Attacking & Securing CI/CD Pipeline Certification (ASCPC)

Description

The ASCPC On-Demand course blends offensive and defensive techniques across a variety of CI/CD platforms, focusing on practical, hands-on skills. Students will explore vulnerabilities, exploit misconfigurations, and learn how to defend against real-world CI/CD threats.

Key focus areas include:

• GitHub Actions Security: Explore context injection, pull request abuse, artifact poisoning, and misconfigured OIDC workflows.
• CircleCI Misconfigurations: Hijack pipeline configurations and exploit insecure runner setups.
• AWS CodeBuild Exploitation: Abuse IAM roles, environment variables, and pipeline triggers to escalate privileges and exfiltrate secrets.
• Docker Registry Attacks: Inject malicious images and perform credential harvesting through poorly secured registries.
• Kubernetes Integration Risks: Compromise clusters via CI/CD, enumerate resources, and escalate access across pods and containers.
• Azure DevOps Abuse: Leak credentials, escalate privileges, and abuse service connections in insecure Azure DevOps pipelines.
• Each module is supported by guided labs that simulate real CI/CD environments and include both offensive attack paths and defensive remediation strategies.

Key Learning Objectives

Identify and exploit misconfigurations in GitHub, CircleCI, and cloud-integrated CI/CD pipelines

Perform attacks such as context injection, artifact poisoning, OIDC abuse, and pipeline hijacking

Implement effective defenses through permissions hardening, workflow validation, and policy enforcement

Harden DevOps pipelines across cloud environments, container orchestration, and source control systems

Apply offensive and defensive techniques to secure real-world CI/CD workflows

Who Should Attend?

DevOps and DevSecOps Engineers: Professionals who design and manage CI/CD pipelines and want to integrate security into every stage of the development process.

Penetration Testers and Red Team Operators: Those who want to expand their capabilities into CI/CD-focused attack paths, supply chain exploitation, and real-world offensive tooling in cloud-native environments.

Cloud and Application Security Engineers: Security professionals tasked with reviewing infrastructure-as-code, cloud deployments, or pipeline configurations.

Blue Team Analysts and Defenders: Analysts who need to understand attacker techniques in order to better detect, respond to, and mitigate pipeline-based intrusions.

Cybersecurity Students and Enthusiasts: Learners with foundational experience in cloud or security who are ready to move into more advanced, applied content. If you’re looking to move beyond theory and gain practical experience in attacking and securing real-world CI/CD pipelines, the ASCPC On-Demand course is built for you.

Prerequisite Knowledge

This is an intermediate to advanced course. Students should have a background in cloud security, development pipelines, or general cybersecurity.

Hardware Requirements

– Two GitHub accounts – Access to AWS and Azure environments – Docker installed on the host machine – Admin access to your local system and cloud platforms

Bio