⚡ Sorcerer → Security Researcher
“The vulnerability was always there. I just found it first.”
Your Role in the Party
You find the vulnerabilities before attackers do. While pentesters exploit known bugs with established tools, you discover new ones—0-days that nobody has seen, attack surfaces that others overlooked, techniques that push the boundaries of what’s possible. Your research protects millions of users when vendors patch what you find.
Security Researchers operate at the frontier of offensive security. You study systems deeply enough to find their flaws, develop proof-of-concept exploits to demonstrate impact, and responsibly disclose your findings. Some work for companies finding bugs in their own products; others hunt bugs for bounties; others push the state of the art in academic or vendor research labs.
This role rewards curiosity and persistence. Finding real vulnerabilities often means weeks of research with no results, followed by a breakthrough moment. The best researchers are driven by genuine curiosity about how systems work—and how they break.
📊 Your Stat Spread
| Stat | Score | What It Means for You |
|---|---|---|
| STR | ⭐⭐⭐⭐⭐ | Hands-on experimentation is your primary mode. You learn by fuzzing, poking, breaking. |
| CON | ⭐⭐⭐⭐⭐ | Extended research sessions. Weeks on a single target. Persistence through dead ends. |
| DEX | ⭐⭐⭐⭐ | Pivot between research areas. Move from web to binary to cloud as opportunities arise. |
| INT | ⭐⭐⭐ | Learn what you need for the current target. Deep knowledge in areas of focus. |
| WIS | ⭐⭐⭐ | Intuition for where vulnerabilities hide. “Something feels wrong here” instincts. |
| CHA | ⭐⭐ | Your findings speak for themselves. CVEs and writeups over presentations. |
🎭 Neurodivergent Advantages
Your traits are class features, not bugs:
- Hyperfocus on Research (CON): Those week-long research sessions where you’re completely absorbed in understanding a system? That’s not obsession—that’s exactly what vulnerability research requires. Your ability to maintain focus on a single target is your primary weapon.
- Learning by Breaking (STR): Reading documentation tells you how systems are supposed to work. Your brain wants to know how they actually work—which means running them, fuzzing them, crashing them. Research rewards this approach completely.
- Unconventional Thinking: The bugs that matter are the ones others didn’t see. ADHD’s divergent thinking and autistic pattern recognition both produce the “weird” approaches that find real vulnerabilities.
- Special Interests in Systems: If you’ve ever fallen down a rabbit hole understanding how a protocol works, how memory management functions, or how a particular API behaves—that knowledge finds bugs.
- Persistence Through Failure: Research is mostly dead ends. If your brain can handle “this didn’t work, try something else” without getting discouraged, you’re built for this.
- Detail Orientation: The difference between exploitable and non-exploitable often lives in edge cases. Your attention to detail catches the boundary condition others miss.
🗺️ Career Path
Pentester (Foundation) → Security Researcher (Find bugs) → Senior Researcher (Lead research) → Principal Researcher (Shape the field)
Alternative Entry Points:
- Software Developer → Security Researcher (understand what you’re breaking)
- CTF Player → Security Researcher (exploitation skills transfer)
- Malware Analyst → Security Researcher (reverse engineering foundation)
Common Sorcerer Multiclasses:
- Sorcerer/Rogue: Security Researcher + Pentester (find bugs AND exploit them in engagements)
- Sorcerer/Monk: Security Researcher + Malware Analyst (find vulns AND analyze exploitation)
- Sorcerer/Artificer: Security Researcher + Tool Developer (build fuzzing infrastructure and exploit frameworks)
📜 Certification Pathway
Level 1-5: Foundation (0-2 years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| CompTIA Security+ | CompTIA | Multiple Choice | ~$425 | Foundation. Understand security concepts before breaking systems. |
| eJPT (Junior Penetration Tester) | INE Security | Practical (48-hr) | ~$200 | Entry-level offensive skills. Affordable, practical exam. |
| CompTIA PenTest+ | CompTIA | Multiple Choice | ~$404 | Pentesting fundamentals. Stepping stone to research. |
Neurodivergent Note: Get basic pentesting skills first—you need to understand exploitation before you can find new vulnerabilities. eJPT’s practical format suits hands-on learners.
