Vendor-neutral cloud-security community. 2,000+ practitioners. Free weekly Zoom on Fridays. No marketing.
π csoh.org Β· π Friday Zoom 7am PT Β· π‘ RSS
The vendor-neutral curriculum, written by practitioners. This catalog mirrors the site navigation - Learn, By Cloud, Threat Intel, Careers, and Community - so the README and the nav stay in step. (The nav itself is canonical in tools/sync_chrome.py.)
| Guide | What it covers |
|---|---|
| π What is Cloud Security? | Plain-English foundation - shared responsibility, threats, tool landscape |
| βοΈ Shared Responsibility Model | What the cloud provider secures vs. what you secure (AWS / Azure / GCP) |
| π οΈ CSPM vs CNAPP vs CWPP vs CIEM vs DSPM | The acronym soup decoded - when you need each tool |
| β Cloud Security Best Practices | The controls that actually prevent breaches, ranked by real incidents |
| πΊοΈ Vendor Landscape | 350+ cloud-security vendors across 30 categories. No rankings, just orientation |
| π Glossary | 300+ cloud-security terms, plain-English, every cross-reference hyperlinked |
| β FAQ | Format, mailing list, recording policy, contributing, presenter pitches (FAQ schema) |
| Guide | What it covers |
|---|---|
| π¦ Containers & Cloud Security | Trust boundary, escape paths, identity chaining via IMDS, supply chain |
| βΈοΈ Kubernetes & Managed Kubernetes | EKS / AKS / GKE - shared responsibility, workload identity, RBAC, admission |
| β‘ Serverless Functions | Lambda / Azure Functions / Cloud Functions - event injection, IAM, denial of wallet |
| πΈοΈ Service Mesh Security | Istio / Linkerd / Cilium / Consul, mTLS, SPIFFE/SPIRE, ambient mode |
| π CI/CD for Cloud Deployments | Pipeline anatomy, OIDC federation, AWS/Azure/GCP toolchains |
| π Landing Zones | Cloud foundations - Control Tower / Azure CAF / GCP blueprint |
| Guide | What it covers |
|---|---|
| π IAM & Cloud Identity | Federation, RBAC/ABAC, JIT, workload identity, privilege-escalation paths |
| π‘οΈ Zero Trust Architecture | NIST SP 800-207, BeyondCorp, CISA Maturity Model, ZTNA, microsegmentation |
| π Cloud Network Security | VPC design, private endpoints, egress controls, WAF, DDoS, SASE/ZTNA |
| ποΈ Data Security, KMS & Secrets | Envelope encryption, BYOK/HSM, secrets management, key rotation |
| π Vulnerability Management | CVSS/EPSS/KEV prioritization, reachability, SAST/SCA/DAST, SBOM/VEX, ASPM |
| π API Security | OWASP API Top 10, BOLA, JWT pitfalls, GraphQL/gRPC, runtime defense |
| π‘ SaaS Security (SSPM) | M365 / Workspace / Salesforce / GitHub / Slack, OAuth app risk, ITDR |
| Guide | What it covers |
|---|---|
| πΎ Backup, DR & Ransomware | 3-2-1-1-0, immutability per cloud, ransomware kill chain, key custody |
| π§ Threat Modeling | STRIDE/PASTA/LINDDUN, attack trees, ATT&CK Cloud, three worked examples |
| π GRC for Cloud | Governance, Risk, Compliance - frameworks, policy-as-code, audit evidence |
| π Compliance Frameworks | SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP, CMMC, NIST CSF, GDPR |
| π‘ AI Learning | Using AI assistants to learn cloud security faster - prompts, workflows, study tactics |
| π€ AI/ML & LLM Security | OWASP LLM Top 10, prompt injection, agentic AI, model supply chain, ATLAS |
| Guide | What it covers |
|---|---|
| βοΈ Multi-Cloud Secure Deploy | One static site, three active/active cloud origins behind Cloudflare, keyless OIDC deploys - the full dogfooded stack |
| βοΈ How We Use GitHub Actions | Learn CI/CD by reading our heavily-commented workflows |
| π§± How We Use Terraform | Learn IaC by reading the line-by-line-commented Terraform that provisions our own multi-cloud infra |
| π Git & Version Control | Version-control fundamentals taught through this repo's own history |
| Hub | Focus |
|---|---|
| π§ AWS Security | Well-Architected, service catalog, top-10 misconfigs, AWS attack paths |
| π¦ Azure Security | CAF Secure, Entra/Defender/Sentinel, Entra-vs-AD, Azure attack paths |
| π© GCP Security | Encryption-by-default, SCC Enterprise, VPC Service Controls deep-dive |
| βοΈ AWS vs Azure vs GCP | Definitive side-by-side - 10 comparison tables and a 20-row scorecard |
| Guide | What it covers |
|---|---|
| π° Cloud Security News | 120+ articles, refreshed every 3 hours from 39 sources |
| π¬ Threat Research Sources | Curated directory of vendor research, IOC feeds, advisories - includes a Supply Chain Attacks section |
| π Breach Kill Chains | 13 real cloud breaches mapped to MITRE ATT&CK |
| π°οΈ Cloud SOC & Threat Monitoring | Log-driven detection, native services, SIEM, detection engineering, IR |
| π΅οΈ Detection Engineering | Sigma, ATT&CK Cloud Matrix, detection-as-code, SIEM/lake/XDR |
| π¨ Incident Response & Forensics | IR lifecycle, EC2/EKS/Lambda evidence, memory forensics, runbooks |
| π― Cloud Pentesting & Red Teaming | AWS/Azure/GCP attack paths, Pacu/ROADtools/BloodHound, MITRE ATT&CK Cloud |
| π© CTF Challenges | 39+ hands-on cloud CTFs across AWS / Azure / GCP / Kubernetes / AI |
| Guide | What it covers |
|---|---|
| π§ Cloud Security Careers | Roles, salary bands, interview formats, portfolio projects |
| π£οΈ Cloud Security Learning Path | Beginner β working practitioner roadmap with milestones |
| πͺ Help Desk β Cloud Security | The realistic transition from IT support |
| π Cloud Security Certifications | CCSK, CCSP, AWS, Azure, GCP, CKS compared side by side |
| π Cloud Security Degree Programs | Academic paths, what to look for, named US/international universities |
| π§° Cloud Security Home Lab | Free-tier setups, budget guardrails, kill-switches |
| π οΈ Portfolio Projects | Build-it-yourself projects that prove skills to hiring managers (walkthroughs below) |
| π Cloud Security Reading List | Books, blogs, podcasts, newsletters & people to follow - staleness-checked monthly |
| π€ Mentorship | How CSOH connects mentors and mentees in the community |
| Role | Track |
|---|---|
| Cloud Security Engineer | The generalist core role |
| Cloud Security Architect | Staff+ IC design track |
| Security SRE / Platform Security Engineer | Security platform & reliability |
| Cloud AppSec / IaC Security Engineer | Shift-left, pipeline & IaC |
| CSPM / CNAPP Analyst | Posture & findings triage |
| IAM / Identity Architect | Identity-first specialization |
| Role | Track |
|---|---|
| Cloud Detection Engineer | Detection-as-code |
| Cloud Incident Responder (DFIR) | Cloud forensics & IR |
| Cloud Penetration Tester / Red Team | Offensive cloud |
| Cloud GRC / Compliance Engineer | Governance, risk, audit |
| Cloud Security Sales Engineer | Pre-sales / SE track |
| Cloud Security Customer Success Engineer | Post-sales / CSE track |
Cloud Security Portfolio Projects is a hub of build-it-yourself projects that prove cloud-security skills to hiring managers. Each has a full step-by-step walkthrough under portfolio/:
| Project | What you build |
|---|---|
| Build a multi-account AWS Org with SCPs | 3-account AWS Org, Identity Center, guardrail SCPs, centralized CloudTrail |
| Walk every CloudGoat scenario | Complete and write up Rhino's CloudGoat AWS-attack labs |
| Write a CNAPP comparison | Trial 3 CNAPPs against one vulnerable account, compare findings |
| Build 5 detections in a lab SIEM | Free SIEM + CloudTrail + Sigma rules, validated with Stratus Red Team |
| Prowler audit + remediation | Audit your own AWS account, Terraform a fix for every finding |
| Recreate the Capital One breach | Build the vulnerable SSRF/IMDSv1 stack, exploit it, then detect it |
| Contribute to OSS cloud security | Ship your first PR to Prowler / Cloud Custodian / Pacu / etc. |
| Resource | What it covers |
|---|---|
| π Friday Zoom Sessions | Every Friday 7am PT - format, speakers, and how to join |
| π¬ Community & Signal | The Signal chat and how to join the conversation between Fridays |
| π€ Mentorship | How CSOH connects mentors and mentees in the community |
| ποΈ Conferences | 27 security & hacker conferences, with pros & cons |
| Resource | What it covers |
|---|---|
| π Meeting Recaps | 102 weekly session recaps, searchable |
| π¬ Presentations | Archive of recorded talks with topic tags and direct video links |
| π¬ Chat Resources | 580+ community-shared URLs from live sessions, security-validated |
Cross-cutting entry points that sit outside the topic menus (everything else now lives under its nav section above):
| Resource | What it is |
|---|---|
| π‘οΈ Resources Directory | 370+ tools, labs, CTFs, certifications - top-level nav link, auto-refreshed weekly |
| π Site-wide Search | MiniSearch full-text index across every page, with section-anchor results and synonym expansion |
Cloud Security Office Hours is a vendor-neutral, free community founded in February 2023. We meet on Zoom every Friday at 7am PT, share what we're learning, and maintain this resource hub. Everything on the site is free, no trackers, no analytics, no on-site advertising. (The mailing list occasionally includes a clearly-labeled sponsored link from a community-aligned partner - never a separate promotional email.)
