
Security Engineer  ·  Security Researcher  ·  Applied Scientist  ·  PhD Candidate  ·  Stony Brook University

Maryam Rostamipoor

Cloud-native security research — detecting and preventing sensitive-data leakage from serverless platforms to Kubernetes clusters.

  • 50+ bug bounty programs
  • 3 top-tier publications
  • 498 real-world apps secured
  • 798 secrets exposed
  • 90+ pen tests conducted

About Me

I am a Security Engineer, Researcher, and Applied Scientist completing a PhD in Computer Science at Stony Brook University, advised by Dr. Michalis Polychronakis. I bring first-author publications at NDSS and IEEE EuroS&P plus six years of pre-PhD offensive-security industry experience across national-scale financial infrastructure — spanning cloud and platform security, Kubernetes hardening, secrets management, static analysis, and penetration testing.

My research produces production-grade security systems evaluated across thousands of real-world applications. I designed and built LeakLess (NDSS 2025), KubeKeeper (EuroS&P 2025), LeakChain, and Confine — each combining systems research with large-scale empirical evaluation. I am a Catacosinos Fellow and Internet Society NDSS Fellow (both 2025).

Before my PhD, I was Head of Software Security at Sadad Electronic Payment Company, leading threat modeling, architecture reviews, and penetration testing for a national-scale banking ecosystem — manually exploiting XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE vulnerabilities in production financial infrastructure.

I am seeking roles in Security Engineering, Security Research, or Applied Scientist positions — with a focus on cloud security, platform security, security tooling, and applied security research. Green Card Holder.

Cloud & Platform Security  ·  Kubernetes Security  ·  Secrets Management  ·  Penetration Testing  ·  Static Analysis  ·  CI/CD Security  ·  Threat Modeling

Security Systems at Scale

Production-grade tools deployed across hundreds of real-world applications, translating cutting-edge research into practical defenses.

10+ Years in Security

Feb 2021 – May 2026

Security & Privacy Researcher

HexLab, Stony Brook University — Stony Brook, NY

  • Built LeakLess: in-memory encryption that protects sensitive data in 91% of evaluated serverless apps against Spectre/Meltdown-class memory leakage attacks, at only 2.8–8.5% overhead. Published at NDSS 2025.
  • Built KubeKeeper: cryptographic Kubernetes Secrets protection across 498 real-world apps with zero runtime overhead. Published at EuroS&P 2025.
  • Developed LeakChain: IaC-aware CodeQL framework with integrated LLM-based AI security agent, detecting 798 confirmed secret-exposure flows across 1,156 real-world serverless applications at 100% precision / 93.2% recall.
  • Created Confine: automated seccomp policy generation filtering 144+ syscalls and mitigating 28 Linux kernel CVEs. Published in Computers & Security, 2023.

May 2018 – Feb 2021

Head of Software Security Team

Sadad Electronic Payment Company — Tehran, Iran

  • Led product and platform security for a national-scale banking ecosystem — threat modeling, security architecture reviews, and risk assessments across web, mobile, and API systems.
  • Manually exploited real-world vulnerabilities including XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE in production financial applications.
  • Conducted penetration testing of 20+ web/mobile services and APIs, integrating secure development practices into the SDLC.
  • Automated vulnerability triage and remediation workflows, reducing remediation time by 40%.

Feb 2017 – May 2018

Researcher & Senior Software Security Engineer

APA Research Center, Amirkabir University of Technology — Tehran, Iran

  • Performed penetration testing across 90+ web, mobile, and API systems, discovering CVSS ≥ 9 vulnerabilities in national stock exchange infrastructure.
  • Designed secure baselines and automated auditing scripts for 54 production servers — guidance adopted by 100+ organizations, reducing review time by 70%.

Dec 2015 – Feb 2017

Senior Web Application Security Engineer

Stock Exchange Organization — Tehran, Iran

  • Led offensive security assessments across 50+ production web applications and APIs supporting national financial trading platforms, mitigating high-risk attack paths.
  • Hardened 54 production servers by designing secure baselines and automated auditing scripts, reducing configuration review time by 70%.

Technical Expertise

Application & Web Security
Threat Modeling (STRIDE)  ·  OWASP Top 10  ·  Secure Code Review  ·  PoC Exploit Development  ·  XSS  ·  SQL Injection  ·  SSRF  ·  IDOR  ·  CSRF  ·  Deserialization  ·  Auth Bypass  ·  RCE  ·  Burp Suite  ·  SQLmap  ·  Metasploit  ·  Nessus
Cloud & Container Security
AWS (IAM, VPC, S3, Lambda, Security Hub)  ·  Kubernetes (RBAC, Secrets, Admission Webhooks)  ·  Docker  ·  IaC Security  ·  CI/CD Security (GitHub Actions)  ·  Secrets Management  ·  Secure-by-Default Architecture
Systems & Program Analysis
Linux Kernel Internals  ·  System-Call Filtering (seccomp, AppArmor)  ·  Container Isolation  ·  Applied Cryptography  ·  In-Memory Encryption  ·  CodeQL  ·  angr  ·  Ghidra  ·  Static & Dynamic Analysis  ·  Taint-Flow Tracking
Identity & Access Security
OAuth 2.0  ·  OIDC  ·  SAML  ·  SCIM  ·  WebAuthn / FIDO2  ·  Identity Protocol Assessment
AI Security
LLM-Based Agent Development  ·  LLM-Assisted Source/Sink Modeling  ·  Prompt Injection Research  ·  Security Automation
Languages
Python  ·  C  ·  Go  ·  Rust  ·  JavaScript

Research Output

NDSS 2025 February 2025  ·  San Diego, CA

LeakLess: Selective Data Protection Against Memory Leakage Attacks for Serverless Platforms

Maryam Rostamipoor, Seyedhamed Ghavamnia, Michalis Polychronakis

IEEE EuroS&P 2025 June 2025  ·  Venice, Italy

KubeKeeper: Protecting Kubernetes Secrets Against Excessive Permissions

Maryam Rostamipoor, Aliakbar Sadeghi, Michalis Polychronakis

Computers & Security 2023

Confine: Fine-grained System Call Filtering for Container Attack Surface Reduction

Maryam Rostamipoor, Seyedhamed Ghavamnia, Michalis Polychronakis

Under Submission 2026

Fake APIs, Real Threats: Studying Activities Targeting APIs in the Wild

Aliakbar Sadeghi, Maryam Rostamipoor, Nick Nikiforakis, Omar Chowdhury

Under Submission 2026

LeakChain: Detecting Sensitive Data Leakage Across Distributed Serverless Applications

Maryam Rostamipoor, Michalis Polychronakis

Under Submission 2026

Breaking the Gate: Detecting Invisible Authentication Slip-Through in NGINX Reverse Proxy

Aliakbar Sadeghi (Samsung Research America), Maryam Rostamipoor, Sai Chand Boyapati (Samsung Research America), Omar Chowdhury

Recognition

2025

Catacosinos Fellowship for Academic Excellence and Research Potential

Department of Computer Science, Stony Brook University

2025

Internet Society NDSS Fellowship

Network and Distributed System Security Symposium

2025

CRA-WP Grad Cohort for Women & IDEALS

Computing Research Association

2023

GAANN Fellowship (Graduate Assistance in Areas of National Need)

U.S. Department of Education

2023

Graduate Students in STEM Leadership & Life Design Fellowship

Stony Brook University

Let's Connect

Open to Security Engineering, Security Research, and Applied Scientist roles. Feel free to reach out.