TL;DR

  • Burnout is a goal you chose. You don’t have burnout because infosec is toxic. You chose the stress because it serves a purpose you actually want.
  • Your task ends at the report. The client’s feelings about your findings are not your task. Their defensiveness is not feedback on your competence.
  • Approval-seeking corrupts findings. If you need to be liked, you cannot be effective. The checkbox assessment industry exists because most people aren’t willing to risk being disliked.
  • Contribution > Recognition. The dev who fixed the SQLi because your report was clear will never know your name. But the security improved. That’s the measure.

The Book I Didn’t Expect

I found it in a bookstore at a shopping mall.

At that time I was at a low point, especially with socialization. I was struggling with the whole “society is for other people” thing. Didn’t matter if I knew them or not. Just felt off.

I was grinding CRTO at 2 AM, writing reports, one of those late nights where you’re either labbing or documenting. The book caught my eye. Japanese authors. Sounded weird. I checked the reviews. People said it slaps. I thought fuck it, I’ll give it a go.

It’s by Ichiro Kishimi and Fumitake Koga. Built around Alfred Adler’s psychology.

The whole thing is a dialogue between a philosopher and a pissed-off young man in a Kyoto apartment who avoids people and blames his past for everything. Think Socrates meets a hacker who just got his shell killed by CrowdStrike. The philosopher slowly breaks this kid down over five nights.

The prose is simple, repetitive, occasionally makes you want to yell OK BOOMER.

But then it hits you.

The “courage to be disliked” isn’t some Instagram quote over a sunset. It’s the willingness to do what you know is correct even when everyone in the room wishes you’d shut up and take the check.

That’s not therapy. That’s the job description for anyone who’s ever had to tell a CISO their domain admin password is Welcome123.


Teleology: Your Burnout Is a Goal You Chose

Adler’s big move is this:

You don’t do things because of your past. You do things because of your goals.

In the book, there’s this anxious guy who avoids social life. He claims past trauma damaged him. The philosopher says no. The kid uses the trauma story to justify his real goal: staying inside and avoiding people.

The anxiety isn’t the root cause. It’s the excuse he runs on himself to avoid patching the real vulnerability.

I did this for two years. Blamed the industry for my burnout. Late nights, toxic clients, the whole narrative. Then I realized I was choosing the burnout because it justified not learning to communicate findings better.

The stress wasn’t weather I failed to forecast. It was the price of admission for the goal I actually wanted: being the person who tells the truth before someone malicious does.

That’s the shift.

  • Etiology says “the world is unfair and I’m tired.”
  • Teleology asks: “What goal am I still pursuing through this exhaustion?”

It reconnects you to why you showed up.

Also, let’s be precise about the goal. It’s not “breaking shit.” Breaking shit is easy. My cat walking on my keyboard could probably crash a Windows server.

The goal is a specific kind of truth-telling that happens to require breaking things as proof. You want to demonstrate that the confident surface is resting on garbage, and you want receipts, not opinions.

That’s expensive. It costs sleep, social ease, and any chance of being invited to the company Christmas party.

You keep paying because the goal is worth more than the cost.

Monday morning: Next time you’re in a retest that shouldn’t exist, write down the goal you’re still pursuing. If you can’t name it, stop. You’re paying a price for nothing.


Separation of Tasks: The Firewall for Your Mind

Your task is yours. Their task is theirs.

The boundary isn’t a suggestion. It’s a structural fact.

In pentesting, your task is:

  • Find vulns
  • Document with evidence
  • Communicate clearly

That’s it. Full stop. End of scope.

The client’s task:

  • Receive that information
  • Do whatever they do with it

Denial. Anger. Quiet panic followed by a budget request approved in 2027.

Not your department.

I learned this the hard way. I was in the shower at 11 PM rehearsing counterarguments to a client who said my SQL injection finding “isn’t exploitable because the database is internal.”

My chest was tight. I was writing the email in my head.

I had collapsed two tasks into one.

Their defensiveness is not feedback on your competence. The angry CISO is not a peer reviewer of your craft. They’re a human being responding to information they did not want, whose political survival depends on not admitting their environment is a house of cards.

When a client pushes back, ask yourself:

Is this about my work product, or their reaction to it?

If they found a genuine gap in your evidence, that’s your task. Fix it.

