
My Second Year In InfoSec: OSEE, the Odyssey

In 2024, I took a second gap year to pursue the OffSec Exploitation Expert (OSEE) certification. Over the next seven months, I studied full time, eventually acquiring the OSEE. Along the way, I attended six live trainings and five conferences. Additionally, I found and reported two bugs to Microsoft, making the 2024 Q3 Leaderboard. I also joined PixiePoint Security as a Security Researcher. I think I may have had a miracle year.

This post builds directly off my 2023 year in review. Once again, I've documented the resources I used to obtain the certification. I'll share the lessons I learned and my experiences doing security research and going to conferences. I'll also try to answer whether the OSEE will help you find a job, and why I changed my mind about going to college.

Prelude

Below is a table of the study resources I used to build my initial foundation:

Study Resource
Notes

Off By One Security is a great source for advanced-level binary exploitation presentations and security interviews.

Connor McGarr also has a great blog with numerous blogposts about topics covered in the OSEE (e.g. Browser Exploitation, Windows Kernelmode Exploitation).

State of Exploit Development Part 1 and Part 2 by Connor McGarr

I read the first few chapters and gave up. Skimming it now, it looks good. I just think it was not suitable for my situation (learning C to write exploits/find vulnerabilities) at the time.

A lot of the content flew past me on my first time doing this course.

This course helped me break out of C tutorial hell.

I did not do the Computer-Vision related exercises.

Introduction to Linux Heap Internals by Stephen Sims (Off By One Security)

On my first time through, I completed about half of the course, but I didn't fully understand the course materials.

Don't rush into decisions

It all began with a spur-of-the-moment decision. In August 2023, I thoughtlessly signed up for the live training (AWE) organized by SINCON. At the time, the AWE had not been offered in Singapore (my home country) for years, so seeing its return felt like a once-in-a-lifetime opportunity. At the time, I was preparing for the OSCE3 and had a 12-month gap before starting college. I estimated I'd complete the OSCE3 by early January 2024, which left me with five months to prepare for the training and two months to pass the exam.

The extent of my thinking amounted to: "Since I took about three months per certification, seven months should be enough time for this harder certification. I mean, how hard could it be? I need something to do for the seven months after the OSCE3 anyways".

Having heard horror stories of the AWE live training selling out within 15 minutes of opening, I panicked and hurriedly convinced my parents to purchase the course. I had no knowledge of Windows exploitation, no idea what the OSEE covered, and no clue whether the OSEE was worth it.

Let me be clear - this was objectively a terrible mistake. Just because it worked out well for me in the end doesn't change the fact that I essentially signed my own death warrant.

First Principles Thinking

Fast forward five months: I was now an OSCE3 holder. There was no time to celebrate though, as now I had to pay the piper. I realized early on that I couldn't approach the OSEE the same way I approached the OSCE3. Last year, I used a three-step approach to acquire the OSCE3:

  1. Read every resource and write a roadmap

  2. Dive into the course and patch learning gaps as you go

  3. Do all the exercises, extra miles, and practice exams

These three steps each exploited a corresponding quality of the OSCE3:

  1. They were widely reviewed, so I could create a roadmap of what to study and prepare for

  2. They had minimal prerequisites, so I could just dive in from zero and learn as I go

  3. They were pre-recorded, so I could rewatch the course videos again if I got stuck

The OSEE is a different beast entirely:

As an apex certification, there were very few certificate holders, and thus even fewer reviews of the course. In addition, the course was updated in 2021, narrowing the set of relevant reviews even further. The two best reviews were Andres Roldan's OSEE, an Unexpected Journey (plus associated webinar) and Paolo Stagno (VoidSec)'s AWE live training review. It's no exaggeration to say that without these two reviews, I may not have become an OSEE holder as quickly as I did.

From reading the OSEE Syllabus, I could see there was a mountain of prerequisite knowledge I would need to learn. It read closer to another language the first time I looked at it. What in the world were IRQL Levels? What is a PML4 EXB Bit - could I eat it? Does a pWND[0].cbWndExtra dream of robotic sheep?

The AWE was a five-day live training. I couldn't rewatch it if I got stuck - so it was paramount that I came prepared. If I fell behind in class, I would have to catch up by relying solely on the textbook and slides - something I couldn't afford with my short timeline.

