Background
The MSc in Software and System Security degree at the University of Oxford provides students with a wonderful feature: you can select the modules that you want to work on and learn more about, rather than taking them just for the sake of the curriculum. This means that most people take a certain module because they are really curious and passionate about a subdomain of cyber and software engineering. So here goes my list of module selections, without gatekeeping.
Modules
I attended my first module in the lovely winter weather of February 2023 (although I was enrolled in October 2022).
Security Principles (February 2023)
A comprehensive understanding of cybersecurity’s specialized sub-domains necessitates a strong grounding in its fundamental principles. This module effectively achieves that balance by systematically building from first principles to more complex system-level considerations. It begins with foundational discussions on the rationale for security, core concepts such as the CIA triad, and the interrelationships between risk, threats, and vulnerabilities, before progressing toward security-aware system design.
The module further provides a rigorous treatment of cryptographic protocol design, which underpins the security of modern computing systems. It examines the primary goals of security protocols, including key distribution, authentication, and key confirmation, and explores the associated protocol constructions and attack models. Key topics include the use of symmetric-key and public-key cryptography, classic protocols such as Needham–Schroeder and Kerberos, the Diffie–Hellman key exchange mechanism, and the security implications arising from key compromise and improper key management.
Building on these foundations, the module introduces advanced cryptographic protocols, including Encrypted Key Exchange mechanisms and secret sharing schemes, highlighting their role in strengthening trust and resilience in distributed systems. The module concludes with a critical examination of real-world case studies, analyzing both failures and successful deployments of cryptographic protocols in contemporary systems, thereby reinforcing the importance of sound protocol design and implementation in practice.
Having historically associated cryptography with extensive memorization and complexity, I approached the module with some apprehension. However, I found the material to be far more engaging and conceptually driven than anticipated.
Cloud Security (February 2023)
This module allowed me to develop a structured understanding of cloud computing and related technologies while remaining deliberately provider-agnostic. I particularly appreciated this neutrality, as it encouraged me to focus on underlying security principles rather than vendor-specific implementations. Through the module, I engaged with foundational concepts such as trust, privacy, and the shared responsibility model, before examining their security implications, common attack scenarios, and the associated legal and regulatory consequences across different jurisdictions.
As the module progressed into security remediation, I found the emphasis on layered controls especially effective. The discussion extended beyond technical safeguards to include physical security considerations relevant to the design of cloud infrastructure, alongside policy- and procedure-based controls and personnel security measures. This approach reinforced for me that cloud security is not solely a technical challenge, but one that is equally shaped by organizational structure and human factors.
The concluding focus on virtualization, cloud-specific attack vectors, and corresponding security controls helped consolidate my understanding of how theoretical principles manifest in real-world cloud environments. Overall, the module strengthened my ability to reason about cloud security holistically, integrating technical, organizational, and regulatory dimensions.
Security In Wireless Networks (March 2023)
This was my third module at the University of Oxford and one I found particularly engaging due to my background in Electronics and Telecommunication Engineering. The module revisited core wireless concepts such as anti-jamming techniques, Frequency Hopping Spread Spectrum (FHSS), Direct Sequence Spread Spectrum (DSSS), and Orthogonal Frequency Division Multiplexing (OFDM), and extended them by examining how these technologies are attacked in real-world settings.
A key focus was the security of low-energy wireless technologies, including Bluetooth Low Energy (BLE), ZigBee, and NFC. The module provided valuable insight into how these protocols operate in practice and how design or implementation weaknesses can be exploited if not adequately secured.
One highlight was the discussion of the paper “Brokenwire: Vulnerability in the Combined Charging System for Electric Vehicles,” authored by members of the department, which demonstrated how subtle flaws in widely deployed systems can have significant security implications.
Overall, the module offered a well-balanced combination of theory and practical security analysis, deepening my understanding of wireless technologies and reinforcing the importance of security-by-design.
Mobile System Security (June 2023)
Building on Security in Wireless Networks, this module provided a technically rigorous and unusually well-integrated treatment of mobile security. It stands out as one of the strongest modules in the programme due to its systematic coverage of the mobile threat landscape across the telecommunication network, handset hardware, operating system, and application layers, and its consistent emphasis on applied security analysis.
The module went beyond platform overviews by examining Android and iOS security mechanisms in practice, including application signing and distribution models, hardware-backed security, biometric authentication, and controlled access to sensors such as cameras. It also addressed mobile malware techniques, combining static and dynamic analysis approaches with discussion of ecosystem-level mitigation strategies.
