
Ask HN: Should I just give up my ambition of being a decent security researcher? - kif
Back in my high school days, I was your typical next door script kiddie. I knew x86 assembly and a few programming languages, was capable of hacking some crackmes, SQL injection and the like.

That's just to say I always had the mindset of breaking stuff. However, lack of resources and guidance, and just life in general, led to a different career path for me as an adult.

About 10 years later now, I have had a relatively successful career in software development – though I feel I have so so much to learn yet. I still don't feel like a "senior" dev, even though some would say I am.

My desire to "break" things has never diminished, however. I have fun doing various exploitation CTF challenges (e.g. exploit.education), but that's where my hacking skills stop.

I would like to start working on "real" exploitation, like browser or kernel exploitation, but at this point I'm wondering whether that's the right thing to do. I know it's not too late to get started in the literal sense, but I feel like perhaps focusing on improving myself on the development side of things is a better use of my time.

Heck, maybe I've already made my decision subconsciously, and I'm hoping a bunch of internet strangers will approve that decision. Time is a finite resource, and I don't know what the best decision would be for me. I'm sure there's a lot of people who've been in the same situation before, so I'd appreciate your thoughts and experiences.
======
phaus
If you don't feel like you have a hopeless amount of stuff left to learn you
are either a unicorn or the opposite. In this field people who think they know
everything are almost always just oblivious to the fact that they are
incompetent.

Yea, there are minor Internet celebs in the security industry that seem like
gods to most of us, but most of the ones I've spoken to also struggle with
imposter syndrome. At the very least they are usually humble.

However, I think there is a small percentage of very vocal people in the
community that engage in an eternal dick measuring competition on Twitter and
elsewhere. They take up enough of the attention to make a lot of us anxious
about our own accomplishments.

Passion is the greatest indicator of success in most endeavors, security
research included. You seem to have it. I'd say you are likely far more
skilled than you give yourself credit for. Perhaps what you really need help
with is figuring out a strategy that helps you pivot into a role where you can
spend more time on what you love.

Something that helped me early on was actually a comment on HN. tptacek
responded to a comment of mine and said something along the lines of "There is
probably less that separates the two of us than you think there is." Instead
of thinking that I wasn't good enough it got me thinking of how to close the
gap between where I was and where I wanted to be. I'm still no industry celeb,
I haven't published any white papers, and I haven't discovered any zero days,
but I do get to work on cool stuff on a regular basis that actually helps
people.

------
chuck9302
What about becoming a penetration tester? It's much easier to go from
developer to pen tester than from developer to security researcher, though
that's not to say it's easy either. Plus, working as a pen tester, it's highly
likely you will have colleagues who are security researchers; you can talk to
and learn from them. There aren't generally "junior security researcher" roles
available; you'll have to start somewhere and pen testing is a good foot in
the door. It also involves breaking things, so that might satisfy your itch
too.

------
WayfindMaps
If you don't feel like you can be a professional security researcher, why not
settle for being a hobbyist?

It sounds like you still enjoy the subject matter and it sounds like you know
a lot more about this than the average developer. I'm considered a senior
developer and I've never done what you were describing.

I've suffered from impostor syndrome in the past - and I still do to an extent
- but I've never found another hobbyist to be hostile about my knowledge or
lack thereof.

------
manicbits
Perhaps you can find a position within the intersection of development and
security? I don't think this is in any way mutually exclusive.

------
mikaelmello
I support WayfindMaps' idea.

What do you hope to achieve by turning your "hobby" into your full-time job?

Do you feel like you will only achieve the level you want if you do not have
other things in the middle, such as a SWE job?

