Ashley Manraj Chief Technology Officer, Pvotal Technologies Inc.
I’ve built my career at the intersection of security and speed. Today, as AI agents write our code, that intersection has become the most critical frontier in technology. The challenge is no longer creation, but control: how do we secure and maintain the autonomous systems built for us?
Through our work in secure digital transformation at Pvotal, we realized the answer wasn't just better tools, but a new foundation. We needed a control plane designed for this new era. This was the genesis of Infrastream.
Think of it as the factory floor for modern development. Developers and AI agents declare their "intent," and Infrastream's executors work to build and maintain that intent as a secure, compliant, and observable reality. Our mission is to make security an invisible, scalable, and simple-by-design layer, so teams can finally move at the speed of innovation without one off compromise.
Workshop: Breaking and Hardening the Cloud: Advanced Hooking and Shellcoding in a Hardened Environment
Workshops are first-come, first-serve and have limited capacity. Some workshops may be streamed for additional passive participation.
In the rush to adopt modern cloud architectures, organizations often prioritize velocity over security, leaving critical gaps in their infrastructure. This workshop bridges the gap between offensive exploitation and defensive engineering, using a real-world scenario deployed on Google Cloud Platform (GCP).
Participants will be given access to a "production-grade" environment managed with InfraStream, a manifest-driven infrastructure platform. Inside this environment lies a set of microservices written in Go, which appear functional but contain a critical flaw: a Server-Side Template Injection (SSTI) vulnerability. However, the infrastructure is hardened: The server runs in a scratch-based container with some very restrictive network rules that prevents both bind and reverse shell from being effective.
The workshop is divided into two phases:
The Red Team Phase: Attendees will get their hands dirty analyzing the Go application code and crafting payloads to exploit the SSTI vulnerability. The goal? Get a fully interactive shell on the underlying container and attempt to pivot through the default GCP network to compromise adjacent services. While the initial vulnerability is pretty simple to exploit, the real challenge here lies in leveraging it through the hardening, which will involve hooking the server's code and advanced shellcoding to implement a backdoor. The Blue Team Phase: Once the compromise is confirmed, we will switch gears to remediation. We will modify InfraStream's manifests to apply practical defense-in-depth strategies. Participants will learn how to implement hardened docker runtime deployments, enforce strict network policies, and enable mTLS within the service mesh—effectively restricting the impacts of the RCE and limiting lateral movement. We will also fix the root cause that allowed the process hooking step to take place.
By the end of this session, attendees will understand the mechanics of Go template injection, advanced techniques to leverage vulnerabilites in hardened infrastructure and how to leverage infrastructure-as-code to enforce security baselines that make even vulnerable applications resilient to attack.