Hi, I am a PhD candidate at the chair Security in Telecommunications (SecT) at the Technische Universität Berlin, Germany. My research topics belong to network and software security with a strong focus on web security. As part of my research assistant position at the university, I also teach students and supervise theses or projects. If you are looking for a collaboration partner or a supervisor, feel free to contact me.
Further, I participate in CTFs as part of ENOFLAG and lead the student club AG Rechnersicherheit e.V. I also do IT-Sec Freelance Work and give talks at various conferences.
Publications
Here is a list of academic publications I was involved with:
Fix it - If you can! Towards Understanding the Impact of Tool Support and Domain Owners
ACSAC 2025
Publication ⟶
Do (Not) Tell Me About My Insecurities: Assessing the Status Quo of Coordinated Vulnerability Disclosure in Germany Amid New EU Cybersecurity Regulations
EuroUSec 2025
Publication ⟶
What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications
AsiaCCS 2024; Paper award: 1st place @ CSAW 2024 Applied Research Competition
Publication ⟶
Bringing UFUs Back into the Air With FUEL: A Framework for Evaluating the Effectiveness of Unrestricted File Upload Vulnerability Scanners
DIMVA 2024
Publication ⟶
Oh SSH-it, What’s My Fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS
CANS 2022
Publication ⟶
The Elephant in the Background: A Quantitative Approach to Empower Users Against Web Browser Fingerprinting
WPES 2021
Publication ⟶
Awards & Certificates
Here is a list of awards and certificates for the academic work:
1st place @ ACSAC CTF 2025
I took 1st place at the ACSAC 2025 conference CTF.
ACSAC 2025 / Details ⟶
Knowledge Badge "Teaching Without Barriers"
I successfully earned the IAAP DACH Knowledge Badge 'Barrierefrei lehren' by developing and demonstrating my expertise in accessible digital teaching.
IAAP DACH / Details ⟶
Qualified TU Berlin Certificate for Teaching in Higher Education
Throughout the past years, I attended many courses on teaching in higher education, completed the accredited "Teaching for University's Best" course and obtained the qualified teaching certificate from the accredited ZEWK.
ZEWK / Details ⟶
1st place @ CSAW'24 Applied Research Competition, Valence, France
The PHUZZ publication was awarded 1st place @ CSAW's Applied Research Competition.
CSAW / Details ⟶
Scientific & Community Services
I'm always eager to contribute back to the academic and non-academic IT security community:
External Reviewer for EuroUSec 2025
Volunteered to review submissions to the European Symposium on Usable Security 2025 conference.
EuroUSec 2025 / Details ⟶
Artifact Evaluation Committee for WiSec 2025
Volunteered to review artifacts submitted to the 18th ACM Conference on Security and Privacy in Wireless and Mobile Networks.
WiSec 2025 / Details ⟶
Dialog für Cybersicherheit (Dialogue for Cybersecurity)
Representing the scientific shareholders in the dialogue for cybersecurity for the workstream on the "Weiße Karte" (white card). Participation in the "Denkwerkstatt" (thought workshop).
DiCySi / Details ⟶
Submission Review for DIMVA 2023 (Support)
Supported reviewing a submission for the conference's program.
DIMVA 2023 / Details ⟶
Teaching
Here is a list of courses that I was a lecturer or teaching assistant for:
Student Research Opportunities Program (StuROPx): 'AI Caramba': Schwachstellen, Herausforderungen und Chancen von generativer KI in der IT-Sicherheit
A project-based lecture where students focus on researching the impact of LLMs for security and vulnerability research.
Course description ⟶
Websecurity
A lecture on web security covering the well-known vulnerability classes (OWASP TOP 10) from an attacker's and defender's perspective.
Course description ⟶
International Information Security Contest
A project where students develop CTF-services for an international Attack-Defense CTF.
Course description ⟶
Websecurity
A lecture on web security covering the well-known vulnerability classes (OWASP TOP 10) from an attacker's and defender's perspective.
Course description ⟶
International Information Security Contest
A project where students develop CTF-services for an international Attack-Defense CTF.
Course description ⟶
Websecurity
A lecture on web security covering the well-known vulnerability classes (OWASP TOP 10) from an attacker's and defender's perspective.
Course description ⟶
International Information Security Contest
A project where students develop CTF-services for an international Attack-Defense CTF.
Course description ⟶
Technical Foundations of Computer Science for Business-Computer Scientists
Students learn the technical foundations of computer science, i.e. computer architectures, number representations, operating systems, scheduling algorithms, parallelization & locking, networking, etc.
