The tragedy of low-level exploitation (gynvael.coldwind.pl)
66 points by abhaynayar 3 months ago | 11 comments



This is a pretty great post. One of its subtexts is the cliche of people taking jobs in offensive security and complaining that all they get to work on are web apps --- web apps are where all the money is, and where most new software is built. Another interesting subtext: there's a whole variety of low-level targets where modern exploit development techniques would come into play, but since there's no market for those vulnerabilities, there aren't many opportunities to get paid to develop the exploits; all the action is in browsers and mobile operating systems, where competition is incredibly fierce.


>low-level exploitation is rarely needed in cybersecurity

Sadly that's true. I am transferring from a low level pentester to web app security engineer. That's where all the jobs are. People don't really care how much you know about low level.


Also, video going over the blog post by the author: https://www.youtube.com/watch?v=58fwUXvhO3c


Mark Dowd's 2023 presentation "Inside The Zero Day Market" [0] is extremely informative and a must read for everyone interested in a low-level exploitation career.

[0] https://github.com/mdowd79/presentations/blob/main/bluehat20...


Do you happen to know if there is a recording of that talk available?


Not that I know of, but we did a long interview with him about it:

https://securitycryptographywhatever.com/2024/06/24/mdowd/


He left out education. Become a computer scientist and do research in exploits and you're getting paid to create exploits. There are lots of profs doing it, I've known some of them, they call it research. Companies don't usually pay for general research in exploits, but universities do.


You can sell low-level exploits quite profitably. You don’t need to make it, like, an official employment. If you can find gold, why be employed in a gold-mining company for a salary if you can just sell your findings?


It depends on your motivation of why you want to work in that field in the first place.


Solving puzzles? Then you don’t care who will buy your results.

The joy of outsmarting people who thought that they can match your skills? Ditto.

Making the world a better place? Then you can choose your buyer. Love your country? Sell to your country’s IC. Hate your country? Sell to other countries’ ICs (discreetly, of course). Hate governments in general? There are buyers for that. Hate corporations? There are _a lot_ of buyers for that. Whatever your convictions are, you can find someone aligned.


[flagged]


Please don't complain about tangential annoyances—e.g. article or website formats, name collisions, or back-button breakage. They're too common to be interesting.

https://news.ycombinator.com/newsguidelines.html