Sign up for the weekly Zoom link at csoh.kit.com. Subscribe to our cloud-security news at csoh.org/feed.xml (or visit the RSS subscribe page for setup help).
New to cloud security? It's the practice of protecting data, applications, and infrastructure hosted in cloud environments like AWS, Azure, and Google Cloud - one of the fastest-growing areas in cybersecurity.
Our recommended learning sequence:
- Get the Lay of the Land: What is Cloud Security? - vendor-neutral pillar overview of the field
- Follow the Roadmap: Cloud Security Learning Path - beginner β advanced with milestones, free labs, study targets
- Master the Fundamentals: Best Practices and the Shared Responsibility Model
- Decode the Acronyms: Glossary - 300+ terms, every cross-reference hyperlinked
- Get Hands-On: CTF Challenges and Resources for practice
- Choose a Certification: Cloud Security Certifications guide - CCSK, CCSP, AWS, Azure, GCP, CKS
- Read Real Breaches: Breach Kill Chains - see how attacks actually happen
- Join the Community: csoh.kit.com for the Friday Zoom link
- Stay Updated: News, RSS feed, or any Friday Zoom recap
Central hub featuring:
- Community overview and value proposition
- Featured resource categories with quick navigation
- Call-to-action buttons for mailing list signup (which delivers the Zoom link)
- Enhanced schema markup for improved SERP visibility
- Testimonials and member count (2000+)
Vendor-neutral pillar page introducing the field - shared responsibility model, core pillars, top threats, the CSPM/CNAPP/CWPP/CIEM tool landscape, and a pointer-rich getting-started roadmap. Targets the high-volume "what is cloud security" search query and serves as the hub that links into the rest of the site. FAQ schema for rich snippets.
Step-by-step roadmap from "no cloud experience" to working practitioner: prerequisites, beginner / intermediate / advanced stages with milestones, specialization tracks, and a "stay current" rhythm. Marked up with HowTo schema. Built from what actually works for the 2000+ members of the community.
Academic paths for cloud security: when a degree pays off, degree types and what they fit, what to look for in a program, NSA/CISA CAE and equivalent designations, named US universities (research, federal-track, applied), online and professional master's, and international programs (UK, EU, Canada, Australia, Israel, Asia). FAQ schema.
Roles and salary bands, what hiring managers actually look for, interview formats, portfolio projects, and how to translate from adjacent roles. FAQ schema. The careers hub fans out to a role-in-depth series and a portfolio-projects hub (below).
A series of one-page-per-role deep dives covering day-to-day work, the skills that actually matter, salary signals, and how to break in: Cloud Security Engineer, Cloud Security Architect (Staff+ IC), IAM / Identity Architect, Cloud AppSec / IaC Security Engineer, CSPM / CNAPP Analyst, Cloud Detection Engineer, Cloud Incident Responder (DFIR), Cloud Penetration Tester / Red Team, Security SRE / Platform Security Engineer, Cloud GRC / Compliance Engineer, Cloud Security Sales Engineer, and Cloud Security Customer Success Engineer. help-desk-to-cloud-security.html is the companion transition guide for people coming from IT support. Each role page carries FAQ schema.
A hub of build-it-yourself projects that demonstrate real cloud-security skill to hiring managers, each with a full step-by-step walkthrough under portfolio/: build a multi-account AWS Org with SCPs, walk every CloudGoat scenario, write a CNAPP comparison, build 5 detections in a lab SIEM, run a Prowler audit and Terraform the fixes, recreate the Capital One breach end to end, and ship a first OSS contribution to a cloud-security project.
A hand-curated, opinionated list of books, blogs, podcasts, newsletters, and people to follow. A monthly GitHub Actions workflow (check-reading-list-staleness.yml) discovers each source's feed and flags anything that has gone quiet - it never edits the page, only files a tracking issue for a human to review.
How CSOH connects mentors and mentees within the community, what to expect, and how to take part.
The community Signal chat and how to join the conversation between Friday sessions.
Free-tier setups across AWS / Azure / GCP, budget guardrails, kill-switches, and the lab progression that builds a real portfolio without a surprise bill.
Side-by-side comparison of the major cloud security certifications - CCSK, CCSP, AWS Security Specialty, Microsoft AZ-500/SC-100, Google PCSE, and CKS. Includes a comparison table, recommended paths by role (career switcher / established engineer / senior architect / detection specialist), and an FAQ.
Practitioner's checklist of the controls that actually prevent breaches, ordered by what shows up as root cause in our breach kill chains. Covers identity, configuration, network, data, detection, supply chain, workloads, AI, governance - plus an explicit "anti-patterns" section.
What the cloud provider secures vs. what you secure across IaaS, PaaS, SaaS, and FaaS. Includes the AWS / Azure / GCP differences (and Google's "shared fate" extension), a per-service-tier table, the contractual layer, and the gotchas behind every "who's responsible for X?" argument.
The acronym soup decoded. Side-by-side comparison of cloud-security tool categories with explicit "when do I need each" guidance, an open-source-only reference stack, and an FAQ on whether CNAPP is "just marketing" (mostly: no).
Vendor-neutral guide to containers in the cloud - what they actually are, why the boundary is process-isolation rather than tenant-isolation, the real escape paths (privileged flags, kernel CVEs, hostPath, docker.sock), identity chaining via the instance metadata service, flat networking, supply chain, minimal/hardened base images (Chainguard, Minimus, Wiz, Distroless), runtime detection, and an AWS/Azure/GCP service comparison.
Practitioner's guide to EKS / AKS / GKE - what's managed vs. what you still own, the pod-to-node-to-cloud threat arc, workload identity (IRSA / WIF / AKS Workload Identity), RBAC sprawl, Pod Security Standards, default-flat pod networking, admission control (Kyverno / OPA Gatekeeper), and a side-by-side comparison of the three managed offerings.
Practitioner's guide to AWS Lambda, Azure Functions, and Google Cloud Functions - what they are, when to use them, the good/bad tradeoffs, and the seven security risk categories: event injection from S3/SQS/HTTP triggers, identity sprawl across per-function roles, supply-chain risk, secrets handling, network egress, denial of wallet, and the observability gap.
Vendor-neutral CI/CD reference focused on cloud - pipeline anatomy, OIDC federation (replacing long-lived cloud keys), AWS / Azure / GCP per-cloud deep dives, deployment strategies (blue/green, canary, rolling), securing the pipeline itself, IaC in the pipeline, and the DORA-aligned bootstrapping path.
Cloud-side detection and response - how cloud SOC differs from packet-driven traditional SOC, the log sources that matter (CloudTrail / Activity Log / Cloud Audit Logs, identity events, VPC flow, DNS, data plane), native cloud detection (GuardDuty / Defender for Cloud / SCC), the modern SIEM landscape (Splunk, Sentinel, Chronicle, Elastic, CrowdStrike, Datadog), detection engineering as a practice, MITRE-mapped detection categories, threat intel, IR specifics, and a 4-stage SOC maturity model.
Cloud identity is the #1 root-cause category in breach reports. This page covers federation (SAML/OIDC/SCIM), RBAC vs ABAC vs ReBAC, JIT access and PAM, workload identity (IRSA / Workload Identity Federation / Managed Identities), and the per-cloud privilege-escalation paths (iam:PassRole, AssumeRole chains, GCP service-account impersonation, Azure managed-identity abuse). FAQ schema.
