I’m a security engineer at a small cybersecurity startup (about 5 people). We recently hired a college intern: smart, motivated, very eager to prove themselves. No major red flags at first.
Part of our onboarding is very explicit: do not test, probe, or experiment on production systems unless explicitly authorized. This is drilled into everyone, especially interns. We work with real customer data and real security controls.
A few weeks in, we noticed unusual activity in our logs tied to an internal admin function. Long story short, the intern had been:
* Using their access to explore internal tools outside their scope
* Attempting to bypass a control “to see if it was possible”
* Doing this without telling anyone, documenting it, or asking permission
They didn’t break anything but they did intentionally try to circumvent safeguards in a live environment. When confronted they said they were “thinking like an attacker” and wanted to show initiative. They genuinely didn’t seem malicious but also didn’t seem to understand why this was a hard line.
After discussing it internally, we decided to terminate the internship immediately. We explained that in security, intent doesn’t matter as much as boundaries and this was a trust issue.
Now here’s where I’m conflicted:
They’re young, this was their first security role and nothing catastrophic happened. Part of me wonders if this should’ve been a harsh warning and a teachable moment instead of firing them. On the other hand if anyone else had done this it would’ve been a serious incident.
Some coworkers think we overreacted and potentially damaged someone’s career over a mistake. Others think letting it slide would’ve sent the wrong message about security culture.
So… AITA for firing the intern?
NTA
The rules were clear. They FAAFO.
It’s a hard line so I can’t blame you for taking the action you did.
But saying that, an intern shouldn’t be able to access the prod systems willy-nilly like that. They are toddlers running around and will poke and prod anything they have access to.
What they did was stupid. The system in place needs to be looked at to avoid these stupid situations in the future.
Snowden was caught red-handed several times before he exfiltrated the data he did. Zero tolerance is the law in security. If you don’t follow it you get what you deserve.
NTA. They were informed of the rules and chose to break them anyways.
NTA – You did the correct thing. And you’d be teaching the wrong lesson if you had “let this slide.” This was a conscious decision on their part. Sounds like they didn’t really think it through. But a very clear failing to follow protocol in a job that is all about protocol.
Also, as a short-lived internship, it’s not like this is something that will follow them unless they choose to add it to their resume. Hopefully they’ll retain this lesson in their future positions.
NTA. That kid needs the shock to understand what they did cannot fly in the real world. You did the right thing, interns can also be attack vectors. It’s really the “ask for forgiveness rather than permission” that sealed their fate. Want to be on the red team? Fine, let’s get everyone onboard and brainstorm the scenario, there is no room for cowboys in this business.
I don’t work in cybersecurity but I would say NTA.
The intern didn’t follow the one very explicit rule that you gave.
He tried to breach the security as an “attacker”. The key part of the job is security and he tried to break it.
I feel like as long as you explained fully why he was being let go and why it is hard to accept the intern still but will provide a reference if needed.
It was his first role sure but the intern crossed a very serious line in security and they didn’t follow the one very explicit rule that was drilled in.
NTA.
Either they didn’t listen to the rules, didn’t believe you that it was important, or lied to you about what they were doing or why they were doing it. None are a good thing when an intern is dealing with a superior in cyber security.
Compare this to another field, if a pharmacist willingly tries to give different doses to patients that aren’t prescribed them, they lose their license immediately. Why should messing with people’s valuable data be any less regulated than this when it was explicitly told not to do such a thing? And if they wanted to “take initiative” then they should ask at the very minimum instead of trying to break in while nobody was informed. Imagine being a prisoner and telling the guards you’re trying to break out so you can inform them of a real prison break? It just doesn’t make sense. It sounds like that person has some growing to do before they get into high risk environments like that again. NTA
NTA. Violated terms of their employment. Better to learn now than later.
This is why we have policies in place to dictate what steps should be taken if anyone breaks said policies.
The intention may not have been malicious, but the actions were breaking policy and the intern must have been aware.
They could have easily informed a high-up of their desires and given a proper plan and proposal, but they chose to do the “bad” things and then cover their tracks.
And security is huge, especially in a cybersecurity firm which has access to client information, PII, PHI, etc. THIS time the intern didn’t break, expose, or “hurt” anything, but who’s to say next time wouldn’t be worse?
And believe me, there would have been a next time because a warning and reprimand doesn’t scare “initiative minded” folks. It’s more of “asking for forgiveness” versus asking for permission it seems.
NTA – they learned a hard lesson and will do better at their next company.
NTA
They had been explicitly warned/instructed to not do that.
When confronted they didn’t say “oh no! Sorry I forgot we were told not to do that” they instead continued to act like they did nothing wrong – therefore they were an ongoing risk.
NTA.
Nothing catastrophic happened *this time*. Next time an intern pulls something like that, maybe not. You’re following rules established not just for this person, but for the company. The time for teachable moments is in the classroom, not here.
Additional point: it shows an extreme lack of critical thinking and understanding of risk management to have been doing any of this in prod. Even if the probing they’d been doing had been within the scope of their position, the foolishness of running what is essentially a test attack in a live instance can’t be overlooked. Until they’ve matured enough to understand the nature of their position, that means they shouldn’t be in a position to have access to live systems. If that means terminating the internship, so be it.
NTA
The first and most important part of an internship is *learning*, particularly in your chosen field. They clearly didn’t learn from the explicit onboarding, so hopefully this will be a lesson for them that will actually sink in. **You do not test in production under any circumstances** is a lesson that anyone working in cybersecurity needs to know by heart.
If they had been reprimanded they would have just done it again. The people who “take initiative” like this don’t understand anything short of hard consequences.