CLOUD PENETRATION TESTING · AWS · AZURE · GCP · MULTI-CLOUD

Validate your cloud security posture. Beyond automated scanning.

Manual adversarial testing of AWS, Azure, and GCP environments. IAM privilege escalation, container breakout, cross-account lateral movement, and serverless exploitation — validated by operators, not scanners.

Live Threat Intelligence

The Numbers That Define Cloud Security Failure

Industry threat intelligence from Gartner, IBM, and CNCF — mapped to real MITRE ATT&CK® techniques we validate in every cloud engagement.

T001 · CRITICAL
Cloud Breaches via Misconfiguration
S3 public exposure · IAM wildcard policies · Open security groups
Source: Gartner 2024 Cloud Security Report

T002 · HIGH
Orgs with Over-Privileged IAM in Prod
AdministratorAccess on Lambda · EC2 instance profiles with *:*
Source: Unit 42 Cloud Threat Report 2024

T003 · HIGH
Cloud Incidents via Credential Theft
IMDSv1 abuse · Long-lived access keys · Exposed CI/CD secrets
Source: IBM Cost of Data Breach 2024

T004 · MEDIUM
Container Deployments Unprotected
Privileged pods · Host path mounts · No pod security policy
Source: CNCF Security Audit 2024

Attack Vector Simulation
IAM Exploitation
MITRE ATT&CK®
T1078.004 · Valid Cloud Accounts

Compromise service account credentials and reuse them via native provider APIs — often bypassing MFA controls enforced only on human identities.

T1548.005 · Temporary Elevated Access

Chain iam:PassRole + sts:AssumeRole to escalate from a low-privilege starting identity to full Administrator without touching the original user policy.

T1087.004 · IAM Principal Enumeration

Use GetCallerIdentity, ListRoles, and SimulatePrincipalPolicy to systematically map every reachable permission from a given identity without triggering alerts.

T1550.001 · Access Token Theft & Reuse

Steal short-lived STS session tokens from IMDS endpoints, CI/CD runners, or Lambda execution context to pivot across services without triggering rotation.

Services targeted: IAM · STS · EC2 · Lambda
IAM Privilege Escalation Lab

Interactive IAM Privilege Escalation Paths

40+ priv-esc paths catalogued
IAM Resource Graph (interactive diagram): dev-user (user), EC2Instance… (role), LambdaExecR… (role), CI/CD Servi… (service), AdminRole (admin)
IAM Attack Trace (PassRole escalation path)
Attack method: iam:PassRole → Lambda function creation → IAM role creation → AdministratorAccess (CAPEC-122)

Cloud Risk Intelligence

Cloud-Native Risk Landscape

Nine threat categories mapped to likelihood, impact, and real-world cloud exploitation data. Each risk traces directly to tested attack paths.

R01 · CRITICAL · IAM · Over-Privileged Service Accounts · CVSS 9.8 · CWE-732 · AWS, Azure, GCP
R02 · CRITICAL · Storage · Public S3 / Blob / GCS Misconfiguration · CVSS 9.1 · CWE-284 · AWS, Azure, GCP
R03 · HIGH · Network · Security Group / NACL Over-Permissiveness · CVSS 8.2 · CWE-284 · AWS, Azure
R04 · HIGH · Container · Privileged Container / Pod Breakout · CVSS 8.8 · CWE-250 · AWS, Azure, GCP
R05 · HIGH · Serverless · Lambda Environment Variable Secret Leakage · CVSS 7.5 · CWE-312 · AWS, GCP
R06 · HIGH · IAM · AssumeRole Cross-Account Trust Misconfig · CVSS 8.5 · CWE-863 · AWS
R07 · HIGH · Logging · CloudTrail / Audit Log Gaps · CVSS 6.5 · CWE-778 · AWS, Azure, GCP
R08 · HIGH · Network · Metadata Service SSRF (IMDSv1) · CVSS 7.7 · CWE-918 · AWS, Azure, GCP
R09 · CRITICAL · Secrets · Hardcoded Credentials in Source / CI · CVSS 9.0 · CWE-798 · AWS, Azure, GCP

Risk Heat Map (interactive figure; axes: impact, likelihood)
Legend: CRITICAL score ≥ 20 · HIGH score 12–19 · MEDIUM score 6–11 · LOW score < 6

Engagement Methodology

10-Day Cloud Pentest Lifecycle

A structured engagement cadence from initial reconnaissance through executive reporting. Each phase produces specific deliverables with measurable outcomes.

