HACKER Q&A
📣 wdym

How can I get into cyber security research?


Quick background: I am a tech lead in an SRE team. I am not sure this is what I want for the rest of my life.

I love the sec field. In the last few years I've played lots of CTFs, pwned several boxes on Hack the Box, studied and reproduced CVEs, etc. I have the technical knowledge.

I don't think that I want to do pentests or bug bounty. I'm more into research. I like to be the one ahead discovering new stuff. But, how do I get there? Who hires someone like that? What do you need to get the role? How is this job for real? So many questions.


  👤 kokonoko Accepted Answer ✓
Assuming vulnerability research, you need to be able to recognize bug patterns (buffer overflows, use-after-frees and such) and be familiar with fuzzing, code audits and debugging. And, of course, understanding the code, usually in C/C++ and assembly.

Assuming you have the technical skills there are companies that hire for such positions ranging at varying degrees in the "ethical" scale. See Google Project Zero and Zerodium for instance.

You don't need a PhD, CISSP, a cybersecurity bootcamp, a relevant degree or pretty much anything. You need to understand how the computer actually works. Most of the stuff needed is left out of a typical computer science curriculum. And (most of) the people hiring actually know that.

In order to do it you must simply spend so many hours to learn that stuff and then not be disheartened by the work that needs to be done. Example: No one has compiled a binary with ASAN. Do it (by spending an exorbitant amount of time to fix all the linking errors during compilation). Run the binary with literally any input. Boom, you got a bug.

Getting the role is pretty much like any other: you pass the interviews. Solving CTF-like challenges is common. Finding all the bugs in a toy C program. Elaborating on the exploitability of the latest CVE, etc.

My favorite interview question:

1. Write a hello world in C.
2. Run it.
3. Explain how it works.

You'd be surprised how many people actually have even a vague idea of what happens.
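
The bug pattern and ASAN workflow mentioned above, as an added example that is not part of kokonoko's comment: a constructed off-by-one heap overflow beside its bounds-checked form. Build it with `cc -g -fsanitize=address demo.c` (the filename is assumed) and ASAN reports the overflow on the first run; built without the flag it usually runs silently, which is the comment's point.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bug pattern: off-by-one heap overflow. The buffer holds the characters
 * but not the terminating NUL, so the final write lands one byte past the
 * allocation. Without a sanitizer this usually runs "fine"; built with
 * -fsanitize=address, ASAN reports heap-buffer-overflow on the first run. */
char *copy_tag_unsafe(const char *src) {
    size_t n = strlen(src);
    char *buf = malloc(n);              /* should be n + 1 */
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, n);
    buf[n] = '\0';                      /* one byte past the allocation */
    return buf;
}

/* Hardened form: the caller owns the destination and states its size, and
 * the copy is refused (returns -1) when src plus its NUL would not fit.
 * On success, returns the number of characters copied. */
int copy_tag_safe(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);            /* includes the terminator */
    return (int)n;
}

int main(void) {
    char tag[8];
    /* "nightly" (7 chars) fits in 8 bytes; "nightly1" (8 chars) does not. */
    printf("safe copy of \"nightly\": %d\n",
           copy_tag_safe(tag, sizeof tag, "nightly"));
    printf("safe copy of \"nightly1\": %d\n",
           copy_tag_safe(tag, sizeof tag, "nightly1"));

    /* Under ASAN this call aborts with a heap-buffer-overflow report that
     * names copy_tag_unsafe and the offending line. */
    char *p = copy_tag_unsafe("nightly");
    free(p);
    return 0;
}
```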


👤 lauriewired
I would like to challenge the conventional approach and suggest starting with reverse engineering, particularly malware reverse engineering, as a foundation before engaging in research. Engaging in activities such as participating in CTFs, hacking boxes, and reproducing CVEs is valuable, but without the fundamental knowledge, it is akin to attempting to run before learning to walk.

I recommend exploring OpenSecurity's courses to gain a comprehensive understanding of topics such as assembly, debuggers, and x86 architecture. It is essential to have a solid grasp of these concepts before diving into malware analysis.

Then, I suggest watching OALab's YouTube channel and streams for excellent malware analysis content, and practicing by following along with his videos, reversing malware with Ghidra (if you do not have access to an IDAPro license). Additionally, if you have the money for it, also participate in virtual machine-based malware analysis exercises, such as those offered by the SANS Institute, to gain hands-on experience.

Once you are confident with the material from these resources, you can choose to specialize in a specific area that interests you. Would you like to delve into Linux Kernel security, Windows internals? Perhaps mobile security or ARM? By having a strong foundation, the research papers, CVEs, and exploits will be easier to comprehend and analyze.

Don't get discouraged by setbacks, it's a difficult field, just always strive to expand your knowledge and skills.


👤 woodruffw
"Cybersecurity research" is a very large domain, so it's hard to offer a wholly encompassing answer here! The company I work for[1] does a great deal of program analysis research, primarily in and around the LLVM ecosystem. Other companies/groups in our domain(s) include Galois, Inria, and GrammaTech.

In terms of working in our domain: we frequently find it difficult to hire for pre-existing compilers or program analysis skills (it's a small community!), so we generally long for strong engineers with security/low-level fundamentals who don't mind making a pivot.

As for how the job is: I personally find it very fulfilling, but it definitely contains a degree of uncertainty (particularly when doing government-funded research) that ordinary SWEs/SREs may not be used to. I've noticed that it takes new hires a decent amount of time to acclimate and become comfortable with the idea of research engineering, meaning engineering where we expect less than 100% of all exploratory avenues to have productive outcomes. This can be a large culture shock compared to typical engineering, where tasking is defined primarily by business requirements that don't contain a large degree of uncertainty or ambiguity in terms of implementation approach.

[1]: https://www.trailofbits.com/


👤 MSFT_Edging
Do you want to work for a government contractor?

If so, they're always looking to expand and hire more great minds. Many people who are technically skilled but relatively new to RE/VR get hired because it's such a niche field and they teach on the job.

If you don't want to work for a government contractor, gl;hf because most of the money lies in alphabet agency contracts and the vulnerabilities WILL be weaponized and left open. This will often cause things like the ransomware attack on the NHS.

If you're cool with keeping systems vulnerable for cyber weapons and you're a US citizen, throw a rock in the Northern VA region and you'll hit a building that will hire you.


👤 lmeyerov
Great question!

For context, I transitioned from publishing top academic papers in security to building & growing a visual graph AI startup where, for one of our bigger customer bases, we work with top enterprise & military security teams. We're actively hiring here so some quick responses based on what I look for and have seen:

* Red team makes sexy headlines, but it's the blue team who gets the seat on the board. Think prioritizing areas like detection, hardening, new protocols, thorough fuzzing, SDLC, vs finding bugs with a security flavor. Red team does have its niche, as pen testing + compliance audits form an important services industry, but the research opportunities are more limited.

* Education: Cybersecurity fundamentals are super approachable and CS ugrads who did systems courses already have the harder basics: networking, OS, and compilers. Cyber-specific coursework mostly just revisits the harder fundamentals with a "gotcha" perspective. For more modern AI-ish roles, a classical math/cs background is typical.

* Industrial education: Interestingly, SOC/IR/Hunt are NOT taught in school. Likewise, industrial experience in AI/data engineering/software can often be way more valuable than university-flavor, so career pivots are doable.

It can be hard to do R&D within a regular operational security team. However, early-stage vendors like us inherently have to do it, and we work with top enterprise/tech/mil teams who in turn do research internally & through us. US, esp DC-area with clearance (ex: drugs can be problematic), opens a lot of doors. If anyone is like that for cyber AI or sec eng, either US or Australia, we're def looking for senior, and aim to have mid/junior later in the year :)


👤 dguido
Trail of Bits does this kind of work (https://www.trailofbits.com)!

Tbh there is a much larger market for application of existing technology (e.g., pentests) than development of new technology (e.g., DARPA programs and the 1% of tech firms that need something new). There are a handful of others, but the market doesn't support dozens of other firms like Trail of Bits. There is some innovation that happens in Series A and B security startups but IMHO that quickly gives way to pressures of building an enterprise sales team.


👤 justsomeadvice0
Lots of folks can make the hop from SRE to pentesting; much of the knowledge space - especially post-exploitation - is very similar! You have the advantage that you know how to operate on a production box without accidentally destroying or interrupting it. There are tools to learn, but I think you would find it to be an easy transition.

In more mature environments I would say up to 20-30% of a pentester's job can be finding bespoke vulnerabilities, 30+% is writing reports, so you get some good exposure to those; these are the exact skills you need in vulnerability research. If possible, request a ridealong with your company's pentesters in your environment, usually they love that: SREs know where the bodies are buried.

Research itself is a bit of a harder leap to get into straight from SRE; there are definitely far fewer junior roles. A lot of companies hire up researchers internally from their red and blue teams. Bug bounties are a way in without operational experience; without doing one or the other it's a bit of a tough sell. I would recommend a year or so on a red team and try to spend as much time as possible doing vuln-researchy things. Find some interesting things, communicate them effectively, and you will be well-poised to get into research.


👤 octagons
I work for the Adversary Simulation arm at IBM X-Force Red. Prior to that, I worked at Mandiant and left as a technical manager for the proactive (offensive security) consulting branch.

I’d be happy to chat with you and answer any questions. I have interviewed and hired candidates for these positions many times, and have also been the one in the interview chair. My Twitter handle is in my profile.

In case you’re wondering, Adversary Simulation is a mix of research, implementation, and application of techniques to test security gaps in an organization. Typically, we use social engineering to gain access and must avoid detection by a variety of security measures. The goal is usually to gain access to something specified by the organization without being detected, as the testing is not announced to the security team in advance.


👤 _gmax0
1. Browse through major findings in USENIX security conferences and make note of major authors and their affiliations.

2. Think about what challenges are generally faced in the field in whatever capacity you're interested in (network security, hardware security, etc.) and what organizations (public/private/solo hacker groups) are actively working towards addressing these challenges.

3. Do some work, reach out to people, ask some questions, assert your solutions.


👤 HedgeMage
As others have noted, that's a pretty broad question. Are you interested in the theoretical or the practical? Do you prefer a scrappy, creative investigation or one within the walls of a big, well-resourced, legitimizing, and bureaucratic organization? How will you serve the needs of others (aka the only way to make money in this world)? What's your current background, professionally and educationally?

Feel free to DM me if you want... I work in cybersecurity at a major university. My role is primarily operational, but I also manage and conduct research. Before that, I was a more independent sort of security geek.


👤 wepple
What do you mean “discovering new stuff”?

New vulnerabilities?

New attack vectors against new technology?

New defensive ideas?


👤 w4rh4wk5
Quite some time ago a colleague and myself put together a seminar paper on binary exploitation techniques and their mitigations. Maybe it's helpful to you:

https://github.com/W4RH4WK/ETnM/blob/master/docs/paper.pdf


👤 AviationAtom
I know you explicitly said you don't want to, but: participate in all the bug bounty programs you can, responsibly disclose through them, wait until patched (or give a hard deadline), then post a technical writeup of the bug to a Substack or the like. That will become your "resume" to get your foot in doors.

👤 robcohen
Could you give us a few examples of security research jobs?

It seems pretty obvious that you’d need to go into a PhD program in cybersecurity to work on groundbreaking research. Perhaps you mean industry or implementation specific research?


👤 cypherg
Landing a cyber job isn't too hard, but getting a "research" based position is going to be extremely difficult even if you already have a decade+ of cyber experience. "Research" may be a better home/fun activity. If you want a security-based job, first figure out what niches you enjoy the most: mobile, vulnerability writing, mobile, reversing, web apps, forensics, etc.

👤 milkshakes
Please add contact info to your profile or reply here. I work for a team you would be interested in, and we're looking for people exactly like you.

👤 markus_zhang
A side question, for Canadians, which gigs offer "teach on the job" as MSFT_Edging mentioned in his comment? Maybe government too?

👤 2snakes
Find out ways to completely obviate classes of bugs.

👤 nibbleshifter
Start doing research, find some 0day, publish work.

👤 wikibob
Something not covered by the many knowledgeable commenters here:

What’s the pay?

Is it competitive with FAANG? (See levels.fyi)


👤 sorry_outta_gas
find some bugs