It was clear I needed a new approach. What got me here would not get me there. I had a poor idea of what I needed to study, and I only had five months before the live training began. In these kinds of situations, I rely on first principles. Since the OSEE focuses on Windows Exploit Development, I assumed the exam would require writing Windows exploits. The AWE syllabus covers exploiting a hypervisor, a browser and a kernel driver, so I could use my ability to do those things as a reasonable proxy for my progress in preparing for the live training. Developing a roadmap for how to exploit a hypervisor/browser/kernel driver was much easier. Searching GitHub for sample exploits told me that I needed to learn:

  1. C/C++ to write hypervisor and kernel exploits

  2. What bug classes exist

  3. How to exploit the heap

  4. What exploit mitigations exist and how to bypass them.

This list was far from perfect, but it was enough to get started.

Beware Tutorial Hell

I started by watching some presentations to get a high-level understanding of Windows Usermode and Kernelmode Exploitation. I would take notes, then look into each part of the talk I didn't understand until I had a big-picture understanding of what each presentation was about.

After that, I took my first stab at learning C and C++. I started out with a video tutorial, which I quickly finished. However, I didn't feel "knowledgeable enough" after watching it to move on, so I looked for another tutorial. I would then look at a Windows kernel exploit on GitHub and ask myself: could I write that? Obviously I couldn't, so I felt like I had failed at "learning C" and needed more tutorials. Unknowingly, I had once again found myself stuck in tutorial hell.

I tried to escape by learning from books instead of videos. I searched far and wide for the "best book to learn C" - but I could never stick with any book, because either it wasn't relevant enough for my needs (learning to write exploits) or finishing the book would take months - time I did not have.

Eventually, I ended up abandoning my attempt to learn C and shifted my focus to understanding the various bug classes. I stumbled upon OpenSecurityTraining2's Vulnerabilities 1001 course, which delivered the content superbly but, more importantly, forced me to just dive into real C codebases and find real vulnerabilities. I cut my teeth staring at C code, and I came out of the course able to read and write enough C to carry on. Looking back, I have found no better way to learn something than by doing the real thing.

Live Trainings

After the course, I looked for resources to learn Hypervisor Exploitation. I stumbled upon Zero Day Engineering through their Hypervisor Vulnerability Research. I ended up taking Zero Day Engineering's Zero Day Vulnerability Research course, which, while not directly relevant to the OSEE, gave me a neat beginner-friendly overview of the art of Vulnerability Research.

My next topic was learning about Heap Exploitation - which proved to be a challenge. Most of the resources I found were either for Linux or older versions of Windows like Win 7/XP. The ones that were modern were too technical for me to understand. I briefly considered learning Linux Heap Exploitation and then trying to map it over into Windows myself, but I dismissed the idea as it would take too long.

The best resources I found were from Peter Van Eeckhoutte's Corelan.be blog, but since they were written for Windows 7/XP, I realized I would need to attend Peter's Heap Exploitation Masterclass to learn comprehensively and efficiently.

Eudaimonia

Below is a table of the Study Resources I used to prepare for the AWE live training:

Study Resource
Review

This is a fantastic resource, but it was too technical for me at the time and largely flew over my head. Links: slides, whitepaper

I watched this in preparation for the Corelan HEAP Masterclass. Very helpful.

This was one of the best courses I've taken. My experience was so positive that I realized in-person courses could short-circuit the learning process and enable me to prepare for the AWE in time. I've spilled a lot of ink about why the Corelan Heap Exploitation Masterclass is so good: see my Review of the Masterclass and Review of the OSEE.

Corelan HEAP Exploit Development Masterclass exercises

I decided to go through the course again, and this time I understood much more. The course is absolutely stellar and gave me the confidence to do independent security research. See my review of the course. Cedric also teaches this course live as "Windows Exploit Engineering Foundation".

I decided to revisit this course again to prepare for the Windows Internals For Security Engineers training. This time, I could understand the course much better.

The Researcher's Toolbox by Yarden Shafir

Another great course.