Course description ⟶
International Information Security Contest
A project where students develop CTF-services for an international Attack-Defense CTF.
Course description ⟶
Internet Security
A lecture about internet security, i.e. protocols, firewalls, DDoS, XSS, etc.
Course description ⟶
Technical Foundations of Computer Science for Business-Computer Scientists
Students learn the technical foundations of computer science, i.e. computer architectures, number representations, operating systems, scheduling algorithms, parallelization & locking, networking, etc.
Course description ⟶
Rescue Your Server Project (Computer Security Big Project)
A project where students develop new vulnerable services for the IT-Seclab Course.
Course description ⟶
International Information Security Contest
A project where students develop CTF-services for an international Attack-Defense CTF.
Course description ⟶
Theses & Projects
I am happy to supervise bachelor and master theses that are related to my research interests. It's best if you can bring an idea, but feel free to ask if I have a topic available. Similarly, if you're looking for a bachelor's (6LP) or master's (9LP) project, do not hesitate to contact me as well.
Here is a list of theses and projects I have supervised:
Exposing Information Leaks in WordPress Plugins: A Large Scale Analysis
Bachelor Thesis
So many vulnerabilities, so little time: Erweiterung und Evaluation eines Greybox-Fuzzers für PHP-Webanwendungen
Bachelor Thesis
HTTP Basic Authentication in the Modern Web: Prevalence and Risks of Embedded Credentials
Bachelor Thesis
Large-Scale Analysis of Cryptographic Attacks on Internet Public Key Infrastructure
Master Thesis
LLMs as WAFs: Exploring the Potential of Large Language Models to Secure Web Applications
Bachelor Thesis
Access Control Vulnerabilities in WordPress Plugins and Automated Static Detection Thereof Using Code Property Graphs
Bachelor Thesis
An Empirical Analysis of the Adoption of Authenticated Signals to Bootstrap DNSSEC
Bachelor Thesis
Improvement of HTTP Communication: Development and Evaluation of an Approach to Optimize the Transmission of Recurring HTTP Security Response Headers
Bachelor Thesis
Developing a Framework for More Reliable DNS Queries in Cybersecurity Research
Bachelor Thesis
Behavioral Analysis of Chrome Extensions: Automated Detection of Malicious Activities in a Sandbox Environment
Bachelor Thesis
Attacks on the Cloud: Unveiling Cyber Assaults on Cloud Infrastructure Through Honeypot Analysis
Bachelor Thesis
Analysis of the HTTP Security Response Headers of the Top 1 Million Domains
Computer Security Big Project
Assessing DNS Security Resource Record Adoption: The Hosters’ Influence
Bachelor Thesis
Analyzing Query Limits Of Open DNS-Resolvers To Facilitate More Reliable Internet Scanning
Bachelor Thesis
Intrusion Detection at Scale: Designing, Implementing, and Evaluating Lightweight Honeypot Techniques for IoT Networks
Bachelor Thesis (Co-Supervisor)
A Security Analysis of FIDO2 Implementations and the Impact of Passkey Synchronization
Bachelor Thesis
Assessing Web Vulnerabilities: Exploring File Upload Vulnerabilities on PHP Servers and Conducting a Comparative Analysis of Testing Tools
Bachelor Thesis
Large Scale Analysis of Web Security Headers and Their Potential Data Transfer Overhead
Bachelor Thesis
Towards Effective Vulnerability Management: A Survey to Assess the Status Quo of Coordinated Vulnerability Disclosure in Germany
Bachelor Thesis
PressPot: Developing and Evaluating a Honeynet Framework Based on WordPress CMS
Bachelor Thesis
A Case Study of Building a Coverage-Guided Fuzzer with the Purpose of Finding Security Vulnerabilities in PHP Web Applications
Bachelor Thesis
Presentations, Projects & News
A selected list of highlights about my academic work.
ACSAC 2025 LASER Workshop: Taming the Chaos: Managing Reproducibility in Experiments and Results
Workshop presentation about facilitating reproducibility of experiments.
ACSAC 2025 LASER Workshop Slides ⟶
ACSAC 2025 Artifact Evaluation Badges
The submission to ACSAC 2025 underwent an artifact evaluation and earned the badges: "Artifact Available," "Artifact Reviewed," and "Artifact Reproducible".
ACSAC 2025 AE / Details ⟶
Selected Lecturer for Student Research Opportunities Program (StuROPx)
My submission "'AI Caramba': Schwachstellen, Herausforderungen und Chancen von generativer KI in der IT-Sicherheit" was accepted for the program and together with 15 students I will conduct some research into how generative AI can help with IT-security during the winter term 2025/26.
