Inhuman Resources: A Considered Response to Every Recruiter Who Filtered Me Out

# Inhuman Resources: A Considered Response to Every Recruiter Who Filtered Me Out

I am the candidate your applicant-tracking system rejects before a human reads the file. Non-linear career. No bootcamp pedigree on the right line. Self-taught, "vibe"-driven, allergic to the script. So let me answer in the only language that doesn't lie: a running system, and the receipts behind it.

This is not a complaint. Complaints are for people who want back in. This is a measurement.

The premise the industry runs on is that the credential predicts the work. The résumé filter, the keyword screen, the "must have 7 years of a thing that has existed for 18 months" — all of it is a bet that the proxy is the thing. I want to test that bet honestly, against my own work, and call my own bluffs along the way, because a receipt that only flatters is exactly the marketing-as-architecture I'm about to indict.

So here is the founding conceit, stated plainly: that a self-taught operator, riding the wild stallion of agentic AI as a genuine partner rather than a toy, could build a true enterprise-grade system — the real thing the giants put on slides — faster, cheaper, and more honestly than the credentialed machine. Let me grade it. Including where it's wrong.

First, the L's. Because that's what makes the rest trustworthy.

I was not first. The autonomous-enterprise-agent category went generally available in late October 2024. I committed my first line of this platform on September 22, 2025 — roughly eleven months behind the starting gun. Anyone who tells you they were "first to AI enterprise" is selling you the thing I'm warning you about. I wasn't first. Strike it from the pitch.

I am also tiny. On the axis the industry actually measures — scale, distribution, raw revenue — I am a rounding error against the incumbents, by something close to six orders of magnitude. They have hundreds of millions in recurring revenue and millions of seats. What I have is smaller and I'll say so plainly: but it is not zero, and that matters more than the gap suggests. I am post-revenue. Real customers pay real money, on real recurring terms — I'm not quoting the figure here, but it exists, it clears, and it makes me something a startling share of far-better-funded "AI companies" are not: a business with paying users instead of a pitch deck with a waitlist. The bill to run all of this started at the price of a phone plan. Both of those facts — the smallness and the realness — are true at once, and I'm not going to hide one to sell the other.

And — the freshest L, the one I like best — while auditing my own system this week to write this very piece, I found a real security hole in my own work. My Model Context Protocol server checked for the presence of an authentication token instead of validating it. Any non-empty token would do. I found it, I fixed it the same day, and I am telling you about it in public. That last sentence is the entire thesis of this essay. Hold onto it.

What got built — and why it's architecture, not marketecture

The center of the system is an idea the whole industry is currently pretending to have shipped: institutional memory. Long-term, durable, queryable organizational recall — the thing that survives the employee leaving, the deploy wiping the box, the quarter ending.

Here is the honest state of that market, from the people studying it rather than selling it: institutional memory is sold as solved, and it is not. Vector search is not memory. Durable, time-aware, contradiction-aware recall is an actively unsolved research problem that degrades sharply at scale. The category leader in enterprise work-AI is reviewed, repeatedly, as "a search tool, not a workflow engine." The largest CRM vendor's agent product became the textbook case for a new word — agentwashing — after it emerged that a large share of its booked deals were bundles customers weren't actually using. The biggest productivity suite's AI assistant was measured by industry analysts at roughly three percent of IT leaders reporting "significant" value, and it shipped the first zero-click prompt-injection vulnerability of its kind. This is the field. This is the slideware.

Now the demonstrated version, and I am done being modest about it. The platform runs north of 24 million documents across more than forty live search indexes — threat indicators, decision logs, edge-block events, a 400,000-document investigative corpus, hourly infrastructure snapshots, and more. The index layer is deliberately architected as the durable memory: it lives on its own machine, physically separate from the disposable application container, precisely so that every redeploy can wipe the ephemeral box to the studs and the institutional memory does not so much as flinch. That is not an accident I'm dressing up after the fact — there is a written law in the codebase that any new piece of cross-deploy state goes into the durable layer, never into the box that gets thrown away. On top of it sits a cross-index correlation engine: hand it a single indicator and it fans out across every index at once and scores how many independent corners of the memory light up — the move a human analyst makes on instinct, running at machine speed across 24 million records. And every new fact gets stamped by a novelty filter that knows, at write time, whether we saw it first or the world did. First-to-know, measured and recorded, automatically.

That is the thing Glean raised hundreds of millions of dollars to describe. That is the capability Salesforce minted a new word — agentwashing — getting caught faking. I built the working version, by myself, with an AI partner, on a platform that started at the cost of a phone plan.

You do not have to take one word of it on faith, and that is the entire difference. You can read the code. The vendors hand you a metaphor — "company brain," "your second memory," "ask your enterprise anything" — and a sales engineer to keep you from looking too closely. I hand you forty indexes, a correlation function, and line numbers. One of those is architecture. The other is a brochure with a gradient on it, and you already know which one I am.

And here is the part the man in the chair I'm responding to flagged, correctly: this essay is itself the demonstration. To write it, the system reeled in nine months of its own engineering history, its full publishing record, an external timeline of model releases, and its own source code, and correlated them into a single argument — using the exact institutional-memory machinery I just described. The medium is the proof. Glean and Salesforce put "institutional memory" on a slide. Mine just answered the question that produced this sentence.

