Hey there, I'm Kelly

I am an application security engineer at Strava. Previously I have been: a senior security researcher at Trail of Bits, an appsec engineer at Twitter, a backend software engineer at Twitter, a full stack software engineer at Twitter, a QE at Twitter, and a graduate student in the NSR group at University of Colorado Boulder.

When I'm not working I am probably out hiking or skiing, depending on the season. I also like to take things apart, to fix things, to build new things, to cook things, and to eat (tasty) things. You'll probably find a lot of hiking scenery pictures and food (and, of course, pictures of my cat) on my socials.

github

email

mastodon

technical blog

Publications and talks

• Tjaden Hess, Suha Hussain, Kelly Kaoudis, Jim Miller, Cliff Smith, Alan Cao, "Meta WhatsApp Private Processing: Security Assessment with Fix Review", Trail of Bits, August 2025. [report]
• Kelly Kaoudis, Akshay Kumar, Julius Alexandre, Francesco Bertolaccini, Henrik Brodin, "[RFC] Constant-Time Coding Support", LLVM Discourse, August 2025. [post]
• Kelly Kaoudis, "Listening for effective threat modeling", ThreatModCon Barcelona, May 2025. [slides], [threatmodcon link]
• Kelly Kaoudis, "Threat modeling the TRAIL of Bits way", Trail of Bits, March 2025. [blog]
• Paweł Płatek, Spencer Michaels, Kelly Kaoudis, "Continuous TRAIL", Trail of Bits, March 2025. [blog]
• Kelly Kaoudis, Evan Sultanik, Shaun Mirani, "Preventing account takeovers on centralized cryptocurrency exchanges in 2025", Trail of Bits, February 2025. [blog], [whitepaper]
• Evan Sultanik, Marek Surovič, Henrik Brodin, Kelly Kaoudis, Facundo Tuesca, Carson Harmon, Lisa Overall, Joseph Sweeney, Bradford Larsen, "PolyTracker: Whole-Input Dynamic Information Flow Tracing", ACM ISSTA 2024. Won Distinguished Tool Award. [paper], [slides], [github]
• Ian Smith, Kelly Kaoudis: “Cedar, Rego, and OpenFGA Policy Languages: Comparative Language Security Assessment”, Trail of Bits, August 2024. [whitepaper]
• Fangfei Yang, Bumjin Im, Weijie Huang, Kelly Kaoudis, Anjo Vahldiek-Oberwagner, Chia-Che Tsai, Nathan Dautenhahn, "Endokernel: A Thread Safe Monitor for Lightweight Subprocess Isolation", Usenix Security 2024. [usenix link], [paper]
• Kelly Kaoudis, "Systems security in practice: threat modeling at Trail of Bits", invited guest lecture for University of Toronto's CleverHans Lab, Spring 2024. [updated slides]; also presented to UC Santa Cruz's Languages, Systems, and Data Seminar, Fall 2023. [slides]; also presented to Rice Univ. COMP 427: Intro to Computer Security, Spring 2023. [slides]
• Kelly Kaoudis, Shaun Mirani, Spencer Michaels, "Eclipse Mosquitto Threat Model", Trail of Bits, Nov 2023. [report]
• Yi Chien, Vlad Bădoiu, Yudi Yang, Claire Huo, Kelly Kaoudis, Hugo Lefeuvre, Pierre Olivier, Nathan Dautenhahn, "CIVSCOPE: Analyzing Potential Memory Corruption Bugs in Compartment Interfaces", SOSP KISV (Proceedings of the 1st Workshop on Kernel Isolation, Safety and Verification pp. 33-40), 2023. [paper]
• Fangfei Yang, Weijie Huang, Kelly Kaoudis, Anjo Vahldiek-Oberwagner, Nathan Dautenhahn, "Endoprocess: Programmable and Extensible Subprocess Isolation", New Security Paradigms Workshop (NSPW), 2023. [paper]
• Artur Cygan, Kelly Kaoudis, Emilio López, "Eclipse JKube Security Assessment", Trail of Bits, Sept 2023. [report]
• Kelly Kaoudis, Will Brattain, "OIDC For HashiCorp Vault Access in GitHub Actions Workflows", Trail of Bits, Aug 2023. [whitepaper]
• Cliff Smith, Sam Alws, Kelly Kaoudis, Spencer Michaels, "Eclipse Jetty Security Assessment", Trail of Bits, June 2023. [report]
• Cliff Smith, Sam Alws, Kelly Kaoudis, Spencer Michaels, CVE-2023-36478, CVE-2023-36479, Eclipse Jetty, June 2023.
• Kelly Kaoudis, Henrik Brodin, Evan Sultanik, "Automatically Detecting Variability Bugs with Hybrid Control and Data Flow Analysis", LangSec (IEEE Security and Privacy Workshops), 2023. [langsec link], [paper]
• Yudi Yang, Weijie Huang, Kelly Kaoudis, Nathan Dautenhahn, "Automating Program Reasoning with the Object Encapsulation Model", LangSec (IEEE Security and Privacy Workshops), 2023. [langsec link]
• Kelly Kaoudis, "Beginner's guide to bug bounty", invited guest lecture for Rice University's COMP 427: Introduction to Computer Security, Spring 2022. [slides]
• Kelly Kaoudis, Sick Codes, "Pwning IPv4 parsing", DEFCON 29, 2021. [video]; also presented to CyberDT XSWG-14, Institute for Defense Analyses (IDA), July 2022. [updated slides]
• Sick Codes, Kelly Kaoudis, Victor Viale, John Jackson, CVE-2021-29922, CVE-2021-29923, CVE-2021-29921, CVE-2021-29662, CVE-2021-28918, CVE-2021-33318, April 2021.
• Kelly Kaoudis, "Application Security at (Twitter) Scale", Datadog Bits of Security, April 2021. [video]
• Kelly Kaoudis, "Scaling Validation of Streaming Data Products at Twitter", Strange Loop 2017. [video]
• Aimee Coughlin, Kelly Kaoudis, Eric Keller, "Augmenting Cloud Architectures to Support Decentralized Applications", IEEE Integrated Management, 2017. [paper]