The honest version: Lists like this are obsolete the moment they're published. Books get superseded, people change jobs and platforms, newsletters go quiet, podcasts wrap up. We're keeping this short on purpose - only what we'd actually re-recommend right now. If a name's missing or stale, open a PR or issue and we'll update it.
On social handles: we list which platform each person is most active on but skip exact handles unless they're stable and well-known. Search the name on the platform - well-known practitioners surface in the first result. This page ages slower that way.
On this page
The 6 ways CSOH members consume cloud security content
Each medium covers a different gap in your learning. Click a tile to jump to its picks.
Books
Long-form depth. Best for foundations and big-picture mental models.
Newsletters
Curated weekly digests. Best for staying current without doom-scrolling.
Blogs
Practitioner deep-dives. Best for learning how a real team solved a real problem.
Podcasts
Conversations with experts. Best while commuting, walking, or doing chores.
People to follow
X / Bluesky / LinkedIn. Best for breaking news and threat intel signal.
Papers & frameworks
NIST, MITRE, CSA. Best when you need to win an argument with a citation.
Books
Grouped by topic. None of these are required reading; pick the one that maps to whatever you're working on this quarter.
Each book title links to its Open Library entry - pick up the cover, ISBN, and your preferred bookseller from there.
Cloud security foundations
- Practical Cloud Security - Chris Dotson. The closest thing to a textbook for the field. Provider-agnostic, control-focused. Read this first.
- Cloud Security Handbook - Eyal Estrin. More recent, more vendor-specific, useful as a complement.
- Hands-On AWS Penetration Testing with Kali Linux - Karl Gilbert & Benjamin Caudill. Dated in spots but the AWS attack patterns it walks through are still the right ones to learn.
Identity & IAM
- Solving Identity Management in Modern Applications - Yvonne Wilson & Abhishek Hingnikar. Best plain-English treatment of OIDC / OAuth / SAML in a single book.
Containers & Kubernetes
- Container Security - Liz Rice (lizrice.com). The standard reference. Short, dense, accurate.
- Hacking Kubernetes - Andrew Martin & Michael Hausenblas. The offensive companion to the above.
- Cloud Native Security - Chris Binnie & Rory McCune. Broader runtime + supply-chain coverage.
AppSec & DevSecOps
- Alice and Bob Learn Application Security - Tanya Janca (shehackspurple.ca). The most beginner-friendly AppSec book in print.
- Web Application Security - Andrew Hoffman. More advanced, more in-depth on attack surfaces.
- Securing DevOps - Julien Vehent. Older but the patterns hold up; Mozilla-flavored real-world examples.
Detection & incident response
- Applied Incident Response - Steve Anson. Practical, not theoretical. The book most DFIR people recommend to people newly responsible for IR.
- Practical Threat Intelligence and Data-Driven Threat Hunting - Valentina Costa-Gazcón. Pairs well with the SANS DFIR track.
- The Tao of Network Security Monitoring - Richard Bejtlich. Pre-cloud and unapologetically so, but the mental model is foundational.
AI / LLM security
- The Developer's Playbook for Large Language Model Security - Steve Wilson. The most practical book on LLM application security; written by the OWASP Top 10 for LLM project lead.
- Not with a Bug, but with a Sticker - Hyrum Anderson & Ram Shankar Siva Kumar. Adversarial ML for people who run security programs, not just researchers.
Risk, leadership, and the meta-game
- How to Measure Anything in Cybersecurity Risk - Douglas Hubbard & Richard Seiersen. The book that retired the heatmap.
- The Manager's Path - Camille Fournier. Not security-specific, but the reference for any IC moving into management.
- Sandworm - Andy Greenberg. Long-form context on what nation-state attackers actually do; useful for anyone whose threat model includes them.
- Click Here to Kill Everybody - Bruce Schneier. Strategic-altitude view of the broader security landscape.
Blogs
Vendor research blogs (the good ones)
Not all vendor blogs are created equal. These earn their place because they publish original research, not product marketing.
Wiz Research
Cloud-native vulnerability research; the team behind several of the bigger cloud-CVE disclosures of the last few years.
