Key Windows Security Researchers

Last updated: 2026-04-15
Related: Papers And Blogs
Tags: kernel-mode, user-mode

Summary

Knowing who the best researchers are and what they focus on lets you prioritize whose work to study, whose blog to follow, and whose conference talks to watch. This page catalogs elite Windows security researchers by specialty.

Kernel Exploitation

Researcher	Affiliation (notable)	Focus	Where to find
j00ru (Mateusz Jurczyk)	Google Project Zero	win32k, kernel pool, GDI, font bugs	googleprojectzero.blogspot.com
Gynvael Coldwind	Google Project Zero	kernel, reversing, CTF	gynvael.coldwind.pl
James Forshaw	Google Project Zero	Windows internals, TOCTOU, COM, RPC	tyranidslair.blogspot.com
Alex Ionescu	Winsider / CrowdStrike	Windows internals, hypervisor, KPP, CET, CLFS	github.com/ionescu007 (incl. clfs-docs — authoritative CLFS structure reference)
Tarjei Mandt	Azimuth Security	Kernel pool exploitation	Black Hat papers
Enrico Perla	Independent	Kernel exploitation techniques	kernelpool.substack.com
Jann Horn	Google Project Zero	Kernel races, Linux+Windows	googleprojectzero.blogspot.com
0vercl0k (Axel Souchet)	Microsoft / independent	WTF fuzzer, snapshot fuzzing	github.com/0vercl0k
Boris Larin (oct0xor)	Kaspersky GReAT	CLFS exploit analysis, ransomware threat intelligence, ITW zero-day detection	securelist.com — “Windows CLFS and five exploits” series (CVE-2022-24521, -37969, -23376, -28252)
Connor McGarr	Microsoft	Windows kernel internals, KCET shadow stacks, VTL secure calls, browser exploitation	connormcgarr.github.io — KCET series, SkBridge, Vtl1Mon
HN Security	HN Security (Italy)	CLFS deep dives (CVE-2024-49138 two-part analysis)	hnsecurity.it
Ong How Chong	StarLabs	CVE-2025-29824 (CClfsLogCcb UAF)	blog.starlabs.sg
Kai Lu / Brett Stone-Gross	Zscaler ThreatLabz	CLFS ITW exploit capture and analysis (CVE-2022-37969 parts 1+2)	zscaler.com
Đào Tuấn Linh	StarLabs	CVE-2024-26230 (tapisrv.dll UAF, CFG bypass via imported Win32 calls, PrintSpoofer escalation)	starlabs.sg/blog
Cherie-Anne Lee	StarLabs	CVE-2024-30085 (cldflt.sys heap overflow, ALPC handle table spray, PipeAttribute AAR, KALPC_MESSAGE AAW)	starlabs.sg/blog
Chen Le Qi	StarLabs	CVE-2024-43626 (OOB read/info leak in GetPriorityList/_wcsupr), kernel exploitation guidance	x.com/cplearns2h4ck
Alex Birnberg	SSD Security Research	CVE-2021-31969 (cldflt.sys LFH→VS cross-subsegment overflow; NtSetInformationToken/TokenBnoIsolation AAR/AAW)	ssd-disclosure.com
Alex Plaskett	NCC Group	CVE-2021-31956 (NTFS EA heap overflow → WNF pool spray); first public WNF-as-grooming-primitive technique; NTFS exploitation chain with PreviousMode	research.nccgroup.com
Alexandre Borges	Independent	“Exploiting Reversing (ER)” series: kernel driver reversing, CVE-2024-30085 full exploit (ERS_06-08 — 4 variants: ALPC write, token steal, I/O Ring v1/v2); Hyper-V intro; patch diffing; I/O Ring AAR/AAW technique	exploitreversing.com
