Cloud Pentest

A cloud pentest simulates real-world attacks to identify and exploit weaknesses in your cloud environment based on the OWASP Cloud-Native Application Security Top 10.

Our Cloud Pentest methodology is designed to provide a deep, attacker-simulated assessment of your cloud environment, adhering to the Shared Responsibility Model by focusing on the security of your configurations, data, and applications.

What’s Testable: The Shared Responsibility Model

The shared responsibility model dictates what is testable. Our services focus on security in the cloud: your data, applications, operating systems, identities, and configurations. We do not test the security of the cloud itself, which is the cloud service provider's responsibility and covers the physical infrastructure and the underlying managed services. Where that boundary sits depends on the service model: on an IaaS virtual machine you own the operating system and its patching, while for a managed database or a serverless function the provider does.

Our testing approach is aligned with industry standards and frameworks, including the OWASP Cloud-Native Application Security Top 10, OWASP Testing Guide, and CIS Benchmarks.

Prerequisites

To ensure a comprehensive and effective pentest, the following access must be in place before testing starts:

  • Credentials and console access for the cloud environment (the accounts, subscriptions, or projects in scope).
  • Jump box setup: a dedicated lightweight Linux server (e.g., a Kali Linux cloud VM) deployed inside the cloud network so that internal services are reachable.
  • Resource allocation: at least 2 virtual CPUs, 8 GB RAM, and 50 GB disk space for the VM.
  • Access credentials: key-based SSH access for each pentester and root access on the Kali VM.

Most cloud providers no longer require advance notification for this kind of testing, but each sets its own rules on permitted and prohibited activities; refer to the Cloud Provider Authorization documentation for details.

Cloud Pentesting Approach

Major cloud providers (AWS, Azure, GCP) offer hundreds of specialized services. While the names differ, our testing methodology remains consistent, covering key functional areas:

Functional Area        Service Examples
Compute                Azure VMs, GCE, Lambda, Fargate, App Services
Storage                S3, Blob Storage, GCS, Glacier, EBS, EFS
Databases              RDS, DynamoDB, Cosmos DB, Cloud SQL, Aurora
Networking             VPC, NSGs, Security Groups, Route 53, Cloud CDN
Identity & Access      IAM, Azure AD (now Microsoft Entra ID), GCP IAM, Cognito
Monitoring & Logging   CloudTrail, CloudWatch, Activity Logs, Stackdriver (now Cloud Logging and Cloud Monitoring)

Our testers focus on both the configuration of your cloud environment and the security of services deployed within your infrastructure.

The pentest includes evaluation of access controls, exposed services, secrets management, and cloud-native integrations using relevant OWASP and cloud-specific testing techniques. Simulated attacks are performed to identify weaknesses in IAM roles, trust boundaries, storage permissions, misconfigured services, and other exploitable vulnerabilities specific to your cloud provider. Our testers utilize a wide range of public and proprietary tools tailored to cloud infrastructure testing.

Our pentest follows a structured, four-phase process:

  1. Target Scope Reconnaissance
  2. Cloud Configuration Review
  3. Manual Assessment (Simulated Attack)
  4. Reporting, Triaging, and Retesting

1. Target Scope Reconnaissance

Our testers gather intelligence on your cloud environment to define the complete attack surface, which includes:

  • Service and Asset Discovery: Identification and cataloging of cloud services, instances, storage, serverless functions, and container workloads to establish scope and exposure.
  • Authentication & Identity Management: Review of authentication mechanisms, IAM roles, privilege delegation, and session control across user and machine identities.
  • Business Logic & Data Handling: Mapping of high-risk workflows and sensitivity of data handled by the environment (e.g., PII in storage buckets, customer data in managed databases).
  • Network Reachability & Filtering: Evaluation of firewall policies, network ACLs, load balancers, and VPC peering for exposed or misconfigured services.

2. Cloud Configuration Review

Our testers begin with an automated review of your environment against established standards such as the CIS Benchmarks and provider best practices. A manual review follows to eliminate false positives, to rate the severity of each confirmed finding in the context of your environment, and to catch what automated scanners miss, such as trust relationships and privilege paths that span several services.

3. Manual Assessment

This is the core of the pentest, where testers perform simulated attacks using a systematic approach to identify complex, chained vulnerabilities specific to your cloud infrastructure.

Our testers concentrate on the following high-impact domains:

  • Identity and Access Management (IAM): Examine privilege escalation paths, over-permissive roles, missing MFA, and lateral movement opportunities using assumed roles or service principals.
  • Storage and Data: Analyze cloud storage services (e.g., S3, Azure Blob, GCS) for public exposure, misconfigured access policies, unencrypted data at rest, and weak control over sensitive datasets.
  • Network and Infrastructure: Review virtual network architecture (VPCs, VNets), firewall rules, routing, and public service exposure to ensure services are appropriately segmented and protected from unauthorized access.
  • Application and API Security: Assess cloud-hosted applications, serverless functions, and APIs for OWASP Top 10 vulnerabilities, and misconfigured endpoints.
  • Configuration and Secrets Management: Evaluate secrets handling, including environment variables and key stores, checking for hardcoded credentials and lack of rotation.
  • Monitoring and Resilience: Test the resilience of monitoring and detection controls (e.g., GuardDuty, Microsoft Defender for Cloud, formerly Security Center) to identify gaps that could allow attacker activity to go undetected.
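
The IAM and storage checks above are, at their core, policy analysis. The following Python script is an added example, not Cobalt's own tooling, that runs that analysis offline against two constructed policy documents: it flags wildcard and privilege-escalation grants in an IAM identity policy and anonymous access in an S3 bucket policy. The account ID, bucket name, and the PRIVESC_ACTIONS list are illustrative assumptions.

```python
"""Offline review of IAM identity and S3 bucket policies.

Added example, not Cobalt's tooling. The sample policies are constructed and
PRIVESC_ACTIONS is an illustrative subset, not an exhaustive list.
"""
import fnmatch
import json

# Actions that, granted broadly, let a principal become another identity or
# run code as one (illustrative subset; real tooling carries a longer list).
PRIVESC_ACTIONS = (
    "iam:passrole", "iam:createaccesskey", "iam:attachuserpolicy",
    "iam:attachrolepolicy", "iam:putuserpolicy", "iam:putrolepolicy",
    "iam:updateassumerolepolicy", "sts:assumerole", "lambda:updatefunctioncode",
)


def _as_list(value):
    """Most policy fields accept a scalar or a list; normalise to a list."""
    return [] if value is None else (list(value) if isinstance(value, list) else [value])


def _principal_is_anonymous(principal):
    """True when the Principal element grants access to anyone on the internet."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def review_identity_policy(policy):
    """Flag wildcard grants and privilege-escalation primitives.

    Returns (severity, sid, message) tuples in statement order.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        unscoped = "*" in _as_list(stmt.get("Resource"))
        if "*" in actions and unscoped:
            findings.append(("critical", sid, "Allow */* is full administrative access"))
            continue
        for pattern in actions:
            # The policy's action string is the glob: "iam:*" covers every iam: action.
            hits = [a for a in PRIVESC_ACTIONS if fnmatch.fnmatchcase(a, pattern.lower())]
            if hits:
                findings.append(("high" if unscoped else "medium", sid,
                                 f"{pattern} allows {', '.join(hits)} on "
                                 + ("any resource" if unscoped
                                    else "scoped resources; verify the scope")))
    return findings


def review_bucket_policy(policy):
    """Flag statements that let anonymous principals read or write the bucket."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Condition"):
            # "*" plus a Condition (aws:SourceVpce, aws:SourceIp, ...) is often
            # intentional, but the condition itself has to be checked by hand.
            findings.append(("medium", sid, f"anonymous {', '.join(actions)} narrowed by "
                                            f"Condition {sorted(stmt['Condition'])}"))
            continue
        writes = any(a == "*" or a.lower().startswith(("s3:*", "s3:put", "s3:delete"))
                     for a in actions)
        findings.append(("critical" if writes else "high", sid,
                         f"anonymous {', '.join(actions)} with no Condition"))
    return findings


# Constructed sample policies; the account ID and bucket name are placeholders.
SAMPLE_IDENTITY_POLICY = json.loads("""{"Statement": [
  {"Sid": "ReadData", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
  {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
  {"Sid": "ManageOwnUser", "Effect": "Allow", "Action": "iam:*",
   "Resource": "arn:aws:iam::123456789012:user/${aws:username}"}]}""")

SAMPLE_BUCKET_POLICY = json.loads("""{"Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
  {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
  {"Sid": "AccountOwner", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-data"}]}""")

if __name__ == "__main__":
    for label, review, doc in (("identity", review_identity_policy, SAMPLE_IDENTITY_POLICY),
                               ("bucket", review_bucket_policy, SAMPLE_BUCKET_POLICY)):
        for severity, sid, message in review(doc):
            print(f"[{severity:8}] {label}/{sid}: {message}")
```

On an engagement the same logic runs over documents pulled with `aws iam get-policy-version` and `aws s3api get-bucket-policy`. Two caveats apply before a finding is rated: a public bucket policy is overridden by the account-level or bucket-level Block Public Access settings, and an identity-policy grant is bounded by any permissions boundary or service control policy that applies to the principal, so both have to be checked to establish the effective permissions.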

Testing Based on the OWASP Cloud-Native Application Security Top 10

For each of the following categories, testers assess:

  • Access Control: Identify flaws that allow privilege escalation, unauthorized resource access, or bypass of policy restrictions. Includes IAM misconfigurations, excessive permissions, and insecure role assumptions.
  • Cryptography: Assess if sensitive data is exposed due to lack of encryption in storage or transit. Focus areas include unsecured storage buckets, weak SSL/TLS configurations, and misconfigured encryption keys.
  • Misconfigurations: Identify misconfigured services, open administrative interfaces, publicly exposed storage, disabled monitoring, or unused services increasing the attack surface.
  • Vulnerable and Outdated Components: Check compute workloads (e.g., EC2, Azure VM, container images) for outdated software, missing patches, and known vulnerabilities via CVE lookups.
  • Credential Leakage and Secrets Management: Search for hardcoded secrets, plaintext API keys, and credentials in environment metadata or repos. Assess proper use of cloud-native secrets stores and key rotation practices.
  • Service Abuse: Simulate abuse of autoscaling, misconfigured quotas, or excessive service requests leading to cost spikes, DoS conditions, or availability degradation.
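
For the credential-leakage category, the following Python scanner is an added example (not Cobalt's tooling) of the search described above. It runs over a constructed EC2 user-data excerpt; the AWS key pair in it is the placeholder pair from AWS documentation, not a live credential. It combines provider-specific key formats with a keyword rule for assignments, uses Shannon entropy to separate probable keys from weak or placeholder values, and redacts what it reports.

```python
"""Scan configuration text for leaked credentials.

Added example, not Cobalt's tooling. SAMPLE_INPUT is a constructed EC2
user-data excerpt; its AWS key pair is the placeholder pair from AWS
documentation, not a live credential.
"""
import math
import re
from collections import Counter

# Provider-specific credential formats (illustrative subset, not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# KEY=VALUE or key: "value" lines whose name suggests a secret.
ASSIGNMENT = re.compile(
    r"^\s*(?:export\s+)?(?P<name>\w*(?:secret|password|passwd|token|api_?key)\w*)"
    r"\s*[=:]\s*['\"]?(?P<value>[^'\"\s#]+)",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits per character; a random 40-character base64 string scores about 4.7."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value):
    """Keep enough to locate the value in the source without reproducing it."""
    return value[:4] + "..." + value[-2:] if len(value) > 10 else "***"


def scan_text(text):
    """Return findings as dicts with rule, line, name, redacted value and confidence."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = set()
        for rule, rx in PATTERNS.items():
            for m in rx.finditer(line):
                matched.add(m.group(0))
                findings.append({"rule": rule, "line": lineno, "name": None,
                                 "value": redact(m.group(0)), "confidence": "high"})
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        value = m.group("value")
        # "${VAR}", "$(cmd)" and "<placeholder>" are references, not literal secrets;
        # a value already reported by a provider pattern is not reported twice.
        if value in matched or value.startswith(("${", "$(", "<")):
            continue
        # Long, high-entropy values are probably real keys; short or low-entropy
        # values (e.g. "Summer2024!") are still hardcoded passwords, at lower confidence.
        strong = len(value) >= 16 and shannon_entropy(value) >= 3.5
        findings.append({"rule": "secret_assignment", "line": lineno, "name": m.group("name"),
                         "value": redact(value), "confidence": "high" if strong else "medium"})
    return findings


# Constructed sample input (see module docstring).
SAMPLE_INPUT = """\
#!/bin/bash
# constructed user-data excerpt for illustration
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.internal.example
DB_PASSWORD=Summer2024!
STRIPE_TOKEN=${STRIPE_TOKEN}
app_api_key: "9f8c1e2d4b6a7c3e5d1f0a9b8c7d6e5f"
LOG_LEVEL=info
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_INPUT):
        print(f"line {f['line']:>2} [{f['confidence']:6}] {f['rule']:<18} "
              f"{f['name'] or ''} {f['value']}")
```

The same scanner is pointed at instance user-data and metadata output, function environment variables, container image layers, and repository history, which is where the page's "environment metadata or repos" live in practice. The entropy threshold trades false positives for recall: lowering it surfaces more weak passwords at the cost of noise from ordinary identifiers, so it should be tuned per engagement rather than treated as fixed.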

4. Reporting, Triaging, and Retesting

Cobalt pentesters report and triage all vulnerabilities during the assessment. You can review details of all findings, in real time, through the Cobalt platform. In these findings, as well as in any report, Cobalt’s pentesters include detailed information, including:

  • Step-by-step remediation guidance
  • Recommendations on how to improve your overall security posture

You can remediate findings during and after the pentest and then submit them for retest. Our pentesters re-examine the updated components and retest each vulnerability to confirm that the fix is effective and has not left residual risk.

Last modified January 12, 2026