Cloud Penetration Test (VAPT)

Cloud VAPT for AWS, Azure, and GCP

Breaking the illusion of safety in the cloud

A Cloud Vulnerability Assessment and Penetration Test (VAPT) identifies and exploits misconfigurations, identity and access management weaknesses, and insecure cloud-native controls across AWS, Azure, and GCP environments. In practice, the service tests whether one exposed credential, weak role, or trust relationship can be turned into meaningful access. A cloud vulnerability assessment stops at listing security issues and known security vulnerabilities. A cloud VAPT shows what those weaknesses let an attacker do. That includes privilege escalation, lateral movement, and data exfiltration. Swarmnetics delivers cloud VAPT engagements using Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) certified consultants.

Your cloud IAM is an attacker’s first target

Find the doors attackers use—before they do

In October 2025, FINRA issued a cybersecurity alert on the Red Hat security incident. Threat actors had breached a self-managed GitLab instance used by Red Hat Consulting. They exposed sensitive customer data, including configuration data, authentication tokens, and infrastructure details. Rapid7 later linked related cloud intrusion activity to the threat group Crimson Collective. Together, these reports illustrate the same cloud risk pattern: exposed credentials or identity weaknesses can be expanded into privileged access, service discovery, and data exfiltration. In that campaign, exposed long-term AWS access keys were used to create privileged IAM users, escalate access, conduct reconnaissance across AWS services, and exfiltrate data. A Cloud VAPT would have identified the exposed long-term access keys and overly permissive identity and access management configurations before attackers used them to escalate privileges and exfiltrate sensitive data.

For enterprises already using CSPM, CNAPP, or native cloud security tooling, the key question is not whether findings exist. It is whether those findings can actually be chained into compromise. Organisations often need to validate that cloud security controls are effective through regular testing — not merely through configuration audits. Automated scanning can identify known misconfigurations, but it cannot show how one exposed credential can lead to broader cloud compromise. It also cannot show the security risks created by chained weaknesses.

Testing your cloud the way attackers do

Because knowing what to fix beats hoping you’re secure

The assessment phase shows how exposed your cloud environment really is. In a black-box cloud VAPT, Swarmnetics assesses the environment without prior access or documentation. This simulates an external attacker attempting to discover exposed services, misconfigurations, and vulnerabilities from the outside. In a grey-box engagement, your team provides cloud console access and relevant documentation. That allows our consultants to assess the environment from both external and internal perspectives, including authentication mechanisms, access controls, network security, data protection, and service configurations.

This cloud security assessment goes beyond basic vulnerability scanning. Swarmnetics uses automated tools including Scout Suite and CloudSploit to identify misconfigurations, vulnerabilities, and compliance gaps across cloud infrastructure, containers and repositories. Those outputs are then tested manually to determine whether identity weaknesses, cross-account trust relationships, storage access paths, and service-to-service permissions can be abused in practice. Combined with manual testing, the goal is not to stop at identified vulnerabilities. It is to simulate real world attacks and show how real world attackers move through cloud environments. That includes validating privilege escalation paths, role chaining, lateral movement opportunities, and the effective blast radius from one weak identity or exposed credential. It also shows whether one weak security control can be chained into broader compromise.

Yes, we are CREST accredited

Our core team is based in Singapore and consists of CREST certified penetration testers who are also Offensive Security Certified Professional (OSCP) certified. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium business, and across various industries.

