About Aditya

Aditya K Sood (Ph.D.) is a cybersecurity advisor, practitioner, researcher, and consultant. With the experience of more than 13 years, he provides strategic leadership in the field of information security covering products and infrastructure. He is well experienced in propelling businesses by making security a salable business trait. Dr. Sood is well versed in designing algorithms by harnessing security intelligence and data science. During his career, he has worked with cross functional teams, management and customers thereby providing them with the best of the breed information security experience. Dr. Sood has research interests in cloud security, IoT security, malware automation and analysis, application security, and secure software design. He has worked on a number of projects pertaining to product/appliance security, networks, mobile, and web applications while serving Fortune 500 clients for IOActive, KPMG and others. He has authored several papers for various magazines and journals including IEEE, Elsevier, Crosstalk, ISACA, Virus Bulletin, and Usenix. His work has been featured in several media outlets including Associated Press, Fox News, The Register, Guardian, Business Insider, CBC, and others. He has been an active speaker at industry conferences and presented at Blackhat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP, and many others. Dr. Sood obtained his Ph.D. from Michigan State University in Computer Sciences. Dr. Sood is also an author of "Targeted Cyber Attacks" and "Empirical Cloud Security" books.

Professional Experience

He held positions such as Senior Director of Threat Research and Security Strategy, Head (Director) of Cloud Security, Chief Architect of Cloud Threat Labs, Lead Architect and Researcher, Senior Consultant, and others while working for companies such as F5 Networks, Symantec, Blue Coat, Elastica, IOActive, Coseinc, and KPMG.


Empirical Cloud Security

Mercury Learning , April 2021

This book is designed for security and risk assessment professionals, DevOps engineers, penetration testers, cloud security engineers, and cloud software developers who are interested in learning practical approaches to cloud security. It covers practical strategies for assessing the security and privacy of your cloud infrastructure and applications and shows how to make your cloud infrastructure secure to combat threats, attacks, and prevent data breaches. The chapters are designed with a granular framework, starting with the security concepts, followed by hand-on assessment techniques based on real-world studies, and concluding with recommendations including best practices.

More details can be found here: https://empirical-cloudsecurity.adityaksood.com/

Targeted Cyber Attacks

Syngress, April 2014

Cyber-crime increasingly impacts both the online and offline world, and targeted attacks play a significant role in disrupting services in both. Targeted Cyber Attacks examines real-world examples of directed attacks and provides insight into what techniques and resources are used to stage these attacks so that you can counter them more effectively.

Syngress published this book (ISBN-10: 0128006048 | ISBN-13: 978-0128006047) and it is available at : Amazon, Elsevier Store, Barnes and Nobles and others. Third-party reviews about the book is available at : Help Net Security and RSA Conference Blog. Search Security Techtarget has displayed a one chapter of the book here : Bookshelf. The book is also hosted in the Toronto Public Library. The book is also available through Google Play.

Chinese transaltion is available at Amazon Bookstore.


  • ".the book works its way through how attacks are planned and executed, following by a description of protective measures and concluding with a bit of myth-busting in order to leave readers with a clear and accurate picture of what the threat really means for them.you get a very sharp sense of how and why these attacks are possible."

    Network Security
  • "The most complete text in targeted cyber attacks to date. Dr. Sood and Dr. Enbody are able to present the topic in an easy to read format that introduces the reader into the basics of targeted cyber attacks, how the attackers gather information about their target, what strategies are used to compromise a system, and how information is being exfiltrated out from the target systems. The book then concludes on how to build multi-layer defenses to protect against cyber attacks. In other words, the book describes the problem and presents a solution. If you are new to targeted attacks or a seasoned professional who wants to sharpen his or her skills, then this book is for you."

    Christopher Elisan, Principal Malware Scientist, RSA -The Division of EMC
  • "Sood and Enbody have taken a systematic, step by step approach to break down a pretty complex topic into bite-sized chunks that are easily digestible. They cover everything from the basics and 'need to know' of targeted attacks to the more advanced insights into the world of exploit packs, attack techniques and more."

