I work the cyber security trade, that is to say
that my occupation is cyber security. Note that I said "occupation"
rather than "profession." On 18 September, the U.S. National Academy
of Sciences, on behalf of the Department of Homeland Security,
concluded that cyber security should be seen as an occupation and
not a profession because the rate of change is too great to consider
professionalization.

There was a time when flaws were predominantly found by adventurers
and braggarts. Ten plus years of good work by the operating system
vendors elbowed the flaw finders out of the operating system and,
as a result, our principal opponents changed over from adventurers
and braggarts to being professionals. Finding vulnerabilities and
exploiting them is now hard enough that it has moved out of the
realm of being a hobby and into the realm of being a job. This
changed several things, notably that braggarts share their findings
because they are paid in bragging rights. By contrast, professionals
do not share and are paid in something more substantial than fame.
The side effect has been a continued rise in the percentage of all
vulnerabilities that are previously unknown. The trend, in other
words, is that by crushing hobbyists we've raised the market price
of working exploits to where now our opponents pay for research and
development out of revenue.

Simulating what the opponent can do thus remains the central task
of defensive research. Much of that research is in crafting proofs
of concept that such and such a flaw can be taken advantage of.
Corman's neologism of "HD Moore's Law" says that the trend in the
power of the casual attacker grows as does the trend of the power
in Metasploit.[9] It is hard to think of a better description of
dual use.