If the pushback is emotional or political, that’s their task. You can engage professionally without internalizing it. The distinction saves enormous energy.

It’s like a firewall rule.

Allow professional engagement. Drop emotional packets. Don’t let their ICMP (Insecure CISO Meltdown Protocol) flood your interface.

Monday morning: When a client pushes back, ask: is this about my evidence, or their ego? If it’s ego, disengage and go home.


The Courage to Be Disliked: Your Primary Exploit

The philosopher drops a bomb.

If you’re controlled by the desire for approval, you’re not free.

I know this because I’ve been owned by it:

  • I downgraded a critical to high because I could already hear the argument in the readout
  • I omitted legacy credential findings because “they inherited that system and nobody wants to touch it”
  • I wrote “the development team may wish to consider reviewing input validation practices” instead of “the payment module has unauthenticated SQLi and I just dumped your customer database”
  • I agreed to remove an RCE finding because the client said “we actually knew about that one.” As if “knew about” means “remediated.” It doesn’t. It means they knew and did nothing. I helped them continue doing nothing

This isn’t rare. This is Tuesday.

Here’s the irony. Your professional skillset includes manipulating trust. You know how authority works because you impersonate it. You know how approval works because you exploit it.

The helpful employee who doesn’t want to look uncooperative. The manager who won’t question an official-looking request. You weaponize social pressure.

So here’s the question.

Are you running the same exploit on yourself? Is your need to be liked the backdoor you forgot to patch?

Real courage isn’t the loud guy who yells in meetings. That’s insecurity with a microphone.

Real courage is quieter:

  • Writing “critical” when the client wants “informational”
  • Naming the system owner in the report when everyone would prefer the finding attach to no one
  • Delivering a readout to an exec who paid six figures and explaining that their flagship product has auth bypass, then sitting in the silence that follows

Being disliked by clients who wanted a rubber stamp is proof you did the actual work.

The checkbox assessment industry exists because most people aren’t willing.

But there’s a deeper courage than being disliked by clients. It’s being disliked by yourself. The knowledge that you soft-pedaled a finding because the meeting was running long, that you accepted a severity downgrade because you had a flight to catch.

This self-dislike is particular. A client can fire you. Only you can know you failed yourself.

Monday morning: Look at your last report. Find one finding you softened. Rewrite it honestly. Send it to no one. Just see what it feels like.


Self-Acceptance: When Your Certs Become an Anxiety Treadmill

The book distinguishes self-acceptance from self-affirmation.

  • Self-affirmation is “I can do this.” Positive propaganda aimed at a future, better you.
  • Self-acceptance is quieter. It means acknowledging where you are right now, with no narrative arc attached.

Not the person you’re becoming. The person you are. The one who missed that XSS yesterday and whose report is two days late.

I spent years telling myself “I need to learn more before I can call myself a real red teamer.”

It was rarely about competence. It was an identity choice masquerading as a skills gap. I had delivered real findings. Signed real reports. Caused real patches.

The gap wasn’t between my abilities and the work. It was between my self-concept and permission to claim it.

Adler’s horizontal versus vertical relationships cuts to why this festers.

Vertical relationships are hierarchical, competitive, comparative. The ladder model. Infosec is saturated with vertical thinking:

  • Rank by cert count
  • Rank by CVEs
  • Rank by conference stages
  • Rank by whose name is on a breach disclosure

The field runs on a leaderboard mentality.

Horizontal relationships are different. Cooperative, lateral, grounded in contribution.

  • Did your report help the client understand their exposure?
  • Did the dev who read your remediation notes actually fix the vuln?

That’s horizontal. That’s the measure.

Moving from “Am I good enough?” to “Am I contributing?” changes the game.

One question loops forever because there’s always someone with a cooler exploit, a bigger stage, a cert you don’t have.

The other has an answer: the client patched three criticals because of your work.

That is sufficient.

Monday morning: Stop comparing yourself to the person on Twitter with the CVE. Compare yourself to the version of you from six months ago. Are the reports better? That’s the metric.


Contribution Over Recognition: The Clout Trap

The pentesting industry has a recognition problem. It mirrors the superiority complex Adler warned against.

Chase a CVE for the name in the advisory. Build a following. Keynote a conference. Get called “rockstar.”

