Jason Ostrom

Jason has a curiosity for tinkering and building offensive things that has spanned his 23 year career in IT and penetration testing. He is a principal consultant at Stora Security where he helps clients improve their readiness for security incidents. Jason has helped over 225 organizations mature their Cyber Security programs by focusing on an offensive approach coupled with the many hats he has worn rolling up his sleeves within enterprises – CTO, Network Engineer, Coder, System Administrator, Cloud Architect, Incident Handler, and Penetration Tester. Jason has not only built and led Pentest practices, but also delivered SaaS software and new MDR/MSSP service offerings. He believes in giving back to the InfoSec community and enjoys creating open source security tools. Jason holds several certifications, including Cisco CCIE #15239, AWS Certified Solution Architect Associate, GPEN, GCIH, GCFA, AWS Certified Security Specialty, and Azure Security Engineer Associate.

More About Jason


Jason has used his extensive experience to help clients solve a variety of security problems impacting their respective businesses. He helped a solution manufacturer raise their DoD STIG metrics to above 95% for all assessed products, including development of Python hardening scripts that protected federal assets. He coded a Python vulnerability management program that automatically provided remediation timeliness and metrics for closing security issues. In a client-authorized penetration test, he found a 0-day vulnerability (CVE-2016-2783) in a networking platform that was ethically disclosed to the vendor. He is the author of the "VoIP Hopper" network infrastructure pen testing tool, which is included in the popular Kali Linux distribution.

Jason has extensive experience distilling security issues and presenting them to target audiences, including C-Suite and board, and has been quoted in media outlets such as Network World and Wired Magazine. Jason has spoken at many high-profile security events such as DefCon and ShmooCon. He has been invited by federal agencies, SANS Institute (Pentest Summit) and Forrester Research to speak on application security. Jason holds several certifications, including Cisco CCIE #15239, AWS Certified Solution Architect Associate, GPEN, GCIH, GCFA, AWS Certified Security Specialty, and Azure Security Engineer Associate. He earned an M.S. in Information Security from James Madison University, and his B.A. from the University of Michigan.

Here is a presentation by Jason Ostrom:

The End of the PSTN As You Know It | DEF CON 20



VoIP Hopping the Hotel: Attacking the Crown Jewels through VoIP, DEF CON 19

Advancing Video Application Attacks with Video Interception, Recording, and Replay, DEF CON 17


  • Aria Cloud - A remote penetration testing Docker container, with a focus on including cloud penetration testing tools for Azure, AWS, and GCP.
  • Purple Cloud - Deploys a small Active Directory domain in Azure IaaS, using Terraform + Ansible. Joins three Windows 10 endpoints to a domain and includes a Linux Adversary.
  • VoIP hopper - VoIP Hopper is a network infrastructure penetration testing tool to test the (in)security of VLANS as well as mimic the behavior of IP Phones to automatically VLAN Hop and demonstrate risks within IP Telephony network infrastructures.
  • Azure Velociraptor - Deploys the Velociraptor live response DFIR agent in Azure IaaS, using Terraform + Ansible. Deploys one Velociraptor server and one Windows 10 endpoint configured to register the Velociraptor agent to the server.
  • HELK_Azure - Deploys Hunting ELK (HELK) hunting SIEM into Azure IaaS, using Terraform + Ansible. Deploys one HELK server and one Windows 10 endpoint. The endpoint is auto-configured to ship SwiftOnSecurity Sysmon logs via Winlogbeat using Kafka transport. Default support for Mordor.
  • Hammer - A learning demo example of a vulnerable Ruby on Rails application found in the wild. It leaks cloud API keys through a vulnerable middleware component. Docker container support as well as build instructions.