All Classes
red teamSecurity Researcher / Vulnerability Researcher
Sorcerer → Security Researcher character illustration
Earn Some GoldFind remote Security Researcher / Vulnerability Researcher jobs on Hiring Cafe

⚡ Sorcerer → Security Researcher

“The vulnerability was always there. I just found it first.”

Your Role in the Party

You find the vulnerabilities before attackers do. While pentesters exploit known bugs with established tools, you discover new ones—0-days that nobody has seen, attack surfaces that others overlooked, techniques that push the boundaries of what’s possible. Your research protects millions of users when vendors patch what you find.

Security Researchers operate at the frontier of offensive security. You study systems deeply enough to find their flaws, develop proof-of-concept exploits to demonstrate impact, and responsibly disclose your findings. Some work for companies finding bugs in their own products; others hunt bugs for bounties; others push the state of the art in academic or vendor research labs.

This role rewards curiosity and persistence. Finding real vulnerabilities often means weeks of research with no results, followed by a breakthrough moment. The best researchers are driven by genuine curiosity about how systems work—and how they break.


📊 Your Stat Spread

Stat Score What It Means for You
STR ⭐⭐⭐⭐⭐ Hands-on experimentation is your primary mode. You learn by fuzzing, poking, breaking.
CON ⭐⭐⭐⭐⭐ Extended research sessions. Weeks on a single target. Persistence through dead ends.
DEX ⭐⭐⭐⭐ Pivot between research areas. Move from web to binary to cloud as opportunities arise.
INT ⭐⭐⭐ Learn what you need for the current target. Deep knowledge in areas of focus.
WIS ⭐⭐⭐ Intuition for where vulnerabilities hide. “Something feels wrong here” instincts.
CHA ⭐⭐ Your findings speak for themselves. CVEs and writeups over presentations.

🎭 Neurodivergent Advantages

Your traits are class features, not bugs:

  • Hyperfocus on Research (CON): Those week-long research sessions where you’re completely absorbed in understanding a system? That’s not obsession—that’s exactly what vulnerability research requires. Your ability to maintain focus on a single target is your primary weapon.

  • Learning by Breaking (STR): Reading documentation tells you how systems are supposed to work. Your brain wants to know how they actually work—which means running them, fuzzing them, crashing them. Research rewards this approach completely.

  • Unconventional Thinking: The bugs that matter are the ones others didn’t see. ADHD’s divergent thinking and autistic pattern recognition both produce the “weird” approaches that find real vulnerabilities.

  • Special Interests in Systems: If you’ve ever fallen down a rabbit hole understanding how a protocol works, how memory management functions, or how a particular API behaves—that knowledge finds bugs.

  • Persistence Through Failure: Research is mostly dead ends. If your brain can handle “this didn’t work, try something else” without getting discouraged, you’re built for this.

  • Detail Orientation: The difference between exploitable and non-exploitable often lives in edge cases. Your attention to detail catches the boundary condition others miss.


🗺️ Career Path

Pentester → Security Researcher → Senior Researcher → Principal Researcher
      ↓             ↓                    ↓                    ↓
 (Foundation)   (Find bugs)        (Lead research)     (Shape the field)

Alternative Entry Points:

  • Software Developer → Security Researcher (understand what you’re breaking)
  • CTF Player → Security Researcher (exploitation skills transfer)
  • Malware Analyst → Security Researcher (reverse engineering foundation)

Common Sorcerer Multiclasses:

  • Sorcerer/Rogue: Security Researcher + Pentester (find bugs AND exploit them in engagements)
  • Sorcerer/Monk: Security Researcher + Malware Analyst (find vulns AND analyze exploitation)
  • Sorcerer/Artificer: Security Researcher + Tool Developer (build fuzzing infrastructure and exploit frameworks)

📜 Certification Pathway

Level 1-5: Foundation (0-2 years)

Certification Org Type Cost Why It Fits
CompTIA Security+ CompTIA Multiple Choice ~$425 Foundation. Understand security concepts before breaking systems.
eJPT (Junior Penetration Tester) INE Security Practical (48-hr) ~$200 Entry-level offensive skills. Affordable, practical exam.
CompTIA PenTest+ CompTIA Multiple Choice ~$404 Pentesting fundamentals. Stepping stone to research.

