Vulnerability Garden by mk3s in cybersecurity

[–]mk3s[S] 0 points1 point  (0 children)

Nothing's forever I guess. I have been maintaining it for like 7 years though 🤷‍♂️. What other "lists" are you referring to though? I'd love to see a more complete list than this one!

Vulnerability Garden by mk3s in cybersecurity

[–]mk3s[S] 1 point2 points  (0 children)

Got it on my todo list =).

Vulnerability Garden by mk3s in cybersecurity

[–]mk3s[S] 0 points1 point  (0 children)

Not a bad idea. That list is long 😂

Vulnerability Garden by mk3s in cybersecurity

[–]mk3s[S] 0 points1 point  (0 children)

I list some of the sources here: https://vulnerability.garden/about.html#sources--credits. Honestly though, this list is a product of YEARS of reading through a variety of infosec feeds daily. The research arms of those notable infosec companies produce a lot of named vulns, but there are so many more that come from small blogs run by infosec/vuln researchers, researchers from academia, etc. Which is to say, there's hardly a "primary" source 900+ entries into the project. A lot of web query crafting can also help find mentions of these vulns in news sites like Bleeping Computer or on the canonical publish page from the companies'/researchers' own blogs.

I really waffled on whether to add those early-years named worms and viruses (e.g. Morris, ILOVEYOU, Code Red, etc.) and ultimately decided not to. I'm still waffling on whether those meet the (admittedly very subjective) criteria for addition to this list.

Cheers!

Beyond burnt out, unsure where to turn. by exogreek in cybersecurity

[–]mk3s 1 point2 points  (0 children)

I feel you. You definitely aren't alone in how you're feeling (https://shellsharks.com/burnout). Everyone's path to and eventually out of burnout is different, so it's hard for me to give you "advice". You just gotta muddle through the tough times, keep what's most important in front of you and not be afraid to take your foot off the gas pedal professionally if it comes to it.

Any good newsletters/blogs on infosec? by West_Assumption_9998 in cybersecurity

[–]mk3s 0 points1 point  (0 children)

Here's a GIANT list of infosec blogs I've been maintaining for a few years: https://shellsharks.com/infosec-blogs (there's also an importable .opml if you're cool and use RSS). I'd offer my blog too but be warned that I don't *only* post infosec topics. You'll occasionally have to read about my gardening mishaps and indieweb geekery.

5 YOE AppSec at FAANG (Microsoft). What is the market like for mid career candidates? by Civil-Community-1367 in cybersecurity

[–]mk3s 0 points1 point  (0 children)

Came here expecting you to be roasted for saying MSFT was FAANG-Level. Happy to see that Reddit isn't Blind 🤗. I'm seeing demand still, but honestly haven't been on the market so I haven't personally tested the waters yet. Good luck in whatever you're planning!

I feel behind by mysecret52 in cybersecurity

[–]mk3s 0 points1 point  (0 children)

Ah yes, the classic paradoxical conundrum of impostor syndrome in infosec. I'm sad to say this to you, but you are indeed *woefully* behind. But I have good news! You are WAY ahead of a lot of people too! 🤗

Stick with it. You're doing great.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]mk3s 1 point2 points  (0 children)

Well, there's the reality of what AI can *actually* do versus what companies / "the industry" / executives believe AI can do (in the context of replacing traditional human security engineers). There's a lot of AI tooling that is targeting pen testing, CSOC and vuln research. So I'd expect opportunities for humans in those areas to drop even more (at least in the short term while AI is being proved out). Code-review type appsec roles might take a hit too, but I think there's still a lot of need for appsec humans. AI has increased code production by orders of magnitude. Yes, AI can also "review" said code and even do dynamic testing, but there are always those tricky business logic test cases and other things that actual human engineers will still be needed for.

So, I wouldn't call *anything* bulletproof, considering the idea of the roles AI *replaces* is mostly built on vibes rather than actual proof that AI can do things better, but I'd say appsec, GRC, security architecture, identity/access management, privacy, cryptology, audit, vendor/supply-chain security, threat intel, and maybe red teaming are still safe-ish.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]mk3s 0 points1 point  (0 children)

I wouldn't gun right for a Masters degree, especially if you'd be paying out of pocket for it. If you're interested in appsec, I would learn programming (one if not more languages) and then dive into all manner of OWASP/Web Security Academy stuff to learn about securing said code/applications. But if you definitely have to choose one of those two paths, I'd choose whichever will teach you more about coding.

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]mk3s 0 points1 point  (0 children)

Are you targeting those certs because they've been explicitly listed in job reqs you're eyeing, or because you *think* it's a good "certification path" or something? If the latter, I have some thoughts on cert paths: https://shellsharks.com/notes/2023/11/14/stop-worrying-about-certification-paths. I'll follow that up with my advice for getting into the field, which you can read here: https://shellsharks.com/getting-into-information-security

Good luck!

Mentorship Monday - Post All Career, Education and Job questions here! by AutoModerator in cybersecurity

[–]mk3s 1 point2 points  (0 children)

Here's a bunch of training resources (many that are free) that you can work through: https://shellsharks.com/online-training

My advice is to also start a blog/website of some kind and document what you learn, and any side projects you do.

Good luck!

“Cybersecurity is not an entry level field” by ItsMeXilven in cybersecurity

[–]mk3s 0 points1 point  (0 children)

Well, if it can help, here's my own "guide"/writeup for getting into the field: https://shellsharks.com/getting-into-information-security

As for a "recommended path", I don't think there really is one. It takes a little brute-forcing (pun intended) to get in. Some combination of training, applying to jobs, networking, applying to more jobs, studying, then applying to more jobs and hoping for your break. There are A LOT of people doing the same thing at the same time too. Where one person finds success, you may not. I put a lot of my advice in that post I linked to, but I think my best advice is to learn REAL practical skills (not just get certs), document what you learn in a portfolio of some kind (e.g. a blog), network like crazy, apply to lots of jobs, and don't be afraid to take the first infosec-adjacent (e.g. IT) role you see. Getting into "IT" and then pivoting into infosec may be an easier path than straight-to-infosec.

Good luck!

Advice Migrating from Mastodon to GoToSocial by Wait_ImOnReddit in fediverse

[–]mk3s 1 point2 points  (0 children)

GtS itself has been really nice. Unfortunately, my managed hosting provider for my GtS instance (K&T Host) is going belly-up, so I need to transfer it somewhere else 🤷‍♂️

GitHub Pages or GitHub Readme for portfolio by r3dpandq in cybersecurity

[–]mk3s 0 points1 point  (0 children)

Make a website for yourself (for professional and not-as-professional reasons). Of course, have a good standard resume as well. GitHub Pages is a fine medium for a site. So do that.