I'm in my late 20s and got into the field professionally just a couple years ago. Prior to that I had been working as a software developer.
I believe what helped was a handful of personal projects related to security: reverse engineering firmware, finding bugs in web apps. Also I emphasised the parts of my software development work that had some overlap, such as debugging Windows kernel drivers, and doing security reviews of network services we were writing and deploying.
Now I'm doing full-time vulnerability research and writing software to help do that. Much more enjoyable and pays better too.
I believe what helped was a handful of personal projects related to security: reverse engineering firmware, finding bugs in web apps. Also I emphasised the parts of my software development work that had some overlap, such as debugging Windows kernel drivers, and doing security reviews of network services we were writing and deploying.
Now I'm doing full-time vulnerability research and writing software to help do that. Much more enjoyable and pays better too.