Level 6-10: Specialization (2-5 years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| OSCP (Offensive Security Certified Professional) | OffSec | Practical (24-hr) | ~$1,749 | Industry standard offensive cert. “Try Harder” methodology. Proves you can exploit systems. |
| OSWE (Offensive Security Web Expert) | OffSec | Practical (48-hr) | ~$1,749 | Web application research. Source code review, vulnerability discovery. |
| GXPN (GIAC Exploit Researcher) | SANS/GIAC | Practical | ~$999 (exam) + ~$8,500 (SEC660) | Advanced exploitation. Memory corruption, custom exploits. Only ~2,600 holders globally. |
| CPTS (Certified Penetration Testing Specialist) | Hack The Box | Practical | ~$490 | HTB’s practical cert. Rigorous, affordable alternative to OSCP. |
Neurodivergent Note: OSCP is the rite of passage—24-hour time pressure isn’t ideal for everyone, but it’s highly respected. GXPN has only ~2,600 certified professionals globally—scarcity itself creates value. OSWE is excellent if web is your research focus.
Level 11-15: Advanced (5-8 years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| OSEP (Offensive Security Experienced Penetration Tester) | OffSec | Practical (48-hr) | ~$1,749 | Advanced evasion, custom payloads, mature environments. |
| OSED (Offensive Security Exploit Developer) | OffSec | Practical (48-hr) | ~$1,749 | Windows exploit development. ROP, shellcode, evasion. |
| GREM (GIAC Reverse Engineering Malware) | SANS/GIAC | Practical | ~$999 (exam) + course | Understand exploitation from the malware side. |
Neurodivergent Note: OSED is pure exploit development—if binary exploitation is your special interest, this validates it. The 48-hour format is more accommodating than OSCP’s 24.
Level 16-20: Mastery (8+ years)
| Certification | Org | Type | Cost | Why It Fits |
|---|---|---|---|---|
| OSEE (Offensive Security Exploitation Expert) | OffSec | Practical (72-hr) | ~$2,499 | Windows kernel exploitation. The hardest offensive cert. Very few holders. |
| OSCE3 | OffSec | Trilogy Completion | Pass OSEP + OSWE + OSED | Proves mastery across web, network, and exploit development. |
Neurodivergent Note: OSEE is elite-level validation. Very few people hold it. If kernel exploitation is your passion, this is the summit.
🛠️ Your Toolkit
Primary Weapons
| Tool | Type | What It Does | Link |
|---|---|---|---|
| AFL++ | Fuzzer | State-of-the-art coverage-guided fuzzer. Finds bugs automatically. | GitHub |
| Ghidra | Disassembler | NSA’s free reverse engineering suite. Understand code to find bugs. | ghidra-sre.org |
| GDB + pwndbg | Debugger | Linux debugging with exploitation focus. | pwndbg |
| Burp Suite | Web Proxy | Web application research. Intercept, modify, analyze. | portswigger.net |
Fuzzing Infrastructure
| Tool | Purpose | Link |
|---|---|---|
| LibFuzzer | LLVM’s in-process, coverage-guided fuzzer. Integrates with the sanitizers (ASan, UBSan, MSan) to turn silent memory errors into reported crashes. | LLVM |
| Honggfuzz | Security-oriented fuzzer from Google. | GitHub |
| OSS-Fuzz | Google’s continuous fuzzing service for open-source. | GitHub |
| ClusterFuzz | Scalable fuzzing infrastructure. | GitHub |
| Boofuzz | Network protocol fuzzing framework. | GitHub |
Exploitation Development
| Tool | Purpose | Link |
|---|---|---|
| Pwntools | CTF and exploit development framework. | GitHub |
| ROPgadget | Find ROP gadgets in binaries. | GitHub |
| Ropper | ROP chain generation. | GitHub |
| Angr | Binary analysis framework. Symbolic execution. | GitHub |
| Triton | Dynamic binary analysis and symbolic execution. | GitHub |
Web Research
| Tool | Purpose | Link |
|---|---|---|
| SQLMap | Automated SQL injection. | sqlmap.org |
| Nuclei | Template-based vulnerability scanner. | GitHub |
| ParamSpider | Parameter discovery for web applications. | GitHub |
| Arjun | HTTP parameter discovery. | GitHub |
Fun Tools from Awesome Lists
Source: Awesome-Vulnerability-Research
| Tool | What It Does |
|---|---|
| Lighthouse | IDA/Binary Ninja code coverage plugin |
| Frida | Dynamic instrumentation toolkit |
| DynamoRIO | Runtime code manipulation |
| QEMU | System emulation for research |
| Manticore | Symbolic execution for bug finding |
| Vuzzer | Application-aware fuzzing |
📚 Learning Resources
Free Resources
YouTube Channels:
- LiveOverflow - Essential binary exploitation and research
- GynvaelColdwind - CTF and security research streams
- John Hammond - CTF walkthroughs and exploitation
- ippsec - HackTheBox with research methodology
- PwnFunction - Web security animations
Practice Platforms:
- pwn.college - Arizona State’s exploitation course. Exceptional and free.
- Hack The Box - Practice exploitation at scale.
- Exploit Education - Phoenix, Protostar, and more.
