Arnie

716 posts

@ArnieSec

Security Researcher

Joined July 2015
371 Following, 2.8K Followers
Pinned Tweet
Arnie@ArnieSec·
Many people DM me asking how to land audit/contractor work. Here’s what worked for me:
- Learn to audit. You don’t need to be the best yet, but you need experience; Cyfrin Updraft is enough.
- Build public, verifiable proof (contests, shadow audits, writeups).
- Start by providing value at low cost (even free). Perform well. Many people will give you a shot, especially if it will not cost them anything.
- Use that experience to slowly raise your rates and finally start getting paid.
- Repeat until you’re trusted and in demand.
No shortcuts. Skill → proof → trust → income.
Arnie@ArnieSec·
@TopengaNFT Please share your results with me if you do! Currently working on this in my free time, so I'm limited on how much I can test and improve it.
Arnie@ArnieSec·
ROAD TO LSR: Week 6
As you may or may not have noticed, this post is the first in about 2 weeks. The reason for this was that I started to notice decreased work motivation from daily posts, as I'd sometimes continue on X, sometimes for long durations, even after I had made my post. I decided to take a small break from posting to recalibrate and come back disciplined. However, the work stayed consistent. The past 2 weeks saw me finishing 2 audits. For each day of the week I also continued studying math and AI. In my time away, I decided this series works best on bi-weekly or monthly scheduling, as that's when milestones or achievements are likely to happen. My goal is to provide good insight or a fresh perspective while also providing informational content on here. Simple daily updates are not my style!
Arnie@ArnieSec·
The arrogance I’m seeing on here is concerning. People are so excited to not pay for security. You always pay for security, the question is whether you pay before or after deployment.
Arnie@ArnieSec·
@0xSlowbug Marketers without actual skill are noise, not signal. Anyone skilled/experienced can easily distinguish them, or they will stop getting jobs due to bad performance. There is no alternative besides maybe bounties now.
0xSlowbug 🥷@0xSlowbug·
@ArnieSec This would be a worse pointer than contests for evaluating good researchers. We will be having good marketers instead of researchers.
Arnie@ArnieSec·
Audit contests dying doesn’t mean new researchers won’t get onboarded. It changes the selection pressure. Contests were a clean signal amplifier, a structured scoreboard. A technically strong individual could win once and instantly gain attention, status, and credibility. One leaderboard result = hundreds of eyes. That era is fading. There’s no longer a public scoreboard doing the signaling for you. Now you have to manufacture your own proof of skill. The next wave of researchers won’t just be technical. They’ll be self directed, disciplined, and capable of building their own visibility. If you can’t create signal, the market won’t see you, no matter how skilled you are.
Arnie@ArnieSec·
One thing I’ve noticed after 3 years of being a security researcher is how much the skill transfers into almost everything else. Math feels more intuitive and easier to understand than it used to, and I was always good at it. The difference now is structural. I don’t approach problems the same way.

What changed isn’t just knowledge. My brain literally adapted. Spending thousands of hours reasoning about attack surfaces, invariants, state transitions, and edge cases rewired how I process complexity. Neural pathways strengthened around abstraction, error detection, and multi-layer simulation. Debugging contracts became debugging systems. Debugging systems became debugging life.

My thinking, and even what interests me, has shifted. Learning security research pulled me toward understanding deeper systems. How does the brain actually work? Where are its vulnerabilities? What are its cognitive exploits? How can I use this to my advantage? I started viewing biases like bugs, identity like architecture, philosophy like a framework for behavior under constraints. The same skills used to find protocol weaknesses now help me analyze my own reactions, redesign habits, and respond more intentionally in high-pressure situations.

This wasn’t a mindset shift, it was neuroplasticity. The brain adapts to the problems it repeatedly solves. And security research trains you to think in systems, adversarially, and structurally. After enough time, that stops being something you do, it becomes how you think.
Arnie@ArnieSec·
For a long time, contests sat at the top as the primary metric for gauging a researcher’s skill when deciding who to hire. But contests are actually a poor predictor of ability for a large subset of security researchers. Their structure favors a specific motivational profile: high tolerance for uncertainty, competitive reward chasing, and sustained effort under probabilistic payoff.

For many neurodivergent researchers, especially those with ADHD, this format is misaligned. Contests offer no guaranteed reward, no clear obligation, and no social accountability. If you don’t succeed, the only person affected is you. There’s no client waiting. No team relying on you. No defined finish line beyond “maybe you win.” That incentive structure doesn’t measure depth of reasoning, systems thinking, or long-horizon protocol modeling. It measures performance under competitive uncertainty.

I noticed this in myself. Contests never held my attention for long. I could tolerate very short ones, but the open-ended, winner-takes-most format didn’t engage me. That didn’t reflect a lack of skill, it reflected a mismatch in motivational architecture.

