The ASU SEFCOM/CDF Security Research Apprenticeship Program!

Are you interested in cybersecurity research? Do you want to visit the hottest up-and-coming security lab around, work on cool projects, and CTF on the side? You have come to the right place. The ASU research lab Security Engineering for Future Computing (SEFCOM) is looking for hackers to come and do research apprenticeships with us. This page has some frequently asked questions about the process.

What is an apprenticeship?

The apprenticeship is a full-time research position to a) get exposure to academic research in cybersecurity, b) help advance the state-of-the-art, and c) have an amazing time!

The apprenticeship is a full-time, local position. Unfortunately, we cannot support remote work (and it doesn't work for this type of position anyways). Because it is full time, it is intended for people who are either not students or who can take full time from their studies to pursue research.

Why should I do an apprenticeship?

A research apprenticeship serves several purposes:

  1. The apprenticeship exposes you to the environment of a world-class cybersecurity research lab and conveys what it means to conduct impactful research.
  2. Because you will be carrying out cutting-edge academic research, the apprenticeship can act as a "preview" of a PhD program for those that are curious about graduate school, but not yet ready to commit.
  3. The apprenticeship exposes you to prominent researchers in the field, giving you valuable interpersonal connections for future pursuits within and outside of academia.
  4. Because your work will be on the cutting edge, you will be exposed to emerging concepts and technologies (for example, binary analysis and angr at a more fundamental level than just by cloning them on github).
  5. For students in programs that encourage some amount of research (for example, a Master's thesis) to be done as a visiting scholar in an external institution, the apprenticeship provides a place to do that under the supervision of experienced advisors.

Who will I be supervised by?

Apprenticeships are carried out under the guidance of Yan Shoshitaishvili (known in the CTF scene as Zardus), Adam Doupé (known in the CTF scene as adamd), Ruoyu (Fish) Wang (known in the CTF scene as fish), and Tiffany Bao. Yan, Adam, Fish, and Tiffany are prominent researchers (with dozens of top-tier cybersecurity publications between them) and avid CTF players (having played and hosted CTFs with Shellphish, the pwndevils, and the Order of the Overflow). They are always pushing into new avenues of research, and Yan, Adam, and Tiffany are also currently organizing DEF CON CTF.

How long is the apprenticeship?

The length of the apprenticeship is very flexible. Our experience is that 6 months is the optimal length, but apprenticeships have lasted everywhere from 3 months through 1 year, although other durations (shorter or longer) are possible with good reason. This is largely up to you. Obviously, the longer you are here, the more ambitious and awesome projects you can undertake.

Where does the apprenticeship take place?

The apprenticeship takes place on-site in the SEFCOM lab at Arizona State University in sunny Tempe, AZ. The address of our building is Brickyard Engineering, 699 S Mill Ave, Tempe, AZ 85281. This is an on-site apprenticeship only—we don't really have a way to carry out apprenticeships remotely.

Will I be paid?

Yes, this is a paid apprenticeship! To properly set expectations: academia has less money to leverage than industry. Though it varies slightly by funding availability, an intern is usually supported at a rate around $1,800 per month. To put that into perspective in terms of Arizona's cost of living, ASU's furnished guest housing starts at $750.

Where will I live?

You will be responsible for finding your own place to live! There are several useful routes to doing so:

If you don't have housing figured out before you arrive, don't panic! Airbnb and the numerous hotels in the area provide temporary lodging opportunity.

Public transportation is fairly well-developed in Tempe. You have several options:

What will I work on?

You will have a lot of freedom (and also much guidance) in terms of what to work on. Some possibilities are:

  1. Senior PhD students in the lab often have brilliant project ideas that they simply do not have the bandwidth to pursue. Upon your arrival, students will pitch such projects (vetted by the professors) to you.
  2. The professors always have project ideas that they simply do not have the bandwidth to pursue. They will also pitch these ideas to you.
  3. You might (though this is rare and by no means required) arrive with ideas of what you want to work on. If this is the case, the professors will work with you to vet that the project has enough depth for an apprenticeship.

After the professors and students discuss possible projects with you, you should carefully deliberate on which ones interest you the most. This should not be done fast—taking several weeks to choose a project is perfectly okay. Take your time, clarify any uncertainties, and then dive in with confidence!

You will almost always be paired with a PhD student who will act as a research mentor (in addition to the SEFCOM professors). This will usually be the student whose brilliant idea you choose to turn into a reality. If you choose an idea pitched by a professor, or come up with your own, and feel that you work better with just the professors, that's fine as well (of course, keep in mind that our time is limited).

