3-Day Training: November 3-5, 2025
Level: Intermediate
Trainer: Abhay Bhargav
To register, please purchase your training ticket here. Training and conference are two separate ticket purchases.
Multicloud environments have grown in prevalence and significance. According to a study by VMware in 2021, 73% of companies surveyed had adopted multi-cloud deployments with 2 cloud providers, and 26% of them had adopted 3 cloud providers. By some estimates (HashiCorp), nearly 90% of organizations are multicloud.
Multicloud environments, consequently, lead to a variety of different application deployments and environments. Applications ranging from traditional VM-deployed apps, to containerized apps on Kubernetes or other managed container orchestration platforms, to FaaS (Functions-as-a-Service) apps are deployed on the Big Three cloud providers (AWS, Azure, and GCP).
Just as application deployment patterns are dissimilar, the security of applications in these cloud environments differs as well, and so do the attack patterns against these applications. Companies and their security personnel are grappling with this issue, not only at scale but with a severe shortage of skills to boot.
This training has been designed with our highly renowned approach of ADD (Attack-Detect-Defend). This is where we use stories and get students to work through intricately designed technical scenarios. As part of each story, the student deploys the app on the relevant cloud environment using Infrastructure-as-Code tools like Terraform and others. The application(s), along with the stack (the cloud resources and configuration), are vulnerable in many small and serious ways. For the “Attack” part of the story, the students deploy the stack. Once the application is deployed, the students explore a compromise of the application. The students leverage vulnerabilities and execute carefully planned attack sequences that are designed to escalate privileges into the specific cloud environment and start to perform post-exploit activities ranging from data exfiltration to resource manipulation. This completes one part of the story, where we go from deploying the application to attacking the application and compromising the underlying cloud infrastructure. This is the section of each story where participants will do a CTF-style session. Here they will spend time identifying and attacking these infrastructures with multi-step attacks, performing extensive examples of lateral movement using techniques highlighted in the MITRE ATT&CK Framework, popular bug bounties, and our own experiences with attacking and auditing cloud infrastructure.
For the “Detect” part of the story, we look at scenarios that involve Incident Response and Detection Engineering on the cloud, across these various Cloud Providers. In this part of the story, we have students deploy an identical (still vulnerable) stack. However, this time, they deploy stacks with detection services enabled and configured. These detection services include, but are not limited to:
- Ingesting and harnessing Control-Plane Logs of the Cloud Provider/Service
- Leveraging Threat Intelligence Services provided by the Cloud Provider
- Leveraging ETL Services and Cloud Storage to build Detection Queries and parameters
- And more
The idea here is to get the student to perform the same attack sequences against the Cloud environment. Except this time, the deployed detection mechanisms identify these incursions and flag the attack attempts.
Finally, for each story, we have a “Defend” section. This is the section that comes full circle. We deploy a much more secure application to the particular cloud environment. In some cases, this would mean that even if the application continues to be vulnerable to the same issues, the underlying cloud configuration would be much more secure, hence negating the possibility of attack.
In this part of each story, we’d explore a combination of several security mechanisms that are natively provided by the cloud provider.
The security implementations we’ll be exploring across the stories include, but are not limited to:
- AWS Network Security Controls => VPC, Advanced VPC Controls (Mirroring, Flow Logs, etc), Security Groups, etc
- AWS IAM and Advanced IAM deployment, policies, and Policy Management
- AWS Security Services => Security Hub, GuardDuty, etc
- AWS Host Security Services => IMDSv2, host-level security monitoring using osquery, etc
- Proactive Detection and Alerting => CloudWatch, CloudTrail, Alerts, Leveraging Lambda for security event triggers, etc.
- Security Analytics with CloudWatch, Athena, etc
- Federated Access Control and Management with Cognito and Cognito implementation deep-dives
- Container-native security protections => ECR and Fargate
- Encryption and Key Management Practices with KMS, Secrets Manager
- GCP Network Security Controls => VPC, Firewall, and NAT Gateways
- GCP IAM and advanced IAM with conditions and IAM policy with Audit logs
- Access control management for the Application with GCP Identity Aware Proxy (IAP)
- GCP Service account and least privilege in the service accounts
- GCP Logging and monitoring => VPC logging, Firewall Logging, and Audit Logging
- GCP storage and Security Controls for Storage => Fine-Grained Access, Uniform Access, and Public prevention
- GCP Security Command Center for Security Detection and Vulnerability Monitoring
- Azure Network Security Controls => Virtual Network, Network Security Groups, Azure Firewall
- Azure IAM and Advanced IAM deployment, policies, and Policy Management
- Azure Security Services => Microsoft Sentinel, Defender for Cloud, Advanced Threat Protection, Azure Security Center, etc.
- Security logging and monitoring with Azure Monitor Logs, Azure Network Watcher, and security orchestration and automated incident response through Microsoft Sentinel
- Leveraging multiple encryption techniques through Azure Key Vault
The scope of this training encompasses the Big Three Cloud Providers (AWS, Azure, and GCP). In addition, since Kubernetes is a cross-cutting concern across all three cloud environments, there will be relevant Kubernetes-specific stories showcased in the training as well.
Each story is a simulation of a real-world application and use-case(s). We’d leverage everything from VMs on AWS, GCP, and Azure to managed container services (ECS, ACI, Cloud Run), to managed Kubernetes (EKS, AKS, GKE), to FaaS (Lambda, Azure Function Apps, Google Cloud Functions, Step Functions, Logic Apps, etc). The objective is to provide the students with a comprehensive viewpoint of applications, with a view on diverse deployment environments. This enables them to gain a greater understanding of the intricacies of offensive, defensive, and detection engineering for various types of applications and cloud environments.
We aim to cover approximately 3 fully formed stories every day of the training. To keep the flow consistent, we focus on one cloud provider per day, with a brief introductory session on the cloud provider and some critical areas that the audience should be aware of before they go deep into the subject matter. The stories themselves are a set of micro-labs, where the trainers explain and demonstrate the concept with hands-on labs that the participants work through. The class is meant to be an extensively hands-on class, with the theory intermeshed into the hands-on labs to support it and give the students a detailed underst