Sure. Not sure how that’s relevant though?
In general, finding an exploit requires looking for little tiny details that could exist in, really, any area of a given system; looking for a bug, and then exploiting that bug by understanding how input data can be used to create a deterministic chain of events.
This almost always requires thinking outside of the box.
There are people who are also paid to find these before malicious actors do.
It’s always going to be creative in some way, at least in the beginning.
It’s like when people first discover Quake’s fast inverse square root. Sure, the first time around it seems genius. In reality, code like that is actually everywhere, and there is a somewhat trivial aspect to optimizing those kinds of problems.
Be patient. It takes time to “get going”.
If you know how to program, you’re in a good spot. If you don’t know how to program, start with fundamentals.
SICP is good. It’s Lisp. You’ll probably never write a line of Lisp professionally, but it will help shape how you reason about solving problems.
Develop some solid fundamentals.