security is an especially bad field for imposter syndrome because the surface area is genuinely infinite. new CVEs every week. new attack vectors, new compliance regimes, cloud-native threats that didn't exist two years ago. you can be very good at AppSec and know almost nothing about hardware security. you can own OWASP top 10 and struggle with threat modeling. you can be a strong pentester and be weak at detection engineering.
the field is too big to know all of it. which means you will constantly feel like you're missing things, because you are.
this creates a specific flavor of imposter syndrome where the cure ("just get better") doesn't fully work because the field moves faster than you can learn. you get better and the goalpost moved.
i've been in AppSec for 7 years. i still regularly encounter areas where i have to say "i don't know, let me look into it." this used to bother me a lot. it bothers me less now, for one reason:
i redefined the job. my job isn't to know everything. my job is to know where to look, when to pull in a specialist, how to assess risk under uncertainty, and how to communicate clearly about what i do and don't know. those things i can actually be good at.
the imposter feeling in fields with infinite scope is often a category error. you're measuring yourself against an impossible standard (complete knowledge) rather than the actual job (effective navigation of incomplete knowledge).
if you're in security, medicine, research, law, or any other domain where the knowledge surface is unbounded: the goal isn't to stop feeling like you don't know everything. the goal is to get comfortable being excellent at the subset you own, and humble and fast about the rest.