GCP penetration testing

Research-led GCP pentest, service accounts to data, end to end.

CREST-accredited researchers attack GCP environments the way an adversary would: service-account impersonation, OAuth scope creep, GKE workload identity bypass, Cloud Storage IAM drift. Two weeks from kickoff to a report your auditor accepts.

GET YOUR SCOPING CALL

Talk to a security expert

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most GCP pentests stop at Security Command Center (SCC) findings. Attackers chain through service accounts.

  • Security Command Center flags 200 mediums; none prove the service-account impersonation chain that ends in Editor on prod.

  • OAuth scope creep and Workspace federation seams only become criticals when chained with metadata abuse. Checklist firms miss the chain.

  • Hybrid identity (Cloud Identity, Workspace, federation) sits where single-cloud testers blink.

Here is what we ship.

Why teams pick us

Path to Cloud Storage, not 200 mediums.

  • GCP-specific bug classes

    Service-account impersonation, IAM condition gaps, OAuth scope creep, GKE workload identity bypass, Cloud Functions env-var leaks, GCE metadata abuse.

  • Chained to data, not config

    We do not stop at 'role binding is overly permissive.' We prove the path to your Cloud Storage bucket and your secrets in Secret Manager.

  • Evidence for the right auditor

    SOC 2, ISO 27001, CIS GCP Benchmark, FedRAMP Moderate. Findings tagged to controls.

How it works

From intro to report in two weeks.

  1. Scope across projects

    Tell us projects, folders, and the data surface that matters. Viewer role provisioned on the call.

  2. Researchers chain paths

    Service-account-to-data and OAuth-to-Workspace chains. Federation and shared VPC included.

  3. Findings with gcloud reproducers

    Each finding ships with reproducer, gcloud commands, and a fix per control.

Research ledger

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

Full advisories index

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Co-founder, Loom


Common questions

What buyers ask before they sign.

What access do you need?
Viewer role per project, scoped to the engagement. No prod writes without explicit approval.
Will you find service-account escalation?
Yes. Impersonation chains, IAM condition gaps, OAuth scope creep, workload identity bypass, default-account abuse.
Is it safe on production?
Yes. Read-only and recon by default. Destructive actions require explicit per-finding approval.
What about GKE and Cloud Functions?
Covered. GKE workload identity, container escape, Cloud Functions env-var exfil, IAM-role pass-through.
Do you map to CIS or FedRAMP?
Yes. Findings tagged to CIS GCP Foundations, FedRAMP Moderate, SOC 2, and ISO 27001 Annex A.

Ready to see the path from service account to data?

20-minute scoping call with the lead GCP pentester. Multi-project, federation, and the seams between them.

CREST · CERT-In · SOC 2 · ISO 27001