[justsomeadvice0]

Lots of folks can make the hop from SRE to pentesting; much of the knowledge space - especially post-exploitation - is very similar! You have the advantage that you know how to operate on a production box without accidentally destroying or interrupting it. There are tools to learn, but I think you would find it to be an easy transition.

In more mature environments I would say up to 20-30% of a pentester's job can be finding bespoke vulnerabilities, 30+% is writing reports, so you get some good exposure to those; these are the exact skills you need in vulnerability research. If possible, request a ridealong with your company's pentesters in your environment, usually they love that: SREs know where the bodies are buried.

Research itself is a bit harder leap to get into straight from SRE; definitely far fewer junior roles. A lot of companies hire up researchers internally from their red and blue teams. Bug bounties are a way in without operational experience; without doing one or the other it's a bit of a tough sell. I would recommend a year or so on a red team and try to spend as much time as possible doing vuln-researchy things. Find some interesting things, communicate them effectively, and you will be well-poised to get into research.