The researchers who excel in structured audits, where there is responsibility, guaranteed reward, and real impact, are not always the same ones who dominate contest leaderboards. If hiring decisions rely too heavily on contests, we risk selecting for a narrow cognitive profile and overlooking deeply capable researchers whose strengths show up in different environments.
Arnie@ArnieSec·
ROAD TO LSR: Week 4
Again, the same objectives this week. I am reverting the format to 1 large single post on this per week as I don’t want to spam the feed with these posts too much. I have been using AI and integrating heavily. I will make some posts about my process this week that may be helpful for others who have not yet started integrating or are confused on how to start.
Objectives:
- audit work (>= 4 hours daily)
- AI study (>= 1 hour daily)
- Math study (>= 1 hour daily)
Arnie@ArnieSec·
ROAD TO LSR: Week 3 Update
This week I continued an audit which is nearly complete, and also finished a diff audit. For the diff audit, I found 4/5 of the H/M issues found in total, with 3 unique. This means that without my work, the report would have been missing 3 important issues.
INSIGHT: When reviewing changes made to a codebase you recently audited, do not just review the changes. Going through the codebase even just once may yield new issues you have not thought of, or didn't have enough time to find in the first pass. It is impossible to find everything in an audit 100% of the time since an audit is time-boxed, but the risk of missing something goes down drastically if you review again days later when you have had time to process the logic.
Objectives and week 4 post tomorrow.
Arnie@ArnieSec·
If it's not out of reach, then what is the point of all the AI products that firms are selling? The next major upgrade to a frontier model would make them all obsolete, since me typing "find all draining bugs" would provide the same result as all the firms' AI products. If you think this is incorrect, this assumes that humans are adding something to the loop that the "superhuman" AI could not figure out or reason about. And if this is true, then AI security is not superhuman.
Hari@hrkrshnn

@lonelysloth_sec Given a program: can an unprivileged actor steal money? Why is that out of the reach of an AI if the same AI has superhuman ability to do math?

Arnie@ArnieSec·
The most profound realization that changed my life was this: You can just do things. You can just start. You can just decide. You can wake up tomorrow and begin moving in a completely different direction. Most people live as if there’s some invisible authority that has to approve their ambition, as if mastery requires permission. It doesn’t. When I say believe, I don’t mean motivational quote belief. I mean the deep internal shift where you truly understand that almost everything you admire in other people was learned, built, and practiced. There isn’t some hidden gate keeping you out, there’s only time, effort, and the willingness to try. Once that clicks, the world feels different. You stop asking “can I” and start asking “how long will it take”.
Arnie@ArnieSec·
Many researchers, including myself, who discovered Ethereum and truly understood smart contracts had the same reaction. We felt that this was the most important thing we could possibly work on. The realization that code could secure and move real value without intermediaries. Many knew instantly: this wasn’t a phase, it was their future.
Arnie@ArnieSec·
Whether or not AI replaces auditors doesn’t matter. The truth is, AI is already augmenting auditors. That’s why I see learning AI deeply as crucial for staying competent in security research going forward. You either adapt or fall behind. Someone who has a deep understanding of both security and AI will be in great demand. If you’re serious about adapting, this is a solid place to start! floatingpragma.io/awesome-ai-sec…
ken@dayOneStudent·
@ArnieSec what exactly do you study under AI
Arnie@ArnieSec·
ROAD TO LSR: Week 3
This week will be exactly the same as basically every past week. Mainly doing private audits and 1 hour of AI and math learning each, daily. The first few weeks of this series may be uneventful, but that's the key to success. Boring repetitive work compounds over time.
Objectives:
- audit work (>= 4 hours daily)
- AI study (>= 1 hour daily)
- Math study (>= 1 hour daily)
Arnie@ArnieSec·
@ParthMandale I am doing 1 hour of Math Academy, and the Andrew Ng course for now. Math will probably be on Math Academy until I finish all foundations and math for machine learning etc. For AI I am following this, but will also expand to other stuff I find interesting. floatingpragma.io/awesome-ai-sec…
Parth@Parth0x108·
@ArnieSec Curious about what you are studying in math and ai for 1 hr daily?
Arnie@ArnieSec·
ROAD TO LSR: Week 2 Update
Finished a diff audit this week; even with not many major changes, I still managed to find 5 H/M and meet my goals for the week (>= 80% coverage and daily math and AI learning).
Insight: I have been trying to make my auditing process more efficient without losing the depth, using AI. What I find most useful is telling AI to plan my audit start points for large codebases. For example, I open a large codebase and feel overwhelmed and have decision paralysis because I don't know where to start; now I simply ask AI what it thinks are the best files to audit first and which make sense to audit last. I now save a lot of time on skimming and deciding what makes sense to audit first. For every valid finding, I also pass them through AI to ensure that no false positives get through. I do not delegate bug finding to the AI; this will erode my own auditing ability and make me lazy in the long run.
Goals and objectives for this coming week will be in tomorrow's start of week 3 post.
Arnie@ArnieSec·
@DevDacian Engagement literally fell off a cliff for me on this test lol. Yes, auditors can easily spot it, probably due to enhanced pattern recognition etc. I see myself doing this too: I start reading and just disregard it as soon as I realize it's AI-generated.
Dacian@DevDacian·
@ArnieSec I tested this and found the same; I think humans especially auditors can quickly spot AI-generated content and just tune it out, treating it almost as spam.
Arnie@ArnieSec·
AI is very smart but it's lacking something that we humans have. I tested how well AI-generated content would perform, and as expected, it has no idea what humans want to see and are likely to engage with. Every single tweet that I made that was guided or aided by AI was among the lowest performing, without exception. You'd think LLMs should be good at this by now. The truth is that humans are wired to interact and socialize with other humans. I believe it's something similar to why eye contact feels special: something about ideas generated by humans, our brains have a kind of detector for it that AI has not yet cracked.