I loved how Yarden covers the major components of Windows by sharing stories about why Microsoft made certain design decisions. She also taught me how to use dx commands in WinDbg, which are helpful.

See my review of this course.

One of the best courses I have taken.

See my review of this course.

How I approach Live Trainings

It wasn't the first time I had heard of the Corelan Heap Exploitation Masterclass. SINCON was also offering it in March of the same year. However, as learning Heap Exploitation is a prerequisite to learning Hypervisor and Browser exploitation, I needed to take it as soon as possible. Checking the Corelan training schedule, I found that Peter was teaching a class one month earlier - in Sydney.

As such, despite being a homebody who hadn't left my country in over half a decade, I prepared to travel to Sydney alone for the first time. I was anxious whether I would be able to keep pace with the in-person course. In my experience doing pre-recorded courses from OffSec and OpenSecurityTraining2, I would often rewind sections of each video multiple times because I missed something. I also frequently paused the video to take notes. I wouldn't be able to do either in a live setting - so I knew I had to work on my approach. I found this lecture about How To Take Better Lecture Notes very practical and useful.

Based on the lecture, I developed a three-step approach that worked well, and I've used it in every live training I've attended since.

  1. Before the training, try to read as much information about the topic as possible.

By reading a few Heap Exploitation blogposts before the Corelan Training, I familiarized myself with the core concepts, terminology and methodologies - reducing the chances I fell behind. This also allowed me to identify parts of the subject I had trouble understanding, which I could then bring as questions to Peter during the training.

  2. During the training: Process the information, Summarize with Abbreviations, Develop a Question.

During the training, I directed my attention almost entirely on Peter, instead of the slides on the wall. I kept a list of abbreviations at the beginning of my notes (HM for Heap Manager, LFH for Low Fragmentation Heap, BEA for Back End Allocator). After each sentence, I would try to summarize each line Peter spoke using my abbreviations and write a few short bullet points in my notes. I did not mind if there were spelling mistakes.

At the same time, I would constantly try to engage with the material by developing questions. Some examples of ways I engaged include creating metaphors for the concepts being shared, and trying to come up with ways to improve an exploit technique or bypass a mitigation that was taught. I would then write these "candidate questions" in italics beside the bullet points in my notes. If the question was important for me to understand the information being spoken about at that moment, I would immediately raise my hand and ask it. An example of this would be clarifying the meaning of a specific term or resolving a contradiction between what was being said and my internal mental models.

If the question was an extension or example of what was currently being spoken about, I would use my own discretion to decide between asking now and asking later when Peter was done with the topic. Examples of this would be "Instead of doing X, could I do Y instead? Would it be better/worse and why?" or "Just to confirm, if for example there was an A, and we did B, C would happen?"

Initially, I was afraid of using this approach as I felt it was going to be disruptive to my classmates and disrespectful to the instructor. After all, that had been my experience within the traditional educational system - being the nail that sticks out and getting hammered down. I decided to employ the strategy because I was desperate to obtain the OSEE, and it was better to ask for forgiveness than permission.

To my surprise, I was entirely wrong. Peter - and every instructor I've met since - patiently answered all my questions and even welcomed them eagerly. Instead of criticizing me, my classmates praised me for asking questions, as they gave them the chance to learn new insights from the instructor's answers.

If you're attending a live training and have a question - please don't be afraid to ask. There are no such things as "stupid questions" - asking questions allowed Peter to correct any misunderstandings I had about the topic, deepened my knowledge of the subject and gave me ideas to research when I got back.

  3. After the training: I would practice applying the knowledge as much as I could.

After the course, I spent the entirety of the next month completing the first seven homework exercises from the Heap Masterclass. This was incredibly challenging and rewarding - it got me extremely comfortable with Heap Exploitation.

At the end of the month, I was confident I was ready for the Usermode half of the AWE live training. With a few months remaining, I set my sights on the final half: Kernelmode.

As an aside, my experience in Sydney was a showstopper. The food was top-notch, the training venue (PwC Australia) had a gorgeous view of Sydney Harbour, and the facilities were excellent. If you're interested, Peter is offering the very same training this year in Sydney as well (as well as in other locations) - I can't recommend it enough if you're trying to learn Windows Heap Exploitation.