Neurodivergent Note: Get basic pentesting skills first—you need to understand exploitation before you can find new vulnerabilities. eJPT’s practical format suits hands-on learners.


Level 6-10: Specialization (2-5 years)

Certification Org Type Cost Why It Fits
OSCP (Offensive Security Certified Professional) OffSec Practical (24-hr) ~$1,749 Industry standard offensive cert. “Try Harder” methodology. Proves you can exploit systems.
OSWE (Offensive Security Web Expert) OffSec Practical (48-hr) ~$1,749 Web application research. Source code review, vulnerability discovery.
GXPN (GIAC Exploit Researcher) SANS/GIAC Practical ~$999 (exam) + ~$8,500 (SEC660) Advanced exploitation. Memory corruption, custom exploits. Only ~2,600 holders globally.
CPTS (Certified Penetration Testing Specialist) Hack The Box Practical ~$490 HTB’s practical cert. Rigorous, affordable alternative to OSCP.

Neurodivergent Note: OSCP is the rite of passage—24-hour time pressure isn’t ideal for everyone, but it’s highly respected. GXPN has only ~2,600 certified professionals globally—scarcity itself creates value. OSWE is excellent if web is your research focus.


Level 11-15: Advanced (5-8 years)

Certification Org Type Cost Why It Fits
OSEP (Offensive Security Experienced Penetration Tester) OffSec Practical (48-hr) ~$1,749 Advanced evasion, custom payloads, mature environments.
OSED (Offensive Security Exploit Developer) OffSec Practical (48-hr) ~$1,749 Windows exploit development. ROP, shellcode, evasion.
GREM (GIAC Reverse Engineering Malware) SANS/GIAC Practical ~$999 (exam) + course Understand exploitation from the malware side.

Neurodivergent Note: OSED is pure exploit development—if binary exploitation is your special interest, this validates it. The 48-hour format is more accommodating than OSCP’s 24.


Level 16-20: Mastery (8+ years)

Certification Org Type Cost Why It Fits
OSEE (Offensive Security Exploitation Expert) OffSec Practical (72-hr) ~$2,499 Windows kernel exploitation. The hardest offensive cert. Very few holders.
OSCE3 OffSec Trilogy Completion Pass OSEP + OSWE + OSED Proves mastery across web, network, and exploit development.

Neurodivergent Note: OSEE is elite-level validation. Very few people hold it. If kernel exploitation is your passion, this is the summit.


🛠️ Your Toolkit

Primary Weapons

Tool Type What It Does Link
AFL++ Fuzzer State-of-the-art coverage-guided fuzzer. Finds bugs automatically. GitHub
Ghidra Disassembler NSA’s free reverse engineering suite. Understand code to find bugs. ghidra-sre.org
GDB + pwndbg Debugger Linux debugging with exploitation focus. pwndbg
Burp Suite Web Proxy Web application research. Intercept, modify, analyze. portswigger.net

Fuzzing Infrastructure

Tool Purpose Link
LibFuzzer LLVM-based fuzzer. Integrates with address sanitizers. LLVM
Honggfuzz Security-oriented fuzzer from Google. GitHub
OSS-Fuzz Google’s continuous fuzzing service for open-source. GitHub
ClusterFuzz Scalable fuzzing infrastructure. GitHub
Boofuzz Network protocol fuzzing framework. GitHub

Exploitation Development

Tool Purpose Link
Pwntools CTF and exploit development framework. GitHub
ROPgadget Find ROP gadgets in binaries. GitHub
Ropper ROP chain generation. GitHub
Angr Binary analysis framework. Symbolic execution. GitHub
Triton Dynamic binary analysis and symbolic execution. GitHub

Web Research

Tool Purpose Link
SQLMap Automated SQL injection. sqlmap.org
Nuclei Template-based vulnerability scanner. GitHub
ParamSpider Parameter discovery for web applications. GitHub
Arjun HTTP parameter discovery. GitHub

Fun Tools from Awesome Lists

Source: Awesome-Vulnerability-Research

Tool What It Does
Lighthouse IDA/Binary Ninja code coverage plugin
Frida Dynamic instrumentation toolkit
DynamoRIO Runtime code manipulation
QEMU System emulation for research
Manticore Symbolic execution for bug finding
Vuzzer Application-aware fuzzing

📚 Learning Resources

Free Resources

YouTube Channels:

  • LiveOverflow - Essential binary exploitation and research
  • GynvaelColdwind - CTF and security research streams
  • John Hammond - CTF walkthroughs and exploitation
  • ippsec - HackTheBox with research methodology
  • PwnFunction - Web security animations

Practice Platforms:

Bug Bounty Platforms:

Essential Reading:


Books for Sorcerers

Book Author Why Read It
Hacking: The Art of Exploitation Jon Erickson Classic. Exploitation fundamentals from the ground up.
The Shellcoder’s Handbook Koziol et al. Comprehensive exploit development reference.
A Bug Hunter’s Diary Tobias Klein Real vulnerability research stories. Practical methodology.
The Web Application Hacker’s Handbook Stuttard & Pinto Web security research bible.
Practical Binary Analysis Dennis Andriesse Modern binary analysis and reverse engineering.
The Tangled Web Michal Zalewski Web security from a researcher’s perspective.

Podcasts

Podcast Why Listen
Darknet Diaries Real stories of vulnerability research
Risky Business Weekly security news with research context
Security Now Deep technical security discussions
Malicious Life Security research history

🎓 SANS Courses for Sorcerers

Course Cert Focus Best For
SEC660: Advanced Penetration Testing GXPN Exploitation, custom exploits Core research skills
SEC760: Advanced Exploit Development N/A Windows kernel exploitation Elite binary research
SEC642: Advanced Web App Penetration Testing GWAPT Web vulnerability research Web-focused researchers
SEC561: Immersive Hands-On Hacking Techniques N/A Hands-on exploitation skills Practical foundation

🏆 Building Your Magic Items

Early Career Achievements:

  • Complete pwn.college or Exploit Education exercises
  • Find a bug (any bug) in real software
  • Set up a fuzzing environment with AFL++
  • Earn OSCP or CPTS certification
  • Write an exploitation technique writeup

Mid-Career Achievements:

  • Get a CVE assigned to your research
  • Earn a bug bounty payout
  • Earn OSWE, OSED, or GXPN certification
  • Publish research (blog, conference, paper)
  • Develop an exploitation technique

Senior Achievements:

  • Multiple CVEs with significant impact
  • Earn OSEE or OSCE3
  • Present at a major conference (Black Hat, DEF CON, etc.)
  • Contribute to fuzzing or exploitation tools
  • Shape vulnerability disclosure practices or mentor researchers

🧭 Multiclassing Guide

Adding Rogue Levels (Penetration Testing)

Apply research to real engagements:

  • Use discovered vulnerabilities in pentests
  • SANS SEC560 for enterprise penetration testing
  • Balance research time with client work

“The 0-days I find don’t just get disclosed—they win engagements.”

Adding Monk Levels (Malware Analysis)

Understand exploitation from both sides:

  • SANS FOR610 for malware reverse engineering
  • Analyze real-world exploits to inform research
  • Learn how attackers weaponize vulnerabilities

“I find vulnerabilities AND understand how they’re weaponized in the wild.”

Adding Artificer Levels (Tool Development)

Build fuzzing infrastructure and exploit frameworks:

  • Develop custom fuzzers for your research focus
  • Contribute to pwntools, AFL++, or other frameworks
  • Automate repetitive research tasks

“I build the tools that find the bugs.”


💡 Neurodivergent Learning Strategies

For ADHD:

  • Each target is a new puzzle—novelty helps maintain interest
  • Use the breakthrough moment as dopamine reward
  • Switch between different research areas when stuck
  • Bug bounty hunting provides external motivation and deadlines

For Autism:

  • Build systematic research methodologies
  • Deep-dive on specific vulnerability classes (memory corruption, injection, etc.)
  • Create comprehensive documentation of techniques and findings
  • Pattern recognition helps identify similar bugs across targets

For Both:

  • Hyperfocus on interesting targets is your competitive advantage
  • Your “weird” approaches find bugs others miss
  • Independent, deep work matches your preferences
  • Persistence through dead ends is the job

🎯 Not Sure If You’re a Sorcerer?

Take the Character Creation Quiz to discover your cybersecurity class and get personalized recommendations!


📖 Continue Your Journey


“The code has flaws. Your job is to find them before someone else does.”

Work an Incident

Before you grind certs, try the job. These interactive incidents put you in the Security Researcher / Vulnerability Researcher's seat — read the evidence, make the calls, live with the consequences.