Research

Areas I'm actively thinking about. If any of these overlap with your work, I'd love to compare notes.

๐Ÿ”

API Security & Fuzzing

Automated vulnerability discovery in GraphQL and REST APIs โ€” dependency-aware fuzzing, IDOR detection, and the limits of static vs. dynamic analysis.

๐Ÿค–

LLM-Assisted Security Testing

Using large language models to improve test coverage, classify endpoints, and reason about access-control chains. Where does the model help, and where does it hallucinate?

๐Ÿ›ก๏ธ

AI-Powered Cyber Defence

Using AI systems to detect, respond to, and anticipate attacks in real time โ€” from anomaly detection to autonomous incident response and adaptive threat modelling.

๐Ÿ“ก

Hardware & Embedded Security

Attack surfaces in embedded and IoT devices โ€” firmware analysis, side-channel attacks, and the gap between software security assumptions and hardware reality.

๐Ÿ“Š

Data-Driven Threat Intelligence

Applying data science and ML to security telemetry โ€” anomaly detection, attribution, and building pipelines that surface signal from noise at scale.

๐Ÿ“ˆ

Social Economics

Incentives, information asymmetry, and social dynamics โ€” with intersections in security (bug bounties, ransomware markets) and AI (labour displacement, governance).

Publications

Google Scholar
2025

GraphQLer: Enhancing GraphQL Security with Context-Aware API Testing

O Tsai, J Li, TT Cheung, L Huang, H Zhu, J Xiao, I Sharafaldin, MA Tayebi

arXiv preprint arXiv:2504.13358

2025

PrediQL: Automated Testing of GraphQL APIs with LLMs

S Liu, S Marefat, O Tsai, Y Chen, Z Deng, J Wang, MA Tayebi

arXiv preprint arXiv:2510.10407

2024

XploitSQL: Advancing Adversarial SQL Injection Attack Generation with Language Models and Reinforcement Learning

D Leung, O Tsai, K Hashemi, B Tayebi, MA Tayebi

Proceedings of the 33rd ACM International Conference on Information and Knowledge Management