MrX posted an update 6 months, 1 week ago
When I open a new application, I don’t start with payloads or tools.
The first thing I try to understand is: what actually matters in this app.

I look for things like:
• where user data is created or changed
• where permissions are checked
• where money, credits, points, or actions move
• where one user can affect another user

Then I follow the main flows as a normal user.
Login, profile, settings, actions, exports, anything that changes state.

Only after this, I decide what to test.
Sometimes it’s access control.
Sometimes it’s logic.
Sometimes it’s input handling.

If you start with “let me test XSS or SQLi”, you’re guessing.
If you start with “what would be dangerous if this breaks”, you’re hunting.

This mindset saves time and leads to better bugs.