NIST SP 800-207 explained, the BeyondCorp origin story, the seven tenets, PDP/PEP/Policy Engine, ZTNA vs VPN, microsegmentation (host-based vs network-based vs service-mesh), continuous verification, CISA Zero Trust Maturity Model, and per-cloud patterns for AWS / Azure / GCP. Explicitly debunks "Zero Trust as a product."
VPC/VNet design, private endpoints (PrivateLink / Private Link / Private Service Connect), egress controls, DNS security, WAF / DDoS / bot management, service mesh east-west, SASE/SSE landscape, ZTNA, microsegmentation, eBPF (Cilium/Tetragon), and a flow-logs + observability section. "Egress is the new ingress" through-line.
Data classification, encryption at rest / in transit, envelope encryption with DEK/KEK, BYOK vs HYOK vs CMK, HSMs (FIPS 140-2/140-3), secrets managers (AWS Secrets Manager / Azure Key Vault / GCP Secret Manager / HashiCorp Vault), Kubernetes secrets patterns (sealed-secrets, ESO, SOPS), tokenization vs encryption, DLP, confidential computing, and database encryption nuances.
CVSS is not a priority score. The prioritization stack: CVSS β EPSS β KEV β reachability β asset criticality. SCA, SAST, DAST, container image scanning, IaC scanning, agentless vs agent-based cloud scanners, SBOM (CycloneDX/SPDX), VEX, runtime detection (eBPF), patch management in cloud, ASPM, and SLAs by severity.
OWASP API Security Top 10 (2023) walked end to end - BOLA, broken auth, BOPLA, unrestricted resource consumption, BFLA, business-flow abuse, SSRF, misconfig, inventory drift, unsafe consumption. Plus auth patterns (OAuth/OIDC/JWT pitfalls/mTLS), rate limiting, gateway landscape, schema validation, GraphQL/gRPC specifics, runtime API platforms, and testing.
The third leg of the *PM stool. Four pillars (identity / config / data / detection), the OAuth-app problem, shadow IT discovery, SSPM vs CASB, ITDR, and per-app guides for Microsoft 365, Google Workspace, Salesforce, GitHub, Slack/Teams. SSPM and CASB landscape, plus a SaaS security program model.
Why backup became a security control. 3-2-1-1-0, RTO/RPO, immutability (S3 Object Lock Compliance, Azure Immutable Storage, GCS Bucket Lock), virtual air gap, KMS key custody (the killer detail), the cloud-ransomware kill chain (encrypt backups FIRST), per-cloud landscape, restoration drills, cyber insurance reality, and tabletop scenarios.
Shostack's four questions, STRIDE / PASTA / LINDDUN compared, attack trees, MITRE ATT&CK Cloud as a threat library, OWASP Threat Dragon and Microsoft TMT, commercial platforms (IriusRisk, ThreatModeler), and three worked examples - a 3-tier AWS app, an LLM RAG app, and a multi-account landing zone.
The build side of cloud SOC. Detection-engineering lifecycle (research β develop β tune β deploy β validate), cloud logging fundamentals per cloud, Sigma + vendor detection languages, MITRE ATT&CK Cloud Matrix, detection-as-code workflow, SIEM vs Data Lake vs XDR, log retention economics, and validation tooling (Atomic / Stratus Red Team / CALDERA).
The IR lifecycle adapted for cloud. Forensic readiness before the incident (immutable log archive, dedicated forensics account, snapshot pipelines, SCPs to block evidence destruction). Evidence collection by workload type (EC2 / EKS / Lambda / S3 / IAM), memory forensics, container forensics, isolation patterns, credential rotation under incident, six standard cloud IR runbooks, retainers, and breach-notification timing.
The offensive complement to detection-engineering. Provider testing policies, RoE, methodology (PTES / ATT&CK / Hacking the Cloud), per-cloud attack paths (AWS / Azure / GCP / Kubernetes), the open-source toolkit catalog (Pacu, ROADtools, BloodHound, Cloudfox, MicroBurst, Stratus Red Team, CloudGoat, AzureHound). Explicit authorized-testing-only banner.
Governance, Risk, Compliance - the discipline that makes cloud security legible to auditors and regulators. Three pillars, framework landscape (SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP, NIST CSF, CIS, GDPR), policy-as-code, compliance-as-code, continuous compliance with CSPM/CNAPP, audit evidence in cloud, AWS Audit Manager vs Azure Policy vs GCP Assured Workloads.
The deep-dive companion to GRC: framework-by-framework breakdowns (SOC 2 Type I/II, ISO 27001/27017/27018, PCI DSS v4, HIPAA, FedRAMP Low/Mod/High + 20x, CMMC 2.0, NIST CSF 2.0, NIST SP 800-53/171, CIS Benchmarks, GDPR, SOX, NIS2, DORA, plus industry-specific). Control crosswalks, GRC platform landscape, and AWS / Azure / GCP compliance program comparison.
Securing AI workloads (distinct from ai-learning.html, which is about using AI to learn cloud security). OWASP LLM Top 10 walked item by item, OWASP ML Top 10, prompt-injection defenses, agentic AI risks, model supply chain, training-data security, vector DB and RAG security, AI governance frameworks (NIST AI RMF, EU AI Act, ISO/IEC 42001, MITRE ATLAS), and per-cloud AI service controls.
Securing east-west traffic. Istio / Linkerd / Cilium / Consul Connect, mTLS, authentication (SPIFFE/SPIRE workload identity), authorization policy, observability (Hubble, Kiali), sidecar vs sidecarless (ambient mode, eBPF), multi-cluster meshes, mesh attack surface, AWS App Mesh / Anthos Service Mesh / AKS Istio add-on.
The foundation layer - AWS Control Tower + Organizations + SCPs, Azure CAF Enterprise-scale + Management Groups + Azure Policy, GCP Org β Folders β Projects + Org Policies + VPC Service Controls. Account-vault patterns, identity layer placement, tagging strategy.
SEO-targeted hub page for the "AWS security" search intent (~10Γ the volume of "cloud security"). Well-Architected Security pillar, the full AWS service catalog (detection / identity / data / network / compliance / IR), reference landing-zone architecture, top-10 AWS misconfigurations, AWS attack paths, and discipline cross-links with #aws anchors.
Same SEO play for Azure. CAF Secure methodology, the Microsoft service catalog (Defender for Cloud / Sentinel / Entra ID / Purview / Key Vault / Front Door / NSGs), Entra-ID-vs-traditional-AD, Azure attack paths (managed identity abuse, illicit consent grants, Conditional Access bypass), and the Microsoft Defender licensing maze.
Same SEO play for Google Cloud. Encryption-by-default story, Security Command Center Standard/Premium/Enterprise, BeyondCorp Enterprise, VPC Service Controls deep-dive, GCP attack paths (service-account impersonation, deployment-manager privesc, metadata SSH-key injection), and Assured Workloads.
The definitive vendor-neutral comparison. Ten side-by-side .comparison-table blocks (identity, detection, data, network, compliance, pricing, customer identity, compute, container, serverless), conceptual differences that bite you (IAM-policy languages, org-boundary models, log pricing, VPC SC), a "which cloud for which job" guidance section, and a 20-row score-card summary.
A directory of 350+ cloud-security vendors across 30 categories - CNAPP, CSPM, KSPM, CIEM, SSPM, DSPM, SIEM, EDR/XDR, MDR, SOAR, ASPM, SAST/SCA, IaC scanning, secrets, PAM, IdP, WAF/DDoS, API security, CASB, SASE, ZTNA, DevSecOps, image hardening, supply chain, AI security, vuln mgmt, forensics, MSSPs, GRC platforms. Vendor-neutral one-liners, no rankings. Wiz affiliation disclosed.
MiniSearch-powered full-text search across every page, with section-anchor results and synonym expansion. tools/build_search_index.py builds search-index.json at deploy time (one entry per <section id> + one per glossary term), search-init.js lazy-loads it on first keystroke, and search-synonyms.json maps acronyms to expansions so NHI finds every "non-human identity" mention site-wide. CSP stays strict - script-src 'self', no unsafe-eval, no wasm-unsafe-eval.
Learn-by-example explainer for GitHub Actions, using CSOH's workflow files as the teaching material. Covers triggers, concurrency, secrets, the GITHUB_TOKEN vs PAT distinction, the workflow scope gotcha, OIDC trust to GCP, and a recommended reading order through the workflow files - every one of which is commented line by line (roughly half of each file is explanatory comments) specifically so a newcomer can read it top to bottom and understand it.
The dogfooded multi-cloud architecture: one static site served active/active from AWS (S3 + CloudFront), GCP (Cloud Run), and Azure (Blob static website) behind a single Cloudflare edge (TLS, WAF, security headers, redirects, Load Balancer with health-check failover), deployed to each cloud with keyless OIDC. Security controls called out at every layer. Pairs with the GitHub Actions explainer to give a complete CI/CD-to-cloud reference.
