About Me
I am a Visiting Postdoc at Stanford University. My research focuses on building automated, agentic systems to identify and mitigate structural security and privacy risks at internet scale.
I hold a PhD from KIT. Previously, I was a Visiting Scholar at UC Davis. I also work closely with the if(is) and Intellisec research groups and I am a core maintainer of the open-source project HTTP Archive and the Editor-in-Chief of the Web Almanac.
I actively translate my research into operational tools. I am the founder of the global threat intelligence platform SecuSeek.
Publications (selected)
See my Google Scholar page for the full list of publications.
2026
Understanding Data Collection, Brokerage, and Spam in the Lead Marketing Ecosystem
Yash Vekaria, Nurullah Demir, Konrad Kollnig, Zubair Shafiq
47th IEEE Symposium on Security and Privacy (IEEE S&P), 2026
3rd FTC Conference on Marketing and Public Policy (FTC), 2026
5th CNIL Privacy Research Day, 2026
Keys on Doormats: Exposed API Credentials on the Web
Nurullah Demir, Yash Vekaria, Georgios Smaragdakis, and Zakir Durumeric
Preprint (arXiv:2603.12498)
Four Decades of Security and Privacy Research: Evolution of Topics, Impact, and the Community
Nurullah Demir, Christian Böttger, Henry Hosseini, Meryem Demir, Christian Wressnegger, Norbert Pohlmann, Tobias Urban
Oxford University Press, Journal of Cybersecurity, 2026
“This Paper is Quite Unusual:” Metascience and Structural Misalignment in the Security & Privacy Research Community
Henry Hosseini, Christian Böttger, Tobias Urban, Nurullah Demir
In Workshop on Metascience and Critical Reflections in Security & Privacy, co-located with the 47th IEEE Symposium on Security and Privacy (IEEE S&P), 2026
2025
Understanding Regional Filter Lists: Efficacy and Impact
Christian Böttger, Nurullah Demir, Jan Hörnemann, Bhupendra Acharya, Norbert Pohlmann, Thorsten Holz, Matteo Grosse-Kampmann, Tobias Urban
In the 25th Privacy Enhancing Technologies Symposium (PETS), 2025
Privacy from 5 PM to 6 AM: Tracking and Transparency Mechanisms in the HbbTV Ecosystem
Christian Böttger, Henry Hosseini, Christine Utz, Nurullah Demir, Jan Hörnemann, Christian Wressnegger, Thomas Hupperich, Norbert Pohlmann, Matteo Große-Kampmann, Tobias Urban
55th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2025
Every Keystroke You Make: A Tech-Law Measurement and Analysis of Event Listeners for Wiretapping
Shaoor Munir, Nurullah Demir, Qian Li, Konrad Kollnig, Zubair Shafiq
Preprint (arXiv:2508.19825)
The 2025 Web Almanac
Nurullah Demir (Editor-in-Chief)
6th Edition, HTTPArchive.org, 2025
2024
A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users’ Privacy
Nurullah Demir, Tobias Urban, Norbert Pohlmann and Christian Wressnegger
Proc. of Privacy Enhancing Technologies Symposium (PETS), 2024
The 2024 Web Almanac
Nurullah Demir, Caleb Queern (Editor-in-Chief)
5th Edition, HTTPArchive.org, 2024
2023
Better Web Measurements: Enhancing Security and Privacy Research
Nurullah Demir
PhD Dissertation, Karlsruhe Institute of Technology (KIT), 2023
On the Similarity of Web Privacy Measurements Under Different Experimental Setups
Nurullah Demir, Tobias Urban, Jan Hörnemann, Matteo Große-Kampmann, Thorsten Holz, Norbert Pohlmann, and Christian Wresnegger
In Proc. of the 23rd Internet Measurement Conference (IMC), 2023
Angriffe auf die Künstliche Intelligenz – Bedrohungen und Schutzmaßnahmen
Dominik Adler, Nurullah Demir, Norbert Pohlmann
IT-Sicherheit – Mittelstandsmagazin für Informationssicherheit und Datenschutz, DATAKONTEXT-Fachverlag, 2023
2022
Reproducibility and Replicability of Web Measurement Studies
Nurullah Demir, Matteo Große-Kampmann, Tobias Urban, Christian Wressnegger, Thorsten Holz and Norbert Pohlmann
Proc. of 31st ACM Web Conference (WWW), 2022
Best Paper Award Runner-Up
Towards Understanding First-Party Cookie Tracking in the Field
Nurullah Demir, Daniel Theis, Tobias Urban and Norbert Pohlmann
GI-Sicherheit: Sicherheit, Schutz und Zuverlässigkeit, 2022
The 2022 Web Almanac: HTTP Archive’s annual state of the web report — Security Chapter
Tom van Goethem and Nurullah Demir
HTTPArchive.org, 2022
2021
Our (in) Secure Web: Understanding Update Behavior of Websites and Its Impact on Security
Nurullah Demir, Tobias Urban, Kevin Wittek, and Norbert Pohlmann
