What it’s really like to be a Cybersecurity Researcher

by Black Hat Middle East and Africa

Working as a cybersecurity researcher is sort of like being an explorer. But instead of trekking through jungles or sailing into uncharted oceans, you’re navigating codebases, poking at systems, and uncovering digital pathways no one’s ever noticed before. It’s exhilarating, frustrating, deeply technical – and often, surprisingly (wildly) creative.

If you ask five cybersecurity researchers what they do in a typical day, you’ll get five very different answers. And that’s kind of the point. The work is so varied that it resists definition. But there are common threads: curiosity, persistence, and a love of the unknown.

We spoke to two researchers – Owais Shaikh (Security Researcher at RedHunt Labs) and Jakub Pruzinec (Security Researcher at Nanyang Technological University) – to better understand the reality of this work, and what makes someone thrive in it.

The day-to-day: A blend of hacking, building, and solving

Ask Owais Shaikh what his average day looks like, and you’ll quickly see just how broad the role can be.

“At work, I write tools to detect web vulnerabilities, user data leaks, broken auth flows, secrets, concurrently scrape data and much more,” he said.

“I also have a developer background, so not only do I write these tools in languages like Go and Python, I also deploy them to Elasticsearch via Logstash pipelines, manage and scale infrastructure at the company I work at and so on.”

It’s not just about finding bugs – it’s about building the systems that find the bugs. Cybersecurity researchers often operate at the intersection of red teaming, development, infrastructure, and data science. You’re expected to learn fast, build fast, and iterate constantly.

The research mindset: Curiosity meets failure (and then tries again)

Both researchers seem to agree that the job demands a thick skin. 

“The most crucial trait for researchers, in my opinion, is the ability to deal with failure,” said Pruzinec. “Lots of ideas prove impractical, tons of paths require enormous effort and lead nowhere. Learning to recover quickly is crucial.”

He came into the field through self-study, interning at Avast, and later joining NTU in Singapore. One of the pivotal lessons from his supervisor, Quynh Anh Nguyen, was to embrace the attitude of “that looks cool, let’s check it out”. It’s about following your curiosity, even if you don’t know where it’ll lead.

Shaikh echoes this with his own philosophy:

“Be eager to be offended: It teaches you about a hundred other ways to do things aside from the one way you’ve already thought of. Diversity of thought and fearless experimentation is the key to innovation.”

It’s about letting go of the idea that there’s one ‘right’ way to approach a problem – and accepting that most paths are dead ends, but the journey is what teaches you how to spot the one that isn’t.

Learning by doing (and breaking things)

Courses and certifications can be useful. But for most researchers, they’re just a starting point – and real-world experience has a bigger impact. 

“No course is ever truly comprehensive,” said Shaikh. “The world is fast-moving. Everything gets outdated within a few years.” 

“Just be eager to try new things and you’ll be fine. As for certifications, they are kinda just like licences. Not having a driver’s licence doesn’t equate to not knowing how to drive.”

The real education happens when you build your own tools, reverse engineer software, trawl GitHub for interesting code, and lose sleep over obscure CVEs. That hands-on, fail-fast ethos is what sharpens your instincts as a researcher.

Discovering the undiscovered (even after 18 years)

In April 2024, researchers at Oligo Security discovered a critical vulnerability they dubbed the ‘0.0.0.0 Day’ – a bug that had quietly existed across major web browsers for nearly two decades. We wrote about it in another blog post.

It allowed malicious websites to bypass browser security and interact with local network services. In other words: it was a potential gateway to massive exploitation, hiding in plain sight.

This isn’t uncommon in cybersecurity research. As tools improve and collective knowledge deepens, buried vulnerabilities rise to the surface.

“Cybersecurity research tools and practices are improving and evolving all the time – so researchers are increasing their potential to uncover vulnerabilities that were missed in previous years,” Oligo noted in their disclosure.

This is one of the most exciting (and humbling) parts of the job. No matter how long a system has been live – or how widely used it is – there’s always a chance it contains flaws no one has spotted yet.

There’s joy in the hunt

At its heart, being a cybersecurity researcher is about loving the chase. That moment when something unexpected happens in a system and you just have to know why.

“As a researcher, you get so absorbed into finding things that there’s always this rush you get when you acquire new information that isn’t otherwise widely known,” said Shaikh. “Achieving this annoying researcher mindset is the best thing that has happened to me in the past decade.”

Pruzinec agreed:

“In security research, you often find yourself in places not intentionally accessible, messing with systems in unprecedented ways. It is exciting to be the first to try something out. Everything is intact; it is like skiing off track.”

Is cybersecurity research for you?

If you’re deeply curious, undeterred by failure, and driven by the thrill of discovery – cybersecurity research might be your calling.

It’s not a path paved with predictability. But that’s the point.

As Pruzinec put it:

“There is no predetermined path to expected outcomes. Sometimes, even the objectives themselves are undefined.” 

“As long as you deliver, you are free to study and delve into areas that interest you.”

And while systems continue to grow more complex, that freedom – to question, break, fix, and learn – might just be one of the most powerful tools we have. 
