I have 20 years experience already as a software engineer. I'm currently studying a masters degree in cyber security at a good university. I am participating in CTF team events as part of university, and also I am about to start studying the OSCP.

My question is - how to better position myself for employment in cyber security research?

While the traditional advice seems to be around CTF/hackthebox type stuff.. I wonder, how much of that actually translates into security research?

A lot of CTF games seem.. fun.. but more of a version of leetcode but for wannabe pentesters, than a serious path into security research. I see 'security research' as building homelabs, hosting potential apps to research, reading lots and lots of source code, working on a single app for months and months, doing local fuzzing/dissasembly, and trying to find and publish CVEs.

I am not really sure what the traditional 'CTF/hack the box' path actually gets me, and whether I should just focus on the above?