On Learning
You won't become a better security researcher just by reading or doing easy labs. That's only one part; there are multiple aspects to it.
Reading gives you instant gratification, almost creating the illusion that you understand the topic. But you don't; you only partially understand what you read. Reading about buffer overflows or XSS gives you surface-level clarity, but until you debug a crash in GDB or manually craft a payload that bypasses sanitization, you haven't really understood the underlying mechanism. Most people stop here: they “know of” the vulnerability but don’t understand it.
Then there is doing, but doing something that might not even add value. Let's say you solve a CTF challenge or a lab like HTB or Web Security Academy. The lab is easy and gives you instant gratification (which can be addictive), and if you don't manage that properly, you'll find yourself in a loop of doing only these easy challenges. You'll be feeding your brain the dopamine of solving labs while your skills plateau and stagnate. Many researchers stay stuck here. You can spend hundreds of hours on repetitive tasks and still not evolve, because your brain never faces something that truly confuses or humbles it.
I follow a mixed approach of reading + spaced repetition + jumping to complex topics once I understand the basics. The more complex, the better: things the majority of people in the industry won't know about, because they never got past lurking around easy topics and never truly dove into complex stuff. For instance, once you’re comfortable with memory corruption basics, dive into kernel exploitation or hypervisor bugs. When you understand basic web vulnerabilities, move toward browser exploitation or deserialization chains. The goal is to deliberately enter territory where you’re no longer comfortable, where reading isn’t enough and guessing doesn’t work. That’s where the learning curve gets steep and meaningful.
Mediocrity develops in comfort. Your brain can only develop intuition and pattern-recognition skills once it has seen enough patterns. But that can also be dangerous; I've always struggled with over-learning (I still do!). I go into topics I don't need to, which creates a diversion, so you need to hold yourself accountable to stay on track. It’s easy to spiral into endless theory, reading papers on mitigations or obscure architectures, but without applying them, the knowledge fades. You need to oscillate between learning and experimenting.
Do test yourself, and do it very often. CTFs are one way to do it; others include research work or testing things out in the wild. Analyze real-world vulnerabilities in CVE databases, read exploit write-ups, try reproducing bugs from advisories, do patch diffing, or review the patches and PRs that fix bugs. When you break something unintentionally, figure out why. When you can’t break it, figure out why not. Make sure to document everything, even half-finished experiments, strange bugs, or failed ideas. Many of those “failures” become insights later when you encounter similar behavior in a different target.
Most of what you read as a beginner won't make sense to you and will feel overwhelming. That's a natural brain response, but do make a note of it for the future. You'll thank yourself for doing that. Months later, when you revisit those notes after more hands-on work, the same papers and blog posts suddenly “click.” That’s the real dopamine: not from instant results, but from the slow realization that your brain is now capable of connecting ideas that used to confuse you.
As Steve Jobs said:
“You can’t connect the dots looking forward; you can only connect them looking backward. So you have to trust that the dots will somehow connect in your future. You have to trust in something — your gut, destiny, life, karma, whatever. This approach has never let me down, and it has made all the difference in my life.”
And that applies perfectly to learning security. You might not see how reading about heap metadata today connects to a deserialization bug months later, or how reversing a random firmware will someday help you exploit IoT devices. But if you keep learning deeply, not just widely, the dots do connect — and when they do, that’s when real expertise begins, and you escape mediocrity.