Yarden Shafir	Trail of Bits	WNF Code Integrity state names (CI.dll→WNF notification pipeline); Windows kernel exploitation; CET shadow stacks; I/O Ring exploit primitive (original — TyphoonCon 2022: RegBuffers overwrite → full AAR/AAW on Win11)	windows-internals.com, twitter.com/yarden_shafir
Angelboy (Scott Chen)	DEVCORE	Windows Kernel Streaming attack surface: “Proxying to Kernel” bug class (KsSynchronousIoControlDevice always KernelMode); 20+ KS CVEs 2023-2024; CVE-2024-35250/30084 (Pwn2Own Vancouver 2024); CVE-2024-30090 (novel SeDebugPrivilege LUID EoP); MDL bug classes (uninitialized PFN, mismatch, misalignment)	devco.re/blog
chompie1337	IBM X-Force	MSKSSRV exploitation: CVE-2023-36802 (type confusion exploit writeup); CVE-2024-30089 (Pwn2Own 2024 reference count bug); WinDNS SIGRed RCE PoC	securityintelligence.com, chomp.ie
Gabrielle Viala	Quarkslab	WNF internals (“Playing with the Windows Notification Facility” — Black Hat 2018 with Ionescu); WNF structure reverse engineering	quarkslab.com
hieu.q + voidsec	Crowdfense	CVE-2024-21338 (appid.sys untrusted pointer dereference → AAW via `DbgkpTriageDumpRestoreState` gadget; PreviousMode flip + SeDebugPrivilege paths; Lazarus FudModule rootkit ITW); CVE-2025-53136 (NT kernel TOKEN address leak via NtQueryInformationToken TOCTOU; KASLR defeat from AppContainer)	crowdfense.com
Marcus Hutchins (MalwareTech)	Independent	tcpip.sys IPv6 stack deep dive; CVE-2024-38063 root cause analysis and DoS PoC; reverse-engineered undocumented tcpip.sys structures (Packet_t, Reassembly_t, Demuxer dispatch table); also known for taking down WannaCry sinkhole	malwaretech.com
Axel “0vercl0k” Souchet	Microsoft (previously)	WTF snapshot fuzzer; tcpip.sys reverse engineering (CVE-2021-24086 “Packet of Death” — first public PoC + deep struct analysis); NET_BUFFER/MDL internals; foundational reference for all tcpip.sys research	github.com/0vercl0k, doar-e.github.io
Francisco Falcon	Quarkslab	CVE-2021-24086 (independent analysis + PoC); IPv6 nested fragment technique (xzibit fragments-within-fragments attack); tcpip.sys fragmentation internals	blog.quarkslab.com
piazzt	Microsoft Security	Internally discovered CVE-2021-24086, CVE-2021-24074, CVE-2021-24094 (all patched Feb 2021 Patch Tuesday)	@piazzt on Twitter
pi3	Independent	CVE-2020-16898 “Bad Neighbor” — first public PoC and blog post within days of patch drop; ICMPv6 RDNSS exploitation	blog.pi3.com.pl
Armis Research Team	Armis	CVE-2021-24094 (IPv6 recursive reassembly UAF + novel firewall bypass primitive via type confusion); URGENT/11 (embedded TCP/IP stack vulnerabilities in VxWorks/IPnet)	armis.com/blog
Tim Lau	FortiGuard Labs	CVE-2022-21907 (http.sys uninitialized MDL analysis — tracked down the Tracker->0x80 uninitialized MDL crash path)	fortinet.com/blog
Xiao Wei	Kunlun Lab	CVE-2024-38063 — discovery and responsible disclosure; CVSS 9.8 tcpip.sys zero-click wormable IPv6 RCE	Credited in MSRC advisory

