Dr. Fabian Yamaguchi

Computer Scientist, Lecturer, Hacker.

Hi, I am a computer security professional, software engineer, and professor based in Cape Town, South Africa. Reach out for vulnerability assessments, talks, and courses on vulnerability discovery and exploitation.

What's new?

  • August'23: Our paper entitled "Learning Type Inference for Enhanced Dataflow Analysis" has been accepted at ESORICS'23 - Authors: Lukas Seidel, Sedick David Baker Effendi, Xavier Pinho, Konrad Rieck, Brink van der Merwe, and Fabian Yamaguchi.

  • August'23: After my move from Berlin, Germany to Cape Town, South Africa, I am now Founder and CTO of the IT security company Whirly Labs (Pty) Ltd.

  • January'22: Our paper entitled "Testability Tarpits: The Impact of Code Patterns on the Security Testing of Web Applications" has been accepted at NDSS'22 - Authors: F. Al-Kassar, G. Clerici, L. Compagna, F. Yamaguchi, and D. Balzarotti.

  • December'21: ThinkstScape Quarterly for Q4 2021 is featuring our research on automatic binary code analysis and router vulnerabilities.

  • November'21: The video of the NoHat talk about automated binary analysis of router firmware by Claudiu Vlad Ursache and myself is now available on YouTube.

  • November'21: Concluded the first iteration of my course Vulnerabilities and Exploits at Stellenbosch University.

About Me

Security Industry. I am currently Founder and CTO of the IT security company Whirly Labs (Pty) Ltd where I oversee all technical operations. At Whirly Labs, I focus on the delivery of high quality vulnerability assessments to clients, the development of internal tooling to make these assessments more effective, as well as on the training of the next generation of security consultants. I am also Chief Scientist Emeritus at Qwiet.ai (formerly ShiftLeft), a Silicon Valley based security company founded in 2016 with offices in Santa Clara, CA and Berlin, Germany. Backed by prominent venture capital firms including Bain Capital Ventures and Mayfield Fund, the company today provides timely and automated static application security testing (SAST) to enterprise customers and is growing its revenue at a rapid pace. As its Chief Scientist and a founding team member, I led its code analysis team. Together, we have developed and continue to improve the core technology of ShiftLeft's main product line, a code analysis platform that rests on the code property graph - a concept introduced in my dissertation and for which I received the CAST/GI Dissertation Award 2016. Staying connected with academia, the team performs research on code analysis in collaboration with a consortium of companies and universities as part of the project TESTABLE funded by the European Union.

Teaching and Academia. I have recently been appointed Associate Professor Extraordinary at Stellenbosch University where I teach the module vulnerability discovery and exploitation as part of the Honours in Computer Science programme. I myself have graduated summa cum laude with a PhD in computer science from the University of Goettingen where I worked as a research assistant and later as a postdoc in the computer security group led by Prof. Dr. Konrad Rieck. I hold a master’s degree in computer engineering from Technical University Berlin where I graduated with a thesis on vulnerability extrapolation for which I received the Outstanding Paper Award at the Annual Computer Security Applications Conference (ACSAC) in 2012.

Hacking and Security Research. Drawn to the hacking and open-source communities in my teens, I founded the "Young Programmer's Network" at age 13 - a collaboration platform for kids who liked programming - for which I received the ArsDigita Prize. At age 19, I was then fortunate enough to meet Felix "FX" Lindner who offered me my first job: reverse engineering and vulnerability research at his newly founded company Recurity Labs. During the time at Recurity Labs (2006-2011), I identified previously unknown vulnerabilities in many popular system components and applications, including the Microsoft Windows and Linux kernel, the Squid proxy server, and the VLC Media Player. Today, I carry out vulnerability assessments on demand and continue to present at hacking conferences.

My Work

The Code Analysis Platform Joern

I am the initiator and a core developer of the code analysis platform Joern, reference implementation of the code property graph approach.

Machine Learning for Vulnerability Discovery

In my dissertation I show how unsupervised machine learning techniques can be used to assist in the discovery of vulnerable code.

Lectures on Vulnerability Discovery

I offer lectures and short-courses on the discovery and exploitation of vulnerabilities as well as automations applicable in the process.

Embedded Security

As part of my work on binary analysis, I am increasingly focusing on identifying vulnerabilities in embedded and smart devices such as routers, phones, and TVs.

Scientific Publications

My work on vulnerability discovery and other topics in security has been published at top academic security conferences such as IEEE S&P, CCS, and USENIX Security.


I have reported vulnerabilities in well-known code bases, including the Linux and Windows kernels, the VLC media player, the instant messenger Pidgin, and the Squid proxy server.


Since 2007, I have been presenting my findings and techniques at industry conferences such as DEFCON (2008), First (2010), BlackHat USA (2011), Chaos Communication Congress (2007, 2008, 2009, 2014) and NoHat (2021), as well as at academic conferences such as ACSAC (2012), CCS (2013), and IEEE S&P (2014, 2015). You can find some of my talks here. If you would like me to speak at your conference, feel free to reach out.

Contact me.

Please feel free to contact me via e-mail.