Learn-by-example IaC explainer, using the Terraform that provisions CSOH's own multi-cloud infrastructure (AWS, GCP, Azure, Cloudflare) as the teaching material. Every .tf file under infra/terraform/ is exhaustively commented inline - roughly two of every three lines is a comment, and even core Terraform vocabulary ("resource" vs "data", providers, state, dependencies) is explained in place - specifically so a complete newcomer can read the multi-cloud build end to end and understand it. The third leg of the "Behind the Scenes" developer-docs set alongside GitHub Actions and the multi-cloud deploy page.
Version-control fundamentals - branching, commits, pull requests, and history hygiene - taught through this repository's own workflow.
Comprehensive catalog of 370+ cloud security resources organized by 6 categories:
- CloudGoat - Open-source, AWS vulnerable environments by Rhino Security Labs
- AWSGoat - Vulnerable AWS stack from INE (formerly AppSecEngineer)
- Kubernetes Goat - K8s containerized application with intentional vulnerabilities
- AIGoat - AI/ML vulnerable applications
- Blue Team Labs - Hands-on security scenarios
- Plus 15+ additional CTF platforms (OWASP, HackTheBox, TryHackMe, etc.)
- Cybr - Free AWS security labs
- Digital Cloud Training - Comprehensive challenge labs
- AWS Well-Architected Labs - Official AWS security training
- Immersive Labs - Interactive cybersecurity training
- SecureFlag - GCP security labs
- Pwned Labs - Realistic penetration testing scenarios
- Plus 20+ additional training platforms
- CNAPP (Cloud Native Application Protection) - Runtime protection tools
- CSPM (Cloud Security Posture Management) - Configuration & compliance scanning
- KSPM (Kubernetes Security Posture Management) - K8s-specific security
- SIEM & Threat Detection - Splunk, ELK Stack, AWS Security Hub, etc.
- Compliance & Config Management - Terraform, Ansible, CloudFormation
- Vulnerability Management - Snyk, Qualys, Tenable, etc.
- AWS - Security Specialty, Solutions Architect, Database Specialty
- Azure - Security Engineer Associate, Administrator Associate
- Google Cloud - Professional Cloud Security Engineer
- Cloud Security Alliance - CCSK Certification
- Kubernetes - CKA, CKAD, CKS
- General Security - CISSP, CEH, SC-300, AZ-305
- Bootcamps & Prep Courses - Pwned Labs, AWSome Day, etc.
- AI Security Tools - Trend Micro Workload Security, etc.
- AI Vulnerable Environments - AIGoat, AI Security CTFs
- AI Security Research - Papers, whitepapers, research resources
- Job Boards - LinkedIn, Dice, CyberSecJobs, CloudSecurityJobs
- Resume Services - Resume optimization platforms
- Interview Prep - Technical interview guides
- Career Development - Mentorship, networking resources
- Latest articles sorted by publication date (newest first)
- Multi-source aggregation - SecurityWeek, KrebsOnSecurity, CrowdStrike, AWS Security Blog, Microsoft MSRC, SANS ISC, The Register, BleepingComputer, Dark Reading, Palo Alto Unit 42, CISA, and more
- Searchable & filterable by source, topic, date
- Auto-updated every 3 hours via Python news aggregation script
- Rich snippet optimization for featured search results
Community-shared resources from weekly Zoom sessions:
- 580+ URLs shared by community members during live sessions
- Security validated - All URLs automatically checked for malicious patterns
- Filterable by date, person, category - Find resources from specific sessions
- Descriptive titles - Auto-generated from page content
- Continuous protection - GitHub Actions workflow validates new URLs before merge
Information about weekly community gatherings:
- When: Every Friday at 7am PT
- Format: Expert presentations + open discussion + Q&A
- Cost: Completely free
- Registration Link: https://csoh.kit.com/39feb4f397
- Format details and speaker information
A practitioner's directory of security and hacker conferences worldwide - RSA, DEF CON, Black Hat, fwd:cloudsec, KubeCon, CCC, Troopers, OffensiveCon, HITB, NULLCON, BSides, ShmooCon, Pwn2Own, and the rest. Each entry covers what makes the event unique plus its honest pros and cons.
Archive of past Zoom session presentations:
- Recorded sessions from industry experts
- Topic tags (AWS, Azure, GCP, Kubernetes, CSPM, CNAPP, etc.)
- Dates and presentation descriptions
- Direct video links
Topic-by-topic recaps of every weekly session:
- 94+ meeting recaps with per-topic summaries and speaker notes
- Searchable, filterable by tag (AWS, Azure, AI, supply chain, conferences, etc.)
- Speaker filter - auto-detects recurring community members across recaps and surfaces a one-click filter row (Shawn, Neil, Jay, Matt, etc.) with appearance counts
- Auto-ingested from Zoom AI Companion summaries or VTT transcripts via
tools/add_meeting.py
Dedicated directory for hands-on cloud CTF challenges:
- 39+ challenges across AWS, Azure, GCP, Kubernetes, and AI security
- Includes the full Wiz Cloud Security Championship calendar
- Submit a new CTF with
python3 tools/submit_ctf.py- see CONTRIBUTING_CTFS.md
Plain-English landing page for the feed.xml feed: explains what RSS is, recommends readers (Feedly, Inoreader, NetNewsWire, Thunderbird), and gives one-click subscribe instructions.
A plain-English glossary of cloud-security acronyms and concepts:
- 300+ terms across 13 sections - cloud models, IAM, network, data, detection, the *PM family, supply-chain, ATT&CK, AI/LLM, DevOps, standards bodies
- Live search filters terms and definitions as you type, hiding sections with no matches
- Cross-linked: every glossary term mentioned in any other definition is automatically hyperlinked to its entry - see
tools/crosslink_glossary.py - Targeted terms (arrived via
#term-...anchor) get a yellow highlight so the reader can immediately spot them
Frequently asked questions covering CSOH's format, mailing list, recording policy, contributing, and presenter pitches. Backed by FAQPage schema for rich-snippet eligibility.
The mission-and-ethos page: who we are, why CSOH is vendor-neutral and free, and how the community operates. The founder bio with full Person / ProfilePage schema lives separately at about-shawn-nunley.html (see Author authority).
Community standards for every CSOH-organized space - Friday Zoom session, mailing list, GitHub repo. Covers expected and unacceptable behavior, reporting, and enforcement. Adapted from the Contributor Covenant.
Plain-English privacy policy. Short version: no cookies, no analytics, no marketing trackers, never sell or share data. The only personal data we hold is your mailing-list email. External links are scrubbed of tracking parameters before publication.
RFC 9116-compliant vulnerability disclosure policy. Mirrored at /.well-known/security.txt.
Curated directory of primary sources for cloud-focused threat intel - vendor research teams, annual threat reports, IOC feeds, attack frameworks, and government advisories. Companion to breach-timeline.html: kill chains cover specific historical incidents, threat-research is the living index of where defenders go for ongoing intel. See the full section below.
A community-maintained library of step-by-step cloud breach reconstructions, mapped to MITRE ATT&CK Cloud techniques and sourced from official post-mortems.
| Incident | Year | Provider | Key Techniques |
|---|---|---|---|
| Mitnick / Novell | 1994 | On-Prem | Social engineering, pretexting, credential theft |
| Capital One | 2019 | AWS | T1190, T1552.005, T1619, T1530 |
| SolarWinds | 2020 | Azure AD / AWS | T1195.002, T1071.004, T1606.002, T1114.002 |
| Uber | 2022 | AWS / GCP | T1078, T1621, T1552.001, T1078.004 |
| LastPass | 2022-2023 | LastPass / AWS S3 | T1195.002, T1203, T1555, T1530 |
| Storm-0558 | 2023 | Azure | T1078, T1552, T1606.001, T1114.002 |
| Microsoft SAS Leak | 2023 | Azure | T1552.004, T1530 |
| Scattered Spider / MGM | 2023 | Okta / Azure | T1598, T1078, T1484, T1486 |
| Snowflake / UNC5537 | 2024 | Snowflake | T1078.004, T1555.003, T1530, T1657 |
| Promptware | 2024-2026 | AI / LLM (Gemini, Copilot) | T1566, T1071.001, T1534, T1530 |
| Codefinger / S3 | 2025 | AWS S3 | T1552, T1078.004, T1486, T1657 |
| tj-actions/changed-files | 2025 | GitHub Actions | T1195.001, T1552.001, T1078 |
| Salesloft Drift / UNC6395 | 2025 | Salesforce / SaaS | T1528, T1078.004, T1213, T1530 |
The recurring root causes across all of these are synthesized in breach-lessons.html, and the incidents that defined this past year are collected in the 2025 Cloud Breach Year in Review.