Going to Conferences

Since taking an in-person course to study Heap Exploitation worked so well, it made sense to try the same approach towards studying Kernelmode Exploitation. I looked around for live trainings on offer and found Yarden Shafir's Windows Internals for Security Engineers at OffensiveCon.

My previous exposure to Yarden was from her OffensiveCon talk, which I really enjoyed. The course material seemed very relevant to the AWE syllabus, so I decided to go for it. While I was there, I also purchased an OffensiveCon ticket reserved for students, since I thought it might be a fun experience.

I employed the same approach towards Yarden's class as I did with Peter's class, and it paid off. After the class, I opted to revisit Cedric's Exploitation 4011 course to practice Kernelmode Exploitation instead of doing the assigned homework exercises, as they were about using the Debugger Data Model and not as relevant to Kernel Exploitation. While doing the Exploitation 4011 course, I made an effort to use dx commands whenever I could for practice, as well as to apply the information I learned from Yarden's class to Cedric's class.

By the way, Cedric was also teaching the Exploitation 4011 course live at OffensiveCon that year as "Windows Exploit Engineering Foundation". If I could, I would have attended both courses live. I think that there is enormous value in attending classes in person even if the full course is online. The most important benefit is the ability to ask questions. I have no doubt that I would be able to learn the materials much faster if I was able to ask Cedric questions in person and then use the

On a side note, my experience at OffensiveCon was also incredibly positive. The training and conference were organized really well. I especially liked the size of the conference room, as it was perfect - small enough to meet new people but large enough to have your own space. I was incredibly lucky to have made friends with great people. If you're thinking of whether to go to OffensiveCon 2025 - I can't recommend it enough.

Prioritize Sleep

It wasn't long before it was finally time for the AWE Live Training. Nearly half a year of preparation led me to a single class, and it did not disappoint. Even with all my training and prior preparation, I still learned so much from the class. Morten and Sickness are experts in the topic, and the AWE live training is a marvel - insanely comprehensive, cutting-edge research that's been neatly packaged and masterfully written.

The course covered every mitigation used in modern Windows as well as those yet to be widely adopted, and taught me how to bypass all of them. Morten and Sickness generously shared their experiences and methodology behind how they reverse engineered each target, found the vulnerability and developed an exploit.

As each day went by, the content taught got more and more complex. It was taking my full attention to not fall behind. Somehow, I seemed to have survived the first four days - but the last day was going to be the hardest. There was only one problem - I wasn't going to get a good night's sleep.

The training awarded challenge coins and stickers to students who completed each chapter's Extra Miles before the end of the last day. This swag has zero practical use and is merely a souvenir for students who want to go for it.

Personally, these Extra Miles ranged from doable (sticker) to difficult (first coin) to definitely-didn't-stay-up-all-night-and-fail-only-to-spend-the-entire-class-solving-it-instead-of-listening-to-the-instructor (second coin) to didn't-even-bother-attempting (secret reward).

I asked a fellow student whether he would be gunning for a challenge coin. He said that he would rather prioritize sleep and that these coins would end up collecting dust in a closet somewhere. He was 100% right. My coins are collecting dust as I type, serving as a physical reminder of the opportunity I squandered to learn the last and arguably most difficult chapter from the instructors. After the course, this mistake compounded to a boatload of stress for me. Due to some sudden time constraints, I ended up having to hurry through the last chapter. Honestly, I didn't get a good understanding of the topic. To add insult to injury, I didn't have time to do the final extra mile, which haunts me to this very day. That's life in the big city.

I'm a competitive person. When I set my sights on something, I work very hard to get it even if it seems impossible. This trait has served me well but if I'm not prudent about the goals I choose, I can end up making critical mistakes.

Blitz

In the 53 days between 6 June and 29 July, I obtained the OSEE, found and reported two bugs in the Windows Kernel to MSRC, and joined PixiePoint Security. It was one of the busiest periods in my life.