Proc. of 22nd International Conference on Passive and Active Measurement (PAM), 2021
The 2021 Web Almanac: HTTP Archive’s annual state of the web report — Security Chapter
Saptak Sengupta, Tom van Goethem and Nurullah Demir
HTTPArchive.org, 2021
Services
- ACM Internet Measurement Conference (IMC) – General Co-Chair: 2026
- Privacy Enhancing Technologies Symposium (PETS) – PC: 2025, 2026
- ACM Internet Measurement Conference (IMC) – PC: 2025
- The Web Almanac by HTTPArchive.org – General Chair: 2024, 2025
- ACM Conference on Data and Application Security and Privacy (CODASPY) – Ext. Reviewer: 2025
- Conference on Human Factors in Computing Systems (CHI) – Ext. Reviewer: 2025
- Annual Computer Security Applications Conference (ACSAC) – PC: 2024
- Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) – PC: 2024, 2026
- ACM Conference on Computer and Communications Security (CCS) – AE: 2023
- ACM Special Interest Group on Data Communications (SIGCOMM) – AE: 2023
- Privacy Enhancing Technologies Symposium (PETS) – AE: 2021, 2022, 2023
- USENIX Security Symposium – Artifact Evaluation Committee Member: 2023
- ACM European Conference on Computer Systems (EuroSys) – Shadow PC Member: 2023
- European Symposium on Research in Computer Security (ESORICS) – Sub-Reviewing: 2023
Talks
2026
- Understanding Data Collection, Brokerage, and Spam in the Lead Marketing Ecosystem, Federal Trade Commission, Washington D.C., USA
- Metascience and Structural Misalignment in the Security & Privacy Research Community, MetaCRiSP 2026, co-located with IEEE S&P, San Francisco, USA
2025
- Broken Security and Privacy Governance at Web Scale, Stanford University, USA
- Understanding Large-Scale Security and Privacy Malpractices in Web, TU Delft, Delft, Netherlands
- Measuring the Web at Scale, IEEE S&P 2025, San Francisco, USA
2024
- Alte Software – Neue Gefahren: Die stille Gefahr des Internets, Heise IT-Sicherheitstag, Gelsenkirchen, Germany
- A Large-Scale Study of Cookie Banner Interaction Tools and their Impact on Users’ Privacy, PETS 2024, Bristol, England
2023
- On the Similarity of Web Privacy Measurements Under Different Experimental Setups, IMC 2023, Montréal, Canada
- Analyzing Consent Banner Interaction Tools and Their Impact on Privacy, University of California, Davis, USA
- Exploring the Complexity of the Web and its Impact on Web Measurements, LACNIC40, Fortaleza, Brasil
- Understanding Update Behavior of Websites and Its Impact on Security, RIPE 86, Rotterdam, Netherlands
2022
- Towards Understanding First-Party Cookie Tracking in the Field, GI-Sicherheit, Karlsruhe, Germany
- Reproducibility and Replicability of Web Measurement Studies, WWW, Lyon, France
2021
- Our (in) Secure Web: Understanding Update Behavior of Websites and Its Impact on Security, Passive and Active Measurement, Brandenburg, Germany
- Understanding Update Behavior of Websites and Its Impact on Security, DEICy 2021, Warsaw, Poland
- KI: adaptives, kontext- und risikobasiertes Re-Authentifikationsverfahren – Authentifizierung im Web neu denken, Heise IT-Sicherheitstag, Webinar
Awards and Honors
Press
- Help Net Security: Health insurance lead sites sell personal data within seconds of form submission — April 2026
- MSN: Security study finds thousands of API credentials exposed on the web for years — April 2026
- TechRadar: API credentials are widely and publicly exposed on the web: Experts scour 10 million web pages — April 2026
- SANS NewsBites: Researchers Find Exposed API Keys: Analysis of 10 million websites — March 2026
- The Register: Security boffins scoured the web and found hundreds of valid API keys — March 2026
- Digital Trends: A simple coding mistake is exposing API keys across thousands of websites — March 2026
- Tech Xplore: Thousands of websites are accidentally broadcasting sensitive data, study finds — March 2026
- New Scientist: Security credentials inadvertently leaked on thousands of websites — March 2026
- Heise Online: Web Almanac 2025: HTTP Archive legt neue Ausgabe des Web-Jahrbuchs vor — January 2026
- Help Net Security: When typing becomes tracking: Study reveals widespread silent keystroke interception — September 2025
- Cybernews: 95% of websites run on outdated software with known vulnerabilities — March 2021
Software
- Maintainer: Pulse of Cybersecurity
- Lead developer: MultiCrawl
- Core Contributor: HTTPArchive