Trace the pivot paths inside your cluster before someone else does.

SecureLayer7 testers abuse Kubernetes the way a motivated actor does after they already have a foothold: reachable kubelets, RBAC verbs that chain to cluster-admin, admission stacks that look fine on paper, and tokens that survive longer than the pod. You get ranked chains with manifests, kubectl transcripts, fixes written for platform engineers, and a re-test so audit sees proof, not debate.

Manual cluster testing · CVE-disclosing researchers · Audit-ready kill-chain reporting

See the cluster pivot paths
Four cluster planes, control plane, identity, supply chain, and the highlighted workload, converging on a privileged-pod escape proof card showing root on the host.

Cluster-internal vantage

We start from workloads and identities your threat model already treats as risky, then move toward control plane and supply-chain edges. Not a perimeter-only review.

Working proof-of-exploit

Manifests, commands, and remediation your engineers can drop straight into tickets. Not a passing CIS row that still leaves cluster-admin within reach.

Re-test included

After you ship patches, we re-run the chain. Written confirmation for each closed pivot, at no extra fee.

Why now

The window from vulnerability discovery to exploitation has gone from weeks to hours.

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

On record

  • CREST accredited
  • AICPA SOC 2 Type II
  • ISO/IEC 27001

Why benchmarks greenwash risk

Clean CIS rows do not erase cluster-admin routes. Chained pivots do.

kube-bench, Trivy, and CIS profiles grade configuration snapshots. They rarely prove chained impact: compromised workload, abused kubelet API, lateral hops across namespaces, cluster-admin. We string those steps the way an adversary would, so platform leads and auditors get a narrative they can follow without guessing.

Two columns, passing config-audit findings on the left, and the chained pivot path each one becomes during a manual cluster pentest on the right.

IN SCOPE.

Where we trace pivots in your cluster.

RBAC
Role + binding chains

Cluster-role bindings, escalation verbs, impersonation, token-creator paths to cluster-admin.

WORKLOAD
Pod escape paths

Privileged pods, hostPath mounts, capabilities, securityContext drift, runtime breakout.

NETWORK
Pod-to-pod routes

NetworkPolicy gaps, service mesh trust, ingress to internal services, DNS rebinding inside-cluster.

SUPPLY CHAIN
Image + admission

Registry trust, admission controllers, mutating webhooks, sidecar injection, signed-image bypass.

POD-ESCAPE PATHS.

Where a misconfigured cluster gives an attacker root on the host.

  1. hostPath to node root

    Pod mounts / from the host, attacker writes to /etc/kubernetes/manifests, static-pod becomes a privileged kubelet workload.

  2. Privileged pod escape

    securityContext.privileged true, capabilities SYS_ADMIN, mount cgroups release_agent, execute on the node as root.

  3. Service-account token theft

    Auto-mounted token in a compromised pod, kubectl auth can-i wildcard, list secrets across every namespace.

  4. Kubeconfig from disk

    Developer kubeconfig left in a CI runner image, cluster-admin context survives image rebuild, attacker reuses it from outside.

  5. etcd direct read

    etcd endpoint exposed on the control-plane subnet without client-cert auth, dump every Secret object in plaintext.

  6. Admission webhook bypass

    ValidatingAdmissionWebhook fail-open on timeout, attacker submits a Pod that the policy would have blocked.

  7. Ingress mTLS gap

    Internal service trusts the ingress identity, attacker who reaches the service mesh from a sidecar replays cluster-internal calls.
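A defender-side check for the preconditions behind items 01, 02, 03 and 06 above, added here as an illustration and not part of SecureLayer7's tooling. It reads Pod and ValidatingWebhookConfiguration objects in the shape `kubectl get ... -o json` returns (both samples below are constructed inline) and lists the settings that make each escape possible; the capability set and hostPath prefixes it flags are this example's own choices, and the token check assumes the ServiceAccount itself has not opted out of auto-mounting.

```python
# Constructed sample: a Pod carrying every weak setting from items 01-03.
SAMPLE_POD = {"spec": {
    "hostPID": True,
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "securityContext": {
        "privileged": True,
        "capabilities": {"add": ["SYS_ADMIN", "NET_RAW"]}}}],
}}

# Constructed sample: a webhook that admits the request if its backend times out (item 06).
SAMPLE_WEBHOOK = {"webhooks": [
    {"name": "pods.policy.example", "failurePolicy": "Ignore", "timeoutSeconds": 5}]}

# Capabilities that on their own give a container a route to the node (example's own list).
ESCAPE_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}
# hostPath prefixes that reach the static-pod directory or the kubelet's own state.
RISKY_HOST_PREFIXES = ("/etc/kubernetes", "/var/lib/kubelet")

def pod_escape_findings(pod):
    """Return the escape preconditions present in one Pod object (kubectl -o json shape)."""
    spec = pod.get("spec", {})
    out = []
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            out.append(f"{key}=true")
    for vol in spec.get("volumes", []):                       # item 01: hostPath to node root
        path = vol.get("hostPath", {}).get("path", "")
        if path == "/" or path.startswith(RISKY_HOST_PREFIXES):
            out.append(f"hostPath {path}")
    # item 03: the token is mounted unless the Pod opts out (assumes the SA does not)
    if spec.get("automountServiceAccountToken", True):
        out.append("serviceaccount token auto-mounted")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):                              # item 02: privileged pod
            out.append(f"{c['name']}: privileged")
        caps = set(sc.get("capabilities", {}).get("add", [])) & ESCAPE_CAPS
        out.extend(f"{c['name']}: CAP_{cap}" for cap in sorted(caps))
    return out

def webhook_fail_open(cfg):
    """Item 06: admissionregistration/v1 defaults failurePolicy to Fail, so only an explicit Ignore fails open."""
    return [w["name"] for w in cfg.get("webhooks", []) if w.get("failurePolicy", "Fail") != "Fail"]
```

Run the two functions over `kubectl get pods -A -o json` and `kubectl get validatingwebhookconfigurations -o json` item by item to get the same list per object.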

On record.

Accredited testers, audited handling.

CREST is the standard for offensive security execution. CERT-In, SOC 2 Type II, and ISO/IEC 27001 cover how SecureLayer7 handles your cluster evidence, Kubernetes artefacts, and your engagement record.

  • CREST: accredited company & testers
  • CERT-In: empanelled auditor
  • AICPA SOC 2 Type II: independently audited
  • ISO/IEC 27001: Information Security Management

Mapped to audit requirements across

SOC 2 Type II · PCI DSS · HIPAA · ISO/IEC 27001 · GDPR · NIST CSF · FedRAMP and others

Scope.

Four cluster planes. One engagement.

Most cluster reviews stop at isolated findings. We chain control plane exposure, workload breakout, identity and secrets, and supply-chain trust in one engagement, mapped to your topology and exercised manually against the bug classes that appear once an attacker already has a foothold.

Control plane

kube-apiserver anonymous-auth, etcd 2379 exposure, kubelet 10250 unauth, scheduler / controller-manager metrics leak, admission-webhook race, audit-policy gap, /healthz info disclosure, in-cluster API server SSRF.

Workload & data plane

Privileged-container escape, hostPath / hostNetwork / hostPID abuse, SYS_ADMIN & NET_RAW capability misuse, missing seccomp / AppArmor, PodSecurityStandards bypass, NetworkPolicy default-allow, sidecar trust-boundary leak, ConfigMap secrets leak.

Identity, RBAC & secrets

ServiceAccount token theft and replay, escalate / impersonate / bind verb chaining, over-scoped ClusterRoleBinding, projected-token reuse across namespaces, IRSA / Workload-Identity confusion, External-Secrets misconfig, kubectl auth can-i blind spots.

Supply chain

Mutating-webhook abuse, unsigned-image admission, ImagePullSecret leak, base-image typosquat, SBOM tampering, GitOps repo and pipeline takeover, Helm-chart values injection, registry-credential reuse across clusters.

KUBERNETES METHODOLOGY.

Eight phases. Threat-modelled to your cluster.

Scoped to your topology, namespaces, RBAC graph, admission controllers, and how images actually ship. We stress APIs, controllers, workloads, and pipelines until impact is demonstrated or ruled out. Deliverables include prerequisites, blast radius, and remediation sized for how your platform team ships change.

  1. Scope & threat-model
  2. Recon & enumeration
  3. Configuration review
  4. Identity & RBAC exploitation
  5. Workload & cluster exploitation
  6. Supply chain & admission
  7. Remediation guidance
  8. Patch verification

Meet our engagement lead

Engagement lead. John Dill.

John Dill

vCISO at SecureLayer7

  • 15+ years in offensive security
  • 150+ engagements led to date
  • 99.99% on-time engagement delivery

John owns Kubernetes engagements from scope to re-test. Topology and RBAC graph become the test plan your platform org recognises. He stays through live walkthroughs, remediation, and re-test.

  • Scopes EKS, AKS, GKE, and self-managed clusters against how you run production, not a generic checklist.
  • Runs kick-off, mid-engagement reviews, and live demos for every material finding.
  • Closes the loop on remediation and re-test until pivot paths are demonstrably gone.

SL7 Lab. Published CVE research.

When your next board or audit cycle asks how far someone moves from one bad pod, book 30 minutes with John. Topology, RBAC graph, and timeline on one call.

Book a 30-min call

Tested by industry.

The bug classes named below come from real engagements in each sector. Pick the closest fit.

Tech SaaS

Multi-tenant k8s, namespace isolation drift, service-mesh boundaries.

FinTech

Banking workloads on k8s, secret-rotation, PCI segmentation in service mesh.

HealthTech

HIPAA-aligned k8s workloads, PHI-handling pods, audit-log retention paths.

Built for United Kingdom engagements

What changes when we deliver here.

  • Compliance scoping

    CIS Kubernetes Benchmark v1.9 mapping per finding

  • Regulatory framework

    NCSC container guidance principles cited in the report

  • Local engagements

    UK fintech rebuilt PSS baseline policy after K8s pentest

  • Local pricing

    GBP fixed-fee per cluster, regardless of node count

  • Compliance scoping

    Pod Security Standards baseline-and-restricted evidence pack

Kubernetes testing, UK shape.

  • Do you test admission controllers and PSS?

    Yes. OPA Gatekeeper, Kyverno and PSS baseline/restricted policies. Bypasses tied to CIS Kubernetes Benchmark 5.x controls.

  • How do you handle eBPF and CNI?

    Cilium and Calico CNI tested for policy bypass and pod-to-pod escape. Findings cite NCSC's container-guidance principle 3.

  • Will this fit an FCA SS2/21 outsourcing review?

    Yes. Managed-K8s tenancy (EKS, AKS, GKE) findings map to SS2/21 paragraphs 4.6 and 5.3. PRA reviewers accept the table.

  • Do you test the supply chain into the cluster?

    Image-signing, SBOM and admission-time policy. Maps to NCSC Secure Development Principle 5 — secure build and deployment.

Delivery in United Kingdom

K8s pentest. CIS v1.9 and PSS evidence.

Pod Security Standards, RBAC, admission control and CNI findings cite CIS Kubernetes Benchmark v1.9 and the NCSC container guidance. UK or EEA region only.

Direct line
+44-20-0000-0000
Office
London, United Kingdom

Frameworks scoped: CREST · NCSC CAF · UK GDPR · PCI DSS · ISO/IEC 27001.

Sample Kubernetes pentest report, kill-chain · evidence · remediation

Sample engagement report

See a manifest-led kill chain auditors can follow.

The sample pack walks YAML-shaped edges, RBAC escalation, and the shortest path from workload compromise to cluster-wide impact. Redacted from real engagements, formatted for risk and audit readers. Sent after a short scoping call so examples match your environment.