What is the end-goal of the apprenticeship?

Usually, your project will end up being a self-contained project that results in an academic publication. Writing academic papers is an awesome experience, and your student mentor and the professors will help you through the process. This does not absolutely have to be the case. If you are very passionate about doing a project focused fully on implementation (i.e., developing some awesome CTF tool as opposed to an awesome new program analysis approach), and have no external requirements to produce a paper (such as a Master's thesis), this is fine as well.

It is important to note that, in the end, this apprenticeship is more for you than it is for us. A good outcome (and we will strive to help you get there) is awesome for everyone. A bad outcome (and these, unfortunately, do happen) is not the end of the world. Bad outcome here means that no progress is made and nothing is produced. This is not to make the apprenticeship seem insignificant, but to relieve the pressure: our lives do not hang on your performance—don't panic! Of course, if you're looking for a letter of recommendation from us, shoot for the good outcome.

How will my progress be measured?

We have weekly meetings of the whole lab where everyone presents their progress, along with on-demand as-needed one-on-one sessions. You should be present at these meetings (or let us know of your absence in advance) even when you have not made progress. Research sometimes progresses in bursts, and you sometimes need to sit back and think on things for a while. This is fine, and we are absolutely accepting of it, but we like to know what's going on so that we can help if you're blocked.

Can I open source my work?

Yes! We all strongly believe in open access to research, and barring weird unforeseen circumstances, you will be encouraged to open source your projects as soon as the associated paper is published (or your apprenticeship ends if there is no paper outcome).

What about CTF?

We love to CTF! ASU is called home by the pwndevils, who meet every Tuesday (beginner session) and Thursday (advanced session) and play CTFs on weekends, and some members of Shellphish, who play CTFs when they feel like it. Additionally, Yan, Adam, and Tiffany are members of the Order of the Overflow, and are hosting DEF CON CTF in that capacity.

If you like to CTF, then CTF will be a fundamental part of your apprenticeship! Come hack with us, develop ideas inspired by CTF, and help push the community forward!

What about life?

We don't expect you to be a robot (although if you are, beep boop beep). Tempe and the surrounding area are home to lots of awesome activities, including comedy clubs, paintball, boat rentals on the lake adjacent to campus, escape rooms, laser tag, countless art, wine, and culture festivals, skating rinks, theaters, and so on.

Tempe is also well-positioned for exploring the rest of the US. To begin with, the Grand Canyon, one of the most impressive natural attractions in the US, is a short drive north. Mexico is a short drive south. Los Angeles and San Diego are short drives west. On top of this, Phoenix Sky Harbor Airport ($15 Uber ride from ASU) is a major airport hub in the US, with relatively inexpensive nonstop flights to most of the US.

Do not spend your apprenticeship locked in the lab! Experience what Tempe, Arizona, and (if you're from abroad) the US have to offer!

So what is expected of me, really?

As a successful intern, you will demonstrate technical skill and/or academic promise. How you do this is a function of you. We hope that you will do this while also enjoying the process, and that you will leave with fond memories (or decide to stay here long-term!).

In general, we are looking for excellent hackers: folks who can code, think, and are self-driven.

Sounds great! How do I apply?

If you are interested in the apprenticeship, please reach out to Yan ( Include the following information:

If we are not aware of you by reputation, we will carry out a quick call to get to know each other. Then, if we have capacity and if you will make a good fit, we will recommend that you apply to the official ASU Intern application process (Yan will send you a link). An important note: if you answer "no" to any of the final questions of the application, the system will automatically disqualify you and it will significanlty postpone the opportunity for you to re-apply. This is not something that we can control or change.

To apply, you will need:

The application process generally takes between one and three weeks, including a background check to verify the information provided on the resume (so please make sure there are no errors!). If you are a student, this process might require you to provide paperwork from your university showing proof of enrollment. If you have graduated, this might require you to send along your transcripts to ASU's HR office (not to us, don't worry). After this, you will receive the official offer of temporary employment and, if you are coming from outside of the US, the DS-2019 that you will use to apply for a J1 visa.

Once you receive the DS-2019, the process is out of our hands and in the hands of your local US embassy. It is very hard to estimate how long the visa application process takes, as it depends on the country in question, international events, and nondeterministic components. Visas have been acquired in a matter of days, and some have taken months. Plan accordingly!

What do I do on arrival?

You've arrived! Welcome to Arizona. Now, you should do a few things:

When you get to the lab, you will be given a desk to sit at and (if you need it) a computer. Then, after the next weekly lab meeting, we will hold a pitch session to pitch potential projects to you (see above)!