Review: From Day Zero to Zero Day

From Day Zero to Zero Day is a practical guide for cybersecurity pros who want to move beyond reading about vulnerabilities and start finding them. It gives a methodical look at how real vulnerability research is done.

About the author

Eugene Lim is a security researcher and white hat hacker. In 2019, he won the Most Valuable Hacker award at the H1-213 live hacking event in Los Angeles organized by HackerOne, the US Air Force, the UK Ministry of Defense, and Verizon Media.

Inside the book

The book is divided into three main parts: code review, reverse engineering, and fuzzing. Each part walks through technical processes that vulnerability researchers use to uncover flaws in software. This is a book with working examples, tooling setups, and references to real-world bugs.

The first section focuses on reading and understanding source code. The walkthroughs are based on actual CVEs, giving readers a sense of how known bugs were discovered in the wild. Later in this section, Lim covers how to map code to the attack surface and introduces automated tools like CodeQL and Semgrep for large-scale variant analysis.

Next, the reverse engineering section looks at how to approach binaries when source code isn’t available. Lim classifies different types of binaries, from compiled C programs to Java bytecode, and offers tips on how to quickly triage them. He covers the use of tools like Ghidra and Frida and shows how to find vulnerable code paths using static and dynamic techniques. This section builds on the same sink-source thinking from earlier chapters, which helps connect the dots for readers who are new to binary work.

The fuzzing section is the most automation-heavy part of the book. It begins with quick-setup fuzzing using tools like boofuzz and radamsa, then moves into coverage-guided fuzzing with AFL++. The author explains how to make fuzzing effective by choosing the right targets, writing better harnesses, and interpreting results. There’s also a full chapter on advanced fuzzing targets, including managed-memory binaries and complex file formats.

One of the book’s strengths is that it avoids glossing over the hard parts. Lim doesn’t pretend that vulnerability research is easy or fast. Instead, he shows how breaking problems into smaller steps and applying repeatable workflows can make the work manageable. This is valuable for professionals who already have some experience in red teaming or penetration testing but feel lost when it comes to finding original vulnerabilities.

Who is it for?

From Day Zero to Zero Day is a working manual that encourages hands-on exploration. For cybersecurity pros who want to go deeper into vulnerability discovery, it’s a great guide.