- PicoCTF - CMU’s beginner-friendly CTF.
- PortSwigger Web Security Academy - Free web research training.
Bug Bounty Platforms:
- HackerOne - Bug bounty hunting
- Bugcrowd - Bug bounty platform
- Synack Red Team - Invite-only platform for vetted researchers
Essential Reading:
- Google Project Zero Blog - Elite vulnerability research
- Trail of Bits Blog - Security research and tooling
- Phrack Magazine - Classic exploitation research
- PoC||GTFO - Research journal in PDF form
Books for Sorcerers
| Book | Author | Why Read It |
|---|---|---|
| Hacking: The Art of Exploitation | Jon Erickson | Classic. Exploitation fundamentals from the ground up. |
| The Shellcoder’s Handbook | Koziol et al. | Comprehensive exploit development reference. |
| A Bug Hunter’s Diary | Tobias Klein | Real vulnerability research stories. Practical methodology. |
| The Web Application Hacker’s Handbook | Stuttard & Pinto | Web security research bible. |
| Practical Binary Analysis | Dennis Andriesse | Modern binary analysis and reverse engineering. |
| The Tangled Web | Michal Zalewski | Web security from a researcher’s perspective. |
Podcasts
| Podcast | Why Listen |
|---|---|
| Darknet Diaries | Real stories of vulnerability research |
| Risky Business | Weekly security news with research context |
| Security Now | Deep technical security discussions |
| Malicious Life | Security research history |
🎓 SANS Courses for Sorcerers
| Course | Cert | Focus | Best For |
|---|---|---|---|
| SEC660: Advanced Penetration Testing | GXPN | Exploitation, custom exploits | Core research skills |
| SEC760: Advanced Exploit Development | N/A | Windows kernel exploitation | Elite binary research |
| SEC642: Advanced Web App Penetration Testing | GWAPT | Web vulnerability research | Web-focused researchers |
| SEC561: Immersive Hands-On Hacking Techniques | N/A | Hands-on exploitation skills | Practical foundation |
🏆 Building Your Magic Items
Early Career Achievements:
- Complete pwn.college or Exploit Education exercises
- Find a bug (any bug) in real software
- Set up a fuzzing environment with AFL++
- Earn OSCP or CPTS certification
- Write an exploitation technique writeup
Mid-Career Achievements:
- Get a CVE assigned to your research
- Earn a bug bounty payout
- Earn OSWE, OSED, or GXPN certification
- Publish research (blog, conference, paper)
- Develop an exploitation technique
Senior Achievements:
- Multiple CVEs with significant impact
- Earn OSEE or OSCE3
- Present at a major conference (Black Hat, DEF CON, etc.)
- Contribute to fuzzing or exploitation tools
- Shape vulnerability disclosure practices or mentor researchers
🧭 Multiclassing Guide
Adding Rogue Levels (Penetration Testing)
Apply research to real engagements:
- Use discovered vulnerabilities in pentests
- SANS SEC560 for enterprise penetration testing
- Balance research time with client work
“The 0-days I find don’t just get disclosed—they win engagements.”
Adding Monk Levels (Malware Analysis)
Understand exploitation from both sides:
- SANS FOR610 for malware reverse engineering
- Analyze real-world exploits to inform research
- Learn how attackers weaponize vulnerabilities
“I find vulnerabilities AND understand how they’re weaponized in the wild.”
Adding Artificer Levels (Tool Development)
Build fuzzing infrastructure and exploit frameworks:
- Develop custom fuzzers for your research focus
- Contribute to pwntools, AFL++, or other frameworks
- Automate repetitive research tasks
“I build the tools that find the bugs.”
💡 Neurodivergent Learning Strategies
For ADHD:
- Each target is a new puzzle—novelty helps maintain interest
- Use the breakthrough moment as dopamine reward
- Switch between different research areas when stuck
- Bug bounty hunting provides external motivation and deadlines
For Autism:
- Build systematic research methodologies
- Deep-dive on specific vulnerability classes (memory corruption, injection, etc.)
- Create comprehensive documentation of techniques and findings
- Pattern recognition helps identify similar bugs across targets
For Both:
- Hyperfocus on interesting targets is your competitive advantage
- Your “weird” approaches find bugs others miss
- Independent, deep work matches your preferences
- Persistence through dead ends is the job
🎯 Not Sure If You’re a Sorcerer?
Take the Character Creation Quiz to discover your cybersecurity class and get personalized recommendations!
📖 Continue Your Journey
- View All Classes
- Red Team: Rogue - If penetration testing calls to you
- Red Team: Monk - If malware analysis is your focus
- Purple Team: Artificer - If you want to build research tools
“The code has flaws. Your job is to find them before someone else does.”