Kris Oosthoek

Kris Oosthoek

PhD Candidate Cyber Threat Intelligence

Delft University of Technology


Kris Oosthoek is CTI lead at a government agency in The Netherlands. He is a part-time PhD candidate with the Cyber Threat Intelligence Lab at Delft University of Technology. His research focuses on the extraction of CTI from host and network artifacts. Kris has worked in various technical positions based from the US, UK and Afghanistan. He holds an MSc from Erasmus University and several commercial cyber security certifications such as CISSP, GICSP, GCTI, GXPN, GRID.


  • Cyber Security
  • Threat Intelligence
  • Penetration Testing


  • PhD in Cyber Threat Intelligence, current

    Delft University of Technology

  • MSc in Strategic Management, 2012

    Erasmus University Rotterdam

  • BSc in Informatics, 2010

    Rotterdam University of Applied Sciences



PhD Candidate

Delft University of Technology

Sep 2018 – Present Delft
Research into cyber threat intelligence from network and host artifacts at the Delft Cyber Threat Intelligence Lab with Christian Doerr.

Senior SOC Cyber Threat Intelligence Analyst

Dutch National Government

Jan 2015 – Present The Netherlands
Responsibilities include:

  • Threat Intelligence
  • Security Operations
  • TIP Management


GIAC Cyber Threat Intelligence (GCTI)

Cyber Threat Intelligence practitioner certification from SANS. Covers the basics of CTI (fundamentals of strategic, operational, tactical analysis).
See certificate

GIAC Advanced Penetration Testing and Exploit Development (GXPN)

Advanced penetration testing and exploiting certification from SANS. Covers cryptography exploitation, escaping restricted environments and advanced stack overflows for Windows and Linux.
See certificate

GIAC Response and Industrial Defense (GRID)

Industrial cyber security and threat intelligence certification from SANS. Focuses on forensics, incident response and malware in industrial control environments. Also covers threat analysis for ICS-oriented threats.
See certificate

GIAC Global Industrial Cyber Security Professional (GICSP)

Foundational industrial cyber security certification from SANS around architecture of industrial control systems.
See certificate

Certified Information Systems Security Professional

Managerial certification; bare cyber security fundamentals.

Recent Posts

What's wrong with Cyber Threat Intelligence

Over the last decade the field of Cyber Threat Intelligence (CTI) has emerged, which aims to preempt cyber threats by combining aspects from Computer Science and the Intelligence field. Something like Risk Management, but less dusty, practical, operational and able to deal with a highly dynamic environment.

Security Recommendations for Bitcoin hodlers

As follow-up on my Cryptocast appearance, some security recommendations for Bitcoin hodlers that don’t break the bank (your own bank).

BNR Cryptocast

Cryptocasters! Het valt voor @Misssbitcoin en @hmblank @BNR niet altijd mee een podcast te maken vanuit huis, met gasten op afstand. Maar toch weer mooi als het lukt. Met @f00th0ld, die onderzoek deed @tudelft naar gehackte #exchanges.

From Hodl to Heist

How and where do you buy your Bitcoin? Via a P2P marketplace, decentralized exchange, or rather through Coinbase, Binance and the likes? Most people do so via the latter ones. Centralized exchange platforms are compelling to most users as they are easy to use.

ATT&CK Techniques and Trends in Windows Malware

Most cyber security practitioners are by now aware of the Mitre ATT&CK framework and the tremendous potential it holds for increasing the understanding and mitigation of adversary TTPs. Within the Computer Science realm however, the framework has caught less altitude than in the infosec blogosphere.

Recent Publications

Cyber Threat Intelligence: A Product Without A Process?

Abstract not available as the journal does not use it. Read the full article here and the accompanying blog post here.

From Hodl to Heist: Analysis of Cyber Security Threats to Bitcoin Exchanges

Bitcoin is gaining traction as an alternative store ofvalue. Its market capitalization transcends all other cryptocurrencies in the …

SoK: ATT&CK Techniques and Trends in Windows Malware

In an ever-changing landscape of adversary tactics, techniques and procedures (TTPs), malware remains the tool of choice for attackers …


Average response time 12 hours

  • Van Mourikbroekmanweg 6, Delft, 2628 XE
  • DM Me