    Dhillon Andrew Kannabhiran, Founder/Chief Executive Officer, Hack In The Box
  • "Targeted Cyber Attacks is by far the perfect manual to dive into the dark borders of cybercrime. The book thoroughly describes the model and the mechanisms used by criminals to achieve the cyber attack to exfiltrate information or steal money. From a pen-tester’s perspective, the ethical hackers will certainly find the fundamental factors to prepare a better approach to conduct high level penetration testing. Aditya and Richard deliver the secrets used by cyber-criminals to get inside the most secured companies. I learned a lot from this stunning publication authored by a BlackHat Arsenal Jedi."

    Nabil Ouchn, Founder of ToolsWatch.org and Organizer of BlackHat Arsenal


Contributing Author


Articles / Papers / Magazines / Journals

Elsevier Journals

Virus Bulletin: Research Reports and Articles

Hack-in-the-Box: Magazine




  • Combating Ransom-Wars: Evolving Landscape of Ransomware Infections in Cloud Databases, Hackers on Planet Earth (HOPE) Conference, New York, 2022.
  • World of Modern Apps: Dissecting Ransomware and Botnet Threats in Cloud Databases, Secure 360 Conference, Prior Lake Minnesota, 2022.
  • Dethroning Ransomware Infections in the Cloud Databases used for Modern Applications, Texas Cyber Security Summit, San Antonio, 2021.
  • {Internet of Things or Threats}: Anatomizing the Structure of IoT Botnets, Hack in Paris (HiP) Conference, San Antonio, 2021.
  • Internet of {Things or Threats}, BSides, Berlin, 2021.
  • Enfilade: A Tool to Detect Potential Ransomware Infections in MongoDB Instances, BlackHat Arsenal USA, 2021.
  • Uncovering Botnets in IOT Hemisphere, Secure 360 Conference, St. Paul Minnesota, 2020.
  • Strafer: A Tool to Detect Potential Infections in Elasticsearch Instances, BlackHat Arsenal Europe, 2020.
  • Compromising IoT C&C panels for Unearthing Infections, Virus Bulletin Local Host, 2020.
  • Jamming into the World of IoT Botnets: The Hacker’s Way, UTSA, San Antonio, Texas, 2020.
  • Connected World of Devices - Exploiting the Embedded Web Security Pacific Hackers Conference , Santa Clara, CA, 2019.
  • Embedding Security and Privacy in DevOps - Real World Case Studies SANS DevOps Summit, Denver, Colorado, 2019.
  • The State of Embedded Web Security in IOT Devices, Texas Cyber Security Summit, San Antonio, 2019.
  • IoT Botnet Chaos, ToorCon Security Conference, San Diego, California, 2018.
  • The State of IoT Botnets - The Bad and The Ugly, Hackers on Planet Earth (HOPE) Security Conference, New York, NY, USA, 2018.
  • Crimeware Chaos: Empirical Analysis of HTTP-based Botnet C&C Panels, BSides SF , San Francisco, USA, 2018.
  • The State of IoT Botnets: An Overview, IoT Security Symposium, Burlingame, CA, USA, 2018.
  • Cloud Storage Abuse and Exploitation, EDGE Security Conference, Knoxville, Tennesse, USA, 2017.
  • The Budding World of Cloud Storage Abuse and Exploitation : A Technical Deep Dive, FIRST Security Conference, Puerto Rico, USA, 2017.
  • The TAO of Automated Iframe Injectors - Building Drive-by Platforms For Fun and Profit, Virus Bulletin, Denver, USA, 2016.
  • Understanding the Crux - Abuse of Cloud Storage Apps, CSA Secure Cloud , Dublin, Ireland, 2016.
  • Delivering Security in Cloud Generation World, RSA, San Francisco, USA, 2016.
  • Sanctioned to Hack - Hunting Vulnerabilities in SCADA HMIs, Ground Zero, New Delhi, India, 2015
  • Design Flaws in Network Switches - Your Network Devices Belong to Us!, ToorCon, San Diego, CA, USA, 2015
  • Dynamics of Cloud Storage Abuse and Exploitation - One More for the Road!, ToorCon, San Diego, CA, USA, 2015
