Scott Behrens (arbit)


I am currently employed as a Senior Application Security Engineer at Netflix. Before Netflix, I was a Senior Application Security Consultant at Neohapsis and an Adjunt Professor at DePaul univeersity.

My expertise lies in software security, security research, network penetration testing, and security architecture. I have contributed and developed a number of tools for attack and defense. I have also written tools in Python, Ruby on Rails, JavaScript, and Bash. You can visit my github page for more information on my research projects and tools.

I also love speaking and presenting my research. In the past few years I have presented research at DEF CON, Derbycon, Security Forum Hagenberg, Shakacon, ISACA, Security B-sides and various local secuirty meetups.

I have a Master’s of Science in Network Security from DePaul University and have the GPEN certification from SANS institute.

I'm an avid musician and have been playing in heavy metal and obscure rock bands for the last decade. I also make electronic music as well as produce hip hop. You can hear some of my audio projects on Bandcamp and Soundcloud


Trapping Hacks With Ensnare

SOURCE Boston- April 9, 2014
Presenters: Scott Behrens and Andy Hoernecke

In this talk we demonstrated the concept and design of the Ensnare framework. We also demonstrated how Ensnare can be used and customized to provide a unique protection against web application security threats.

What is CSP and Why Haven't You Applied It?

Chicago Security Meetup - August 18, 2013
Presenters: Scott Behrens, Ian Melven, Joel Weinberger, Caleb Queern, Kenneth Lee, Patrick Thomas, and Garret Robinson

This session was a combination of short micro talks and a workshop geared at getting you the tools needed to understand and implement CSP.

Mitigating Cross-site Scripting with Content Secuirty Policy

Chicago Security Meetup - August 18, 2013
Presenters: Scott Behrens and Patrick Thomas

This talk looked into what Content-Security Policy is and how it works. We then stepped through a variety of metrics from popular websites, taking into considerations which sites are already using CSP and which sites may have issues implementing this technology. Some strategies will be discussed to overcome the hurdles of implementing CSP.

MITM All the IPv6 Things

DEF CON 21 - July 5th, 2013
Presenters: Scott Behrens and Brent Bandelgar

This talk discussed the SLAAC IPv6 attack as well as some issues with the current approach to the attack. We discussed how the attack works as well as discussed our automation strategy and some pitfalls we uncovered. Wealso released "Sudden Six", an attack automation script and demonstrated the attack against Windows 8.

State of the Union: Advances in Web Application and Browser Secruity

Shakacon - June 28, 2013
Presenters: Scott Behrens and Ben Toews

The defensive side of web application security is moving at a very rapid pace and deserves to be investigated and presented in a way that is useful for both developers and hackers. We have seen a surge of proposed standards and governing documents to improve web security. We looked at the intricacies of the proposed and accepted standards as well as how they are implemented.

Rapid Blind SQL Injection with BBQSQL

Derbycon - September 28, 2013
Presenters: Scott Behrens and Ben Toews

Blind SQL injection can be a pain to exploit. Tools that help you exploit Blind SQL injection often don't work on weird or complex SQL injection vulnerabilities. BBQSQL is juicy and sweet and will make all of your BSQLI worries fade away. This talk covered why you need BBQSQL, game changing features such as hooks and a slick UI, and gave examples on how to work it into an application testing methodology.

Rapid Blind SQL Injection with BBQSQL

DEF CON 20 - July 29, 2012
Presenters: Scott Behrens and Ben TOews

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. This talk introduced a new tool called BBQSQL that attempts to address these concerns. This talk focused on a brief discussion of SQL Injection and Blind SQL Injection. It then segued into a discussion of how BBQSQL can be useful in exploiting these vulnerabilities. This talk covered how features like evented concurrency and character frequency based searching can greatly improve the performance of a SQL Injection tool.

Detecting Obfuscated Web Shells

Security Forum Hagenberg - April 17, 2012
Presenter: Scott Behrens

This talk discussed modern trends in web shell obfuscation, demonstrated techniques to detect them, and discussed some additional mechanisms in NeoPI scanning tool to aid in the identification of obfuscated web shells.

Where Dat Shell @?

Security B-Sides Chicago - April 16, 2011
Presenters: Scott Behrens, Ben Hagen

Presentation at Security B-Sides Chicago discussed trends in web shells, methods used to obfuscate them, and an overview of NeoPI to aid in the detection of web shells.

Software Development


Sketchy is a task based API for taking screenshots and scraping text from websites.


Scumblr is a web application that allows performing periodic searches and storing / taking actions on the identified results. I helped develop a number of search plugins for this project.

Sleepy Puppy

CSP Playground is a utility to let you test drive Content Seuciry Policy as well as validate your own policies.

CSP Playground

CSP Playground is a utility to let you test drive Content Security Policy as well as validate your own policies.


NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files.


BBQSQL is a sql injection framework that utilizes concurrent attacks, menu based configuration, and statistical heuristics to speed up data exfiltration.


Python utility to automate the SLAAC IPv6 attack.


Social Pretexting

Information Week - July 17, 2012
Authors: Scott Behrens, Steve Hunt

Using impersonation as an attack, a method known as social pretexting, is increasingly common and poses a serious risk to end users and businesses alike, from extracting secrets to planting seeds for future data theft. Pretexting isn't limited to teenagers setting up fake profiles to smear people or get secrets from their friends. NATO's supreme commander, James Stavridis, was also a target, and while nothing has been confirmed publicly, it is believed that the exploit resulted in some degree of elicitation of data from his associates.

Neohapsis conducted a field study to demonstrate the potential damage a pretexting attack may have on an enterprise. We decided to build a believable but fake security professional and use that persona to try to get information from people who should know better--other security pros.

Web Shell Detection Using NeoPI

Infosec Institute - April 13, 2011
Authors: Scott Behrens, Ben Hagen

NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. This article discusses some of the common trends in web malware obfuscation, techniques to detect them, and an overview of the NeoPI python tool.

Outgunned: How Security Technologies are Failing

Information Week Analytics - October 13, 2010
Authors: Scott Behrens, Greg Shipley

Information security professionals are dancing on the edge, hoping some mix of technology, education and hard work will keep our organizations safe. But lately, the tempo has changed, and the specter of failure is looming large. The analytics portion of this cover article for Information Week goes in-depth into how infective antivirus software is at detecting malware.



Find Me Here

Netflix Tech blog