
Security Engineer  ·  Security Researcher  ·  Applied Scientist  ·  PhD Candidate  ·  Stony Brook University

Maryam Rostamipoor

Building production-grade security systems that protect real-world applications at scale — from serverless platforms to Kubernetes clusters.

  • 10+ Years in Security
  • 3 Top-Tier Publications
  • 498 Real-World Apps Secured
  • 1,400+ Secrets Exposed
  • 90+ Pen Tests Conducted

Security Engineer  ·  Researcher & Applied Scientist

I am a Security Engineer, Researcher, and Applied Scientist completing a PhD in Computer Science at Stony Brook University, advised by Dr. Michalis Polychronakis. I bring 10+ years of combined industry and research experience spanning cloud and platform security, Kubernetes hardening, secrets management, static analysis, and penetration testing.

My research produces production-grade security systems deployed across hundreds of real-world applications. I designed and built LeakLess (NDSS 2025), KubeKeeper (EuroS&P 2025), LeakGauge, and Confine — each combining systems research with large-scale empirical evaluation. I am a Catacosinos Fellow and Internet Society NDSS Fellow (both 2025).

Before my PhD, I was Head of Software Security at Sadad Electronic Payment Company, leading threat modeling, architecture reviews, and penetration testing for a national-scale banking ecosystem — manually exploiting XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE vulnerabilities in production financial infrastructure.

I am seeking roles in Security Engineering, Security Research, or Applied Scientist positions — with a focus on cloud security, platform security, security tooling, and applied security research. Green Card Holder.

Cloud & Platform Security  ·  Kubernetes Security  ·  Secrets Management  ·  Penetration Testing  ·  Static Analysis  ·  CI/CD Security  ·  Threat Modeling

Security Systems at Scale

Production-grade tools deployed across hundreds of real-world applications, translating cutting-edge research into practical defenses.

10+ Years in Security

Feb 2021 – May 2026

Security & Privacy Researcher

HexLab, Stony Brook University — Stony Brook, NY

  • Built LeakLess: in-memory encryption protecting against Spectre/Meltdown-class attacks in 91% of serverless apps with only 2.8–8.5% overhead. Published at NDSS 2025.
  • Built KubeKeeper: cryptographic Kubernetes Secrets protection across 498 real-world apps with zero runtime overhead. Published at EuroS&P 2025.
  • Developed LeakGauge: IaC-aware CodeQL framework identifying 1,400+ secret-exposure paths across 500+ serverless applications.
  • Created Confine: automated seccomp policy generation filtering 144+ syscalls and mitigating 28 Linux kernel CVEs. Published in Computers & Security, 2023.

May 2018 – Feb 2021

Head of Software Security Team

Sadad Electronic Payment Company — Tehran, Iran

  • Led product and platform security for a national-scale banking ecosystem — threat modeling, security architecture reviews, and risk assessments across web, mobile, and API systems.
  • Manually exploited real-world vulnerabilities including XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE in production financial applications.
  • Conducted penetration testing of 20+ web/mobile services and APIs, integrating secure development practices into the SDLC.
  • Automated vulnerability triage and remediation workflows, reducing remediation time by 40%.

Feb 2017 – May 2018

Researcher & Senior Software Security Engineer

APA Research Center, Amirkabir University of Technology — Tehran, Iran

  • Performed penetration testing across 90+ web, mobile, and API systems, discovering CVSS ≥ 9 vulnerabilities in national stock exchange infrastructure.
  • Designed secure baselines and automated auditing scripts for 54 production servers — guidance adopted by 100+ organizations, reducing review time by 70%.

Dec 2015 – Feb 2017

Senior Web Application Security Engineer

Stock Exchange Organization — Tehran, Iran

  • Led offensive security assessments across 50+ production web applications and APIs supporting national financial trading platforms, mitigating high-risk attack paths.
  • Hardened 54 production servers by designing secure baselines and automated auditing scripts, reducing configuration review time by 70%.

Technical Expertise

Security & Privacy
Applied Cryptography  ·  In-Memory Encryption  ·  Secrets Management  ·  Threat Modeling (STRIDE)  ·  Data-Flow & Taint Analysis  ·  Container Isolation  ·  DevSecOps

Cloud & Infrastructure
AWS (IAM, VPC, Lambda, Security Hub)  ·  Kubernetes (RBAC, Admission Webhooks)  ·  Docker  ·  IaC Security  ·  CI/CD Security (GitHub Actions)  ·  Secure-by-Default Architecture

Offensive Security
XSS  ·  SQL Injection  ·  SSRF  ·  IDOR  ·  CSRF  ·  RCE  ·  Auth Bypass  ·  Burp Suite  ·  Metasploit  ·  Nessus  ·  SQLmap

Program Analysis
CodeQL  ·  angr  ·  Ghidra  ·  Static & Dynamic Analysis  ·  ELF & Binary Analysis  ·  Taint-Flow Tracking

Languages
Python  ·  C  ·  Go  ·  Rust  ·  JavaScript

Research Output

NDSS 2025 February 2025  ·  San Diego, CA

LeakLess: Selective Data Protection Against Memory Leakage Attacks for Serverless Platforms

Maryam Rostamipoor, Seyedhamed Ghavamnia, Michalis Polychronakis

IEEE EuroS&P 2025 June 2025  ·  Venice, Italy

KubeKeeper: Protecting Kubernetes Secrets Against Excessive Permissions

Maryam Rostamipoor, Aliakbar Sadeghi, Michalis Polychronakis

Computers & Security  ·  2023

Confine: Fine-grained System Call Filtering for Container Attack Surface Reduction

Maryam Rostamipoor, Seyedhamed Ghavamnia, Michalis Polychronakis

Under Submission 2026

Fake APIs, Real Threats: Studying Activities Targeting APIs in the Wild

Aliakbar Sadeghi, Maryam Rostamipoor, Nick Nikiforakis, Omar Chowdhury

In Preparation 2026

LeakGauge: Infrastructure-as-Code–Aware Sensitive Data Flow Analysis in Event-Driven Serverless Applications

Maryam Rostamipoor, Michalis Polychronakis

Recognition

2025

Catacosinos Fellowship for Academic Excellence and Research Potential

Department of Computer Science, Stony Brook University

2025

Internet Society NDSS Fellowship

Network and Distributed System Security Symposium

2025

CRA-WP Grad Cohort for Women & IDEALS

Computing Research Association

2023

GAANN Fellowship (Graduate Assistance in Areas of National Need)

U.S. Department of Education

2023

Graduate Students in STEM Leadership & Life Design Fellowship

Stony Brook University

Let's Connect

Open to Security Engineering, Security Research, and Applied Scientist roles. Feel free to reach out.