See CONTRIBUTING_KILL_CHAINS.md for the full guide including:
- What qualifies as a good kill chain entry
- A list of candidate incidents with good post-mortems
- The HTML template to copy for a new entry
- The quality checklist before submitting
To nominate an incident without writing it yourself, open an issue using the "π New Kill Chain Request" template.
Kill chain entries require:
- A real post-mortem or official technical disclosure (vendor blog, CISA advisory, court documents)
- Step-by-step technical detail - not just a summary
- Every step mapped to a MITRE ATT&CK Cloud technique
- Actionable defender recommendations tied to specific controls
This is intentionally high-bar. A small number of deeply researched entries is more valuable than many shallow ones.
A curated directory of primary sources for cloud-focused threat research. Unlike Breach Kill Chains (which documents specific historical incidents), this page is a living index of where cloud defenders go for ongoing intel.
- Vendor Research Teams - Wiz Research, Unit 42, Mandiant, Microsoft Threat Intelligence, Google TAG, CrowdStrike Counter Adversary Ops, SentinelLabs, Datadog Security Labs, Sysdig TRT, Aqua Nautilus, Permiso, Cado Security, AWS Security Bulletins, MSRC, IBM X-Force, Trellix, Proofpoint
- Annual Threat Reports - Mandiant M-Trends, CrowdStrike Global Threat Report, Unit 42 Cloud Threat Report, Verizon DBIR, IBM X-Force Index, Datadog State of Cloud Security, CSA Top Threats, ENISA, Sophos State of Ransomware
- Notable Incidents & Post-Mortems - cross-links to
breach-timeline.htmlplus primary sources for Capital One, Storm-0558, SolarWinds, LastPass, Scattered Spider/MGM, Snowflake/UNC5537, Uber, Microsoft SAS Token Leak, Codecov, Okta HAR - IOC Feeds & Threat Intel Platforms - AlienVault OTX, abuse.ch, VirusTotal, MISP, Shodan, GreyNoise, Censys, CIRCL, Feodo Tracker, Spamhaus, IBM X-Force Exchange, OSINT Framework
- Attack Frameworks & Matrices - MITRE ATT&CK Cloud / Containers, D3FEND, Microsoft Kubernetes Threat Matrix, OWASP Cloud-Native Top 10, TheHive, Sigma, Elastic Detection Rules
- Government & Regulatory Advisories - CISA (+KEV), FBI IC3, NSA, UK NCSC, ACSC, NIST NVD, CVE.org
Edit threat-research.html directly - each link is a standard .resource-card in the same format as resources.html and presentations.html. Open a PR with:
- A link to the primary research output (blog index, report landing page, or feed URL - not a marketing page)
- A one-sentence description of what's unique about the source
- 2-3 tags (use existing tag classes where possible:
ctf,tool,lab,certification,job,ai-security,new)
- Static HTML - no database, no server-side code. Published active/active to AWS, GCP & Azure behind a single Cloudflare edge via keyless OIDC (see How Automation Works).
- URL-safety gate - every PR is scanned for unsafe URLs before merge (
check_all_site_urls.py). - RSS feed -
feed.xmlregenerated with each news update. See RSS_FEED_README.md. - Dark mode - toggle plus
prefers-color-schemedetection, persisted inlocalStorage. - Schema markup - NewsArticle, FAQPage, Organization, Event, CollectionPage.
- Accessibility - semantic HTML5, ARIA labels, WCAG AA contrast in both themes.
- Search + tag filtering on news and resources pages.
csoh.org/
βββ index.html # Homepage with hero section & category overview
βββ what-is-cloud-security.html # Pillar: vendor-neutral cloud-security overview (FAQ schema)
βββ learning-path.html # Beginnerβadvanced roadmap (HowTo schema)
βββ cloud-security-degree-programs.html # Academic paths and university programs (FAQ schema)
βββ cloud-security-careers.html # Roles, salaries, interviews, portfolio (FAQ schema)
βββ cloud-security-home-lab.html # Free-tier setups, budget guardrails, kill-switches
βββ cloud-security-certifications.html # CCSK / CCSP / AWS / Azure / GCP / CKS comparison
βββ cloud-security-reading-list.html # Curated reading list (staleness-checked monthly)
βββ cloud-security-portfolio-projects.html # Portfolio projects hub (walkthroughs in portfolio/)
βββ cloud-security-<role>.html # Career role-in-depth series: engineer, architect,
β # iam-architect, appsec-engineer, cnapp-analyst,
β # detection-engineer, incident-responder, penetration-tester,
β # platform-engineer, grc-engineer, sales-engineer,
β # customer-success-engineer (FAQ schema)
βββ help-desk-to-cloud-security.html # Transition guide: IT help desk -> cloud security
βββ github-actions.html # Learn GitHub Actions via our heavily-commented workflows
βββ cloud-deployment.html # Multi-cloud deploy architecture (the dogfooded stack)
βββ terraform.html # Learn Terraform via our own multi-cloud IaC
βββ version-control.html # Git & version-control fundamentals via this repo
βββ resources.html # Main resource directory (370+ resources in 6 categories)
βββ news.html # Cloud security news (120+ articles)
βββ chat-resources.html # Community-shared URLs from Zoom sessions (580+ URLs)
βββ sessions.html # Weekly Zoom session information
βββ community.html # Community & Signal chat
βββ mentorship.html # Community mentorship program
βββ presentations.html # Archive of recorded presentations
βββ meetings.html # Weekly meeting recaps (94+ entries, topic-by-topic)
βββ ctfs.html # Dedicated cloud CTF directory (39+ challenges)
βββ conferences.html # Security & hacker conferences directory with pros/cons
βββ rss.html # Landing page explaining the RSS feed to subscribers
βββ glossary.html # 300+ cloud security terms with live search & cross-links
βββ faq.html # Frequently asked questions (FAQPage schema)
βββ code-of-conduct.html # Community Code of Conduct
βββ privacy.html # Privacy Policy (no cookies, no trackers, no on-site ads)
βββ about.html # About CSOH: mission and ethos
βββ about-shawn-nunley.html # Founder bio (Person / ProfilePage schema, E-E-A-T)
βββ breach-timeline.html # Index of breach kill chains (per-breach pages live in /breaches/)
βββ breaches/ # 13 per-breach kill chain pages (Capital One, SolarWinds, etc.)
