RoleCybersecurity

Vulnerability Researcher

Bug hunting at scale, fuzzing, CVE drops, conference talks if you're lucky.

The verdict

Elite, niche, and almost impossible to enter without serious prior craft. Pick it as a long-term direction, not a job you can apply for next week.

Pick this if

You've shipped public research, advisories or CVEs already
You can read assembly and source in the same investigation
You're prepared for months of work that may not produce a finding
You're motivated by the work itself, the public credit is intermittent at best

Skip this if

You've never reversed anything seriously outside coursework
You need regular wins and external validation to stay motivated
You expect bug bounty income to substitute for a salary, it usually won't

What "doing well" looks like in the seat

Your findings are reproducible from your writeup alone
Vendors take your disclosures seriously the first time
You contribute to the toolchain other researchers use
You can explain a vulnerability class clearly to a non-researcher

The bit you're probably underestimating

The market in the UK is tiny, the seats are usually offensive vendors, dedicated research teams or government, and the people who hold them tend to stay. Most who chase the role end up doing pentest with a side of research, which is honest work but not the same career. Decide whether you want the title or the practice, and be honest about which one you're actually chasing.

Tradeoffs at a glance

Hover any chip for the calibrated meaning. Ratings are directional, not absolute.

Promotion ceiling

High. Staff researcher comp at security product companies is excellent.

Who actually gets in

+Pentester with depth
+Malware analyst
+Self-taught hacker

Common misconceptions

−That bug bounty income is reliable, it isn't, for most.

Where this leads

Offensive R&D
Exploit Development
Tooling Engineering

Certifications people pair with this

GIAC GXPN

Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.

Pathways that pass through here

DFIR & Threat Intelligence
When the alert is real. Forensics, IR, malware analysis, threat intel. SANS/GIAC biased.

The serious next step

You've read about the role. The harder question is whether it's the right one for you.

A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.

Plateau zone

The flat year nobody warns you about, named and timed.

Reality vs Fantasy

Your actual five-year curve against the one you've been sold.

What to sit and what to skip

Each cert on your list: useful, optional, or skip, with reasons.

The call

A single written judgment on whether your plan holds up.

Tradeoff spectrum

What you're giving up for what you're choosing, plotted.

Decisive factors

The two or three things that will actually make or break this.

See what a Career Verdict looks like £25 · one verdict, yours to keep

Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.

All roles