CTRL+F - A Practical Guide to Security Reviews
Announcements
- The 2026 edition of CTRL+F starts on Friday May 15 at 9am in Huxley 311!
Overview
This four-session mini-course offers a practical and accessible introduction to vulnerability research. Through a combination of theory, guided labs, and real-world case studies, you’ll learn how security vulnerabilities are discovered, from reviewing source code to using modern program analysis tools.
We’ll begin with the fundamentals: how to approach code, understand attack surfaces, and recognize common vulnerability patterns. From there, we’ll explore manual discovery techniques, analyze real CVEs, and tackle hands-on challenges. In the later sessions, you'll work with professional tools for static analysis and fuzzing, demonstrating how automation enhances and extends human capabilities.
Whether you're curious about application security, interested in bug bounties, or simply want to understand how software breaks, this course will equip you with the mindset and skills to begin your journey into security research.
Organization
- Timetable:
- All sessions on Fridays at 9:00am; we have the room for 2 hours but plan to use less than that
- Session 1: May 15 in Huxley 311
- Session 2: May 22 in Huxley 311
- Session 3: May 29 in Huxley 308
- Session 4: June 5 in Huxley 308
- Slack will be used for course announcements and course-related questions.
- Course materials: on this website.
- Assessment: no assessment 😅
- Recordings: no recordings 😐
- BYOL: bring your own laptop!
- Code editor, e.g. VS Code
- Git
- Docker
Resources
- CISA known exploited vulnerabilities
- Google 0day "In the Wild"
- http://threatmodelingmanifesto.org
- Mark Dowd - Keynote - How Do You Actually Find Bugs? (video)
- The Art of Software Security Assessment (book)
- Threat modelling – Designing for security (book)
- The Web Application Hacker's Handbook (book)
- CWE/SANS Top 25 Most Dangerous Software Errors
- OWASP Top 10 list of the most critical web application security flaws
- Search the CVE Vulnerability Database
- Search the exploit-db database
- HackerOne reward program for internet vulnerability disclosures
- Full Disclosure mailing list
- Black Hat and DEF CON hacking conferences
People
Lecturer
Ibrahim ElSayed.
Ibrahim is an experienced security engineer specializing in leveraging program analysis to detect and prevent security vulnerabilities at scale. With over a decade of expertise in building advanced static analysis tools, he has contributed to securing massive codebases written in languages like PHP, Python, and Java. Ibrahim is also passionate about researching vulnerabilities in end-to-end encrypted messaging applications like WhatsApp, Telegram, and Signal, aiming to enhance their security. He leads efforts to empower developers and scale security teams to identify and mitigate critical vulnerabilities effectively.
Course leader
Sergio Maffeis. Sergio is an associate professor in Computer Security at Imperial, where he leads the Security and Machine Learning Lab. He received his PhD from Imperial and his MSc from the University of Pisa, Italy. Maffeis' research interests include security, machine learning, formal methods, and programming languages. You can find out more on his home page.