technology began with my very first computer...a Commodore VIC-20. I… · Experience: Covered 6 · Education: Midwestern State University · Location: Austin, Texas Metropolitan Area · 500+ connections on LinkedIn. View Lee McWhorter’s profile on LinkedIn, a professional community of 1 billion members.

LinkedInLee McWhorter