The Top 10 AWS Security Research of 2026
Every year, the AWS security community ships an extraordinary amount of research, and the best of it gets buried under the volume. This is the list that surfaces it: the ten pieces of AWS security research from 2026 that genuinely changed how we attack and defend the cloud, chosen by the people who read it all.
Nominations open: Open until 30 September 2026. The Top 10 is announced 28 October 2026.
No login, no email required. Nominate as many as you like, self-nominations welcome.
Organized by Eduard Agavriloae of OFFENSAI
1. Nominations (until 30 Sep): Anyone can submit a link to AWS security research published in 2026.
2. Community vote (October): Readers vote on the nominations to shape a shortlist of finalists.
3. Expert panel (October): A panel of AWS security practitioners reviews and ranks the finalists.
4. Results (28 October): The Top 10 is published right here, on this page.
Novel & reusable
A new attack technique, primitive, or defensive method that can be re-applied to other systems, not a one-off finding.
AWS-focused
Research that matters specifically to securing AWS, its IAM model, services, APIs, or the ecosystem around them.
Published in 2026
The research must have been first published during the 2026 calendar year. Updates to older work don't count.
Has a primary source
A blog post, paper, talk, or write-up we can link to and read. Tweet threads count if they stand on their own.
Self-nominations welcome
Did the work yourself? Nominate it. The panel cares about the research, not who submitted it.
As many as you like
Submit one nomination or twenty. There's no cap, and the form takes a few seconds each.
What won't make it: single CVEs with no reusable technique behind them, vendor marketing dressed up as research, tooling without a novel idea, and work that isn't really about AWS. We'll filter these out before voting.
Know a piece of research that belongs here?
It takes under a minute. Drop a link, add a sentence on why it matters, and you're done. The best AWS security research of 2026 is only as good as the nominations.
No login or email required. Nominate as many as you like.
The fine print
Questions, answered.
What is this?
An annual, community-driven list of the most important AWS security research published in a given year. It's inspired by PortSwigger's Top 10 Web Hacking Techniques, but focused entirely on AWS. 2026 is the inaugural edition.
How does the selection work?
Four phases. First, anyone nominates research via the form. Then the community votes to create a shortlist of finalists. A panel of AWS security practitioners then reviews and ranks those finalists. Finally, the Top 10 is published on this page.
What counts as a valid nomination?
Novel, practical AWS security research first published in 2026 that teaches a reusable technique, attack primitive, or defensive method. Notable bugs and vulnerabilities count too. What we're really after is the reusable method behind a finding, so lead with the technique rather than just the CVE number.
Can I nominate my own work?
Absolutely. Self-nominations are welcome and judged exactly like everything else. The panel cares about the research, not who submitted it.
How many can I submit?
As many as you like. There's no limit, and you don't need to create an account or hand over an email address to nominate.
When do voting and results happen?
Nominations are open now and close on 30 September 2026. Community voting and the panel review run through October, and the final Top 10 is announced on 28 October 2026, right here on this page. We'll flag each milestone in the newsletter and on X and LinkedIn.