Learn more

Inside the cloud attack surface

What gets tested

Swarmnetics tests the following cloud attack surfaces and vulnerability types to show how weaknesses across identity, storage, networking, and cloud services could combine into a practical attack path:

IAM privilege escalation paths, including wildcard policies, overly permissive role assumptions, and long-lived access keys
Cross-account role trust relationships and federation misconfigurations
Storage bucket access controls, public exposure, and encryption implementation
Exposed credentials in environment files, code repositories, and Lambda environment variables
Serverless function IAM policies enabling unauthorised access to other cloud services
Container registry access controls and orchestration security configurations
Network segmentation gaps in VPCs, security groups, and routing controls
Cloud-native application security, including insecure API endpoints and authentication weaknesses
Lateral movement paths between cloud services exploiting misconfigured service-to-service access
Data loss prevention controls, monitoring coverage, and detection capability against active exfiltration

FAQ

A cloud vulnerability assessment identifies misconfigurations and known vulnerabilities in your cloud environment without exploiting them. It produces a list of issues to fix. A cloud VAPT goes further by actively testing what an attacker could achieve from those weaknesses. That difference matters because a single low-priority misconfiguration can become a high-impact compromise when it is chained to an IAM or trust relationship flaw.

A cloud VAPT covers IAM configurations and privilege escalation paths, storage access controls, network segmentation, and serverless function permissions. It also addresses container security, cloud-native application security, and federation trust relationships. The assessment targets AWS, Azure, and GCP environments and evaluates both configuration-level weaknesses and active attack paths, including credential exposure, cross-account access, and lateral movement between cloud services.

A black-box cloud VAPT simulates an external attacker with no prior knowledge of your environment. It tests what is exposed and discoverable from the outside. With a grey-box engagement, your team provides Swarmnetics with cloud console access, enabling deeper evaluation of internal IAM policies, role chains, and service-to-service access controls. Organisations concerned about internal misconfigurations usually gain more coverage from the grey-box approach.

In a cloud environment, one exposed IAM credential with excessive permissions can be enough to hand an attacker administrator-level access. From there, they can create backdoor users, move laterally across cloud services, steal data from storage buckets and databases, and pivot into connected systems.

A cloud penetration test from Swarmnetics produces a draft report for your review, followed by a final report upon acceptance. The report includes an executive summary, a detailed technical section with every finding listed by CVSS severity, proof-of-concept evidence demonstrating exploitability, and specific remediation guidance. After you have addressed the findings, we conduct a follow-up retest to confirm adequate remediation.

Any organisation that operates workloads on public cloud platforms should consider a cloud penetration test. It is particularly relevant for organisations subject to regulatory, contractual, or industry security requirements, which requires regular penetration testing of cloud systems. A cloud penetration test is also recommended before launching new cloud systems, after significant changes, and as part of an ongoing security assurance programme. Swarmnetics has conducted cloud penetration tests across all sectors since 2015.

The duration of a cloud penetration test depends on the scope – the number of cloud accounts and services, their complexity, and whether a black-box or grey-box approach is used. A typical cloud penetration testing engagement takes five to ten business days for the assessment phase, followed by an initial report within five business days for your review.

A cloud penetration test is often required for compliance with applicable regulatory, contractual, or industry security obligations where organisations must demonstrate that cloud security controls are effective through regular testing, not just scanning. Swarmnetics recommends conducting a cloud penetration test at least annually, after significant changes, and before launching new cloud systems into production.

Every cloud penetration test follows a three-phase process. In the planning phase, Swarmnetics agrees the scope, testing approach, and schedule with your team. In the Assessment phase, our OSCP and CREST-certified consultants conduct manual cloud penetration testing aligned to the MITRE ATT&CK Cloud Matrix to identify and actively exploit vulnerabilities, determining their real-world impact. In the reporting phase, we deliver a draft report for review and a final report with detailed remediation guidance for every finding.

All Swarmnetics penetration tests are conducted by our Singapore-based team of security consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials. Swarmnetics has been delivering technical security assessments to organisations across Singapore since 2015 and acts as a trusted VAPT delivery partner to service and solution providers, supporting their customers across multiple sectors.

The security assessment report includes specific, actionable remediation guidance for every finding – not generic advice. For each vulnerability, we describe the fix, its priority based on CVSS severity, and any dependencies between remediation steps. Once your team has addressed the findings, Swarmnetics conducts a follow-up retest to verify that each vulnerability has been adequately remediated. The final report confirms closure and provides documented evidence of remediation.