A particularly valuable component was the treatment of mobile handset forensics, explicitly analysing the conflicts between forensic evidence acquisition and device security guarantees. The inclusion of hands-on exercises throughout the module reinforced these concepts and distinguished it from more survey-based treatments of mobile security. The module concluded with a forward-looking examination of M2M communication, smart cities, and connected devices, grounding future risks in concrete architectural and physical security considerations.
Understanding and Mitigating Malware (June 2023)
I chose Understanding and Mitigating Malware to deliberately move beyond a purely technical view of malware analysis and engage with its broader social and economic dimensions. While I entered the module with prior exposure to malware analysis techniques, what made this module particularly compelling was how it reframed malware as an operational instrument within complex cybercriminal ecosystems, rather than as isolated malicious code.
I found the progression of the module especially effective. Beginning with malware history, taxonomy, and evasion techniques such as polymorphism and metamorphism provided a strong conceptual grounding, which was then reinforced through the analysis of network traces and execution behaviour. The discussion of how low-level activity, such as email spam, can scale into large-scale ransomware operations, banking fraud, and targeted espionage was particularly impactful, as it highlighted the cumulative and systemic nature of malware-driven threats.
What I valued most was the module’s emphasis on intent and incentives. Examining how threat actor groups leverage malware for monetisation, information gathering, and money laundering, alongside the role of underground economies and the dark web, significantly deepened my understanding of attacker decision-making. From a defensive standpoint, the module encouraged a more holistic mindset, combining technical controls such as antivirus and intrusion detection systems with economic, legal, and educational countermeasures. Overall, this module reshaped how I approach malware: not simply as a detection problem, but as a socio-technical challenge requiring multidisciplinary mitigation strategies.
Cyber Threat Intelligence (June 2024)
I returned to Oxford after a year-long gap to attend my sixth module, a pause largely shaped by a promotion year at work. That gap, however, sharpened my intent. I had long been keen to study Cyber Threat Intelligence (CTI) in a structured and conceptual manner, particularly as a complement to the practical intelligence-gathering work I had already undertaken professionally. This module felt like a natural inflection point.
What made the course particularly distinctive was its framing. Rather than treating CTI as a collection of tools or outputs, it centred on the psychology, motivations, and decision-making processes of threat actors. Beginning with the core categories of threat intelligence—strategic, operational, and tactical—and their respective use cases, the module progressively examined how different adversaries operate in practice, including profit-driven groups, insider threats, nation-state actors, and hobbyist hackers. This approach fundamentally reshaped how I think about intelligence collection: as an exercise in understanding intent and behaviour, not merely aggregating indicators.
The most valuable outcome for me was developing the mindset required to “think like the adversary” and tailor intelligence gathering accordingly. This perspective bridged theory and practice in a way that directly enhanced how I contextualise threats in real-world environments. The module was further enriched by guest lectures from leading practitioners in the field, including Jason Passwaters, CEO and Co-Founder of Intel 471, and Martin Lee from Cisco Talos, whose insights grounded academic concepts in operational reality. Overall, this module crystallised CTI for me as a discipline rooted as much in human behaviour and strategic thinking as in technical analysis.
Security & Incident Management (October 2024)
Continuing my focus on Digital Forensics and Incident Response (DFIR), I was particularly eager to undertake the Security & Incident Management module, as it directly aligns with my professional domain. The module systematically reinforced core principles of incident management, while providing structured insight into internationally recognised frameworks such as NIST and ISO.
A key strength of the course was its emphasis on the gap between documented processes and real-world execution during live incidents, particularly under operational and business pressure. It explored not only cyber incident response but crisis management more broadly whilst examining large-scale disruptions such as natural disasters and organisational breakdowns. This wider lens highlighted the importance of resilience, governance, and decision-making when established management structures fail.
The module concluded with an immersive cyber incident simulation in which we assumed the role of board members, navigating escalating scenarios under time pressure. The exercise effectively mirrored real-world executive decision-making, requiring us to balance risk, communication, and business continuity.
Overall, the module provided both theoretical grounding and practical exposure, deepening my understanding of crisis leadership and strategic incident response beyond the technical layer.
People and Security (March 2025)
I chose my eighth module, People and Security, purely on vibes and glowing peer reviews, and it turned out to be one of the most perspective-altering experiences of my time at Oxford.
