My Advice for Someone Who Wants to Be an Hacker

security

Recently I replied to a tweet from @nahamsec https://x.com/NahamSec/status/1851818696685314160

Bug bounty hunters: What’s your advice for someone who’s trying to make their first $100,000 in 2025? What should they do/learn? What should they avoid?

Here is my personal advice on the question:

Pick a niche, become an expert, find bugs maybe even 0days or reverse n-days, and write blogs. Even if you don’t hit those $100k bounties, it’ll be a stepping stone toward a $100k job.

What niche? How to pick? Examples?

infosec being so vast from web3 sec to web2, mobile, desktop, recon, client-side, server-side, cryptography and so on. These are umbrella terms, but if we zoom in, there are specific areas where spending a lot of focused time will make you a top 20 expert – 100% sure.

The key thing is, that the current top 20 experts in any niche will eventually be replaced as they get bored or burned out. This leaves room for you, and the easiest way to pick a niche is to learn from an existing expert in the niche, take inspiration, and grind to build on top of it.

  1. For instance, I got into the client-side JS niche by following @terjanq’s work. From there, I went down even further to focus specifically on ElectronJS.

  2. Another example: @rootxharsh and @iamnoooob their niche is in reversing n-days and finding new ones based on that knowledge. I don’t think anyone in India can compete with them on reversing n-days, writing blogs, and submitting findings to bounty programs.

  3. And off the top of my head, @ajxchapman, from his tweets, seems to have a specific niche in V8 n-day exploits. I don’t think there’s anyone else in the web security scene who can write V8 exploits 😅.

  4. Like @orange_8361, pick a complex target and grind on it for months eventually uncovering mind-blowing findings.

  5. Or, like @albinowax, choose a complex specification, such as HTTP, and find bugs from every aspect of it from top to bottom

I could list so many more people, but my point is this: if you look at the top bug bounty hunters or experts, there’s a pattern. Their blogs or tweets consistently focus on a specific niche (or two) for years and years. No one ever becomes a pro in a night.

How to Become an Expert in a Specific Niche?

Spend a lot of time. There’s no shortcut. Follow the work of the expert you picked for inspiration, read their blogs, dive into the blogs they learned from, and explore everyone else in that specific niche. Solve CTFs and write about them.

For example, not to make it all about myself, but just as an example. I’ve read every blog from the people I listed as inspirations(https://blog.s1r1us.ninja/inspiration) while learning client-side security.

If it’s taking time to understand, you’re likely on the right path. That’s where most people give up, so keep pushing. Just dedicating days to it will put you ahead of at least 100 others. It’s that simple.

Expert = Spent Time × IQ

Find Bugs or 0days, Reverse n-days, and “Write Blogs

Once you’re an expert, finding bugs will start to feel natural. But let’s be real, sometimes you might not get lucky. When that happens, reverse other n-days and write about it. I mean write about anything. Nothing gives you as much exposure as writing blogs: you’re helping others, plus you’re building a network that will eventually help you land a $100k job or $100k bounties.

Why the above advice might not be easy to execute?

it’s not easy.

Exactly, this is what the equation captures: lower capability (IQ) requires more time, while higher capability requires less time.

Expert = Spent Time × IQ

But honestly, spending more time demands another dimension of brain power. It’s probably more like:

Spending Time = Focus × Persistence × Interest

Here, focus and persistence are largely influenced by brain factors beyond our control like ADHD making uniquely easy or hard for each person.

So being delusional that we are going make it is the way.