StuROPx Program / Details ⟶
Match-making candidate for SoftwareCampus
My research project and I successfully passed the HR interview and academic review in the SoftwareCampus cycle 2025 and advanced to the final Match-making phase. Unfortunately, the industry's interest in my security-related project was limited.
SoftwareCampus / Details ⟶
Knowledge Badge "Teaching Without Barriers"
I successfully earned the IAAP DACH Knowledge Badge 'Barrierefrei lehren' by developing and demonstrating my expertise in accessible digital teaching.
IAAP DACH / Details ⟶
Presentation @ Nullcon Goa 2025, Goa, India
The PHUZZ publication was presented at Nullcon Goa 2025.
Nullcon Goa 2025 Presentation ⟶
Presentation @ 38C3 2024, Hamburg, Germany
The PHUZZ publication was presented at 38C3 as "What the PHUZZ?! Finding 0-days in Web Applications with Coverage-guided Fuzzing".
38C3 Presentation ⟶
Qualified TU Berlin Certificate for Teaching in Higher Education
Throughout the past years, I attended many courses on teaching in higher education, completed the accredited "Teaching for University's Best" course and obtained the qualified teaching certificate from the accredited ZEWK.
ZEWK / Details ⟶
1st place @ CSAW'24 Applied Research Competition, Valence, France
The PHUZZ publication was awarded 1st place @ CSAW's Applied Research Competition.
CSAW ⟶
Invited Guest Talk @ KIT SECUSO Research Seminar, Karlsruhe, Germany
A presentation about my publications and research to foster new ideas and collaborations. Thanks for having me!
KIT Research Seminar ⟶
Paper presentation @ DIMVA 2024, Lausanne, Switzerland
The publication "Bringing UFUs Back into the Air With FUEL: A Framework for Evaluating the Effectiveness of Unrestricted File Upload Vulnerability Scanners" was presented at DIMVA 2024.
DIMVA Program ⟶
Paper presentation @ AsiaCCS 2024, Singapore, Singapore
The publication "What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications" was presented at AsiaCCS 2024.
AsiaCCS Program ⟶
Bugbounty Workshop @ GPN 2024, Karlsruhe, Germany
I gave a workshop on bugbounty programs and legal hacking at GPN 22.
GPN 22 Workshop ⟶
Presentation @ GPN 2024, Karlsruhe, Germany
The upcoming FUEL publication was presented at GPN 22 as "Help Us Identify UFUs: (Em)Powering Vulnerability Scanners with FUEL".
GPN 22 Presentation ⟶
Presentation @ Nullcon Goa 2024, Goa, India
The SSHFP publication was presented at Nullcon Goa 2023 as "(In)Secure Host Key Verification - Are SSHFP DNS Records The 'Next Big Thing'?".
Nullcon Program ⟶
Presentation @ Security Nights Berlin, Berlin, Germany
The SSHFP publication was presented at SNB 2023 as "Oh SSH-it, I didn't know about SSHFP RRs in the DNS!".
Security Nights Berlin ⟶
Paper presentation @ CANS 2022, Abu Dhabi, United Arab Emirates
The publication "Oh SSH-it, what's my fingerprint? A Large-Scale Analysis of SSH Host Key Fingerprint Verification Records in the DNS" was presented at CANS 2022.
CANS Program ⟶
Presentation @ DNS-OARC 39, Belgrade, Serbia
The SSHFP publication was presented at DNS-OARC 39 as "Analysis of SSHFP records in the DNS".
DNS-OARC 39 Program ⟶
Moderated session @ TechCamp 2022, Hamburg, Germany
A moderated session with the title "Lets talk about vulnerabilities, responsible disclosure and bug bounties." at TechCamp Hamburg 2022.
TechCamp Program ⟶
Presentation @ TechCamp 2022, Hamburg, Germany
A presentation about our SSHFP research with the title "SSH host key verification fingerprints in the DNS".
TechCamp Program ⟶
Panel Discussion @ CodeTalks 2022, Hamburg, Germany
One of the panelists on the discussion about "How attacks have changed between the recent 2 decades" at CodeTalks 2022.
CodeTalks Program ⟶
Presentation @ CodeTalks 2022, Hamburg, Germany
Presentation about the Master's thesis publication on browser fingerprinting as Fingerprinting the Fingerprinters at CodeTalks 2022.
CodeTalks Program ⟶