My Strategy for Winning

October 20, 2025

After writing my last post on A Plan Is Not a Strategy, I started thinking about my own work. For a long time, I’ve just been making plans, a list of things to do. This year, I want to focus on having a real strategy for winning as a security researcher.

A strategy isn’t a to-do list. It’s a set of choices that explains how you’re going to win on a specific playing field. So I decided to build one for myself.

My Focus: Smart Contract Contests

The first choice is defining the playing field. I can’t be an expert in everything. So I’m narrowing my focus to one area: Solidity smart contract audit contests.

That’s it. No more getting distracted by other languages or different kinds of security work. By focusing on one area, I can go deep instead of wide. The goal in these contests is simple: find as many valid bugs as possible within a given time.

My Edge: An Integrated Workflow

This is the core of the strategy. My theory for winning is to achieve unmatched efficiency through a deeply integrated and customized workflow inside Visual Studio Code.

My competitors are smart, but many of them are slowed down by switching between different tools and contexts. My plan is to build an environment where I can find bugs faster because all my tools are connected and work together smoothly.

Here are the specific choices that support this theory:

• Focus on one contest at a time: No more splitting my attention. Full focus means I can get into a state of flow and dedicate all my energy to a single codebase.
• Use VS Code as my central hub: Everything will happen inside my editor. I won’t need to jump between a terminal, a browser, and other apps.
• Standardize my core tools: I’m committing to using Foundry for testing and Medusa for fuzzing. By using the same tools every time, I can master them instead of just being familiar with a dozen.
• Build my own tools inside VS Code: This is the most important part. I will write custom extensions and scripts to connect everything. Imagine running a fuzzing campaign with Medusa, getting a crash, and having it automatically generate a Foundry test case, all without leaving my editor. That’s the kind of edge I’m aiming for.

The Bets I’m Making

A strategy isn’t a fixed plan. It’s a set of bets. So to make sure I’m not just guessing, I’ve listed out the assumptions I’m making. For my strategy to work, these things must be true:

1. My integrated VS Code setup will actually be faster than using separate, specialized tools.
2. The time I spend building custom tools will pay off by helping me find more bugs than if I had just spent that time auditing manually.
3. Focusing on a single contest really does lead to better results than working on multiple contests at once.
4. Foundry and Medusa are the right tools for finding high-impact bugs in the kinds of contests I’m targeting.

By writing these down, I can test them. If I find out that building tools is taking too much time, I can adjust. A strategy is a living thing.

So that’s the plan, or rather, the strategy. It’s not just a list of things to do. It’s a theory for how to win. Now I just have to build it and see if I’m right.