Orca Security Research
Counterpart to Wiz - original cloud research with well-written write-ups.
Datadog Security Labs
Stratus Red Team comes from this team; consistently good detection content.
AWS Security Blog
The first-party reference. Subscribe.
Microsoft Security Blog
Defender / Sentinel / Entra updates plus MSTIC threat intelligence.
Google Cloud Threat Intelligence
Mandiant + GCP. Probably the strongest threat-intel blog in cloud right now.
Palo Alto Unit 42
Threat research with strong cloud and container coverage.
SentinelLabs
Adjacent but high-quality, especially on offensive tooling.
Individual blogs worth a feed slot
awsteele.com
Aidan Steele. Surprising and frequently eyebrow-raising AWS findings.
Phil Venables
Google CISO. CISO-altitude essays; especially good on board-level security communication.
Securosis
Rich Mogull and team. Cloud security commentary from someone who's been at it longer than most of the field.
Podcasts
Cloud Security Podcast
Ashish Rajan. The big one for our space. Practitioner interviews, vendor-fair, weekly.
Risky Business
Patrick Gray. Long-running, broader security but the news roundups are unmatched.
Darknet Diaries
Jack Rhysider. Narrative storytelling. The episodes on cloud breaches (Capital One, Code Spaces) are required listening.
Defense in Depth / CISO Series
David Spark. Cross-cutting security topics with senior practitioners.
SANS Internet Storm Center StormCast
Five-minute daily threat brief. Lowest possible activation energy.
Click Here
Recorded Future News. Polished journalism, weekly.
YouTube & conference video
A few channels worth a subscription if you learn better by watching. Conference talks especially - many of the best cloud-security ideas show up on a fwd:cloudsec or KubeCon stage a year before they hit a book.
fwd:cloudsec
The cloud-security-only conference. Talks land on YouTube within weeks - the closest thing to a yearly state-of-the-field roundup.
Black Hat
Annual talks on offensive research and novel attack classes. Filter for cloud / container / IAM tracks.
AWS Events
re:Inforce and re:Invent security tracks. First-party but the deep-dive sessions (400-level) earn their watch time.
CNCF (KubeCon)
KubeCon and CloudNativeSecurityCon. Best single source for Kubernetes and supply-chain security talks.
SANS Cloud Security
Free webcasts and conference recordings. Lecture-style, training-flavored.
DEF CON (Cloud Village)
The Cloud Village track has matured into a genuinely strong cloud-attack research venue.
People to follow on X / Bluesky / LinkedIn
A short, opinionated list of practitioners who consistently publish things worth reading. Many of these folks post the same content on multiple platforms; the badges below each entry are name-searches on each platform - no stored handles, so the page ages slower. PRs welcome to add or update.
Cloud security depth
- Scott Piper - Wiz; creator of the flAWS CTF series and the AWS Security Reference. Blog: Summit Route. Why follow: deep, no-fluff AWS security analysis.
- Daniel Grzelak - CEO of Plerion; ex-Atlassian CISO. Why follow: opinionated cloud security commentary; will tell you when the emperor has no clothes.
- Marco Lancini - runs the Cloud Security Newsletter. Blog: marcolancini.it. Why follow: technical clarity, generous link-sharing.
- Rami McCarthy - Wiz; ex-Datadog. Why follow: balanced takes on tooling and program design; CSA Top Threats co-author.
- Aidan Steele - independent. Blog: awsteele.com. Why follow: AWS deep-dives that often surface things AWS would prefer you didn't find.
- Houston Hopkins - IAM and guardrails at scale; well-known for AWS-Org-shaped war stories. Why follow: hard-won lessons about doing cloud security at large companies.
- Will Bengtson - HashiCorp; ex-Netflix. Why follow: cloud detection & IR at scale; the Trailblazer / SecurityMonkey lineage.
Detection, IR & offense
- Christophe Tafani-Dereeper - Datadog; maintainer of Stratus Red Team. Why follow: cloud attack-emulation thinking made approachable.
- Andrew Krug - Datadog; long-time conference circuit. Why follow: practical IR + community-builder energy.
