The Failed Security Research Postmortems

calendar Dec 1, 2025 · 2 min read · Technology Security Presentation  ·
Share on: linkedin copy

"It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat." — Theodore Roosevelt

After spending the last three years pivoting fully into security research—coming from a deep infrastructure engineering background—I’ve decided to launch a security research postmortem series. This series will explore failed research attempts: not the vulnerabilities I found, but the ones I didn’t. Why? Because that’s where the real learning happened.

I want to openly examine:

  • how I approached certain research sessions
  • where I looked
  • what I did
  • why I suspected something might be a flaw

And I want to hear from other security researchers:

  • how they would have approached the same problem
  • what they would have done differently—patterns I may have missed or mindsets I didn’t bring to bear
  • when I should have refined or completely switched threat models
  • where the signals should have guided my focus

I believe these transparent breakdowns will give newcomers a far clearer head start. Too many people are overwhelmed by vague writeups, missing context, incomplete methodology, or the marketing gloss that obscures the real investigative process.

My goal is to help beginners see the actual thinking behind research, and to learn from more experienced researchers so I can continue refining my own approach.

If we only share our successes, we erase the struggle that actually makes us better.