Security Research Methodology
What You Will Learn
- How to approach security research in a structured way
- How to enumerate targets and find attack surfaces
- How to document and report findings
- Common research techniques used in bug bounty and pentesting
What Is It?
Security research is the process of finding vulnerabilities in systems, applications, or networks. Good research is systematic — you follow a methodology so you do not miss anything.
This topic covers how to research a target from scratch. The skills here apply to bug bounty hunting, penetration testing, and competitive CTFs.
Why It Matters
Without structure, security testing becomes guesswork. A methodology ensures:
- You cover the entire attack surface
- You document what you find
- You can reproduce and explain your findings
- You do not break anything you are not supposed to
Key Concepts
The Research Phases
- Reconnaissance — Gather information about the target
- Enumeration — Map out services, endpoints, and potential entry points
- Vulnerability Analysis — Identify weaknesses in what you found
- Exploitation — Confirm the vulnerability is real and exploitable
- Documentation — Write up what you found, how, and why it matters
Passive vs. Active Recon
| Type | Description | Examples |
|---|---|---|
| Passive | No direct interaction with target | WHOIS, Shodan, Google Dorking |
| Active | Direct interaction with target | Port scanning, directory fuzzing |
Hands-On
Enumerate a Target
# WHOIS lookup
whois example.com
# DNS enumeration
dig example.com ANY
subfinder -d example.com
# Port scan
nmap -sV -p- example.com
# Directory brute force
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://example.com/FUZZ
Finding Attack Surfaces
# Find subdomains
amass enum -d example.com
# Search for exposed files
google dork: site:example.com filetype:pdf
# Find JavaScript files and endpoints
katana -u https://example.com
Testing Router and IoT Firmware
When researching embedded devices like routers:
# Extract firmware
binwalk -e firmware.bin
# Look for hardcoded credentials
grep -r "password" ./extracted_firmware/
grep -r "admin" ./extracted_firmware/
# Find web interfaces
find . -name "*.cgi" -o -name "*.php"
Documentation Template
When you find something, document it:
Title: [Short description]
Severity: Critical / High / Medium / Low
Target: [URL or component]
Description:
[What the vulnerability is]
Steps to Reproduce:
1. Go to...
2. Enter...
3. Observe...
Impact:
[What an attacker can do]
Suggested Fix:
[How the developer should fix it]