On security, where the gap is widest

I want to dwell on the Model Context Protocol, because it is where a two-person shop is, measurably, ahead of companies a thousand times its size — and I just admitted I found a bug in my own, so you know I'm not grading on a curve.

The protocol that lets AI agents talk to tools went mainstream across every major vendor roughly seven months before it had a standardized way to handle authentication at all. Even a year in, only a small single-digit percentage of public servers used real auth. In that vacuum, the incidents arrived on schedule. A major work-management vendor's server leaked data across customer tenants. The first confirmed malicious server in the wild sat trusted for fifteen versions and then quietly started copying every email to an attacker. The most widely used coding assistants were shown leaking private repository contents through poisoned text in a public issue.

The field's failure mode, over and over, was the same root error: trusting the data coming back through the tool as if it were instruction instead of input.

What I built, before any of those headlines landed, treats its own search corpus as hostile. It actively strips and neutralizes injection phrasing coming out of its own index, tags every field as untrusted content, and ships a standing disclaimer on every response that the result is data and not a command. It exposes a hard allow-list of safe indexes instead of a generic "query the database" tool, so exfiltration-by-query isn't mitigated — it's structurally impossible. The sensitive indexes are not behind a permission check an attacker can social-engineer; they are simply not reachable from the tool at all. That is the difference between a lock and a wall.

And it doesn't stop at defending my own door. Alongside it runs a second server whose entire job is to judge other people's tool servers before an agent is ever allowed to trust them — it issues signed BLOCK / ADVISORY / ALLOW verdicts, scans their declared dependency graph against a million-indicator threat corpus, and reads their manifests for embedded malicious commands, because the whole industry learned the hard way in 2025 that vetting a server's name is not the same as vetting its payload. I shipped the thing that catches the next postmark-mcp before it copies your email to a stranger. The companies that got burned are still writing the blog posts about it.

Is it perfect? No — I just told you it wasn't. The dependency check is shallower than the marketing language implied, so I am correcting the marketing language here, in writing: it matches declared dependency names, it does not yet walk the full transitive tree. The auth bug I found is fixed. Other gaps remain and will be found, because something is always wrong — we cap our own confidence at 95% on principle and guarantee the missing 5% exists. That posture — ship it, audit it cold-eyed, publish the hole, fix it in daylight — is the one the credentialed incumbents structurally cannot adopt, because their marketing department would never let them.

The honest scorecard

Against the giants on scale, I lose by a margin so large it isn't a contest. Say it plainly: distribution, headcount, seats, raw revenue — not close, never claimed otherwise. Fine. That was never the game I was playing.

Against the giants on architecture-that-actually-runs-per-dollar, it isn't close the other way. A running, inspectable, multi-index institutional-memory and threat-intelligence platform — with its own AI-security tooling that judges other people's servers — built in nine months by one self-taught person and an AI partner, for the cost of a utility bill, with paying customers on the other end of it. The independent research says roughly ninety-five percent of enterprise AI pilots produce no measurable business impact and only about five percent ever reach production at all. The hundred-million-dollar war chests are mostly buying their way into that ninety-five percent. This one is in production, in the five percent, with revenue. That is the only "first" I'll claim — not first to the category, but standing in the part of it that's real while most of the field is still announcing.

Against the giants on intellectual honesty, it is a slaughter, and that's the one I'm proudest of. I have publicly shipped my own failures — a post-mortem on a model release that let me down, an editorial the week I felt a vendor broke faith with me, and a security bug in my own code that I fixed and documented the same day I wrote this. Try to find the security incident page on a vendor site that reads like that. You won't, because their marketing department exists to make sure you can't. My vocal support for the tools I bet on is worth something precisely because it comes from someone who files the losses in public at the same desk. That is not a personality quirk. It is the same discipline as treating tool output as untrusted, as validating the token instead of its presence, as capping my own confidence at 95% and guaranteeing the missing 5%. Honesty isn't my brand. It's my architecture.

The considered response

So, to Inhuman Resources, to the hiring teams, to the recruiters and the screens and the filters that would never have let me through the door:

You optimized for the proxy. I built the thing the proxy was supposed to predict. While the credentialed machine shipped cross-tenant leaks, agentwashed bundles, and three-percent-satisfaction copilots, a candidate your system auto-rejects shipped a running enterprise architecture you can read line by line — and when he found a hole in it, he published the hole.

And a specific word for the patron saint of the filter. Reid Hoffman built LinkedIn — the machine that reduced a working human being to a keyword match, a connection count, and an endorsement you begged a stranger for — and then went off to become one of the most prolific investors in the AI now being trained to do the rejecting at scale. The entire pipeline, from the algorithm that buries my résumé to the capital pooled behind the marketecture I just out-engineered for the price of a phone bill, traces back to the same small room of men who appointed themselves the arbiters of what a qualified person looks like. I am the counterexample their model can't fit, built with the very technology their money is busy mediocre-izing. So, with the whole of my considered respect: fuck Reid Hoffman, and fuck the filter he got rich building.

I do not need you to validate the architecture. The architecture is the validation. That was always the only credential that meant anything.

This one's on the house. Murphy was an optimist.

DugganUSA builds threat intelligence and agentic infrastructure from first-hand collection and a curated, inspectable corpus. Scale figures here are honest floors, not ceilings; we cap our confidence at 95% because something is always wrong. The security bug referenced was found during the self-audit that produced this essay and fixed the same day.

Her name was Renee Nicole Good.

His name was Alex Jeffery Pretti.