These are vertical pursuits. Ladders climbed to be higher than the person below.

They feel like success because you’re winning. But the satisfaction has a half-life of about 48 hours.

Your contribution isn’t the shell you popped. It’s the security posture that improved because you found the weakness first.

The relationship between your adversarial action and their defensive outcome.

You didn’t make systems more secure by being clever. You made them more secure by finding the flaw while there was still time to fix it.

The value is in the timing and the intent, not in the exploit.

This reframes the least glamorous part of the job.

When you write a report, you’re not documenting your cleverness. You’re contributing a roadmap to a more defensible network.

The report, dry and unsexy and probably written at 3 AM with energy drinks, is the actual contribution.

The shell was just the research phase.

Anyone who thinks the exploit is the work and the report is paperwork has the ratio backward.

Contribution-based motivation survives setbacks. Recognition-based motivation does not.

Burnout research flags recognition-chasing as a predictor. One missed vuln, one rejected talk, and your scaffolding of self-worth wobbles.

Recognition is external and conditional. Contribution is internal and renewable.

The dev who fixed the SQLi because your report was clear will never know your name.

But the security improved. Systems slightly harder to compromise, data slightly safer.

That’s what the work produces when you orient toward contribution.

Monday morning: Pick one finding from last month. Trace it. Did the client patch it? If yes, that’s your contribution. Write it down. Keep it somewhere.


Life Lies: The “Friendly” Testing Scam

The philosopher has a devastating move.

When the youth says his unhappiness is structural, the philosopher cuts through it with one word: life lie.

You’re not suffering because the world blocks your goals. You’ve chosen goals that let you keep suffering.

I’ve told all of these. I’ve heard all of these.

“The client isn’t ready for the real findings.”

You found a critical path to domain admin and buried it under “remediation recommended.” The client isn’t avoiding the truth. You are. You chose the goal of being the “reasonable consultant” over the goal of making them fix what matters.

“I need to maintain the relationship for future work.”

Honest about the stakes. But future work for what? More reports that don’t change anything? You’ve built a recurring revenue model on your own cowardice.

“Everyone soft-pedals the critical findings.”

Mass delusion is still delusion. Other people choosing comfort over courage doesn’t make your choice more defensible. It makes the industry collectively less useful than it pretends to be.

These aren’t tactical accommodations. They’re goals.

You’ve chosen the goal of avoiding the moment when a client realizes their security posture is worse than they thought, and they look at you with something other than gratitude.

You want to be liked. So you become less effective.

Every life lie costs unpatched systems. That organization stayed compromised because you chose to be agreeable. Someone else exploited what you found and soft-pedaled.

The breach report won’t name you, but you were there.

Monday morning: Pick one finding you buried last month. Dig it up. Write it honestly. Send it to the client with no apology. See what happens.


The Professional Adversary

Kishimi and Koga never say you should try to be disliked.

They say you should stop trying so hard to be liked.

The distinction matters. One is posturing. The other is liberation.

Penetration testing is not primarily a technical activity. It is an interpersonal one carried out through technical means.

The code is the easy part. The conversation afterward is the craft.

And the conversation fails when the person delivering it is still hoping for applause.

Here’s the framework:

Concept What It Means for Pentesters
Teleology You chose this. The friction was the price, not the weather.
Separation of tasks You own the finding, not the feeling it provokes.
Courage to be disliked Without it, you bury the critical finding on page forty-seven.
Self-acceptance You don’t need to be the best in the room to be the one telling the truth.
Contribution The work gains its meaning from the community it protects.

Rejecting life lies keeps the whole apparatus honest.

The book’s real gift is normalization.

You don’t need to become someone who can handle being disliked. You already are that person. You walked into a conference room and demonstrated that the CFO’s password was Summer2023 in front of his own security team.

There is no popularity contest you were winning after that.

The Courage to Be Disliked doesn’t ask you to transform. It gives you the framework to do what you already do deliberately, with clear eyes.

The essence of offensive security is not breaking into systems.

It is having the courage to be the person who tells the truth that everyone else is too well-liked to say.

That isn’t just happiness. That’s professional integrity.

And in a discipline built on trust, integrity is the only equipment that never fails.

Now go write that report.

And make it honest.


P.S. If this felt obvious, you’re already doing the work. If it stung a little, that sting is useful information.