This is a pretty great post. One of its subtexts is the cliche of people taking jobs in offensive security and complaining that all they get to work on are web apps --- web apps are where all the money is, and where most new software is built. Another interesting subtext: there's a whole variety of low-level targets where modern exploit development techniques would come into play, but since there's no market for those vulnerabilities, there aren't many opportunities to get paid to develop the exploits; all the action is in browsers and mobile operating systems, where competition is incredibly fierce.
> low-level exploitation is rarely needed in cybersecurity

Sadly that's true. I am transferring from a low level pentester to web app security engineer. That's where all the jobs are. People don't really care how much you know about low level.
Also, video going over the blog post by the author: https://www.youtube.com/watch?v=58fwUXvhO3c
Mark Dowd's 2023 presentation "Inside The Zero Day Market" [0] is extremely informative and a must read for everyone interested in a low-level exploitation career.

[0] https://github.com/mdowd79/presentations/blob/main/bluehat2023-mdowd-final.pdf
He left out education. Become a computer scientist and do research in exploits and you're getting paid to create exploits. There are lots of profs doing it, I've known some of them, they call it research. Companies don't usually pay for general research in exploits, but universities do.
You can sell low-level exploits quite profitably. You don’t need to make it, like, an official employment. If you can find gold, why be employed in a gold-mining company for a salary if you can just sell your findings?