RECON · Cloud Footprint Discovery · Day 1–2
AUTH · Authentication & IAM Audit · Day 2–3
NET · Network Perimeter Testing · Day 3–4
DATA · Data Store Enumeration · Day 4–5
EXEC · Exploitation & Lateral Movement · Day 5–7
PERSIST · Persistence & Exfiltration Simulation · Day 7–8
REPORT · Findings & Remediation Delivery · Day 9–10

Phase 1 / 7 · RECON · Cloud Footprint Discovery

Map the entire cloud attack surface — exposed services, DNS, certificate transparency, and publicly enumerable cloud resources across all providers.

Duration: Day 1–2
Deliverables: Attack surface inventory · Exposed endpoint map · Technology stack fingerprint
Phase output: Asset inventory with risk scoring

Platform Coverage Matrix

AWS · Azure · GCP Service Coverage

Every test maps to a specific service, severity tier, and enumerated test case. 110+ individual test cases across all providers.

Service · Severity · Tests
IAM / STS (Identity) · critical · 5 test cases
S3 (Storage) · critical · 5 test cases
EC2 / IMDSv2 (Compute) · critical · 5 test cases
Lambda (Serverless) · high · 5 test cases
EKS / ECS (Container) · high · 5 test cases
RDS / Redshift (Database) · high · 5 test cases
CloudTrail / Config (Logging) · medium · 5 test cases
API Gateway (API) · high · 5 test cases

Container & Kubernetes Security

K8s Attack Simulation Lab

Six container and Kubernetes attack paths simulated step-by-step. Select an attack to see exploitation trace, impact analysis, and detection signatures.

A1 · critical · TA0004 · CWE-250 · CVE-2022-0185 · Privileged Pod → Node Escape · Vector: K8s Manifest Injection
critical · CWE-522 · Service Account Token Exfiltration · Vector: Automated SA Token Mount
high · CWE-312 · Container Registry Credential Theft · Vector: imagePullSecret Extraction
critical · CWE-287 · CVE-2020-8566 · etcd Direct Access → Cluster Takeover · Vector: Unprotected etcd API
high · CWE-306 · K8s Dashboard RCE via Unauthenticated Access · Vector: Exposed Dashboard
medium · CWE-923 · Sidecar Injection → Traffic Interception · Vector: MutatingWebhook Abuse

Multi-Cloud Lateral Movement

Cloud Attack Path Visualizer

Interactive kill-chain diagrams showing how attackers move from initial access to full cloud environment compromise.

AP1 · CRITICAL · TTC: < 2 hours
Developer Laptop → AWS Admin via CI/CD

Compromised developer workstation pivots through misconfigured CI/CD pipeline to achieve AWS administrative access across the organization.

Diagram: Dev Laptop (Entry Point) → commit with secrets → GitHub Repo (Secret Scan) → trigger workflow → CI/CD Pipeline (GitHub Actions) → AssumeRoleWithWebIdentity → AWS IAM Role (OIDC Trust) → PassRole escalation → Admin Access (AdministratorAccess)
1. Compromise developer workstation via phishing or supply chain
2. Scan git history for hardcoded AWS access keys
3. Keys trigger CI/CD workflow with OIDC IAM role trust
4. IAM role has PassRole permission — create new admin policy
5. Assume admin role for full org-level access

Attack Impact: Full AWS organization compromise via stolen CI/CD secrets and assumed admin role

Start Your Engagement

Your Cloud Environment Has Attack Paths

Manual cloud penetration testing that finds the issues automated scanners miss. IAM privilege escalation, container breakout, cross-account movement — all validated by adversarial operators.

Engagement Process
01 · Scoping Call · Day 0

30-min technical scoping call to define cloud environment, providers, accounts in scope, and objectives.

02 · Kickoff & Credential Setup · Day 1

Secure credential handoff, read-only IAM role configuration, VPN access if required for internal assets.

03 · Active Testing · Days 2–11

10-day structured testing engagement following our cloud pentest methodology across all in-scope services.

04 · Findings & Debrief · Day 12

Risk-prioritised findings report with executive summary, technical detail, and remediation playbook delivered.

What We Test
🔐 AWS Account(s) & IAM
☁️ Azure Subscription(s) & Entra ID
🌐 GCP Project(s) & Cloud IAM
📦 Kubernetes Clusters (EKS/AKS/GKE)
Serverless Functions & APIs
🗄️ Cloud Storage Services
🔄 CI/CD Pipelines
🐳 Container Registries
Engagements running — availability limited
No Automated Scanners
100% Manual Testing
CREST Methodology
NDA Before Kickoff
CVE-Quality PoC Evidence

Frequently Asked Questions


Still have questions?
Our security engineers answer within one business day.