Cloud penetration testing services
Cloud penetration testing. For AWS, Azure, GCP, and Kubernetes.
A misconfigured role or an exposed bucket is rarely the whole story. We test how those small gaps chain into real access across your cloud, then hand you the fixes and the evidence your auditor needs.
Four providers
AWS · Azure · GCP · Kubernetes, one method, four control planes.
Evidence
Working proof-of-exploit and code-level fix guidance on every finding.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

On record
Cloud depth.
One misconfiguration is never just one finding. It's the first step into your account.
A single over-permissive role or an exposed key is rarely the whole risk. We chain those small gaps the way an attacker would, from one weak setting to real access across your account, and show you exactly where the path breaks. For Amazon-specific depth, see AWS penetration testing.
What we test
Four cloud surfaces. One engagement.
Each provider gets a manual, threat-modelled review against its real attack surface: control plane, identity, network, and workload. Intensity is tuned per scope.
Amazon AWS
IMDSv1 SSRF, IAM role chaining, public S3 enumeration, Lambda over-privilege, EKS cluster-role abuse, KMS key-policy misuse, Cognito user-pool misconfig, Secrets Manager exposure.
Microsoft Azure
Managed identity over-scope, Storage Account SAS leak, Function App env exposure, AKS pod-identity abuse, Key Vault access policy bypass, Azure AD application consent, Logic App secret reuse.
Google Cloud Platform
Workload-identity confusion, service-account impersonation, Cloud Run scope abuse, GKE node pool escape, Secret Manager IAM gaps, Cloud Storage bucket policy bypass, Cloud Functions trigger replay.
Kubernetes
Pod escape via privileged container, RBAC bypass, etcd exposure, kubelet API abuse, sidecar/init container attack paths, NetworkPolicy gaps, admission-controller bypass, ServiceAccount token theft.
Cloud pentest methodology.
Eight phases. Control plane to workload.
Threat-modelled to your control plane, identity model, and workload topology. Not a template we run against every cloud.
- 01 Scope & threat model
- 02 Recon & enumeration
- 03 Configuration review
- 04 Identity exploitation
- 05 Workload & network exploitation
- 06 Vulnerability analysis
- 07 Remediation guidance
- 08 Patch verification
Insights
Cloud security resources.
Cross-provider attack-path notes: AWS, Azure, GCP, written by the same reviewers who run cloud pentests.
Meet our expert
One lead across your whole cloud estate.
Nivedita Singh
Security Advisor & Engagement Lead
10+
Years in offensive security
300+
Engagements led
99.7%
On-time delivery rate
Nivedita scopes cloud-pentest engagements against your account topology, identity model, and workload boundaries. She guides the pod from kick-off through final report and re-test.
- Scopes AWS, Azure, GCP, and Kubernetes engagements against your real risk model.
- Owns kick-off, mid-engagement check-ins, and live walkthrough of every finding.
- Drives remediation review and re-test until every cloud-path finding is closed.

Ready to scope a cloud pentest? Book 30 minutes with Nivedita to walk through your topology, identity model, and timeline.
For startups
Pre-Series A? Apply for the startup program.
A single Autonomous app pentest, CREST-aligned report, engagement-lead sign-off, re-test included, heavily discounted for pre-Series A startups going through enterprise procurement or SOC 2 due diligence. Eligibility verified on application.
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
FinTech
Cloud-native banking workloads, KMS / HSM boundaries, settlement isolation.
Retail
E-commerce on cloud, POS sync APIs, customer-PII surfaces in serverless paths.
Built for Australia engagements
What changes when we deliver here.
Regulatory framework
ACSC Cloud for Tenants control map
Compliance scoping
CPS 234 ¶21 + ¶33 evidence column
Local engagements
Health insurer — multi-cloud, IRAP stage-1 ready
Local pricing
AUD per-workload pricing, GST inclusive option
Compliance scoping
APP 8 cross-border data-flow register
Questions Australian cloud architects ask first.
Do you align to ACSC cloud tenant guidance?
Yes. Findings reference the chapter and control number of the ACSC Cloud Computing Security for Tenants document. PSPF-aligned tenants get the OFFICIAL: Sensitive overlay.
How do findings sit against CPS 234?
Cloud control gaps cite CPS 234 ¶21 capability and ¶33 third-party clauses. Material service provider risk feeds the CPS 230 register.
Will reports help an IRAP assessment?
Yes. Findings are written in IRAP control-statement language, which makes them useful as input to a stage-1 IRAP gap assessment.
Do you test data residency under APP 8?
Yes. Every data-flow finding lists the destination region. APP 8 cross-border disclosure risk is flagged when data leaves AU.
Delivery in Australia
ACSC cloud. CPS 234 cloud controls.
Tests cover ACSC Cloud Computing Security for Tenants guidance. IAM, logging, and key-management findings cite CPS 234 ¶21 information security capability for cloud workloads.
- Direct line
- +61-2-0000-0000
- Office
- Sydney, Australia
Frameworks scoped: ASD Essential 8 · APRA CPS 234 · Privacy Act · ISO/IEC 27001.
Sample engagement report
See what arrives in your inbox.
A pre-vetted sample report: full vulnerability narrative, working PoC, code-level fix guidance. Sent on request after a 5-minute scoping call.