In 2018 British Airways exposed the personal data of approximately 400,000 customers in a cyber attack. Attackers injected JavaScript into the booking website that captured payment card details in real time as customers typed them in. The breach compromised customer information such as names, addresses and, most significantly, payment card details. The incident spelled disaster for the company because the skimming attack went undetected for over two weeks. Moreover, the company had failed to monitor third-party scripts and to test its systems adequately for flaws. British Airways initially faced a proposed fine of £183 million, which was reduced to £20 million in part because of the economic impact of Covid-19. This incident clearly shows the critical value of investigating one's own systems, a key method being what is known as security researching.
Security Researching, also known as pen testing, is a process in which testers are authorised to stage cyber attacks on the data systems of Responsible Organisations. These security researchers assume the position and perspective of real malicious cyber criminals: their entry methods and tools typically resemble what actual attackers would have in their arsenal, which gives the simulated attack its realism. With these means, and with the agreement of the Responsible Organisation, security researchers attempt to break into its systems in the hope of finding critical vulnerabilities before a malicious actor does. It is noteworthy, though, that there are limits to what security researchers are allowed to do, as their work usually operates under a strict code of ethics and an agreed scope. Indeed, in 2024 the Malta Digital Innovation Authority, together with the Malta Critical Infrastructure Directorate, issued the National Coordinated Vulnerability Disclosure Policy (the ‘NCVDP’) to aid Responsible Organisations in establishing the terms and conditions that a security researcher must comply with prior to, during and after the security research.
Key tasks in security researching include identifying vulnerabilities, assessing risk, testing defences, and ensuring compliance with regulations. These tasks require expertise in networking and programming and a deep understanding of operating systems and security tools. Security researchers must adopt a problem-solving mindset and be able to “think like an attacker” whilst still acting ethically. Good communication skills are indispensable for any security researcher, who must be able to explain technical findings to non-technical managers in clear, actionable language.
Security Researching can take on multiple forms. In network testing, security researchers identify weaknesses in the internal or external networks of a Responsible Organisation, focusing on unpatched servers, outdated software and weak firewall configurations. Web applications are scrutinised for flaws in their APIs and for injection vulnerabilities such as SQL injection and cross-site scripting (XSS). Mobile applications, wireless networks and cloud systems undergo similar testing, and security researchers also consider whether an attacker could gain physical access to the organisation's servers and databases.
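As an added example (not code from the original page), the following Python script shows the two web-application flaws named above against an in-memory SQLite database populated with constructed sample users: a login query assembled by string formatting that SQL injection payloads bypass, next to its parameterised fix, and a reflected search result that is vulnerable to cross-site scripting, next to its HTML-escaped form. The probe function mirrors what a tester would do during a web application test: feed each payload into both fields and record which ones log in without knowing the password. Function names such as login_vulnerable and probe_login are my own.

```python
import html
import sqlite3

# Constructed sample data for the demonstration. Passwords are stored in clear
# text only to keep the example short; a real application must hash them.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# Typical payloads a tester would try in a login form.
SQLI_PAYLOADS = ["' OR '1'='1", "alice' --", "' OR 1=1 --"]


def build_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced straight into the SQL text, so a quote
    in the input changes the structure of the query."""
    query = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def probe_login(conn, login_fn):
    """Try each payload in the username field and in the password field.
    Return the (field, payload) pairs that logged in without a valid password."""
    hits = []
    for payload in SQLI_PAYLOADS:
        if login_fn(conn, payload, "not-the-password") is not None:
            hits.append(("username", payload))
        if login_fn(conn, "nobody", payload) is not None:
            hits.append(("password", payload))
    return hits


def render_search_vulnerable(term):
    """Vulnerable: the search term is reflected into the page unescaped."""
    return f"<p>Results for: {term}</p>"


def render_search_safe(term):
    """Hardened: escape <, >, &, and quotes so the term is shown as text."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def demo():
    conn = build_db()
    print("SQLi bypasses, vulnerable login:", probe_login(conn, login_vulnerable))
    print("SQLi bypasses, safe login:     ", probe_login(conn, login_safe))
    xss = "<script>alert(1)</script>"
    print("XSS, vulnerable render:", render_search_vulnerable(xss))
    print("XSS, safe render:      ", render_search_safe(xss))


if __name__ == "__main__":
    demo()
```

Note that the same payload behaves differently depending on the field it lands in: `' OR '1'='1` in the username field is neutralised by the `AND` that follows it, but in the password field it sits at the end of the `WHERE` clause and makes the whole condition true. A tester therefore tries every input position, not just the first one, and the parameterised version rejects all of them.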
Security Researchers also carry out red team versus blue team exercises, whereby the red team pretends to be the attacker, simulating a real-world, full-scale attack against a Responsible Organisation. Meanwhile, the blue team assumes the role of defender, acting as the organisation's security operations team, which is responsible for monitoring, detecting, and responding to threats. Sometimes a “purple team” is introduced, in which the red and blue teams share knowledge and techniques. This approach turns the exercise into a learning opportunity rather than just a competition.
Security Researching is not a luxury but a necessity in today’s digital economy. Technology alone cannot guarantee safety: firewalls, intrusion detection systems, and encryption are only as strong as the people who test and reinforce them. Without security researchers, Responsible Organisations are left guessing where they might be vulnerable, a dangerous gamble in an era of constant cyber attacks.