What CSOH is
Cloud Security Office Hours is a free, vendor-neutral community for people who do - or want to do - cloud security work. It is anchored by a weekly Friday Zoom (7am Pacific), a mailing list of 2,000+ practitioners, and a public resource hub at csoh.org. It was founded in February 2023 and has run uninterrupted since.
Why it exists
Cloud security is fragmented: every vendor sells a different acronym, every cloud provider draws the shared-responsibility line in a different place, and a newcomer drowns in marketing material before they find the handful of pages that actually teach the field. CSOH exists to give practitioners a single, vendor-neutral place to learn the discipline, compare tools without sales pressure, and talk to peers who are working on the same problems in production.
The ethos
A few principles run through everything on the site:
- Vendor-neutral. 350+ vendors appear in the Vendor Landscape with one-sentence orientation copy - no rankings, no “magic quadrants,” no sponsored placement on the site itself. Author affiliations (e.g. Wiz) are disclosed.
- Free, forever, no surveillance. No cookies, no analytics, no marketing trackers, no on-site advertising - see the Privacy Policy. External links are stripped of tracking parameters before publication.
- Practitioner-written. The guides are authored by people who have shipped cloud security work, not by content marketers - see About Shawn Nunley. Where opinions appear, they are called out as opinions.
- High bar over high volume. Breach Kill Chain entries, for example, require a real post-mortem, step-by-step technical detail, MITRE ATT&CK mapping, and defender recommendations. Ten deeply researched entries beat a hundred shallow ones.
- No marketing. The Friday session is a discussion, not a webinar. Presenters are community members, not vendors pitching products. See the Code of Conduct and FAQ for the rules of the room.
What’s on the site
The hub organizes ~50 long-form pages plus several living directories into five buckets:
Foundations
What is Cloud Security?, the Learning Path, the Shared Responsibility Model, the CSPM vs CNAPP vs CWPP vs CIEM vs DSPM acronym decoder, and the Vendor Landscape.
Disciplines
Vendor-neutral practitioner guides covering IAM, Zero Trust, Network Security, Data Security, KMS & Secrets, Vulnerability Management, API Security, SaaS Security (SSPM), Backup, DR & Ransomware, Threat Modeling, Detection Engineering, Incident Response & Forensics, Cloud Pentesting, AI/ML & LLM Security, Service Mesh Security, Landing Zones, Containers, Kubernetes, Serverless, CI/CD, Cloud SOC, GRC for Cloud, and Compliance Frameworks.
By cloud
Hub pages for AWS Security, Azure Security, and GCP Security, plus a side-by-side AWS vs Azure vs GCP comparison.
Career & community
Certifications, Degree Programs, Careers, Home Lab, Portfolio Projects, and the Best Practices checklist.
Reference & practice
A 300+ term Glossary with live search and auto cross-links, a 240+ entry Resources Directory, 39+ hands-on CTFs, a 27-conference directory, 10 deeply researched Breach Kill Chains mapped to MITRE ATT&CK, a curated Threat Research source directory, ~120 articles in Cloud Security News auto-aggregated every three hours, 94+ searchable Meeting Recaps, the Presentations archive, community-shared chat resources, and a site-wide MiniSearch search.
How it’s built - in the open
The site is intentionally low-tech: static HTML, no build step, no database, no JavaScript framework. You can clone it, open index.html, and have the full site running locally in seconds. This is a deliberate choice - it keeps the contribution barrier low and makes the site readable as a learning artifact in its own right.
Everything lives in a public GitHub repo at github.com/CloudSecurityOfficeHours/csoh.org under an open-content license:
- Documented in public. A README, DEVELOPMENT.md, four contributing guides - general, resources, CTFs, kill chains - a public Security Policy, and per-tool README files for every automation script.
- Contribution-friendly. Interactive Python scripts (
submit_resource.py,submit_news_source.py,submit_ctf.py,add_meeting.py) walk contributors through additions without needing to hand-edit HTML. There’s also a dedicated Contribute page and a resource submission form. - Automated guardrails. GitHub Actions workflows lint HTML, lint YAML and Python, validate every URL for safety, check for broken links, regenerate the RSS feed and sitemap, refresh resource preview screenshots, run weekly PageSpeed and structural SEO audits, and deploy via keyless OIDC to AWS, GCP, and Azure behind a Cloudflare edge.
- Dogfooded teaching material. The CI/CD pipeline doubles as the example used by How We Use GitHub Actions and How We Deploy Across AWS, GCP & Azure - readers can study a real production cloud deployment by reading the same repo they would contribute to. How csoh.org Is Secured documents the site's own defenses (strict CSP, SRI, keyless deploys) and how to verify each one.
How CSOH is funded
CSOH runs lean and stays independent. Here is exactly where the money comes from and where it goes, so you never have to guess:
- Hosting and tooling. The site is served from AWS, GCP, and Azure behind a Cloudflare edge, plus a Zoom subscription for the Friday call. Those are the main costs, and they stay modest because the site is static.
- Newsletter sponsorship. The weekly email that carries the Zoom link occasionally includes a single, clearly-labeled sponsored link from a community-aligned partner. That slot helps offset hosting. It is the only place any sponsorship appears, and it never buys a placement, ranking, or mention anywhere on the site itself.
- Optional donations. Some members chip in via PayPal. Donations are always optional and never required to attend, join, or use anything here.
- No vendor money for content. CSOH takes no payment for guides, resource listings, breach write-ups, or placement. The Vendor Landscape lists 350+ vendors with the same neutral, one-sentence treatment - nobody pays to be included, and there are no rankings to buy.
- Affiliations disclosed. Organizers and authors work across the industry, sometimes at competing vendors. Author affiliations (for example, Wiz) are disclosed on the pages they write, and the Code of Conduct enforces the no-sales-pitch rule for everyone.
Bottom line
csoh.org is the static, public counterpart to a 2,000-person Friday Zoom: a curated, vendor-neutral knowledge base built and maintained in the open by the practitioners who use it. Start with What is Cloud Security?, follow the Learning Path, and join the Friday session when you’re ready to talk to peers.