  • Applying Data Science to Cloud Services Auditing, Compliance, Monitoring and Security, PSR (Privacy Security Risk), Las Vegas, USA
  • The State of Web Security in SCADA HMIs, OWASP, San Francisco, CA, USA, 2015
  • Hunting Vulnerabilities in SCADA HMIs, DEFCON, Las Vegas, Nevada, USA, 2015
  • Exploiting Fundamental Weaknesses in Botnet C&C Panels, BlackHat, Las Vegas, Nevada, USA, 2014
  • C-SCAD - Assessing Security Flaws in ClearSCADA WebX Client,BlackHat Arsenal, Las Vegas, Nevada, USA, 2014
  • How I Hacked Your Botnet C&C Panels, ToorCon, San Diego, 2014
  • Sparty : A Tool to Audit FrontPage and SharePoint, BlackHat Arsenal,Las Vegas, Nevada, USA, 2013
  • Emerging Trends in Online Social Network Malware, Secure 360 , St. Paul, Minnesota, 2013
  • Dissecting Socioware - A Study of Online Social Network Malware, InfoSec Security Southwest (ISSW),Austin, Texas, 2013
  • Malandroid - Android Malware Mayhem, ToorCon, San Diego, 2012
  • Bust a Cap in the Mobile App, SANS AppSec, Las Vegas, 2012
  • The Realm of Third Generation Botnet Attacks, GrrCon, Grand Rapids,2012
  • Bonded with Botnets, US-CERT GFIRST, Atlanta, 2012
  • Botnets Die Hard - Owned and Operated, DEFCON, Las Vegas,2012
  • Advancements in Botnet Attacks and Malware Distribution, Hackers on Planet Earth(HOPE), New York,2012
  • Insidious Infections - Mangling with Botnets, Layer One, Anaheim, California, 2012
  • Dissecting the State of Present-day Malware, HackCon, Oslo, Norway, 2012
  • Hunting Web Malware, Hacker Halted, Miami, Florida, 2011
  • Browser Exploit Packs - Death by Bundled Exploits, Virus Bulletin, Barcelona, Spain, 2011
  • Botnets and Browsers - Brothers in the Ghost Shell, BruCon, Brussels, Belgium, 2011
  • The Good Hacker - Dismantling Web Malware, OWASP AppSec, Minnesota, Minneapolis, USA, 2011
  • Browser Exploit Packs - Exploitation Tactics, ToorCon, Seattle, Washington, 2011
  • Art of Info Jacking - Detecting Hidden Devices, Source, Seattle, Washington, 2011
  • Spying on SpyEye Botnet - What Lies Beneath, Hack-in-the-Box (HitB), Amsterdam, Netherlands, 2011
  • Eye for and Eye - SpyEye Banking Trojan, ToorCon, San Diego, California, 2010
  • Web Maniac - Hacking Trust, Hacker Halted, Miami, Florida, 2010
  • The Art of Information Extraction, OWASP AppSec, Brazil, 2010
  • Bug Alcoholic - Untamed World of Web Vulnerabilities, OWASP AppSec, Irvine, California,USA, 2010
  • Scaling Web 2.0 Malware Infections, TRISC - Texas Regional Infrastructure Security , Grapevine, Texas, 2010
  • Untamed XSS Wars - Filters vs Payloads, RSA, San Francisco, California, 2010
  • Browser Design Flaws, Troopers, Munich, Germany, 2009
  • Web Psyschic 2.0, Excalibur , Wuxi, China, 2009
  • Rumbling Infections - Web 2.0 Malware Anatomy, SecurityByte - OWASP AppSec, New Delhi, India, 2009
  • Webnoxious 2.0 - Attacking Open End Web, FOSS (Free and Open Source Software), Bangalore, India, 2009
  • Vulnerability Vectors in PDF - Synthesizing PDF Attacks, EUSecWest, London, UK, 2008
  • Rolling Balls - Can You Hack Clients?, XFOCUS XCON, Beijing, China, 2008
  • KungFoo Jacking Browsers, XFOCUS XCON / XKungFoo, Beijing, China, 2008

Presentations - Video Links

A number of videos available for the talks:



  • US 20150264070 - Method and system for detecting algorithm-generated domains: A method and system for detecting algorithm-generated domains (AGDs) is disclosed wherein domain names requested by an internal host are categorized or classified using curated data sets, active services (e.g. Internet services), and certainty scores to match domain names to domain names or IP addresses used by command and control servers.

