Skip to main content

Cybersecurity Research Papers

Master's degree candidates at SANS.edu conduct research that is relevant, has real world impact, and often provides cutting-edge advancements to the field of cybersecurity, all under the guidance and review of our world-class instructors.

Showing 12 of 762

USB: Universal Security Breach or Uniquely Secured Bus? Assessing the Effectiveness of Windows 11 Group Policy at Controlling USB Device Installation for Budget-Constrained Security Teams

Research PaperCyber Defense

This study evaluates three progressively granular Windows 11 Group Policy (GPO) configurations—class-based blocking, VID/PID allowlisting, and Device Instance ID allowlisting—against legitimate business peripherals and a Hak5 USB Rubber Ducky configured as a composite BadUSB device, using the Windows 11 v25H2 Security Baseline as the unmodified reference state.

  • 22 Jun 2026
  • Kire Jacobson

Investigating Operating System Variations in IPv6 Implementations

Research PaperCyber Defense

This research tested the four most common operating system families, Windows, Linux, macOS, and BSD, for RFC compliance and behavioral differences across a controlled set of IPv6 test cases. Because RFC specifications leave many implementation details to the developer, behavior was expected to diverge, and the testing confirmed that it did.

  • 22 Jun 2026
  • Donovan Rodriguez

macOS Infostealer Exfiltration Techniques via Native Tooling: Behavioral Analysis and Defenses

Research PaperCyber Defense

This paper analyzes macOS infostealers and their reliance on native system utilities. The use of specific command-line options and arguments should be predictable and detectable with proper analysis.

  • 22 Jun 2026
  • Cory Findley

Detection Strategies for AskCreds Beacon Object File Credential Harvesting Across Multiple C2 Frameworks

Research PaperDigital Forensics and Incident Response

This study evaluates layered detection strategies against AskCreds BOF execution in an isolated Azure lab using Cobalt Strike 4.12 and Outflank C2 v2.11.1, with Velociraptor as the primary DFIR platform.

  • 22 Jun 2026
  • Eric Fletcher

Capturing the Click: Process-Based Detection of Malicious Link Interactions

Research PaperDigital Forensics and Incident Response

This research validates the browser command-line flags used by Chrome, Edge, and Firefox as parameters in process-creation events, capturing both the clicked URL and the parent application, document, or script that delivered it.

  • 22 Jun 2026
  • Daniel Gott

Securing the Sun: Impact-Effective Cybersecurity Controls for Solar SCADA

Research PaperIndustrial Control Systems Security

Based on research conducted with a custom-built lab emulating a utility-grade solar SCADA network, this paper details the greatest impact on a solar site, in the form of physical consequences to power generation capabilities.

  • 11 Jun 2026
  • Wesley D. Barrier

From Alert to Evidence: Evaluating AI Agents for Cyber Forensic Triage

Research PaperArtificial Intelligence

Cyber defense teams are beginning to experiment with large language models in security operations, but their usefulness in digital forensics and incident triage is still uncertain.

  • 11 Jun 2026
  • Connor Blackard

Know Your Blind Spots: Better Visibility Through EDR Policy Hardening

Research PaperDigital Forensics and Incident Response

Endpoint Detection and Response (EDR) tools identify, detect, and respond to anomalous behavior.

  • 9 Jun 2026
  • Joshuah Williams

Secure By Design: An Exploration of the Application of Generative AI in Threat Modeling Technical Design Documents

Research PaperArtificial Intelligence

This paper explores the efficacy of large language models (LLMs) for creating comprehensive threat models by analyzing technical design documents, particularly when provided with additional contextual information about the product's underlying infrastructure and deployment environment.

  • 27 May 2026
  • Mark Oswald

Identifying Security Vulnerabilities in Kubernetes Environments

Research PaperCloud Security

This research aims to develop a practical methodology for identifying security misconfigurations in Kubernetes environments, across both Infrastructure-as-Code (IaC) and live cluster states.

  • 14 May 2026
  • Patrick Trecek

Leveraging Large Language Models for Cross-Vendor Firewall Configuration Migration: A Comparative Case Study of Claude and ChatGPT

Research PaperArtificial Intelligence

This paper investigates how two current-generation large language models (LLMs) perform on a single, representative firewall migration task.

  • 12 May 2026
  • Omar Zaman

Applying CIS Controls to AI Workflows

Research PaperDigital Forensics and Incident Response

This research provides guidance on using the CIS Controls in conjunction with AI-specific frameworks to build a robust information security program.

  • 12 May 2026
  • Brian Ventura