The honest version: Lists like this are obsolete the moment they're published. Books get superseded, people change jobs and platforms, newsletters go quiet, podcasts wrap up. We're keeping this short on purpose: only what we'd actually re-recommend right now. If a name's missing or stale, open a PR or issue and we'll update it.
On social handles: we list which platform each person is most active on but skip exact handles unless they're stable and well-known. Search the name on the platform; well-known practitioners surface in the first result. This page ages slower that way.
On this page
The 6 ways CSOH members consume cloud security content
Each medium covers a different gap in your learning. Click a tile to jump to its picks.
Books
Long-form depth. Best for foundations and big-picture mental models.
Newsletters
Curated weekly digests. Best for staying current without doom-scrolling.
Blogs
Practitioner deep-dives. Best for learning how a real team solved a real problem.
Podcasts
Conversations with experts. Best while commuting, walking, or doing chores.
People to follow
X / Bluesky / LinkedIn. Best for breaking news and threat intel signal.
Papers & frameworks
NIST, MITRE, CSA. Best when you need to win an argument with a citation.
Books
Grouped by topic. None of these are required reading; pick the one that maps to whatever you're working on this quarter.
Each book title links to its Open Library entry; pick up the cover, ISBN, and your preferred bookseller from there.
Cloud security foundations
- Practical Cloud Security – Chris Dotson. The closest thing to a textbook for the field. Provider-agnostic, control-focused. Read this first.
- Cloud Security Handbook – Eyal Estrin. More recent, more vendor-specific, useful as a complement.
- Hands-On AWS Penetration Testing with Kali Linux – Karl Gilbert & Benjamin Caudill. Dated in spots, but the AWS attack patterns it walks through are still the right ones to learn.
Identity & IAM
- Solving Identity Management in Modern Applications – Yvonne Wilson & Abhishek Hingnikar. Best plain-English treatment of OIDC / OAuth / SAML in a single book.
Containers & Kubernetes
- Container Security – Liz Rice (lizrice.com). The standard reference. Short, dense, accurate.
- Hacking Kubernetes – Andrew Martin & Michael Hausenblas. The offensive companion to the above.
- Cloud Native Security – Chris Binnie & Rory McCune. Broader runtime + supply-chain coverage.
AppSec & DevSecOps
- Alice and Bob Learn Application Security – Tanya Janca (shehackspurple.ca). The most beginner-friendly AppSec book in print.
- Web Application Security – Andrew Hoffman. More advanced, more in-depth on attack surfaces.
- Securing DevOps – Julien Vehent. Older, but the patterns hold up; Mozilla-flavored real-world examples.
Detection & incident response
- Applied Incident Response – Steve Anson. Practical, not theoretical. The book most DFIR people recommend to those newly responsible for IR.
- Practical Threat Intelligence and Data-Driven Threat Hunting – Valentina Costa-Gazcón. Pairs well with the SANS DFIR track.
- The Tao of Network Security Monitoring – Richard Bejtlich. Pre-cloud and unapologetically so, but the mental model is foundational.
Risk, leadership, and the meta-game
- How to Measure Anything in Cybersecurity Risk – Douglas Hubbard & Richard Seiersen. The book that retired the heatmap.
- The Manager's Path – Camille Fournier. Not security-specific, but the reference for any IC moving into management.
- Sandworm – Andy Greenberg. Long-form context on what nation-state attackers actually do; useful for anyone whose threat model includes them.
- Click Here to Kill Everybody – Bruce Schneier. Strategic-altitude view of the broader security landscape.
Blogs
Vendor research blogs (the good ones)
Not all vendor blogs are created equal. These earn their place because they publish original research, not product marketing.
Wiz Research
Cloud-native vulnerability research; the team behind several of the bigger cloud-CVE disclosures of the last few years.
Orca Security Research
Counterpart to Wiz: original cloud research with well-written write-ups.
Datadog Security Labs
Stratus Red Team comes from this team; consistently good detection content.
AWS Security Blog
The first-party reference. Subscribe.
Microsoft Security Blog
Defender / Sentinel / Entra updates plus MSTIC threat intelligence.
Google Cloud Threat Intelligence
Mandiant + GCP. Probably the strongest threat-intel blog in cloud right now.
Palo Alto Unit 42
Threat research with strong cloud and container coverage.
SentinelLabs
Adjacent but high-quality, especially on offensive tooling.
Individual blogs worth a feed slot
Summit Route
Scott Piper. The flAWS author. Long-form AWS security analysis.
marcolancini.it
Marco Lancini. Same voice as the newsletter, longer pieces.
awsteele.com
Aidan Steele. Surprising and frequently eyebrow-raising AWS findings.
kellyshortridge.com
Kelly Shortridge. Resilience engineering applied to security; required reading if you work on detection or program design.
Phil Venables
Google CISO. CISO-altitude essays; especially good on board-level security communication.
Securosis
Rich Mogull and team. Cloud security commentary from someone who's been at it longer than most of the field.
Podcasts
Cloud Security Podcast
Ashish Rajan. The big one for our space. Practitioner interviews, vendor-fair, weekly.
Risky Business
Patrick Gray. Long-running, broader security but the news roundups are unmatched.
Darknet Diaries
Jack Rhysider. Narrative storytelling. The episodes on cloud breaches (Capital One, Code Spaces) are required listening.
Defense in Depth / CISO Series
David Spark. Cross-cutting security topics with senior practitioners.
SANS Internet Storm Center StormCast
Five-minute daily threat brief. Lowest possible activation energy.
Click Here
Recorded Future News. Polished journalism, weekly.
