Shaun McCullough

As a hands-on practitioner with a gift for architecture design, Shaun explores the good and bad of how the Cloud is changing the way the industry secures and runs infrastructure. During his 25+ years of experience, Shaun has spent equal parts in security engineering and operations as well as software development. With extensive experience within the Department of Defense, Shaun was the Technical Director of the Red and Blue operations teams, a researcher of advanced host analytics, and ran a threat intelligence focused open source platform based on MITRE ATT&CK. Previously, he was a consultant with H&A Security Solutions, focusing on analytic development, DevOps support, and security automation tooling. Shaun is co-author of SANS SEC541: Cloud Security Attacker Techniques, Monitoring, and Threat Detection.



After taking SEC560: Network Penetration Testing and Ethical Hacking with Ed Skoudis in 2011, Shaun knew that using an offensive mindset to create defensive infrastructure was the career path for him. That SANS course changed the trajectory of his career, launching him directly into a renewed focus on information security and never looking back. Since that time, Shaun has immersed himself in learning and understanding the industry, its gaps, and how he can utilize his vast skill set to be a part of it all.

In his current role, Shaun’s focus is on cloud infrastructure and creating new ways to run secure workloads for organizations. Working in both security engineering and software development through the years, Shaun has a particular affinity with the Cloud, as it brings together these two distinct worlds. Knowing the Cloud can be so much more than a virtualized copy of traditional IT infrastructure, Shaun enjoys diving into the *how* of the cloud, reimagining new architecture and operations design patterns that move infrastructure security into the future. He thoroughly enjoys the freedoms, and challenges, of combining these two disciplines into a new type of IT infrastructure.

Shaun is happiest when creating something brand new and really stretching the boundaries of an organization, product platform, or new ways of thinking. He understands that while some of these creations will be a great success, others will not. However, even with the failures, he gains new perspective and skills to take into future projects. This is the type of atmosphere Shaun likes to create for his students.

Shaun believes one of the biggest challenges students face is that the big cloud infrastructure companies are releasing new services that look less and less like the standard on-prem virtualized infrastructure, which in turn presents a steep learning curve for students. As an instructor, Shaun wants to give back to students just as SANS instructors have helped him through the years and therefore provides his own stories and life experiences in the classroom.

Back in 2011 in his first SANS course, Shaun was blown away by the fact that SANS instructors were not just relaying canned content, but were sharing their experiences, deep research, and unique perspectives. Now a SANS instructor himself, he has seen first-hand how students elevate their game after engaging with SANS training, which inspires him to continue to further his own game and stretch his comfort zone.

Shaun gives back to his profession by mentoring and supporting the next generation of cyber professionals at his work. He has spoken at numerous private conferences, SANS events and at BSides DC. He has a bachelor's degree in Computer Engineering from Virginia Tech and a master's degree in Information Security Engineering from the SANS Technology Institute, as well as numerous professional certifications including: GSE, GSEC, GCIA, GCFE, GXPN, GCIH, GREM, GCFA, GCCC, and GCPM.

In his spare time, Shaun enjoys chauffeuring his children around town and refurbishing old or building new wood furniture.


Cloud Attacks, Mitigations, and Detections—A Code Spaces Case Study, O'Reilly Cloud Superstream: Cloud Security event, June 2022

The Threat Detection with Cloud API Logs: A Case Study from Capital One, May 2021

Cyber Solutions Fest: Level Cloud Security, Oct 2021

Cloud Security Monitoring and Threat Detection in AWS, Dec 2020

Cloud Security Solutions Forum, Dec 2020

Architecting for Threat Hunting, Oct 2020

Threat Hunting through Log Analysis in AWS, July 2020 

Infrastructure as Code is REAL: Using the Cloud to Provision Infrastructure with Software, June 2020 

United We Stand, Divided We Fall: 2019 Threat Landscape and the Influence of Sharing Communities, Jan 2020 

How to Build a Threat Hunting Capability in AWS, Dec 2019 

How to Secure a Modern Web Application in AWS, May 2019


Practical Guide to Security in the AWS Cloud, Nov 2020

How to Protect a Modern Web Application in AWS, April 2019

How to Build a Threat Hunting Capability in AWS, Nov 2019