NCC Group - Offensive Cloud Security

This training is Sold-Out

May 27th and 28th

Course Abstract

While security awareness and collective experience regarding the Cloud has been steadily improving, one common difficulty is applying theoretical knowledge to real-life scenarios. This training’s goal is to help attendees bridge this gap by understanding how conventional technologies integrate with Cloud solutions. The training is scenario-based and focuses on applied exercises. Attendees will experience first-hand how security vectors that exist in such ecosystems present opportunities for abuse. Throughout the training, we will also cover detection and mitigation of the attacks covered in the course.

The training is structured as a sequence of scenarios, which mix theory and practical exercises. The theory is imparted gradually, and attendees are given time to think for themselves and work through the exercises.


Day 1

  • The [Multi-]Cloud
    • Overview of AWS, Azure & GCP
    • Differences, similarities and important characteristics of Cloud Providers
  • Security in the Cloud
    • Enumerating cloud-hosted resources
    • Identity and Access Management (IAM), Metadata Services and Credentials
    • Typical application vulnerabilities and how they translate to the Cloud
    • Cloud hacker’s arsenal
  • Scenarios
    • Leveraging CI/CD systems to gain a foothold into Cloud environments
      • Attendees will gain a foothold into a CI/CD deployment, and leverage this initial compromise to access additional environments.
    • Lateral Movement & Privilege Escalation in AWS
      • A number of scenarios will have attendees move laterally to gain access to additional sensitive resources, not accessible through the initial compromise.
    • Azure Applications – Implementation and Weaknesses
      • This scenario will introduce attendees to Azure’s implementation of programmatic identities, and highlight how design choices present an opportunity for abuse.

Day 2

  • Scenarios (continued)
    • Abusing Containers & Clusters
      • We will review typical topologies of cloud-hosted cluster environments, as well as how attackers can target them.
    • Hybrid Networks & Moving from the Management to the Resources Plane
      • Many organizations maintain hybrid cloud environments, which contain a mix of on-premises, private cloud and third party, public cloud services. Throughout the training, attendees will pivot between these environments
    • [Azure] Active Directory Synchronization Mechanisms and Pitfalls
      • Corporate environments that contain Cloud components will oftentimes synchronize Active Directory with Azure Active Directory (AAD). The training will cover a number of implementations and compromise vectors for AD/AAD.
    • A Blue Team Perspective
      • Throughout the course, attendees will focus on exploiting cloud-hosted resources. This module will cover detection and remediation of the attack chains.
  • Tying it all together
    • The training will end with a CTF-type exercise, which will have attendees leverage the skills acquired throughout the course to compromise a realistic Cloud environment.

The scenarios are based on NCC Group’s research, incident response experience and on the knowledge acquired through countless cloud assessments carried out every year.

Who Should Attend

The training is tailored towards individuals who have some experience with “the Cloud”, seeking to improve their proficiency at assessing and improving the security of cloud hosted applications and infrastructures.

Ideally, attendees should have some experience with a major Cloud provider, and be familiar with the steps required to assess the security of applications and infrastructures (not necessarily cloud hosted). Attendees who have zero experience with the below will likely struggle following the course’s pace:

  • OWASP Top Ten
  • nmap
  • Linux CLI & SSH

What You Need

Attendees will be provided access to virtual instances with all the required tooling. All they need is a laptop with an SSH and a RDP client to access the instances. The laptop should not have any corporate security software that restricts Internet access or forces use of a corporate proxy server for browsing.


Xavier Garceau-Aranda ,

Xavier is a managing security consultant at NCC Group, with experience in both academia and the private sector. He has worked as a developer, security researcher and consultant. Xavier currently spends most of his time focusing on application and cloud security, as well as driving the development of Scout Suite (, an open source multi-cloud security-auditing tool.

Xavier holds the AWS Certified Security – Specialty, Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE) and Offensive Security Wireless Professional (OSWP) certifications.

Return to training sessions