Trace the pivot paths inside your cluster before someone else does.

SecureLayer7 testers abuse Kubernetes the way a motivated actor does after they already have a foothold: reachable kubelets, RBAC verbs that chain to cluster-admin, admission stacks that look fine on paper, and tokens that survive longer than the pod. You get ranked chains with manifests, kubectl transcripts, fixes written for platform engineers, and a re-test so audit sees proof, not debate.

Manual cluster testing · CVE-disclosing researchers · Audit-ready kill-chain reporting

See the cluster pivot paths
Four cluster planes, control plane, identity, supply chain, and the highlighted workload, converging on a privileged-pod escape proof card showing root on the host.

Cluster-internal vantage

We start from workloads and identities your threat model already treats as risky, then move toward control plane and supply-chain edges. Not a perimeter-only review.

Working proof-of-exploit

Manifests, commands, and remediation your engineers can drop straight into tickets. Not a passing CIS row that still leaves cluster-admin within reach.

Re-test included

After you ship patches, we re-run the chain. Written confirmation for each closed pivot, at no extra fee.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • ISO/IEC 27001

Why benchmarks greenwash risk

Clean CIS rows do not erase cluster-admin routes. Chained pivots do.

kube-bench, Trivy, and CIS profiles grade configuration snapshots. They rarely prove chained impact: compromised workload, abused kubelet API, lateral hops across namespaces, cluster-admin. We chain those steps the way an adversary would, so platform leads and auditors get a narrative they can follow without guessing.

Two columns, passing config-audit findings on the left, and the chained pivot path each one becomes during a manual cluster pentest on the right.

IN SCOPE.

Where we trace pivots in your cluster.

RBAC
Role + binding chains

Cluster-role bindings, escalation verbs, impersonation, token-creator paths to cluster-admin.

WORKLOAD
Pod escape paths

Privileged pods, hostPath mounts, capabilities, securityContext drift, runtime breakout.

NETWORK
Pod-to-pod routes

NetworkPolicy gaps, service mesh trust, ingress to internal services, DNS rebinding inside-cluster.

SUPPLY CHAIN
Image + admission

Registry trust, admission controllers, mutating webhooks, sidecar injection, signed-image bypass.

POD-ESCAPE PATHS.

Where a misconfigured cluster gives an attacker root on the host.

  1. hostPath to node root

     Pod mounts / from the host, attacker writes to /etc/kubernetes/manifests, static-pod becomes a privileged kubelet workload.

  2. Privileged pod escape

     securityContext.privileged true, capabilities SYS_ADMIN, mount cgroups release_agent, execute on the node as root.

  3. Service-account token theft

     Auto-mounted token in a compromised pod, kubectl auth can-i wildcard, list secrets across every namespace.

  4. Kubeconfig from disk

     Developer kubeconfig left in a CI runner image, cluster-admin context survives image rebuild, attacker reuses it from outside.

  5. etcd direct read

     etcd endpoint exposed on the control-plane subnet without client-cert auth, dump every Secret object in plaintext.

  6. Admission webhook bypass

     ValidatingAdmissionWebhook fail-open on timeout, attacker submits a Pod that the policy would have blocked.

  7. Ingress mTLS gap

     Internal service trusts the ingress identity, attacker who reaches the service mesh from a sidecar replays cluster-internal calls.
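The preconditions behind items 1, 2, 3 and 6 above are visible in the manifests themselves. The following checker is an added illustration, not SecureLayer7 tooling: it walks a Pod and a ValidatingWebhookConfiguration as plain dicts (the shape yaml.safe_load returns) and reports each escape-enabling setting with the Pod Security Standards level it breaks. The sample objects and the webhook name are constructed.

```python
"""Manifest checks for the pod-escape preconditions listed above (items 1, 2,
3 and 6). Added illustration, not SecureLayer7 tooling; inputs are plain
dicts shaped like yaml.safe_load output so the script runs offline."""
from typing import Dict, List


def pod_findings(pod: Dict) -> List[str]:
    """Return each escape-enabling setting in a Pod, tagged with the Pod
    Security Standards level (baseline) that the setting violates."""
    spec = pod.get("spec", {})
    out: List[str] = []
    # Item 1: any hostPath mount, worst case the node root "/"
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path is not None:
            out.append(f"volume {vol.get('name')}: hostPath {path} (baseline)")
    # Item 2: privileged flag or SYS_ADMIN on any container, init containers included
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            out.append(f"container {c.get('name')}: privileged true (baseline)")
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            out.append(f"container {c.get('name')}: adds SYS_ADMIN (baseline)")
    # Host namespaces widen the same breakout classes
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            out.append(f"{key} true (baseline)")
    # Item 3: the token is mounted unless the Pod (or its ServiceAccount) opts out
    if spec.get("automountServiceAccountToken", True):
        out.append("serviceaccount token auto-mounted (item 3 precondition)")
    return out


def webhook_findings(cfg: Dict) -> List[str]:
    """Item 6: a webhook with failurePolicy Ignore admits the object when the
    policy backend times out; the API server default is Fail."""
    return [f"webhook {w.get('name')}: failurePolicy Ignore (fail-open)"
            for w in cfg.get("webhooks", [])
            if w.get("failurePolicy", "Fail") == "Ignore"]


# Constructed samples, not taken from any engagement
SAMPLE_POD = {"kind": "Pod", "metadata": {"name": "debug-shell"}, "spec": {
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "sh", "image": "busybox", "securityContext": {
        "privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
SAMPLE_WEBHOOK = {"kind": "ValidatingWebhookConfiguration", "webhooks": [
    {"name": "policy.example.internal", "failurePolicy": "Ignore", "timeoutSeconds": 5}]}

if __name__ == "__main__":
    for line in pod_findings(SAMPLE_POD) + webhook_findings(SAMPLE_WEBHOOK):
        print(line)
```

Run it against exported manifests (kubectl get ... -o json) to triage which workloads and webhooks to prioritise; it is a screening aid, not a substitute for the manual chain.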

On record

Accredited testers, audited handling.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your cluster evidence, Kubernetes artefacts, and your engagement record.

CREST accredited

CREST

Accredited company & testers

CERT-In empanelled

CERT-In

Empanelled auditor

AICPA SOC 2 Type II

SOC 2 Type II

Independently audited

ISO/IEC 27001, Information Security Management

ISO/IEC 27001

Information Security Management

Mapped to audit requirements across

SOC 2 Type II · PCI DSS · HIPAA · ISO/IEC 27001 · GDPR · NIST CSF · FedRAMP · and others

Scope

Four cluster planes. One engagement.

Most cluster reviews stop at isolated findings. We chain control plane exposure, workload breakout, identity and secrets, and supply-chain trust in one engagement, mapped to your topology and exercised manually against the bug classes that appear once an attacker already has a foothold.

Control plane

kube-apiserver anonymous-auth, etcd 2379 exposure, kubelet 10250 unauth, scheduler / controller-manager metrics leak, admission-webhook race, audit-policy gap, /healthz info disclosure, in-cluster API server SSRF.

Workload & data plane

Privileged-container escape, hostPath / hostNetwork / hostPID abuse, SYS_ADMIN & NET_RAW capability misuse, missing seccomp / AppArmor, PodSecurityStandards bypass, NetworkPolicy default-allow, sidecar trust-boundary leak, ConfigMap secrets leak.

Identity, RBAC & secrets

ServiceAccount token theft and replay, escalate / impersonate / bind verb chaining, over-scoped ClusterRoleBinding, projected-token reuse across namespaces, IRSA / Workload-Identity confusion, External-Secrets misconfig, kubectl auth can-i blind spots.

Supply chain

Mutating-webhook abuse, unsigned-image admission, ImagePullSecret leak, base-image typosquat, SBOM tampering, GitOps repo and pipeline takeover, Helm-chart values injection, registry-credential reuse across clusters.

KUBERNETES METHODOLOGY.

Eight phases. Threat-modelled to your cluster.

Scoped to your topology, namespaces, RBAC graph, admission controllers, and how images actually ship. We stress APIs, controllers, workloads, and pipelines until impact is demonstrated or ruled out. Deliverables include prerequisites, blast radius, and remediation sized for how your platform team ships change.

  1. Scope & threat-model
  2. Recon & enumeration
  3. Configuration review
  4. Identity & RBAC exploitation
  5. Workload & cluster exploitation
  6. Supply chain & admission
  7. Remediation guidance
  8. Patch verification

Meet our engagement lead

Engagement lead. John Dill.

John Dill

vCISO at SecureLayer7

15+

Years in offensive security

150+

Engagements led to date

99.99%

On-time engagement delivery

John owns Kubernetes engagements from scope to re-test. Topology and RBAC graph become the test plan your platform org recognises. He stays through live walkthroughs, remediation, and re-test.

  • Scopes EKS, AKS, GKE, and self-managed clusters against how you run production, not a generic checklist.
  • Runs kick-off, mid-engagement reviews, and live demos for every material finding.
  • Closes the loop on remediation and re-test until pivot paths are demonstrably gone.

SL7 Lab. Published CVE research.

When your next board or audit cycle asks how far someone moves from one bad pod, book 30 minutes with John. Topology, RBAC graph, and timeline on one call.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Multi-tenant k8s, namespace isolation drift, service-mesh boundaries.

FinTech

Banking workloads on k8s, secret-rotation, PCI segmentation in service mesh.

HealthTech

HIPAA-aligned k8s workloads, PHI-handling pods, audit-log retention paths.

Built for United Arab Emirates engagements

What changes when we deliver here.

  • Compliance scoping

    Findings tagged to UAE IAS v2 T8 + PSS level + CIS K8s row

  • Regulatory framework

    Service-mesh sidecar coverage on Istio, Linkerd, Cilium

  • Local engagements

    Tested a Dubai logistics platform's 200-node EKS estate

  • Local pricing

    AED quotes; per-cluster pricing with per-node band

  • Compliance scoping

    Admission-controller bypass paths in every report

K8s questions UAE platform teams ask.

  • Do you test EKS, AKS, and GKE the same way?

    Yes. Cluster checks share the same playbook. Cloud-specific IAM bridges differ; findings list the bridge per provider with UAE IAS v2 T8 mapping.

  • Is Pod Security Standards mapping included?

    Yes. Each workload finding cites the PSS level it breaks: privileged, baseline, or restricted. UAE IAS v2 T8 cross-reference in the same row.

  • Do you cover service-mesh sidecars?

    Yes. Istio, Linkerd, and Cilium. Sidecar bypass, mTLS gaps, and policy-engine holes tested. Findings cite mesh and PSS level.

  • Is admission-controller review part of scope?

    Yes. OPA Gatekeeper, Kyverno, and ValidatingAdmissionPolicy. Bypass paths and policy gaps documented with reproduction steps.

Delivery in United Arab Emirates

K8s tested to UAE IAS T8 + PSS.

Pod, node, and control-plane findings cite UAE IAS v2 T8 cloud sub-controls and Kubernetes Pod Security Standards baseline. Admission-controller bypass paths covered.

Direct line
+971-4-123-4567
Office
Dubai, UAE

Frameworks scoped: UAE IAS · NESA · ADHICS · PCI DSS · ISO/IEC 27001.

Sample Kubernetes pentest report, kill-chain · evidence · remediation

Sample engagement report

See a manifest-led kill chain auditors can follow.

The sample pack walks YAML-shaped edges, RBAC escalation, and the shortest path from workload compromise to cluster-wide impact. Redacted from real engagements, formatted for risk and audit readers. Sent after a short scoping call so examples match your environment.