I didn’t expect the human dimension of security to unsettle me the way it did. The module felt like a deliberate unlearning. So often in cybersecurity, we default to neat explanations that someone clicked something. But in this classroom, that instinct was interrogated. Through a Human-Computer Interaction lens, I began to see how simplistic that attribution really is. Security outcomes are not isolated human failures; they are the product of system design, cognitive load, context, incentives, and environment interacting in complex ways.
It genuinely felt like a spa for biases - a cleansing of the quiet assumptions we carry into incident response conversations.
The timing made it even more surreal. During the same week, I attended a session in Oxford titled “Lessons from Billion Breaches” by Troy Hunt, founder of Have I Been Pwned. In a moment of candid honesty, he shared how he had accidentally clicked a phishing link just before landing - attributing it to travel fatigue and context. Hearing that from someone synonymous with breach analysis was powerful. It wasn’t ironic; it was human. And it echoed exactly what we had been discussing in class: expertise does not immunise anyone against context.
The practical exercises drove this home. We developed a curated phishing email using publicly available information about our professor, Reuben; not to sensationalise attack techniques, but to understand targeting, persuasion, and the interplay between system, people, and task. The conversations that followed - about performance under pressure, about design, about responsibility - were some of the richest I’ve had.
I walked away from this module with a quieter, but stronger conviction: security is not just engineered in code. It is shaped in the space between people and systems. And if we don’t design for that space, we misunderstand the problem entirely.
Digital Forensics (April 2025)
By the time I took this module, I already felt at home in Oxford — and in security. But Digital Forensics humbled me in the best way possible.
Despite having worked in forensics for years, this module revealed how much I had unconsciously taken for granted as a practitioner. I had become comfortable navigating operating systems, file systems, and artefacts. I knew what to look for. But I had stopped asking the deeper question: where does this actually come from? Industry veterans often say, “don’t worship artefacts,” but rarely explain where to begin instead. This module became that missing starting point.
It forced me to rebuild my understanding from the ground up — quite literally, bit by bit. Beyond covering procedural fundamentals like chain of custody and hashing, the real learning happened at the structural level: disk offsets, where artefacts physically reside, how the MBR is structured, and what those 00 and FF values in hex truly represent. For the first time, I wasn’t just consuming tool output - I was understanding the substrate beneath it.
One of the most striking moments was learning how forensic and recovery tools interpret raw data — and how, in some cases, they overstate what they have actually “recovered.” Seeing research expose these assumptions made me fall in love with forensic research all over again. It reminded me that tools are abstractions - and abstractions must be questioned.
The module fundamentally reshaped my mental model of forensics. It reconnected practice with research, artefacts with architecture, and tools with truth. My assignment focused on Copilot application forensics - a fitting way to explore modern artefacts through a far more foundational lens.
This module didn’t just add knowledge. It rebuilt it.
Network Security (February 2026)
This was the final module of my MSc, and I truly couldn’t have chosen a better way to close this chapter.
I walked in believing I understood enterprise networks well enough to manage incidents. I walked out realising how much deeper the foundations run. Learning from people who have spent decades in the field, some present during the early evolution of modern networking, felt like a masterclass in intellectual humility. It was, in many ways, the hallmark of an Oxford education.
Beginning with the OSI and TCP/IP models, almost in the spirit of Andrew Tanenbaum’s foundational texts, we dissected networking layer by layer: protocols, demonstrations, attack surfaces, and their evolution over time. It wasn’t a recap. It was structural analysis. Intrusion detection was not presented as a tool category, but as a reasoning system built upon assumptions about traffic, state, and behaviour.
More importantly, it resolved professional questions I had carried for years. Why is full packet capture operationally critical, not just regulatorily convenient? Why introduce firewalls at specific trust boundaries rather than relying solely on routing controls? How do man-in-the-middle attacks succeed not merely through rogue devices, but through protocol design and session-state manipulation? These questions moved from intuition to clarity.
The module also examined network anonymity and the layered construction of Tor — not just how it functions, but the research assumptions and trade-offs underpinning it. That shift from “how it works” to “what assumptions it relies on” changed the way I evaluate systems.
What this module ultimately reinforced is that network security is about understanding state, trust, latency, and failure across layers — and designing systems that are secure by structure, not by patchwork.
Ending my MSc here felt appropriate. It closed the degree the same way it began: by demanding that I understand the foundations.