People to follow on X / Bluesky / LinkedIn
A short, opinionated list of practitioners who consistently publish things worth reading. Many of these folks post the same content on multiple platforms; we note where they're most active. Search the name on the platform; the well-known ones surface immediately. PRs welcome to add or update.
Cloud security depth
- Scott Piper – Wiz; creator of the flAWS CTF series and the AWS Security Reference. Blog: Summit Route. Why follow: deep, no-fluff AWS security analysis. Active on: X, LinkedIn.
- Daniel Grzelak – CEO of Plerion; ex-Atlassian CISO. Why follow: opinionated cloud security commentary; will tell you when the emperor has no clothes. Active on: X, LinkedIn.
- Marco Lancini – runs the Cloud Security Newsletter. Blog: marcolancini.it. Why follow: technical clarity, generous link-sharing. Active on: X, LinkedIn.
- Rami McCarthy – Wiz; ex-Datadog. Why follow: balanced takes on tooling and program design; CSA Top Threats co-author. Active on: X, LinkedIn, Bluesky.
- Aidan Steele – independent. Blog: awsteele.com. Why follow: AWS deep-dives that often surface things AWS would prefer you didn't find. Active on: X.
- Houston Hopkins – IAM and guardrails at scale; well-known for AWS-Org-shaped war stories. Why follow: hard-won lessons about doing cloud security at large companies. Active on: X, LinkedIn.
- Will Bengtson – HashiCorp; ex-Netflix. Why follow: cloud detection & IR at scale; the Trailblazer / SecurityMonkey lineage. Active on: X, LinkedIn.
Detection, IR & offense
- Christophe Tafani-Dereeper – Datadog; maintainer of Stratus Red Team. Why follow: cloud attack-emulation thinking made approachable. Active on: X, Bluesky, LinkedIn.
- Andrew Krug – Datadog; long-time conference circuit. Why follow: practical IR + community-builder energy. Active on: X, LinkedIn.
- Rhino Security Labs – the Pacu / CloudGoat team. Why follow: announcements and write-ups for the canonical AWS-attack tooling. Active on: X, LinkedIn.
AppSec & DevSecOps
- Tanya Janca (SheHacksPurple) – AppSec educator at shehackspurple.ca. Why follow: kindest practitioner in security; great if you're new. Active on: LinkedIn, X, Bluesky.
- Clint Gibler – runs tl;dr sec. Why follow: sharp distillations of weekly research. Active on: X, LinkedIn.
- Liz Rice – Isovalent / CNCF; container security author. Personal site: lizrice.com. Why follow: definitive voice on Kubernetes and eBPF security. Active on: X, LinkedIn, Bluesky.
Strategy, leadership, broader security
- Phil Venables – Google Cloud CISO. Blog: philvenables.com. Why follow: board-level security thinking, well-written essays. Active on: X, LinkedIn.
- Kelly Shortridge – Fastly. Blog: kellyshortridge.com. Why follow: resilience engineering for security; will change how you think about programs. Active on: X, Bluesky.
- Rich Mogull – Securosis / FireMon. Why follow: has been doing cloud security since before the term existed. Active on: X, LinkedIn.
- Bruce Schneier – Harvard Kennedy School. Site: schneier.com. Why follow: the dean of security commentary.
- Bob Lord – ex-CISA, ex-DNC CSO. Why follow: cyber policy with operator credibility. Active on: LinkedIn, Bluesky, X.
Cloud journalism worth following
- Lily Hay Newman – WIRED. Why follow: cybersecurity reporting with technical fidelity.
- Catalin Cimpanu – Risky Business News. Why follow: volume + accuracy that's hard to beat.
- Andy Greenberg – WIRED; author of Sandworm. Why follow: long-form on nation-state and supply-chain security.
"Three hours intentionally split across formats beats ten hours of doom-scrolling X." (the recommended weekly split, above)
Papers, frameworks & canonical reads
The handful of documents you'll keep returning to. All free.
- CSA Security Guidance v5 – Cloud Security Alliance. The single best vendor-neutral primer for the field. ~250 pages, free PDF.
- MITRE ATT&CK for Cloud – The shared vocabulary for cloud attacker techniques. Map your detections against it.
- NIST SP 800-207: Zero Trust Architecture – The reference document everyone cites for zero trust. Read the paper, not the marketing.
- CISA advisories – Current attacker activity and remediation guidance, US-government flavored.
- OWASP Top 10 for LLM Applications – The starting point for AI / LLM security threat modeling.
- AWS Well-Architected Security Pillar – Free, opinionated, written by people who actually run AWS.
- Microsoft Cloud Adoption Framework: Secure – The Azure equivalent.
- Google Cloud Architecture Framework: Security – The GCP equivalent.
- Real breach post-mortems – See our breach kill chains for the curated set, each mapped to ATT&CK.
Contribute or correct
This list is intentionally short and intentionally opinionated. It will go stale unless the community keeps it honest:
- Add a person, blog, or book – open a PR against this page on GitHub. Include a one-line "why follow / why read." Self-nominations welcome (we'll review).
- Correct a handle, link, or affiliation – same path. Or message in the Signal chat.
- Suggest a removal – if a once-recommended resource has gone quiet or off-topic, flag it and we'll move it out of the active list.
- Suggest a new section – if you think a category is missing (e.g., "Cloud security YouTube channels"), file an issue.
Where next
- Learning path – where this reading list fits into the bigger picture.
- Careers guide – the roles these folks work in.
- Full resources catalog – 200+ tools, labs, and references beyond the curated list above.
- CSOH news feed – auto-aggregated headlines from many of the blogs above.
- Friday Zoom + Signal chat – meet the practitioners who maintain this list.