Module S10 — Cloud Red Team Harnesses

Cloud Red Team Harnesses

API-first offensive architecture, IAM privilege escalation path-finding, and evidence-backed findings mapped to SOC 2, ISO 27001, and PCI DSS.

60
minutes
8
artifacts
3
sub-sections
A harness that attacks the cloud the way cloud adversaries do — API-first, identity-first, no port scanning. The cloud kill chain from reconnaissance to impact. IAM privilege escalation as graph-based path-finding. And evidence collected to a schema that maps directly to compliance frameworks for the client deliverable.
Key Claims
Load-Bearing Claims

The cloud is an API, not a network. A cloud red team harness is API-first and identity-first. Port scanning is irrelevant — the attack surface is IAM policies, roles, and trust relationships, not open ports.

IAM is the primary attack surface. A cloud breach is almost always an IAM abuse. Privilege escalation is graph traversal — the same technique as posture attack-path analysis, applied to the permission space.

Escalation paths must be demonstrated, not asserted. Every path is backed by an evidence chain showing the exact API calls, in order, that achieve it. Reproducible, verifiable, client-presentable.

Findings must speak the auditor's language. Technical findings mapped to SOC 2, ISO 27001, and PCI DSS controls. The auditor does not understand iam:PassRole — they understand which control is at risk.

After This Module
01
Articulate how a cloud offensive harness differs from a network pentest harness (API-first, identity-first, no port scanning) and execute the cloud kill chain under scope enforcement.
02
Build an IAM privilege escalation path-finder that enumerates reachable permissions from a starting identity and chains iam:PassRole, CreatePolicy, and AttachRolePolicy into escalation paths.
03
Design a cloud evidence schema that captures API call, response, timestamp, account, region, and resource ARN, and map findings to SOC 2, ISO 27001, and PCI DSS for the client deliverable.
Artifacts