win32k / GDI / Graphics

Researcher	Notable Work
j00ru	Multiple win32k UAF CVEs, font bugs, GDI exploitation
Yuki Chen	win32k type confusion, CFG bypasses
Hao Xu	win32k kernel bugs
Connor McGarr	win32k exploitation write-ups

User-Mode / Browser Exploitation

Researcher	Affiliation	Focus
saelo (Samuel Groß)	Google Project Zero	Browser engines, JIT, WebKit/V8
Ivan Fratric	Google Project Zero	Browser fuzzing (WinAFL)
Lokihardt	Google Project Zero	JavaScript engine bugs
Bruno Keith	Google Project Zero	Browser security

Hypervisor / VBS

Researcher	Focus
Alex Ionescu	Hyper-V internals, VBS, secure kernel
Nicolas Joly	Hyper-V, sandbox escapes
Peleg Hadar	Hyper-V, VBS, HVCI
Alex Matrosov	Firmware/UEFI, HVCI bypass

cldflt.sys / Cloud Filter

Researcher	Notable Work
Alex Birnberg (SSD)	CVE-2021-31969 — first cldflt exploit; cross-subsegment LFH→VS overflow technique
Cherie-Anne Lee (StarLabs)	CVE-2024-30085 — cldflt BITMAP element bounds check bypass; ALPC handle table + PipeAttribute exploit chain

BYOVD / Driver Exploitation

Researcher	Affiliation	Notable Work
Ilia Dafchev	Independent	WRMSR BYOVD exploitation — full chain (LSTAR overwrite, IRETQ entry frame, SMAP bypass via RFLAGS AC bit, swapgs+sysret return); CVE-2021-3437 WRMSR class; blog: idafchev.github.io

RPC / User-Mode LPE / AppContainer Escape

Researcher	Affiliation	Notable Work
k0shl	Cyber Kunlun	CVE-2022-22715 (Windows Dirty Pipe / npfs.sys LFH→VS cross-subsegment overflow → AppContainer escape; TianfuCup 2021); CVE-2023-28229 + CVE-2023-36906 (CNG Key Isolation UAF + OOB read → lsass DLL injection from AppContainer); CVE-2024-26230 (tapisrv UAF + XFG bypass via VirtualAlloc address prediction trick); blog: whereisk0shl.top

Remote Exploitation / RCE

Researcher	Affiliation	Notable Work
Sagi Tzadik	Check Point Research	CVE-2020-1350 (SIGRed) — discovered 17-year-old integer overflow in Windows DNS Server `SIG` record parsing; first to document the DNS name compression inflation trick and full root cause; blog: research.checkpoint.com
chompie1337	Independent	CVE-2020-1350 (SIGRed) — first and only public RCE PoC; WinDNS custom allocator grooming, TTL-as-heap-primitive technique, DNS_Timeout arbitrary read/write primitive chain, CFG bypass via valid-but-exploitable targets; github.com/chompie1337

TOCTOU / Logic Bugs / LPE

Researcher	Notable Work
James Forshaw	Dozens of TOCTOU bugs, symbolic link abuse framework (NtApiDotNet)
SandboxEscaper	Numerous LPE 0-days published publicly (2018-2019)
Abdelhamid Naceri	Multiple LPE CVEs, Windows Installer races

Top Conference Venues

Conference	Relevance
Black Hat USA/EU	Windows kernel, mitigations, new techniques
OffensiveCon	Pure offensive focus — kernel, browsers
DEF CON	Exploits, offensive techniques
BlueHat	Microsoft’s own security conference
INFILTRATE	Elite offensive techniques
Hardwear.io	Firmware, hardware security
POC (Power of Community)	Korean security research

Key Twitter/X Accounts

@j00ru — Mateusz Jurczyk (Windows kernel)
@tyranidslair — James Forshaw
@aionescu — Alex Ionescu
@0vercl0k — Axel Souchet (WTF fuzzer)
@matrosov — Alex Matrosov (firmware)
@oct0xor — Boris Larin (Kaspersky, CLFS/ransomware ITW)
@connormcgarr — Connor McGarr (KCET, VTL, browser)

References

Google Project Zero — googleprojectzero.blogspot.com
Winsider Seminars — alex-ionescu.com
Corelan Team — corelan.be

Share on

Bluesky Facebook LinkedIn X (formerly Twitter)

gengstah