βββ meetings/ # 102 per-meeting recap pages (split from meetings.html)
βββ portfolio/ # 7 hands-on portfolio-project walkthroughs (see hub page above)
βββ cloud-security-best-practices.html # Practitioner's controls checklist
βββ shared-responsibility-model.html # Provider vs. customer security split
βββ cspm-vs-cnapp.html # Tool-category comparison
βββ landing-zones.html # Cloud foundations (AWS / Azure / GCP reference designs)
βββ containers.html # Container security: boundary, escapes, IMDS, supply chain
βββ kubernetes.html # Kubernetes & managed K8s (EKS / AKS / GKE) security
βββ serverless.html # Lambda / Functions security - event injection, IAM, denial of wallet
βββ ci-cd.html # CI/CD pipelines for cloud, OIDC federation, deploy strategies
βββ cloud-soc.html # Cloud threat monitoring, SIEM, detection engineering, IR
βββ threat-research.html # Curated cloud threat research directory
βββ contribute.html # General contributions guide
βββ contribute-resources.html # Resource submission web form / guide
βββ security-policy.html # Security disclosure policy page
βββ kevin-mitnick.html # Special resource page
βββ 403.html # Custom 403 (Forbidden) error page
βββ 404.html # Custom 404 (Not Found) error page
β
βββ style.css # Main stylesheet (responsive design + dark mode)
βββ main.js # Shared interactive features (search, filter, sort, dark mode)
βββ chat-resources.js # chat-resources.html-specific filtering/search
βββ meetings.js # meetings.html-specific index + filters + speaker filter
βββ glossary.js # glossary.html-specific search/filter
βββ breach-timeline.css # breach-timeline.html-specific styles
βββ breach-timeline.js # breach-timeline.html-specific tab/panel logic
βββ feed.xml # RSS feed (auto-generated by update_news.py)
βββ meetings-search-index.json # Search index for meeting recaps (auto-generated)
β
βββ sitemap.xml # XML sitemap for search engines
βββ robots.txt # Search engine crawling rules
βββ security.txt # Security.txt (root copy)
βββ .well-known/ # Well-known endpoints
β βββ security.txt # Security.txt (RFC 9116 location)
β
βββ img/ # Images and preview thumbnails
β βββ previews/ # Resource preview images
βββ chat-screenshots/ # Per-URL screenshots shown in chat-resources.html
β
βββ tools/ # Automation and maintenance scripts
β βββ submit_resource.py # Interactive tool for submitting new resources
β βββ submit_news_source.py # Interactive tool for submitting news sources
β βββ submit_ctf.py # Interactive tool for submitting cloud CTFs
β βββ add_meeting.py # Append a new meeting recap from an Apple Notes HTML export
β βββ fetch_zoom_transcript.py # Pull a VTT transcript from a Zoom cloud recording (OAuth)
β βββ backfill_zoom_summaries.py # Bulk-import Zoom AI Companion meeting summaries
β βββ generate_preview.py # Generate preview screenshots for resources
β βββ generate_rss.py # Regenerate feed.xml from news.html
β βββ normalize_urls.py # URL normalizer (tracking params, HTTPS, redirects)
β βββ check_url_safety.py # Core URL safety validator with pattern matching
β βββ check_all_site_urls.py # Comprehensive site-wide URL scanner
β βββ update_sitemap.py # Refresh sitemap.xml <lastmod> dates from git history
β βββ update_presentations_schema.py # Regenerate VideoObject JSON-LD on presentations.html
β βββ crosslink_glossary.py # Auto-link every glossary term mention to its <dt> entry
β βββ crosslink_pages.py # Auto-link glossary terms across the rest of the site
β βββ build_meetings_search_index.py # Build meetings-search-index.json from meetings.html
β βββ build_search_index.py # Build site-wide search-index.json (sections + glossary)
β βββ sync_chrome.py # Stamp ONE canonical nav + footer onto every page
β βββ inject_meeting_topic_links.py # Inject contextual topic-page links into recaps
β βββ generate_og_images.py # Generate 1200x630 OG social images (top-level pages)
β βββ generate_meeting_og_images.py # Generate OG images for meeting recaps
β βββ generate_news_banners.py # Generate banner images for news sources
β βββ generate_webp.py # Generate .webp siblings for raster images
β βββ wrap_img_webp.py # Wrap <img> in <picture> with a WebP <source>
β βββ run_seo_audit.py # Deterministic structural SEO audit -> SCORECARD
β βββ check_pagespeed.py # Google PageSpeed Insights run -> SCORECARD
β βββ check_lighthouse.py # Lighthouse SEO / a11y / perf threshold check
β βββ check_mobile_layout.py # Mobile layout regression check
β βββ check_news_banners.py # Verify every news source has a banner image
β βββ check_no_inline_scripts.py # CI gate: no inline <script> blocks in HTML
β βββ check_svg_dimensions.py # CI gate: width/height on every <svg> with viewBox
β βββ check_reading_list_staleness.py # Flag stale reading-list sources (monthly)
β βββ SUBMIT_RESOURCE_README.md # Interactive resource submission docs
β βββ SUBMIT_RESOURCE_EXAMPLE.md # Walkthrough example for the resource tool
β βββ SUBMIT_NEWS_SOURCE_README.md # News source submission docs
β βββ SUBMIT_CTF_README.md # CTF submission docs
β βββ ADD_MEETING_README.md # Meeting recap ingest docs
β βββ FETCH_ZOOM_TRANSCRIPT_README.md # Zoom transcript fetch docs (OAuth setup)
β βββ BACKFILL_ZOOM_SUMMARIES_README.md # Bulk Zoom AI Companion backfill docs
β βββ GENERATE_PREVIEW_README.md # Preview image generation docs
β βββ CHECK_URL_SAFETY_README.md # URL safety checker docs
β βββ UPDATE_NEWS_README.md # News aggregation pipeline docs
β βββ UPDATE_SRI_README.md # SRI hash generator docs
β βββ UPDATE_SITEMAP_README.md # Sitemap refresher docs
β βββ UPDATE_PRESENTATIONS_SCHEMA_README.md # Presentations VideoObject schema docs
β βββ CROSSLINK_GLOSSARY_README.md # Glossary cross-linking docs
β βββ CROSSLINK_PAGES_README.md # Cross-page glossary term linking docs
β
βββ update_news.py # News aggregation script (39 RSS feeds, runs every 3 hours)
βββ update_sri.py # Updates SRI hashes & cache-bust params across HTML files
β
βββ .github/workflows/
β βββ update-news.yml # Automated news + RSS feed updates (every 3 hours)
β βββ update-resources.yml # Weekly auto-generation of resource previews
β βββ site-update-deploy.yml # Unified workflow: SRI, URL normalization, previews, presentations schema, sitemap, deploy
β βββ check-url-safety.yml # URL safety validation on PRs + weekly
β βββ normalize-urls.yml # Monthly URL normalization (tracking params, redirects)
β βββ validate-html.yml # HTML5 validation on PRs + weekly
β βββ lint.yml # actionlint + ruff + yamllint on every push/PR
β βββ check-broken-links.yml # Broken link checker (PRs + weekly)
β βββ check-reading-list-staleness.yml # Monthly reading-list feed staleness -> tracking issue
β βββ check-meeting-staleness.yml # Weekly check that the newest recap isn't stale -> sticky issue
β βββ check-pagespeed.yml # Weekly Google PageSpeed Insights run β SCORECARD row + regression issue (Mon 14:00 UTC)
β βββ run-seo-audit.yml # Weekly deterministic structural SEO audit β SCORECARD row + regression issue (Mon 14:15 UTC)
β βββ deploy.yml # Build once, publish to AWS + GCP + Azure (keyless OIDC)
β βββ CHECK_URL_SAFETY_WORKFLOW.md # Workflow configuration notes
β
βββ preview-mapping.json # Metadata for resource previews
β
βββ .htaccess # Apache server config (security headers, caching, compression)
βββ nginx.conf # Nginx server config (Docker deployments)
βββ Dockerfile # Container build for local/Docker deployments
βββ docker-compose.yml # Compose config for the Dockerized site
βββ .env.example # Template for Zoom OAuth + other secrets (.env is gitignored)
βββ .lychee.toml # Config for the broken-link-checker workflow
βββ .yamllint.yml # Config for the yamllint job in lint.yml
βββ pyproject.toml # Config for the ruff job in lint.yml (Python lint)
βββ .editorconfig # Editor consistency rules
βββ .dockerignore # Files excluded from the Docker build context
β
βββ infra/ # Infrastructure-as-code for the multi-cloud deploy
β βββ README.md # Architecture, cost, and cutover runbook
β βββ terraform/ # Terraform for AWS, GCP, Azure & Cloudflare - every .tf file
β β # commented line by line so a newcomer can read it
β βββ aws/ # S3 + CloudFront origin, OIDC deploy role
β βββ gcp/ # Cloud Run origin, Workload Identity Federation, Artifact Registry
β βββ azure/ # Blob static-website origin, federated identity
β βββ cloudflare/ # Edge: zone, rules, active/active load balancer + health checks
β
βββ CONTRIBUTING.md # Umbrella contributing guide
βββ CONTRIBUTING_RESOURCES.md # Contributing resources specifically
βββ CONTRIBUTING_CTFS.md # Contributing CTFs specifically
βββ CONTRIBUTING_KILL_CHAINS.md # Contributing breach kill chains specifically
βββ DEVELOPMENT.md # Local development setup & architecture
βββ SECURITY.md # Security reporting policy
βββ RSS_FEED_README.md # RSS feed usage guide for subscribers
βββ .gitignore # Git exclusion rules
βββ README.md # This file
βββ LICENSE # Open content license
Fastest option: Run python3 tools/submit_resource.py to add a resource interactively.
Script guide: tools/SUBMIT_RESOURCE_README.md
- Open
resources.htmlin your editor - Locate the appropriate section (CTF, Labs, Tools, etc.)
- Add a new resource card before the closing
</div>of the section:
<a href="https://resource-url.com" target="_blank" class="card-link" rel="noopener noreferrer">
<div class="resource-card" data-tooltip="Extended 2-3 sentence description shown on hover. Cover what makes it unique, who benefits most, and prerequisites or cost.">
<img src="img/previews/resource-url.com.jpg" alt="Preview" class="resource-preview">
<h3>Resource Name</h3>
<p>Brief description of what this resource offers and why it's valuable for cloud security professionals.</p>
<div class="resource-tags">
<span class="tag">AWS</span>
<span class="tag">Security</span>
<span class="tag new">NEW</span>
</div>
</div>
</a>Preview images: If you do not have a preview image, the workflow will automatically capture a screenshot and update preview-mapping.json after you open a PR.
- Commit and push to update the live site
News articles are updated automatically - you don't need to add them by hand. A GitHub Actions workflow runs every 3 hours, pulls articles from 39 cloud security RSS feeds, and creates a pull request with the new content. See the How Automation Works section below for details, or read the full docs in tools/UPDATE_NEWS_README.md.