- Rhino Security Labs - the Pacu / CloudGoat team. Why follow: announcements and write-ups for the canonical AWS-attack tooling.
AppSec & DevSecOps
- Tanya Janca (SheHacksPurple) - AppSec educator at shehackspurple.ca. Why follow: kindest practitioner in security; great if you're new.
- Clint Gibler - runs tl;dr sec. Why follow: sharp distillations of weekly research.
- Liz Rice - Isovalent / CNCF; container security author. Personal site: lizrice.com. Why follow: definitive voice on Kubernetes and eBPF security.
Strategy, leadership, broader security
- Phil Venables - Google Cloud CISO. Blog: philvenables.com. Why follow: board-level security thinking, well-written essays.
- Kelly Shortridge - Fastly. Blog: kellyshortridge.com. Why follow: resilience engineering for security; will change how you think about programs.
- Rich Mogull - Securosis / FireMon. Why follow: has been doing cloud security since before the term existed.
- Bruce Schneier - Harvard Kennedy School. Site: schneier.com. Why follow: the dean of security commentary.
- Bob Lord - ex-CISA, ex-DNC CSO. Why follow: cyber policy with operator credibility.
Cloud journalism worth following
- Lily Hay Newman - WIRED. Why follow: cybersecurity reporting with technical fidelity.
- Catalin Cimpanu - Risky Business News. Why follow: volume + accuracy that's hard to beat.
- Andy Greenberg - WIRED; author of Sandworm. Why follow: long-form on nation-state and supply-chain security.
Three hours intentionally split across formats beats ten hours of doom-scrolling X. - the recommended weekly split, above
Communities worth joining
Where practitioners actually answer each other's questions. Beyond our own Friday Zoom and Signal chat:
- Cloud Security Forum Slack - the largest vendor-neutral cloud-security Slack. Active channels for AWS, Azure, GCP, Kubernetes, IAM, and IR. Request an invite via the site.
- fwd:cloudsec - the annual cloud-security-only conference, plus a year-round Slack for attendees and alumni.
- CSA Circle - Cloud Security Alliance's community platform; useful for working-group discussions and CCSK study cohorts.
- OWASP Slack - for the AppSec side of the house; #cloud-security and #project-* channels.
- r/cybersecurity & r/AskNetsec - noisier, but useful for "what is everyone seeing" questions and career threads.
Papers, frameworks & canonical reads
The handful of documents you'll keep returning to. All free.
- CSA Security Guidance v5 - Cloud Security Alliance. The single best vendor-neutral primer for the field. ~250 pages, free PDF.
- MITRE ATT&CK for Cloud - The shared vocabulary for cloud attacker techniques. Map your detections against it.
- NIST SP 800-207: Zero Trust Architecture - The reference document everyone cites for zero-trust. Read the paper, not the marketing.
- CISA advisories - Current attacker activity and remediation guidance, US-government flavored.
- OWASP Top 10 for LLM Applications - The starting point for AI / LLM security threat-modeling.
- AWS Well-Architected Security Pillar - Free, opinionated, written by people who actually run AWS.
- Microsoft Cloud Adoption Framework - Secure - Azure equivalent.
- Google Cloud Architecture Framework - Security - GCP equivalent.
- Real breach post-mortems - see our breach kill chains for the curated set, each mapped to ATT&CK.
Contribute or correct
This list is intentionally short and intentionally opinionated. It will go stale unless the community keeps it honest:
- Add a person, blog, or book - open a PR against this page on GitHub. Include a one-line "why follow / why read." Self-nominations welcome (we'll review).
- Correct a handle, link, or affiliation - same path. Or message in the Signal chat.
- Suggest a removal - if a once-recommended resource has gone quiet or off-topic, flag it and we'll move it out of the active list.
- Suggest a new section - if you think a category is missing (e.g., "Cloud security YouTube channels"), file an issue.
Where next
- Learning path - where this reading list fits into the bigger picture.
- Careers guide - the roles these folks work in.
- Full resources catalog - 200+ tools, labs, and references beyond the curated list above.
- CSOH news feed - auto-aggregated headlines from many of the blogs above.
- Friday Zoom + Signal chat - meet the practitioners who maintain this list.