Cybersecurity Research Papers
Master's degree candidates at SANS.edu conduct research that is relevant, has real world impact, and often provides cutting-edge advancements to the field of cybersecurity, all under the guidance and review of our world-class instructors.
Evaluating the Detection Effectiveness of Network Monitoring Tools Against Modern Command-and-Control Frameworks
Research PaperCyber DefenseThis research measures the effectiveness of Zeek, Suricata, and Security Onion against representative modern C2 frameworks in a controlled laboratory environment.
- 9 Jul 2026
- Joseph Zderadicka
Practical MFA for the Enterprise: Enforcing Strong Authentication for Non-Human Identities Using Compensating Controls
Research PaperCyber DefenseThis paper’s case study examined a production Microsoft Entra ID environment at a large North American organization encompassing more than 500 app registrations and 21,000 directory accounts.
- 9 Jul 2026
- Fredrick Stock
USB: Universal Security Breach or Uniquely Secured Bus? Assessing the Effectiveness of Windows 11 Group Policy at Controlling USB Device Installation for Budget-Constrained Security Teams
Research PaperCyber DefenseThis study evaluates three progressively granular Windows 11 Group Policy (GPO) configurations—class-based blocking, VID/PID allowlisting, and Device Instance ID allowlisting—against legitimate business peripherals and a Hak5 USB Rubber Ducky configured as a composite BadUSB device, using the Windows 11 v25H2 Security Baseline as the unmodified reference state.
- 22 Jun 2026
- Kire Jacobson
Investigating Operating System Variations in IPv6 Implementations
Research PaperCyber DefenseThis research tested the four most common operating system families, Windows, Linux, macOS, and BSD, for RFC compliance and behavioral differences across a controlled set of IPv6 test cases. Because RFC specifications leave many implementation details to the developer, behavior was expected to diverge, and the testing confirmed that it did.
- 22 Jun 2026
- Donovan Rodriguez
macOS Infostealer Exfiltration Techniques via Native Tooling: Behavioral Analysis and Defenses
Research PaperCyber DefenseThis paper analyzes macOS infostealers and their reliance on native system utilities. The use of specific command-line options and arguments should be predictable and detectable with proper analysis.
- 22 Jun 2026
- Cory Findley
Detection Strategies for AskCreds Beacon Object File Credential Harvesting Across Multiple C2 Frameworks
Research PaperDigital Forensics and Incident ResponseThis study evaluates layered detection strategies against AskCreds BOF execution in an isolated Azure lab using Cobalt Strike 4.12 and Outflank C2 v2.11.1, with Velociraptor as the primary DFIR platform.
- 22 Jun 2026
- Eric Fletcher
Capturing the Click: Process-Based Detection of Malicious Link Interactions
Research PaperDigital Forensics and Incident ResponseThis research validates the browser command-line flags used by Chrome, Edge, and Firefox as parameters in process-creation events, capturing both the clicked URL and the parent application, document, or script that delivered it.
- 22 Jun 2026
- Daniel Gott
Securing the Sun: Impact-Effective Cybersecurity Controls for Solar SCADA
Research PaperIndustrial Control Systems SecurityBased on research conducted with a custom-built lab emulating a utility-grade solar SCADA network, this paper details the greatest impact on a solar site, in the form of physical consequences to power generation capabilities.
- 11 Jun 2026
- Wesley D. Barrier
From Alert to Evidence: Evaluating AI Agents for Cyber Forensic Triage
Research PaperArtificial IntelligenceCyber defense teams are beginning to experiment with large language models in security operations, but their usefulness in digital forensics and incident triage is still uncertain.
- 11 Jun 2026
- Connor Blackard
Know Your Blind Spots: Better Visibility Through EDR Policy Hardening
Research PaperDigital Forensics and Incident ResponseEndpoint Detection and Response (EDR) tools identify, detect, and respond to anomalous behavior.
- 9 Jun 2026
- Joshuah Williams
Secure By Design: An Exploration of the Application of Generative AI in Threat Modeling Technical Design Documents
Research PaperArtificial IntelligenceThis paper explores the efficacy of large language models (LLMs) for creating comprehensive threat models by analyzing technical design documents, particularly when provided with additional contextual information about the product's underlying infrastructure and deployment environment.
- 27 May 2026
- Mark Oswald
Identifying Security Vulnerabilities in Kubernetes Environments
Research PaperCloud SecurityThis research aims to develop a practical methodology for identifying security misconfigurations in Kubernetes environments, across both Infrastructure-as-Code (IaC) and live cluster states.
- 14 May 2026
- Patrick Trecek