To add a new news source, either:
- Run
python3 tools/submit_news_source.py(interactive, recommended) - Or edit the
FEEDSlist at the top ofupdate_news.pymanually
Script guide: tools/SUBMIT_NEWS_SOURCE_README.md
-
For Sessions: Edit
sessions.htmlto add session details -
For Presentations: Edit
presentations.htmland add a new card with:- Date and title
- Speaker name
- Description
- Topic tags
- Video/presentation link
Meeting recaps live on meetings.html and are ingested from Zoom, not written by hand. Two automation paths:
- Single meeting from a VTT transcript:
python3 tools/fetch_zoom_transcript.pypulls the transcript from your Zoom cloud recording, thenpython3 tools/add_meeting.py <note>appends a new<article>block tomeetings.html. See tools/FETCH_ZOOM_TRANSCRIPT_README.md and tools/ADD_MEETING_README.md. - Bulk backfill from Zoom AI Companion summaries:
python3 tools/backfill_zoom_summaries.pyimports every AI Companion summary on the account in one pass. See tools/BACKFILL_ZOOM_SUMMARIES_README.md.
Both require Zoom Server-to-Server OAuth credentials in a local .env (see .env.example).
Run python3 tools/submit_ctf.py to add a challenge to ctfs.html interactively. See tools/SUBMIT_CTF_README.md for the script, or CONTRIBUTING_CTFS.md for the full contribution guide.
- Open
glossary.htmland locate the right<h2 id="...">section (cloud models, compute/containers, IAM, network, data, detection, posture, vuln, compliance, attack, AI, ops, standards bodies). - Add a new
<dt>...</dt>+<dd>...</dd>pair anywhere inside that section's<dl class="glossary-list">. Format the headword asABBR - Long Formor justTerm Name; aliases can be separated by/. - Run
python3 tools/crosslink_glossary.py- it will:- Add an
id="term-..."to your new<dt>. - Hyperlink your new term wherever it appears in other definitions.
- Hyperlink any existing terms that appear in your new definition.
- Add an
- Update the search-bar count and OG description if the total moved past a round number.
The script is idempotent and safe to re-run. See tools/CROSSLINK_GLOSSARY_README.md for details.
Edit the "Resource Categories" section in index.html to:
- Change category descriptions
- Modify call-to-action buttons
- Adjust hero section messaging
This site uses GitHub Actions workflows to automate all major site updates. Most automation is now handled by a unified workflow that runs all key steps in sequence, only when needed.
Workflow file: .github/workflows/site-update-deploy.yml
Triggers on pushes to main when these files change:
*.htmlstyle.css,main.js,chat-resources.js,breach-timeline.css,breach-timeline.jschat-screenshots/**,img/**update_sri.py- Manual trigger via the GitHub Actions tab
What it does (housekeeping only - actual deploy is deploy.yml):
- Updates SRI hashes and cache-busting tags if CSS/JS changed (using
update_sri.py) - Checks URL safety - blocks normalization if unsafe URLs are detected (using
check_all_site_urls.py) - Normalizes URLs - strips tracking parameters, upgrades HTTP to HTTPS, resolves redirects (using
normalize_urls.py) - Regenerates the
VideoObjectJSON-LD onpresentations.html(usingupdate_presentations_schema.py) - Rebuilds the meetings.html search index
- Refreshes
<lastmod>dates insitemap.xmlfrom git history (usingupdate_sitemap.py) - Generates preview images for new resources in
resources.html(usinggenerate_preview.py) - Optimizes generated images
- Each step that mutates files commits the change back to
main(with[skip ci]markers) so the next workflow run sees fresh state
Why this is separate from the deploy: the housekeeping commits this workflow makes (SRI updates, sitemap refreshes, etc.) are themselves what triggers deploy.yml - that workflow watches the same paths and picks up the post-housekeeping state. Splitting them keeps each workflow's responsibility narrow.
News updates are still handled by a separate scheduled workflow (update-news.yml) that runs every 3 hours and creates a PR with new articles. Once merged, the housekeeping workflow runs against the new content, then deploy.yml ships it.
Workflow file: .github/workflows/normalize-urls.yml
In addition to the URL normalization that runs as part of every deploy, a standalone monthly workflow performs a deeper pass across all HTML files:
- Schedule: Monthly on the 1st at 08:00 UTC (also available via manual trigger)
- What it does:
- Checks URL safety first - blocks normalization if unsafe URLs are found
- Strips tracking parameters (
utm_*,fbclid,gclid,msclkid, etc.) - Upgrades HTTP links to HTTPS
- Resolves redirecting URLs to their final destinations
- Output: Creates a PR with a detailed report of all changes, auto-approved for review
Full docs: See tools/UPDATE_SRI_README.md, tools/GENERATE_PREVIEW_README.md, tools/UPDATE_NEWS_README.md, and tools/CHECK_URL_SAFETY_README.md
Workflow file: .github/workflows/deploy.yml
Builds the site once, then publishes it active/active to three cloud origins behind Cloudflare. This is the workflow that actually publishes csoh.org to production.
Triggers on pushes to main when these files change:
- The same path filters as
site-update-deploy.yml(HTML, CSS, JS, screenshots, images) Dockerfile,nginx.conf,tools/stage_site.sh,tools/site-publish.filter,.github/workflows/deploy.yml- Manual trigger via the GitHub Actions tab
What it does - build once, fan out:
- build: regenerates the search index and runs
tools/stage_site.shto producedist/(the public file set - mirrors nginx block rules + the Dockerfile strip list), uploaded as an artifact so all origins serve byte-identical content. - publish-aws: assumes an IAM role via OIDC,
aws s3 sync --deleteto the private bucket, invalidates CloudFront. - publish-azure: logs in via an Entra federated credential (OIDC),
az storage blob syncinto the$webstatic-website container. - publish-gcp: builds the
Dockerfile(digest-pinnednginx:1.27-alpine+apk upgrade), Trivy-scans (fails on fixable HIGH/CRITICAL), pushes an immutable SHA tag to Artifact Registry, deploys a Cloud Run revision. Auth is Workload Identity Federation - no stored key.
Every cloud uses keyless OIDC - no long-lived cloud credentials in the repo. Non-secret resource IDs come from repo Variables (see infra/README.md).
Edge in front of all three origins: Cloudflare (Free plan + Load Balancing add-on) terminates TLS, caches, runs the WAF (free managed ruleset), sets security headers, applies legacy redirects, and load-balances active/active across the origins with health-check failover. (This replaced the old GCP Global HTTPS load balancer + Cloud Armor + Cloud CDN, which were redundant with Cloudflare and cost ~$100/mo.)
Full architecture, cost, and cutover runbook: infra/README.md. The full security walkthrough is the public teaching page cloud-deployment.html. Security model and rotation: SECURITY.md β Deployment Security.
Workflows authenticate to GitHub via a GitHub App (csoh-ci) that mints short-lived (~1h) installation tokens at job start, plus a small fine-grained PAT (CSOH_PAT) used only to approve App-opened PRs (GitHub blocks self-approval). The full model - App config, ruleset bypass, why one PAT remains - is documented in SECURITY.md β CI/CD Authentication. Setup / rotation steps for the PAT are in tools/UPDATE_NEWS_README.md.
deploy.yml does not use the GitHub App - it authenticates to each cloud via keyless OIDC (GCP Workload Identity Federation, an AWS IAM role, an Azure Entra federated credential) and only needs the auto-injected GITHUB_TOKEN (with id-token: write for the OIDC exchanges). There is no cloud-side credential to set up or rotate for any of the three.
Two complementary workflows run every Monday around 14:00 UTC to keep seo-audits/SCORECARD.md current without manual cadence. Both follow the same csoh-ci App + CSOH_PAT pattern as update-news.yml: PR-based update, auto-approved, auto-merged. The deploy and site-housekeeping workflows have path filters that exclude seo-audits/, so SCORECARD-only changes naturally don't trigger a redeploy. Both file a tracking issue (label regression) if the overall score dropped vs the previous row.
check-pagespeed.yml - Mondays 14:00 UTC
Runs tools/check_pagespeed.py against https://csoh.org/ - mobile + desktop in parallel - using Google's PageSpeed Insights v5 API. Captures the four Lighthouse category scores (Performance / Accessibility / Best Practices / SEO), lab Core Web Vitals (LCP, CLS, TBT, FCP, Speed Index), and for any category < 100 the specific failing audit IDs plus the failing DOM nodes' CSS selectors. Appends a row to the PageSpeed Insights table in SCORECARD.md. Requires PSI_API_KEY repo secret (free key from console.cloud.google.com/apis/credentials, restricted to "PageSpeed Insights API").
run-seo-audit.yml - Mondays 14:15 UTC
Runs tools/run_seo_audit.py - a deterministic structural SEO audit across every indexable HTML page (top-level + breaches + portfolio + meetings; the script counts them at runtime). Mirrors the mechanical checks the /seo-audit skill does: canonical, title 30-65 chars, meta description 100-165 chars, og:image β banner.png, full Twitter Card, single H1, robots meta, JSON-LD presence, image alt coverage, <html lang>. Writes a per-day report under seo-audits/YYYY-MM-DD.md and appends a row to the Internal SEO audit table. Stdlib-only, no API costs, no LLM calls.
