Cybersecurity research has, it seems, two main thrusts. Both of them seem similar at first glance, but one is more lucrative (though not as impactful) while the other has much more impact (but doesn't seem to pull in the cash). Let's give an overview of various cybersecurity careers first, and then segue into what cyber R&D is today.
From a career perspective, you can first split jobs into either offensive or defensive specialties. Now, granted, this is a somewhat artificial delineation. After all, if you work in any corporate cybersecurity department, you've got someone either on staff or on call that can analyze suspected malware or do some post-incident forensics. But generally, offensive folks do things like pen testing and vulnerability analysis while defensive folks implement and monitor cybersecurity controls and policies in organizations. We can include forensics work and malware analysis as defensive fields. They're not a perfect fit, but as they're not focused specifically on attacking systems, let's lump them in with defensive fields.