VAPT · Cloud Security

Cloud posture, IAM-first.

CSPM-style review of AWS / Azure / GCP environments against CIS benchmarks, plus custom attack-path hunts. We don't just list misconfigs - we show how an attacker would chain them.

Threat landscape

What cloud attackers go after

The six classes of cloud breach we see most often. Each one is preventable with the right posture and detection.

Public bucket → PII leak

One misconfigured S3 / GCS / Blob ACL turns into a customer-data dump. Easy to find, hard to recover from.

IAM role chaining → admin

AssumeRole ladders and service-account impersonation paths quietly escalate to full account takeover.

Container escape → host

Privileged pods or vulnerable images break out of their container to the underlying node.

Metadata SSRF → cred theft

A single SSRF against IMDS v1 grabs temporary credentials and turns into full cloud-account compromise.

Logging blind spots

CloudTrail / Audit Logs disabled in regions where you don't expect activity - until you do.

Compliance failures

HIPAA / PCI / DPDP audit failures over preventable misconfigs - encryption-at-rest, retention, access logs.

What we cover

  • AWS, Azure, GCP posture assessment
  • IAM policy & permission review
  • Storage bucket & database security
  • Container & Kubernetes hardening
  • Serverless architecture review
  • Compliance: CIS / NIST / PCI / SOC 2 / HIPAA

Common findings

  • Over-privileged IAM roles & role chaining
  • Publicly exposed buckets / databases
  • Unencrypted volumes & snapshots
  • Vulnerable container images
  • Misconfigured security groups / NACLs
  • Logging & monitoring blind spots

All three hyperscalers

AWS · Azure · GCP

Same depth across the three. Each report includes a CIS pass/fail score with remediation effort estimates.

AWS

Services covered

EC2 · S3 · Lambda · RDS · EKS · IAM · CloudTrail · VPC

Framework

CIS AWS Foundations Benchmark · AWS Well-Architected (Security Pillar)

Azure

Services covered

VMs · Blob Storage · Functions · SQL · AKS · Entra ID · Monitor · Defender

Framework

CIS Azure Foundations · Azure CAF · Microsoft Cloud Security Benchmark

GCP

Services covered

Compute · Cloud Storage · Functions · Cloud SQL · GKE · IAM · Audit Logs · Org Policies

Framework

CIS GCP Foundations · Google Cloud security best practices

How attackers move

Attack paths we hunt

Single misconfigs are findings. Chained misconfigs are incidents. We map both.

Public bucket → PII exfil

Misconfigured S3 / GCS / Blob → customer-data leak. We hunt every public bucket and ACL.
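One way to hunt public buckets from the read-only audit role, as an added example that is not the page's own tooling: the ACL and bucket-policy documents below are constructed samples shaped like `get-bucket-acl` / `get-bucket-policy` output, and the check flags AllUsers / AuthenticatedUsers ACL grants and wildcard-principal policy statements, reporting conditioned ones separately for manual review.

```python
import json

# Constructed sample inputs shaped like get-bucket-acl / get-bucket-policy
# output; none of this comes from a real environment.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTH_USERS}  # AuthenticatedUsers = any AWS account, still public

BUCKETS = {
    "customer-exports": {"policy": None, "acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    "static-site": {"acl": {"Grants": []}, "policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::static-site/*"}]})},
    "internal-logs": {"acl": {"Grants": []}, "policy": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "*", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]})},
    "private-backups": {"policy": None, "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def acl_findings(acl):
    """Grants to the AllUsers / AuthenticatedUsers groups, e.g. ['acl:READ']."""
    return [f"acl:{g['Permission']}" for g in acl.get("Grants", [])
            if g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def policy_findings(policy):
    """Allow statements with a wildcard principal: no Condition -> 'public';
    with a Condition (VPC endpoint, source IP, ...) -> 'conditional' for manual review."""
    out = []
    for s in _as_list(json.loads(policy)["Statement"]):
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal")
        if p != "*" and not (isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))):
            continue
        kind = "conditional" if s.get("Condition") else "public"
        out.extend(f"policy:{kind}:{a}" for a in _as_list(s["Action"]))
    return out

def review(buckets):
    """Bucket name -> findings. Block Public Access settings, which override
    both mechanisms when enabled, are not modelled here."""
    return {name: acl_findings(b["acl"]) + (policy_findings(b["policy"]) if b["policy"] else [])
            for name, b in buckets.items()}
```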

Over-privileged role → lateral

AssumeRole chains, sts:AssumeRoleWithWebIdentity, GCP service-account impersonation.
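The AssumeRole-ladder hunt described above, as an added example rather than the page's or any listed tool's own code: the role inventory, account id and admin flags are constructed sample data (a real review would build them from `iam:GetRole` through the read-only audit role), and the search reports every chain from a starting role to one whose permissions are admin so each hop can be remediated.

```python
from collections import deque

ACCOUNT = "123456789012"  # constructed sample account id

# Constructed inventory (sample data, not a real environment): each role's
# trust-policy statements plus whether its permission policies grant admin.
# A real review builds this from iam:GetRole via the read-only audit role.
ROLES = {
    "ci-runner": {"admin": False, "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Principal": {"Service": "ec2.amazonaws.com"}}]},
    "deploy": {"admin": False, "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/ci-runner"}}]},
    "ops-admin": {"admin": True, "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                  "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/deploy"]}}]},
    "break-glass": {"admin": True, "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def trusted_roles(name, roles):
    """Roles in the inventory whose principals may assume `name`. Trusting the
    account root (or "*") is read as trusting every role (conservative view);
    Conditions such as MFA or ExternalId are not evaluated, so gated edges
    are still reported for the reviewer to verify."""
    out = set()
    for s in roles[name]["trust"]:
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        p = s.get("Principal", {})
        for arn in (["*"] if p == "*" else _as_list(p.get("AWS", []))):
            if arn == "*" or arn.endswith(f"::{ACCOUNT}:root"):
                out.update(r for r in roles if r != name)
            elif f"::{ACCOUNT}:role/" in arn:
                out.add(arn.split(":role/")[1])
    return out

def find_chains(start, roles):
    """BFS over AssumeRole edges; every simple path from `start` that ends
    at an admin role, shortest first."""
    edges = {src: {dst for dst in roles if src in trusted_roles(dst, roles)} for src in roles}
    chains, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(edges[path[-1]]):
            if nxt in path:
                continue
            (chains if roles[nxt]["admin"] else queue).append(path + [nxt])
    return chains
```

In the sample the root-trusted `break-glass` role is reachable from every other role, which is the classic finding this hunt surfaces.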

Vulnerable image → cluster takeover

Outdated container image + privileged pod → node escape → control-plane reach.

Exposed metadata → instance creds

IMDS v1 / SSRF → temporary credentials → escalated cloud access.

Containers & Kubernetes

Cluster hardening included

Image-level vuln scanning + Kubernetes posture audit against CIS benchmarks. Privileged workloads, exposed kubelets, weak RBAC, and namespace isolation gaps surface in the same report.

Tools & stack

What's in the toolbox

  • Prowler · Multi-cloud CIS audit + 400+ checks
  • ScoutSuite · Multi-cloud posture auditor
  • Pacu · AWS exploitation framework
  • Trivy · Container + IaC vulnerability scan
  • kube-bench · Kubernetes CIS benchmark
  • CloudSploit · Cloud-config validator

Ungated · no email required

See what a real report looks like

24 pages, redacted from a live engagement. Executive summary, technical findings with PoCs, remediation roadmap and attestation.

  • Executive summary + technical report
  • Reproducible PoCs with screenshots
  • Remediation roadmap + retest plan
  • Letter-of-attestation appendix

How we work

Methodology

A repeatable five-phase process. Same depth whether it's a focused spot test or a multi-surface engagement.

01

Recon & threat modeling

Asset discovery, app mapping, STRIDE/DREAD analysis to scope what matters.

02

Automated baseline

Tuned SAST/DAST/scanners to clear the noise. Never the primary signal.

03

Manual exploitation

Where the real findings live. Senior testers, real PoCs, chained attacks.

04

Risk assessment

CVSS scoring combined with your business context - not auto-generated severities.

05

Reporting

Executive summary + reproducible technical report + remediation roadmap.

Frameworks & standards

Mapped to the standards your auditors care about

Reports map findings to the frameworks your compliance team is already chasing. Drop-in evidence for ISO, SOC 2, PCI and DPDP audits.

CIS AWS
CIS Azure
CIS GCP
CIS Kubernetes
NIST SP 800-53
PCI DSS 4.0
ISO 27001 Annex A
SOC 2 CC
MITRE ATT&CK Cloud
AWS Well-Architected

FAQ

Common questions

If you're evaluating multiple firms, these are the questions worth asking each of us.

How long does a typical engagement take?

A focused spot test runs 5-7 business days. Multi-surface engagements typically take 2-4 weeks depending on application complexity. We agree on a written scope before the contract - no surprise extensions.

Is testing safe to run in production?

We test in production only when staging is unavailable and only with explicit written approval, an agreed test window, and a documented rollback plan. Destructive checks (DoS, data corruption) are excluded unless specifically requested.

What certifications does your team hold?

Engagements are run by senior testers and signed off by a practice lead. We test to recognised methodologies - OWASP, PTES and the OSSTMM - and map every finding to CVSS and CWE. If your procurement process needs specific individual credentials on file, we'll share them under NDA during scoping.

Do you offer retests after we patch?

Yes - retest engagements are scoped separately, focused only on the findings you've patched. Pricing is proportional to the surface area being re-verified and we send a written scope before any work starts.

What format are the deliverables in?

PDF reports (executive summary + technical), an editable findings spreadsheet, attack-path diagrams where relevant, and a letter of attestation on request. All findings include CVSS, CWE, repro steps, and remediation guidance.

How is scope determined and priced?

After a 15-minute discovery call we send a written scope inside 48 hours - fixed-price, with clearly itemized exclusions. No hourly billing surprises, no scope creep mid-engagement.

Tighten your cloud posture.

Read-only audit role + 48 hours = a written scope. No drama, no extra agents to install.