Research Projects

Botnets and Cybercrime

  • Cybercrime at a Scale: A Practical Study of Deployments of HTTP-Based Botnet Command and Control Panels
    Cybercriminals deploy botnets for conducting nefarious operations on the Internet. Botnets are managed on a large scale and harness the power of compromised machines, which are controlled through centralized portals known as C&C panels. C&C panels are considered as attackers primary operating environment through which bots are controlled and updated at regular intervals of time. C&C panels also store information stolen from the compromised machines as a part of the data exfiltration activity. In this empirical study, we analyzed many over 9000 C&C web URLs to better understand the deployment and the operational characteristics of HTTP-based botnets.

    Published: IEEE Communications Magazine: https://ieeexplore.ieee.org/abstract/document/7981519
  • The Taxonomy of Domain Generation Algorithms
    Domain-generation algorithms (DGAs) allow attackers to manage infection-spreading websites and command-and-control (C&C) deployments by altering domain names on a timely basis. DGAs have made the infection and C&C architecture more robust and supportive for attackers.

    Published: IEEE Security and Privacy Magazine: https://www.computer.org/csdl/magazine/sp/2016/04/msp2016040046/13rRUNvyadg
  • Drive-by Download Attacks: A Comparative Study of Browser Exploit Packs Features and Attack Techniques
    Attackers are using domain-generation algorithms and command-and-control operations to efficiently distribute malware. A detailed taxonomy of DGAs highlights this problem in depth, improving our understanding of various attack techniques and their existing and potential trends.

    Published: IEEE IT Professional: https://ieeexplore.ieee.org/document/7579103
  • An Empirical Study of HTTP-based Financial Botnets
    Cyber criminals are covertly attacking critical infrastructures, and botnets are a common component of those attacks. In recent years, botnets have been shifting their focus from broad-based attacks to more targeted ones such as attacking financial institutions, especially banks.

    Published: IEEE Transactions on Dependable and Secure Computing: https://ieeexplore.ieee.org/document/6991594
  • Exploiting Trust: Stealthy Attacks Through Socioware and Insider Threats
    Online social networks (OSNs) provide a new dimension to people lives by giving birth to online societies. OSNs have revolutionized the human experience, but they have also created a platform for attackers to distribute infections and conduct cybercrime. An OSN provides an opportunistic attack platform for cybercriminals through which they can spread infections at a large scale.

    Published:IEEE Systems Journal: https://ieeexplore.ieee.org/document/7042925?arnumber=7042925
  • Cybercrime - Dissecting the State of Underground Enterprise
    Cybercrime’s tentacles reach deeply into the Internet. A complete, underground criminal economy has developed that lets malicious actors steal money through the Web. The authors detail this enterprise, showing how information, expertise, and money flow through it. Understanding the underground economy’s structure is critical for fighting it.

    Published: IEEE Internet Computing Magazine: https://www.computer.org/csdl/magazine/ic/2013/01/mic2013010060/13rRUILc8bN
  • Targeted Cyberattacks - Superset of Advanced Persistent Attacks
    Targeted cyberattacks play an increasingly significant role in disrupting the online social and economic model, not to mention the threat they pose to nation-states. A variety of components and techniques come together to bring about such attacks.

    Published:IEEE Security and Privacy Magazine: https://ieeexplore.ieee.org/document/6231617
  • Crimeware-as-a-Service (CaaS) - A Survey of Commoditized Crimeware in the Underground Market
    Crimeware-as-a-service (CaaS) has become a prominent component of the underground economy. CaaS provides a new dimension to cyber crime by making it more organized, automated, and accessible to criminals with limited technical skills. This paper dissects CaaS and explains the essence of the underground economy that has grown around it. The paper also describes the various crimeware services that are provided in the underground market.

    Published:International Journal of Critical Infrastructure Protection: https://www.sciencedirect.com/science/article/abs/pii/S1874548213000036
  • The Conundrum of Declarative Security: HTTP Response Headers: Lessons Learned
    The stringency of attacks has grown simultaneously with the development of the web. To combat some of the new attacks, declarative security has been proposed in the form of HTTP response headers from the server side. The declarative model provides an extensible set of security parameters in form of HTTP responses. In this, browsers can respond with a requested security mechanism. This paper explores the state of HTTP declarative security and how it is being applied today.

