I am a Tenured Researcher at the Inria Centre at Universite Cote d’Azur (France). My research broadly focuses on Web security and privacy, Web measurements, and machine learning. Specifically, I design practical approaches to protect the security and privacy of Web users. I build systems to proactively detect malicious JavaScript code and suspicious browser extensions. I analyze data to understand how people spend time on the Web, and I want to use the resulting perspective to prioritize defense strategies.

Before that, I was a Tenure-Track Faculty (W2) at CISPA Helmholtz Center for Information Security (Germany, 2023–2025), where I was leading my research group. Prior to that, I was a Visiting Assistant Professor of Computer Science at Stanford University (U.S., 2021–2023), in the Empirical Security Research Group, led by Zakir Durumeric. Before that, I was a PhD student at Saarland University & CISPA (2018-2021), in the Secure Web Applications Group, jointly supervised by Ben Stock and Michael Backes. My PhD thesis revolves around studying JavaScript security through static analysis.

Before joining CISPA, I was a master student at the French Grande Ecole TELECOM Nancy, where I had the honor to give the valedictorian speech (2017). In particular, I wrote my master thesis at the German Federal Office for Information Security (BSI) under the supervision of Isabelle Chrisment and Robert Krawczyk.

What’s New?

• Jun 2026: I just came back from my “Tour de France” (with a small Luxembourg detour), where I gave several keynotes (at RESSI 2026 and APVP 2026) and talk (at the Plugin Seminar) on the security and privacy risks of browser extensions. The slides are available on my website. And the journey continues: I will be giving a virtual talk next week, at Seminar@SystemX on June 25.
• May 2026: Thrilled to announce that I am serving as Vice Chair for USENIX Security 2027!
• Dec 2025: For the third time this year, I am very excited to have received a Distinguished Reviewer Award, this time at ACSAC 2025! I was in three PCs in 2025 (USENIX Security, ACM CCS, and ACSAC), and I got a Top Reviewer Award for each!
• Dec 2025: Incredibly excited to share that I have joined the Inria Centre at Universite Cote d’Azur as a Tenured Researcher! I will continue my research on Web Security & Privacy, with a specific focus on JavaScript (in)security and browser extensions. At Inria, I will be creating a new research team together with Nataliia Bielova.
• Oct 2025: Thrilled and grateful to have received (another) Top Reviewer Award at ACM CCS 2025!
• Sep 2025: Our paper “It’s not Easy: Applying Supervised Machine Learning to Detect Malicious Extensions in the Chrome Web Store” got accepted at ACM TWEB! We also made the source code and feature set publicly available. Enjoy!
• Aug 2025: Thrilled and grateful to have received a Distinguished Reviewer Award at USENIX Security 2025!
• Mar 2025: Our paper “‘Perfect is the Enemy of Good’: The CISO’s Role in Enterprise Security as a Business Enabler” got accepted at ACM CHI 2025!
• Dec 2024: Our paper “SoK: On the Offensive Potential of AI” got accepted at IEEE SaTML 2025!
• Dec 2024: Thrilled and grateful to have received a Distinguished Reviewer Award at ACSAC 2024, for the second year in a row!
• Aug 2024: Our paper “Typed and Confused: Studying the Unexpected Dangers of Gradual Typing” got accepted at IEEE/ACM ASE 2024, and it has been awarded the “Available” and “Reusable” badges!
• Aug 2024: Our paper “When Adversarial Perturbations meet Concept Drift: an Exploratory Analysis on ML-NIDS” got accepted at ACM AISec 2024!
• Jul 2024: Happy to have gotten (yet another :)) Reviewer Recognition: Noteworthy Reviewer at EuroS&P 2024!
• Jun 2024: Our AsiaCCS 2024 paper “What is in the Chrome Web Store? Investigating Security-Noteworthy Browser Extensions” got a lot of media coverage! Forbes, The Register, AdGuard, Techspot, and dozens more.
• Jun 2024: Excited to be USENIX Security 2025 Artifact Evaluation Committee Co-Chair with Phani Vadrevu. We are looking forward to your artifact submissions!
• May 2024: Our paper “Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions” was accepted at ACM CCS 2024!
• May 2024: Happy to join as an Associate Editor of the ACM Transactions on Security and Privacy (TOPS). Consider accepting my review request!
• Dec 2023: Our paper “What is in the Chrome Web Store?” was accepted at AsiaCCS 2024!
• Dec 2023: Thrilled and grateful to have received a Top Reviewer Award for the second time in one week! This time at ACSAC 2023.
• Nov 2023: Extremely happy to have received a Top Reviewer Award at ACM CCS 2023, 2 years in a row!
• Oct 2023: Thrilled to be ACM CCS 2024 Workshop Chair with Christophe Hauser. We are looking forward to your workshop proposals!
• Sep 2023: The Web is going MAD again! Super excited to co-chair the 6th MADWeb workshop (co-located with NDSS 2024) with Yinzhi Cao!
• May 2023: Incredibly excited to join CISPA as a Tenure-Track Faculty in August! In the meantime, I am already looking for PhD students in areas related to Web Security & Privacy.
• Nov 2022: Stoked and grateful to have received a Top Reviewer Award at ACM CCS 2022!
• Sep 2022: The Web is going MAD again! Super excited to co-chair the 5th MADWeb workshop (co-located with NDSS 2023) with Zubair Shafiq!
• Aug 2022: Our paper “A World Wide View of Browsing the World Wide Web” got accepted at IMC 2022!
• Oct 2021: Starting as a Visiting Assistant Professor at Stanford University today! Excited to join the lab of Zakir Durumeric!
• Sep 2021: Our paper DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale got accepted at CCS 2021! Wanna check extensions for vulnerable data flows? Our source code is online.
• May 2021: Thrilled to have defended my dissertation!
• Oct 2020: Thrilled to have handed in my dissertation Studying JavaScript Security Through Static Analysis!
• May 2020: Interested in HideNoSeek? Check out the recording of my talk at RuhrSec 2020 #StayAtHome Edition!
• Mar 2020: Just released the clone detector part of HideNoSeek on GitHub. Have fun!
• Feb 2020: HideNoSeek ACM CCS recording is now available for download!
• Feb 2020: Just released an update of JStap on GitHub. Have fun!
• Dec 2019: Very excited to be part of RuhrSec 2020 to present HideNoSeek! See you in May in Bochum.
• Nov 2019: The source code of HideNoSeek is now partially online. Have fun and see you on 14-nov-19 in London!
  In the meantime, have a look at our 1 minute video, also available in French and German.
• Nov 2019: Delighted to be part of Saarland University’s program of excellence! Looking forward to networking, coaching, and mentoring.
• Sep 2019: The source code of JStap is now online with the ACSAC “Artifacts Evaluated – Reusable” badge. Have fun!
• Aug 2019: Our paper “JStap: A Static Pre-Filter for Malicious JavaScript Detection” got accepted at ACSAC 2019! See you in December in San Juan.
• Jun 2019: Our paper “HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs” got accepted at CCS 2019! See you in November in London.