  1. 6 June: Completed VMware Guest To Host Escape Chapter and Extra Mile

  2. 14 June: Completed Microsoft Edge Type Confusion Chapter and Extra Miles

  3. 24 June: Reported CVE-2024-43570 to MSRC

  4. 7 July: Reported CVE-2024-43535 to MSRC

  5. 13 July: Completed Driver Callback Overwrite Chapter and Extra Miles

  6. 16 July: Completed Unsanitized Usermode Callback Chapter and

  7. 18 July: Started OSEE Exam

  8. 20 July (12pm): Finished OSEE Exam

  9. 21 July (12am): Hacksys Kernel Exploitation Foundation & Advanced

  10. 29 July: Joined PixiePoint Security

Security Research

At this point, I had covered the first half of the OSEE's syllabus, and I was feeling burned out. I'm not exactly sure why, but I ended up putting off the second half of the syllabus to reverse engineer a curious part of the Windows Kernel I had some unanswered questions about. I wanted to try applying the reverse engineering approach Morten shared that he used to find the bugs in the course, and I wanted a break from the grindy, goal-oriented work of studying the textbook to try my hand at something pointless.

I found it exhilarating uncovering esoteric knowledge about a specific part of Windows that seemed completely overlooked - and I dug myself deeper and deeper into the rabbit hole as I started suspecting there might actually be a vulnerability in the code.

I ended up finding nine "bug candidates" in the specific component - but when I looked into them I realized they weren't actual bugs because of one reason or another. As the nights grew longer and I realized how much time I was spending, I became increasingly dejected and desperate, obsessing longer and harder about the component.

After another long night in the office, another bug candidate came into my head. I was halfway to dismissing it, but decided to bring my laptop home and test it out. I still remember my heart beating wildly as I set up the conditions to trigger the bug within the kernel debugger. I pressed 'g' to continue execution - and it caused a BSOD. I leapt in the air in joy and shouted in the middle of the night "I FOUND A BUG!" before realizing I had just found a zero day in Windows.

I decided to report the bug to Microsoft, and began writing a report. This was my first time doing something like this, so I looked at one of j00ru's reports on the Project Zero bugtracker as a template and filled in the details.

After finding the first bug, I was ready to call it quits. However, I hadn't fully audited the component, and at the advice of a friend, I decided to finish the audit. I'm so glad I did, as I found another bug shortly after.

In the end, Microsoft awarded me a bounty of USD$2000 for each of the bugs I found: CVE-2024-43570 and CVE-2024-43535. For CVE-2024-43535, I was initially told that since I was using a "strict 90-day disclosure policy", and that I was "going to publish an advisory whether or not a fix is available", my submission was not eligible for an award.

MSRC was right. I should have read the Microsoft Bug Bounty terms more carefully. However, I requested that they reevaluate my bounty eligibility, because I did technically extend the disclosure deadline by 14 days when my Case Reviewer asked me for an extension.

The bounty team did reevaluate my case and eventually awarded me USD$2000 for reporting the bug, which was nice of them. In the end, I didn't publish anything after the disclosure period, so I kind of shot myself in the foot for no reason.

Nice and Lucky

In June 2024, I attended the inaugural Off By One conference organized by STAR Labs. Some of my AWE classmates would be there, and I was looking forward to catching up with them.

By a fortunate stroke of serendipity, this led to a series of events that eventually culminated in me being employed at PixiePoint.

In my eyes, being nice and lucky matters far more than any certificate or training I've earned.

I'm not some super socially adept person. I cringe looking back at the social faux pas I've made, and I have made a lot of them - but I don't need to be one. What really matters is the inverse - just don't be "f*** that guy". Of course, I try to be friendly, I try to see situations as charitably as possible, I try to be positive. But what really matters is avoiding catastrophic mistakes - I try to avoid burning bridges as much as possible, I try to cultivate a positive reputation and I try to make things right when I mess up. I'll be the first one to admit that I've not been very good at it - and I'm doing my best to improve.

I am a beneficiary of undeserved good fortune. I've been enormously privileged to be born in a great country with supportive parents. I was lucky to find the two bugs, and I was incredibly lucky for the events that led to my employment at PixiePoint. The former was completely out of my control, but the latter was only possible because I increased my surface area of serendipity. I think security conferences are a great way to increase the chance that something positive happens to you - like a new friend, a job opportunity or a research idea.