    Published:Usenix Collsec: https://www.usenix.org/legacy/event/collsec10/tech/full_papers/Sood.pdf
  • Exploiting Fundamental Weaknesses in Botnet C&C Panels
    Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers.

    Webpage: BlackHat Research
  • Tools

  • Enfilade - A Tool to Detect Infections in Elasticsearch Instances: MongoDB infections are rising exponentially. The adversaries are exploiting open and exposed MongoDB interfaces to trigger infections in the cloud and non-cloud deployments. During this talk, we will release a tool named "ENFILADE" to detect potential infections in the MongoDB instances. The tool allows security researchers, penetration testers, and threat intelligence experts to detect compromised and infected MongoDB instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases.

    Webpage: Enfilade : BlackHat Arsenal
  • Strafer - A Tool to Detect Infections in Elasticsearch Instances: Elasticsearch infections are rising exponentially. The adversaries are exploiting open and exposed Elasticsearch interfaces to trigger infections in the cloud and non-cloud deployments. During this talk, we will release a tool named "STRAFER" to detect potential infections in the Elasticsearch instances. The tool allows security researchers, penetration testers, and threat intelligence experts to detect compromised and infected Elasticsearch instances running malicious code. The tool also enables you to conduct efficient research in the field of malware targeting cloud databases.

    Webpage: Strafer : BlackHat Arsenal
  • Sparty - Sharepoint Web Application Penetration Testing Tool: Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.

    Webpage: Sparty : BlackHat Arsenal
  • C-SCAD: Assessing Security Flaws in C-SCAD WebX Client: C-SCAD is an information gathering and penetration testing tool written to assess the security issues present in the Web-X (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. WebX client is hosted on the embedded web server which is shipped as a part of complete ClearSCADA architecture. Primarily, the WebX client is restricted to perform any configuration changes but it can reveal potential information about the ClearSCADA server and associated components. Insecure deployments of WebX client can reveal potential information about the various functions such as alarm pages, SQL lists, and diagnostic checks including various reports.

    Webpage: C-SCAD : BlackHat Arsenal
  • Declarative Security Detector: Mozilla Addons Clickjacking Defense - Declarative Sec Detector and HTTP Content Security Policy Detector.

    Webpage: Declarative Security Addons

Vulnerabilities Discovered

A number of vulnerabilities have been disclosed under the hood of "Responsible Disclosure" and cannot be disclosed due to business and legal constraints. A number of disclosed vulnerabilities are listed below but not limited to:

Note: a number of vulnerabilities are in the process of getting patched and will be added once advisories are released.

Bug Bounties (*FUN*)

Reported many vulnerabilities to vendors as a part of bug bounties (entirely fun). The list of vendors are presented below but are not limited to:

  • NetFlix | PayPal | BlackBerry | Barracuda Networks | Apple | Adobe | Microsoft | ZScaler





Skills / Experience


  • Executing Information Security Management Program (ISMP)
  • Security Assessments - Penetration Testing and Vulnerability Discovery
  • Cloud Security - Architectural Design
  • IOT Security Research and Algorithm Design
  • Vulnerability Research
  • Mobile Security Assessments
  • Source Code Reviews
  • Security and Privacy Risk Assessments including Impact Analysis
  • Malware Research and Analysis
  • Secure Design Reviews
  • Risk Assessments: Security and Privacy
  • Configuration Management Reviews
  • Product Management for Security Initiatives

  • Details: For consulting services, please contact via Linkedin.

Speaking Engagements

  • Details: For speaking engagements, please contact via Linkedin.


Published Blogs

Twitter Stream


  • Education is what remains after one has forgotten what one has learned in school.

    Albert Einstein.
  • Gibbs' Rule #35: Always watch the watchers.

    Season 8, Episode 22 - Baltimore.
  • I think computer viruses should count as life. I think it says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image..

    Stephen Hawking.
  • Ability is what you're capable of doing. Motivation determines what you do. Attitude determines how well you do it.

    Lou Holtz