For qualitative depth (internal-linking strategy, content depth, AI visibility, topical authority) that the deterministic script can't reason about, invoke /seo-audit from Claude Code manually and add a row off-cycle.
Full docs: tools/CHECK_PAGESPEED_README.md, tools/RUN_SEO_AUDIT_README.md.
Workflow file: .github/workflows/check-reading-list-staleness.yml
Once a month, tools/check_reading_list_staleness.py walks every podcast / blog / newsletter / YouTube channel on cloud-security-reading-list.html, discovers its RSS/Atom feed, and flags anything whose newest post is older than the threshold. The reading list is hand-curated and opinionated, so this workflow never edits the page - it only opens (or updates) a single tracking issue with the report for a human to act on.
Full docs: tools/CHECK_READING_LIST_STALENESS_README.md.
CSOH is engineered for organic discovery across traditional search (Google, Bing), AI search/answer engines (ChatGPT, Perplexity, Claude, Gemini), and social previews (LinkedIn, Twitter/X, Slack). The site uses no tracking, no analytics, and no third-party scripts - just clean semantic HTML, structured data, and disciplined metadata.
Page-level schema - each page declares what kind of thing it is:
- β
Article / NewsArticle - pillar pages and the news index, with
datePublished,dateModified,author,publisher - β HowTo + HowToStep - step-by-step content (e.g. learning path, GitHub Actions guide)
- β Course + CourseInstance - learning-path roadmap and certifications comparison (Google Course rich result eligible)
- β FAQPage + Question / Answer - 60 pages with structured Q&A for featured snippets
- β CollectionPage - resource hub pages eligible for sitelinks rich results
- β Event + VirtualLocation + Schedule - weekly Friday Zoom session
- β
VideoObject - each YouTube talk on
presentations.htmland meeting recaps - β DefinedTermSet - the glossary, with 300+ individual terms
Entity schema - who/what is responsible for the content:
- β Organization - CSOH itself, with founding date, contact point, sameAs links, search action
- β
Person + ProfilePage - founder bio with
jobTitle,worksFor,founder,knowsAbout,sameAs - β
Author attribution - pillar articles credit the Person via
@idreference (E-E-A-T signal) - β ItemList - certifications comparison, news listings, and resource directories
- β BreadcrumbList - full navigation hierarchy on every content page
- β
Dedicated bio page at
/about-shawn-nunley.htmlwith full Person schema - β Visible "About the author" card at the bottom of all pillar articles (65 pages and counting)
- β Visible byline + footer "Founded by" link site-wide
- β
rel="author"on every author link - β
sameAsexternal profile links (LinkedIn, GitHub, csoh.org)
- β
sitemap.xml- 218 URLs,<lastmod>refreshed from git commit dates on every deploy (tools/update_sitemap.py) - β
robots.txt- Allow: / for all major crawlers, plus explicit allow-rules for 21 AI/LLM bots (GPTBot, ClaudeBot, PerplexityBot, Google-Extended, Applebot-Extended, CCBot, MistralAI-User, Cohere, etc.) - β
RSS feed (
feed.xml) for the news aggregator - β
humans.txtfor human-readable credits, linked via<link rel="author"> - β
security.txtat the well-known location for vulnerability disclosure - β Site-wide canonical URLs to consolidate ranking signals
- β Glossary cross-linking - first occurrence of each of 300+ terms auto-linked to the glossary on every content page (tools/crosslink_pages.py)
- β Open Graph + Twitter Card meta on every indexable page (title, description, type, url, image)
- β
Per-article social images - 170+ unique 1200Γ630 JPG previews under
img/og/(top-level pages via tools/generate_og_images.py, 102 meeting recaps via tools/generate_meeting_og_images.py) so each page has its own LinkedIn/Slack/Twitter preview, not a generic site banner - β
og:type: profile on the bio page withprofile:first_name/profile:last_name
- β
WebP everywhere - homepage banner, all 36 news-source banners, and the author photo all serve WebP via
<picture>with JPG/PNG fallback (β40-60% smaller payloads) - β
<link rel="preload">for critical CSS, with SRI integrity hashes auto-updated on every deploy - β
loading="lazy"on below-the-fold images - β
width/heightattributes on every<img>to prevent CLS - β
decoding="async"on hero images - β
PWA manifest (
manifest.json) + 192/512 maskable icons β "Add to Home Screen" eligible
- β Title tags 45-60 chars, meta descriptions 120-160 chars on every indexable page
- β
One
<h1>per page, semantic heading hierarchy - β
alttext on every content image - β Skip links + ARIA labels for accessibility (which Google increasingly weighs)
- β
lang="en"on<html>for international targeting
- β Zero cookies, zero trackers, zero third-party analytics
- β Strict Content-Security-Policy
- β HSTS preload-eligible
- β All external scripts blocked at the CSP layer
The result: rich-snippet eligibility across Google's full catalog of result types, full author entity wiring for E-E-A-T, AI-search citation eligibility, and Core Web Vitals headroom from a static-HTML stack with no JS frameworks.
Want to help improve CSOH? We have beginner-friendly guides for contributing - no coding experience needed!
- Interactive Resource Submission Tool - Automated Python script with URL validation and PR creation
- Interactive News Source Submission Tool - Add RSS/Atom feeds with the interactive script
- How to Add a Resource - Step-by-step guide for adding cloud security resources (tools, labs, certifications, etc.)
- General Contributions - Guide for all other contributions:
- Adding news sources for our automated news aggregation
- Improving descriptions and content
- Suggesting resource reorganization
- Reporting bugs or broken links
- Feature requests and ideas
Easy options (no coding required):
- Report an issue - Found a bug? Have a suggestion?
- Join the mailing list - Get the weekly Zoom link and meeting info
- Add a resource - Use our web-based guide (copy/paste method)
- Use the submission tool - Interactive Python script (automated)
- Add a news source - Interactive Python script
For developers: See DEVELOPMENT.md for the full local setup guide, project architecture, and testing instructions.
- Fork the repository
- Create a feature branch:
git checkout -b add-resource - Run
python3 -m http.server 8091and preview athttp://localhost:8091 - Make changes and test locally (check light mode, dark mode, and mobile layout)
- Commit with clear messages:
git commit -m "Add AWS security labs resource" - Push to your fork:
git push origin add-resource - Create a Pull Request
- All resources must be free or freemium (or worth including as premium option)
- Ensure working links before submitting
- Add descriptive tags (AWS, Azure, GCP, Kubernetes, CTF, Tools, Labs)
- Maintain vendor neutrality - no paid sponsorships without disclosure
- Follow existing HTML/CSS conventions
- Mailing List: https://csoh.kit.com/39feb4f397 - 2000+ subscribers; sign up to receive the weekly Friday Zoom link (7am PT)
- GitHub: https://github.com/CloudSecurityOfficeHours/csoh.org
- Email: admin@csoh.org for general questions or to reach community admins
- Issues: Create a GitHub issue
- Friday Zoom: Bring questions live - sign up at csoh.kit.com for the link
- β€οΈ Star this repository
- π Share CSOH with your network
- π¬ Contribute resources or improvements
- π° Donate via PayPal (optional, fully community-run)
- π€ Code of Conduct - community standards across Friday Zoom, mailing list, and GitHub
- π Privacy Policy - no cookies, no trackers, no on-site ads
- π Security Policy / SECURITY.md - coordinated disclosure
This project is dual-licensed:
- Website Code (HTML markup, CSS, JS, Python, config): MIT License - fork, modify, and reuse freely with attribution.
- Editorial Content (articles, guides, glossary entries, breach reconstructions, resource descriptions): CC BY-NC-ND 4.0 - you may share with attribution, but no commercial use and no derivative works without permission.
- Linked Resources: Property of their respective creators/owners.
- News Articles: Linked to original sources with proper attribution.
For commercial licensing, republication, or permission to create derivatives, contact the site owner via about-shawn-nunley.html.
Copyright Β© 2023-2026 Cloud Security Office Hours / Shawn Nunley
For the latest updates and announcements, sign up for the mailing list.