Shaanan is a Senior Lecturer and ARC DECRA Fellow whose research centers on the interplay between computer systems and the law, with particular focus on applications of cryptography. Shaanan recently completed a Postdoctoral Fellowship at Princeton University. Prior to that he served in the office of U.S. Senator Ron Wyden as a Cybersecurity Fellow.
TrustedThings
TrustedThings helps organisations find and prioritise security and privacy flaws in complex digital systems before they become breaches or expensive remediation projects. We draw on organisational insight to help make this process more effective and work to drive business value.
Led by Shaanan Cohney, Toby Murray, and Thuan Pham, the collaboration turns deep security research into automated testing tools for APIs, software deployments, embedded systems, and other products that are too complicated to check by hand.
The team combines academic depth with a delivery track record: award-winning publications, a provisional patent, government and industry-funded projects, and joint supervision of students building software security capability.
Team
Leads
Researchers and PhD students
Masters students
Matthew Pham, Runzhou (Ryan) Chen, Han Perry, Xiaocong Zhang, Qingyun Wu, Michael Maxwell Wenn, Haodong Gu, Zachary Duthie, and Simon Kelly.
Undergraduate students
Fane Ye and Ray Zhang.
Research
What we work on
- Finding vulnerabilities in software products that are too complex or fast-moving for manual review alone.
- Detecting excessive data exposure in Web services before sensitive information leaks to the wrong users.
- Testing Web APIs, network protocols, and embedded systems even when documentation is incomplete or behaviour depends on hidden state.
- Building automated tools that learn from real software artefacts, code reviews, and system behaviour to generate better security tests.
- Turning advanced fuzzing research into practical methods that partners can apply to difficult security testing problems.
Activity
Shared supervision and project work
- Joint PhD and Masters supervision, shared tool-building, and partner-linked project work in automated software security.
- Recent student work spanning Web API security testing, protocol reverse engineering, and security tests guided by source code and code review.
Open problems
Current research flavour
- Metamorphic and differential oracles for excessive data exposure and authorisation failures.
- End-to-end Web API fuzzing without complete specifications, including dependency inference and state setup.
- Stateful protocol fuzzing for systems with hidden state, long sessions, and brittle message grammars.
- Program-structure, source-code, and code-review-guided fuzzing that turns human design intent into search guidance.
- Evaluation methods for vulnerability discovery tools: reproducible benchmarks, bug triage, and evidence that findings matter.
Outcomes
Selected publications, patent, and recognition
Awarded paper
Detecting Excessive Data Exposures in Web Server Responses with Metamorphic Fuzzing
Lianglu Pan, Shaanan Cohney, Toby Murray, and Van-Thuan Pham. ICSE 2024.
Received the Distinguished Paper Award at the 46th ACM/IEEE International Conference on Software Engineering.
Paper
Trailblazer: Practical End-to-end Web API Fuzzing
Lianglu Pan, Shaanan Cohney, Toby Murray, and Van-Thuan Pham. ISSTA 2025 Registered Report.
Paper
Following Dragons: Code Review-Guided Fuzzing
Viet Hoang Luu, Amirmohammad Pasdar, Wachiraphan Charoenwet, Toby Murray, Shaanan Cohney, and Van-Thuan Pham. 2026 arXiv preprint.
Patent
System and Method for Detecting Excessive Data Exposures
Australian Provisional Patent 2022903182. Lianglu Pan, Toby Murray, Thuan Pham, and Shaanan Cohney.
Podcast
Collaborative Research, Not Competitive Research
New Books Network, 2025. Featuring Thuan Pham, with Lianglu Pan and Shaanan Cohney.
A conversation about how the group reads papers, develops ideas, and writes stronger research.
Recognition
FEIT Excellence Award in Mid-Career Research
Shaanan Cohney, Toby Murray, and Thuan Pham. University of Melbourne, 2024.
Funding
Joint support
CSA, Research Contract for 2x Masters Projects
$110,000 AUD · 2024 · with Van Thuan Pham and Toby Murray
Defense Science Technology Group, Research Contract for Student Supervision
$30,000 AUD · 2024 · with Van Thuan Pham and Toby Murray
Feedback-Guided Security Testing for Embedded Systems
University CIS Competitive Grant · $35,000 AUD · 2023 · with Van Thuan Pham and Toby Murray
Media
Shaanan Cohney
- Moltbook: AI agents swarm social media site in a bot-driven experiment · The Guardian · 2 February 2026
- Age verification technology introduced to Australia · ABC The World Today · 9 March 2026
- What are AI agents and can they be trusted? · ABC News Daily / ABC Listen · 22 February 2026
Media
Toby Murray
- Formal Verification in the Age of AI · Toby's Blog · 5 March 2026
- Leak of US military plans on Signal is a classic case of shadow IT · The Conversation · 25 March 2025
- What we know so far about the Australian superannuation fund cyber attacks · ABC News · 4 April 2025