Twelve researchers worth knowing about
A junior cyber pro who knows zero names doesn't have the field's social context. These twelve appear in every serious cyber conference, every policy debate, every textbook reference list. Each profile is sourced to public material — books, congressional testimony, conference talks, reputable journalism.
Public-figure profiles only. Public work, public statements, public record. No private speculation. The list is not exhaustive — a hundred more names deserve their own page. These twelve are the ones a junior researcher should know on day one.
01
Independent investigative cyber journalist · krebsonsecurity.com
Former Washington Post · single-most-cited individual reporter on US cybercrime for 15+ years. His reporting broke Target 2013, exposed BriansClub, identified named ransomware operators ahead of US government action.
Voice: Methodical, source-rich, often weeks ahead of vendor disclosure. Reads like a detective novel that happens to be true.
Where to follow: krebsonsecurity.com (free) · 'Spam Nation' (2014) book
02
British security researcher · WannaCry kill-switch finder
Discovered and triggered the WannaCry kill switch May 12, 2017, stopping the worst ransomware outbreak in history. Later arrested by FBI for unrelated 2014-2015 malware development; pleaded guilty 2019; served time supervised release, full pardon process complete by 2021.
Voice: Cautionary tale + redemption. His reverse-engineering writeups on his blog remain canonical educational material for the field.
Where to follow: malwaretech.com (blog) · multiple BBC + Wired profiles · his own writing on the arrest experience
03
Hacker turned policy figure · former DARPA + Stripe + Twitter security
L0pht Heavy Industries founder. Testified before Congress 1998 (the famous 'we could take down the internet in 30 minutes'). DARPA Cyber Fast Track program lead 2010-2013. Twitter whistleblower 2022 — his disclosures shaped Senate hearings on platform security.
Voice: Generational. Speaks both to engineers and to senators. The bridge between L0pht-era hacker culture and modern cyber-policy formation.
Where to follow: Congressional testimony (1998, 2022) · DEF CON archives · multiple longform interviews
04
Bug bounty pioneer · Luta Security founder
Designed and launched Microsoft's first bug bounty program (2013) and the Pentagon's Hack the Pentagon program (2016) — both became templates copied across industry and government. CEO of Luta Security.
Voice: Constructive critic of the bug-bounty industry. Has been notably honest about platform misincentives. Frequent congressional witness on coordinated vulnerability disclosure.
Where to follow: lutasecurity.com · TED talks · Senate testimony
05
Cryptographer + security policy public intellectual
Cryptographer (Twofish, Blowfish). Author of foundational security books (Applied Cryptography, Secrets and Lies, Data and Goliath, A Hacker's Mind). Harvard Berkman Klein Center fellow. The most-cited public-facing cryptography figure.
Voice: Calm, longform, system-level. Bridges cryptography to policy to society. His Crypto-Gram newsletter has run since 1998.
Where to follow: schneier.com · multiple books · MIT/Harvard appointments
06
Reverse engineer · founder of zynamics (acquired by Google) · former Google Project Zero
Pioneered automated binary diffing (BinDiff). DEF CON / Black Hat keynote multiple years. His talks on the economic structure of the security industry are required watching for anyone going into the field.
Voice: Methodical, rigorous, willing to say uncomfortable things about the industry's incentives. The reverse-engineer's reverse-engineer.
Where to follow: addxorrol.blogspot.com · DEF CON / Black Hat archives · zynamics history
07
Google Project Zero · vulnerability researcher
Most prolific public vulnerability discoverer of the 2010s-2020s. Discovered remote-code-execution bugs in essentially every major piece of consumer security software (Symantec, McAfee, Kaspersky, Sophos, Trend Micro, Microsoft Defender) plus password managers (LastPass, 1Password) plus core OS components.
Voice: Sharp, often funny, refuses to soften findings to spare vendor ego. Embodies Project Zero's '90-day or we publish' culture.
Where to follow: lock.cmpxchg8b.com · Twitter/Mastodon · Google Project Zero blog
08
Former Kaspersky GReAT lead researcher · independent since 2023
Led Kaspersky's Global Research and Analysis Team. Directly involved in the discovery and analysis of Stuxnet, Flame, Equation Group, Lazarus campaigns. One of the few researchers with deep first-hand knowledge of the most consequential nation-state malware.
Voice: Quietly authoritative. His Twitter remains one of the highest-signal threat-intel feeds.
Where to follow: Kaspersky GReAT archive · SAS conference talks · ongoing public commentary
09
EFF Director of Cybersecurity · stalkerware advocacy
Founded the Coalition Against Stalkerware (2019). Decades of work on cybersecurity for civil-society targets — journalists, activists, domestic-abuse survivors. The most consistent public voice on the human cost of unaddressed cybersecurity gaps.
Voice: Compassionate, urgent, unapologetic about whose security matters. Bridges technical research to advocacy.
Where to follow: eff.org · multiple longform profiles · DEF CON talks
10
Chief Research Officer · WithSecure (formerly F-Secure)
Tracked computer malware since 1991. Notably tracked down and helped prosecute the authors of the Brain virus (1986, the first PC virus). TED talks reach 8M+ views. Author of 'If It's Smart, It's Vulnerable' (2022).
Voice: Historical perspective + future warning combined. Talks about cybersecurity as if explaining it to your grandparents — and that's the strength.
Where to follow: mikko.com · TED talks · F-Secure/WithSecure publications
11
Security executive · former Apple + Mozilla + Microsoft · current ThistleTech CEO
Led security at Mozilla during the rise of Firefox (2007-2008). Apple security executive 2010-2017. Microsoft Trustworthy Computing initiative early lead. Founded Thistle Technologies (IoT security) 2019. Trusted voice across multiple eras of the field.
Voice: Practitioner-leader. Bridges engineering depth to executive decision-making. One of the most-quoted female voices in mainstream cyber coverage.
Where to follow: Multiple Wired + NYT profiles · ThistleTech publications
12
Google VP / Chrome security · 'Security Princess'
Led Google Chrome's security team for 15+ years. Drove industry-wide TLS adoption (HTTPS Everywhere → HTTPS by default). Multiple Black Hat / RSA keynotes. One of the most influential web-security practitioners alive.
Voice: Practical, builder-focused, allergic to security theater. Her career is the case for 'security is product engineering, not a separate function.'
Where to follow: Multiple Wired + Forbes + Fortune profiles · Black Hat keynote archives
Cyber is a small enough field that following ten or twelve people on Twitter/Mastodon and reading their blogs puts you in the conversation. None of these twelve are gatekept. They've all published openly for years. Read what they write.