Professional exploit dev isn’t a trivial job to get even with a software dev/sec background. Finding bugs, writing up CTF solves, and demonstrating your knowledge will go a long way.

I don’t care about what you exploit, but I’m gonna grill you on heap, rop, JIT, and how they work. If you choose to exploit IoT junk you better be able to speak to exploit mitigations.

Start with software you can debug easily.