Personally, I don't go to conferences hoping to get something out of it - I go to conferences because it's incredibly refreshing to talk to like-minded people. It's a rare chance for me to step back from work and enjoy awesome food. It's also an opportunity for me to help others.

OSEE

The OSEE exam was easier than I expected. It was still challenging, but I was quite comfortable with exploit development and reverse engineering at this point. Ironically, the main challenge was actually after it. In April, out of an abundance of caution, I signed up for the Hacksys Kernel Exploitation Foundation & Advanced organized by ringzer0.

I made the call to get the OSEE before I got , which unfortunately meant I had to schedule my exam 12 hours before the training. After the exam, I was quite exhausted and completely unprepared for the training which started at midnight. In the end, I was only able to attend the first two days before it started to take a toll on me - and I decided not to attend the last two days. Thankfully, Ashfaq Ansari, the instructor, provided recordings for the class to students, so I didn't miss out.

Note: I'm unable to review the course because I haven't completed it - I have not watched the last two days' recordings. It would be unfair for me to prematurely judge the course. The ringzer0 crew was fantastic - they went above and beyond to make sure the virtual training went as smoothly as possible. They also honored a USD$200 discount on the course due to a mistake on their website.

After the OSEE, I attended the inaugural SGHack conference, which was another great offensive security-focused conference in Singapore. The conference has a WhiskeyCon segment in the evening where attendees can drink a shot for five minutes of speaking time. I gave a lightning talk sharing the statistics from my journey thus far. As I'm teetotal, I'd like to give thanks to the person who drank in my place.

I'm quite happy that the offensive security scene in Singapore has grown so much - two inaugural conferences in one year. I hope this growth continues in the years to come. STAR Labs has already announced Off By One Conference 2025, and I'll do my best to be there.

Lastly, in November I attended Satoshi Tanda's Hypervisor Development for Security Engineers course. This was organized by Hexacon, and I enjoyed the training and conference. You can find my review of the course here.

I had an unforgettable time in Paris. The food was sublime and the venue was beautiful. I enjoyed the conference talks and had a wonderful time meeting and making friends.

Coda

Prices

Here are the prices for each course and conference I attended this year:

Course/Conference: Price (SGD)

Zero Day Engineering Vulnerability Research: $2286 ()

OST2 Architecture 1001: FREE

OST2 Architecture 1002: FREE

OST2 Debuggers 1011: FREE

OST2 Debuggers 2011: FREE

OST2 Architecture 2001: FREE

OST2 Vulns 1001: FREE

OST2 Vulns 1002: FREE

OST2 Debuggers 3011: FREE

Corelan Heap Exploitation Masterclass: $3700

Windows Internals For Security Engineers: $6200

OffensiveCon Ticket: $2200

SINCON Ticket:

OST2 Exploitation 4011: FREE

Advanced Windows Exploitation: $16329

Hacksys Windows Kernel Exploitation Foundation & Advanced: $5170 ()

Off By One Conference Ticket: $490.50

SGHack Ticket: $600

Hypervisor Development for Security Analysis: $6154

HEXACON Ticket: $1679

Total:

Note: this table does not include costs such as flight tickets, hotels, living expenses, etc.; the total costs are considerably higher. Please don't misinterpret the meaning of this table. I'm sharing it because I think it's important to be transparent about the costs of this journey, and because it's information I wish I had known before thoughtlessly signing up for the AWE live training. My circumstances were extremely unusual - I was committed to taking the AWE live training in May, and I was searching desperately for any way to prepare myself. In-person courses fulfilled that purpose for me, letting me rapidly bridge the gap between the OSCE3 and OSEE. As there was no precedent for what I was doing, I erred on the side of overspending and ended up buying more courses than I needed for the OSEE.

I'm fully aware that I'm in an extremely privileged position to have parents who financially supported me through these trainings and I'm very grateful for that.

I am NOT implying that trainings and conferences are overpriced. They are NOT. Having spoken to instructors and conference organizers, I know just how expensive it is to organize such events, how much effort it takes to teach a class and how small a cut an instructor gets. I am NOT implying that someone needs to take all of these courses to get the OSEE. They do NOT. There are plenty of free resources out there - such as one of my favorites: OST2 Exploitation 4011. I'm wholly certain that it's possible to get the OSEE with only the AWE and free resources. However, I also don't think that we should dismiss trainings entirely - if you need help learning a particular topic, and you want to learn it as fast as possible, I believe there is no harm in trying to convince your company to sponsor a course.

