by micaksica 3406 days ago
I work in product security. Early in my career, I often did bug bounties and CTFs/wargames, but I didn't really get into "software security" until I had spent some years doing large-scale, production-level software engineering.

Software security is a big space. There are pentesters, exploit developers, researchers, application security people that work attached to product engineering teams, et cetera. What is it that you really want to do?

IMO, to really understand how to break things and how things break, you need to be able to build things as well. Outside of very limited circumstances, you need to be able to communicate to product teams and other developers why a certain exploit class succeeded, what they can do to mitigate the issue in prod now, and what best practices to follow to mitigate the issue class in the future.