Web3 Security, as any other field require determination and patience.
Success isn’t built on the motivation, but on the hard work.
Every day we enter the battlefield, where we need to fight against others and most importantly, ourselves.

I made some notes, which i believe would be helpful.

Part #1 - The Fighting Attitude

People tend to overestimate their skills. We always think we ‘can’, we ‘can do it’, we ‘can manage it’, even if it above our professionalism . Very often this leads to taking on responsibilities that we can't handle. This applies to any endeavour. A young person on the wings of motivation rushes into any industry. He buys all sorts of online courses, decides firmly that from Monday he is a ‘security researcher’. With great motivation and enthusiasm he takes courses from ‘Patric Collins’, watches videos from ‘Owen Thurm’, which causes euphoria and the feeling that it is very interesting, and most importantly not so hard, “I understand everything” , “I can solve the first vulnerabilities”. It can go on like this for a month, two, three months, you will be learning, learning, which creates the impression of a certain ‘professionalism’. However, this state of affairs cannot last long, and very soon you will have to leave the cozy house of “motivation and euphoria“ and enter the heavy battle with the best researchers in the industry.

Part #2 - A clean view on the things

When you enter the battlefield, you really notice how weak you are. Can you think of any people who have made the top 3 at their first competition? You might say there are some, and you might even be able to name a couple of names, but i would stay that luck exists . Real professionalism is hitting the bull's-eye with every shot, take for example @cmichel, but sometimes luck is involved, and you can't take that away.

Nevertheless, at this stage a lot of people drop out, or as they make some “visibility”, that they stay in the field, however it is done simply because people don’t want to face the truth, the truth that they can’t handle it.

I am sure enough that many people had some kind of similar thoughts in their head.

• ‘There are so many people who are smarter, with more experience in Web3/Web2 Security. You can't compete with them.’

• ‘I can't find a single vulnerability,’ but at the end of the contests there are 5H, 10M findings.

• ‘The protocol is so tough. I can’t understand it at all. It is not for me.’

The list is endless, you get the point. I am sure that a lot of researcher have gone through some kind of thoughts. Personally, i had such experience.

Few people want to get their hands dirty, few people want to feel like an idiot, few people want to taste shit.

Motivation has passed, your head is filled with many different thoughts, and you've chosen the easy way out, which is natural to human nature.

Part #3 - Real Start

This stage is for those who haven't given up, who really want to become great researcher, who realise that the path won't be easy. This is where the future Dark Horses are born.

First of all, let me make it clear, if you don't love what you do, you can't do it for a long time.
You have to answer yourself ‘are you ready to dedicate your life to this?’. It is important, because Web3 Security is not some memcoin shit trading, it is not some abstract stuff, or some side-business that you can support while having multiple other projects.

Security is state of mind, way of living. All your thoughts would be “eaten“ by contests/bug-bounties/private-audits. You will think about it 24/7.

If you are truly want to enter the list of the top auditors, you must work hard. I love to repeat that you can compare it with the real Olympic sport. Someone, who are not lucky enough to jump into web3 security immediately and have to feed the family with other job, i would advice to not hurry, learn/hunt as much as possible, meanwhile strategically planning the smooth transition.

Eventually, how to do it correctly? What strategy i need to take to enter the top leage?

Simplicity is a key. There is no moon math here. Pure dedication and patience. However, still you need to remember that you are an athlete.

You need to eat / learn / sleep / think like a professional athlete.

To be concise, i want to state that you need a system. Strong one, that you would follow for years. Every one is unique, and must think in a way how it better fit you your personal lifestyle. I like what deadrosesxyz said once in his interview:

At the end of the day you need to ask yourself: “whether i do everything correctly? What do i need to adjust. Just constantly think about how you can improve yourself“

Here are some notes from myself that would be helpful for you to build your own strategy.

Firstly, we need to divide work and learning. During the actual work, i already study a lot, but based on my experience, it is awesome if you already confidently do contests/audits but meanwhile dedicate every day some time for pure studying.

Whether it would be 30m a day or 1 hour, choose what best fits you.
You need to think in 2 ways, learning new stuff while strength your weak parts.

What gets measured, gets managed.

Make a small and simple to-do list of your studying topics. Prepare it in advance for the whole week, so you don’t spend time. Here is example how i try to do it.
On Sunday i dedicate some time to ask myself “What topics i must learn/revise?“, after i open the Twitter/Notion bookmarks where i put interesting articles and try to set it to each day. For example, here i evaluate “Blast Integrations“ as pure studying while “Testing Invariants“ as my weak parts that need to be improved.
Overall, you need to think i way how to learn new, and strength what is already available.

Let’s move forward to the real battle. Here you must spend as much time as possible and drain yourself every day.

If you have some energy left at the end of the day, remember, you haven’t done it.

Code4arena / Codehawks / Hats / Sherlock / Cantina / Immunefi must be your best friends!
You have to be greedy, you have to see it not like some nice contest that you will compete at and maybe earn something, you need to think about it like a fight, like a hunting. Eat or be eaten.
Every day more and more young, hungry guys with huge Web2 Security background enter our field, and if we would not work as hard as possible they soon will beat us.

I remember that @ddimitrovv22 once wrote nice thing

You need to eliminate the timeframe of receiving the feedback as soon as possible.

Don’t wait once the report will be public, get the backstage role and grind every vulnerability that is validated. Make some kind of list, explain the vulnerabilities, re-write it and be sure that you truly understand it.

After you have done with the bugs, answer these questions.

• What topic i need to learn?

• Which was the important edges that i have skipped?

• What should i do better and concentrate myself more in future?

Be obsessed. Remember that you always haven’t done enough. You always could do better.

It is indeed scary how easy and in the meantime complicated. The discipline in the key. Sure you know this legend (if not, check the code4arena leaderboard). I’ve asked him a question once “How he does it?“, here is the answer…

Part #4 - Following the plan

Assume you have done everything correctly, you have prepared the schedule and you crash it.

The most difficult is to do it constantly, every day.

Sometimes i feel exhausted because i don’t see the results, sometimes even some strange thoughts come into my mind, but it is okay, we must just throw them away, because in the head of warriorthere should be no thoughts except about the fight.

Don’t compare, yourself with other. Everyone has his own path and his own life clock. Try to do your best and not allow the thoughts to take some place in your head. Don’t scroll twitter a lot, and concentrate more on yourself. Take it seriously and believe.

Step by step every day. As hard as you can. Trust the process.