Questions

Will the OSEE help me find a job?

At the start of the year, I asked this question in the OffSec discord. Unfortunately, I didn't . Now that I'm an OSEE holder and I'm employed, I think I have some responsibility to pay it forward so at the risk of being wrong I'll try to perilously give advice. First, "Will the OSEE help me find a job?" is a terrible question - lots of things can help you find a job. Being friendly, going to conferences, writing blogposts, graduating from university are all things that can help you find a job.

The real question I was asking was "Is the OSEE alone enough to get me a job?", and I can say the answer is "very likely no". Let me explain.

The OSEE is an apex windows reverse engineering and exploit development certification. In my opinion, the industry with the most demand for these skills is the One might think that most vulnerability researchers would have this certificate. However, having met and as a (recently hired) vulnerability researcher; I have not met a.

Don't get me wrong - I'm not saying the OSEE is a bad course. In fact, it's one of the best courses I've taken. Rather, I'm saying it's a great way to acquire the prerequisite knowledge to be a researcher, but it alone is not enough to get a job in the VR/expdev industry - you'll need to find actual bugs and write actual exploits. It's definitely not the only way to learn this prerequisite knowledge. In fact, it's a very uncommon way.

The last thing I want to do is peddle a myth that the OSEE guarantees a job in the VR/expdev industry. Make no mistake - it does not. I think it's important for me to say this, because I thought it did!

I'm not trying to gatekeep the OSEE or the VR/expdev industry - I think both are great, and I wish people working towards them the best of luck. However, it's important to realize I got extremely lucky this year. The most likely outcome for this year was me having to take another gap year and put in even more work and even then, I might still not have been able to break into the industry.

Why am I no longer going to college?

Now that I'm employed, going to college has a higher opportunity cost. Each year I spend in college is a year's worth of salary and career experience I'm foregoing (the cost is even higher when factoring in tuition fees and the time value of money). Let me be clear - I'm NOT saying that college is useless. There are sizable benefits to going to college for me, such as being able to get a work visa for some countries. I'll probably have to get a bachelor's degree in the future, but I'm not planning on getting one right now.

Reflections

A lot has happened in the two years since I started this journey. Between 3000 hours of studying, four countries and 50,000 dollars, my life has changed so much sometimes I don't believe it's real.

Looking back, most of my memories share a constant feeling of being out of time. Despite having every day to myself, I was always chasing the next certificate. If there was another certificate more difficult than the OSEE, would I still be chasing after it? These days, I don't think about certificates any more. They have definitely changed my life by giving me the skills that formed the basis of my career in the security research industry.

I've learned that I only got to where I am by standing on the shoulders of giants. At every stage of my journey, I overcame challenges because someone far more knowledgeable than me generously shared their expertise. Without OST2, how long would I have spent bouncing back and forth between C tutorials? Without Peter's Heap Masterclass, would I understand Heap Exploitation as well as I do today? Without Cedric's Exploitation 4011, would I have had the confidence to find the two bugs?

If last year was about going fast alone, this year was about going far together. I've been awestruck by just how warm the security community has been to me. I'm proud to wake up every day and work alongside some of the brightest minds in the industry. It's been an honor to have spent the last two years setting goals that seemed impossible at the time, conquering them, then sharing my learnings. I've pushed past limits I thought were unbreakable, and I hope to do the same in the years to come. I hope this retrospective can help you in some small way to make better decisions, refine your approach, and avoid the silly mistakes I made.

Souvenirs

To commemorate my journey, I asked five instructors I met in person to autograph a "Reverse Engineer" MTG card. This idea was inspired by LaurieWired, who gives out (far cooler) Pokemon Cards at conferences.

If we met at a conference this year, you received one of these "Reverse Engineer" cards signed by me. I'd like to thank you for playing an irreplaceable part in my journey this year, and I look forward to meeting you again.

I'll be handing out "Reverse Engineer" and other security-related MTG cards at every training/conference I go to. I post which events I'll be going to on Twitter/X.
