Containers and Kubernetes now run production for most cloud-native organisations, and adoption keeps compounding at roughly 24% a year — but clusters fail in ways traditional reviews miss. We assess them the way an attacker who has gained a foothold operates: starting from a compromised pod or an over-broad service account and working towards control of the cluster, the nodes and the workloads they protect.
Coverage spans the full stack. We review RBAC and the control plane for privilege-escalation paths, pod and workload security for weak isolation and dangerous capabilities, and runtime configuration for container-escape routes to the host. We trace the software supply chain through your images, registries and CI/CD pipelines, hunt for exposed secrets, and test whether network policies actually segment east-west traffic — benchmarked against the CIS Kubernetes Benchmark on EKS, AKS and GKE.
This is engineer-led, attacker-minded testing, not a scanner dump. You get findings proven by exploitation, rated by real impact, mapped to the CIS control and to MITRE ATT&CK for Containers, with concrete hardening guidance your platform team can act on — and the option to re-test once fixes land.
- EKS · AKS · GKE: managed Kubernetes coverage
- MITRE ATT&CK for Containers: every technique mapped
How it works
- 01 Scoping & access: Identify clusters, platforms (EKS/AKS/GKE), critical workloads and the access or assumed-breach starting point.
- 02 Configuration baseline: Benchmark the control plane, RBAC, workloads and network policies against the CIS Kubernetes Benchmark.
- 03 Attack-path testing: Attempt privilege escalation, container escape and lateral movement from a compromised-pod foothold.
- 04 Supply-chain & secrets review: Assess images, registries and CI/CD pipelines for tampering and exposed secrets.
- 05 Reporting & hardening: Risk-rated findings mapped to CIS and MITRE ATT&CK, with concrete hardening guidance.
- 06 Re-test: Re-test remediated clusters to confirm fixes and closure (optional).
Packages
- Essential: Single-cluster configuration and RBAC review against the CIS Kubernetes Benchmark.
- Comprehensive: Full cluster assessment with attack-path, supply-chain and secrets testing.
- Enterprise: Multi-cluster program with CI/CD integration and recurring re-testing.
Frequently asked questions
How is this different from a standard cloud security or configuration review?
A cloud posture review assesses your provider account — IAM, storage, networking — against benchmarks. This assessment goes inside the cluster: the control plane, RBAC, pod security, runtime escape, network policies and the container supply chain. Crucially, it is attacker-led — we don’t just check settings, we attempt privilege escalation and container breakout from a compromised-pod foothold to prove what an intruder could actually reach.
Do you support managed Kubernetes like EKS, AKS and GKE?
Yes. We assess managed services — Amazon EKS, Azure AKS and Google GKE — as well as self-managed and on-prem clusters. For managed platforms we review the shared-responsibility boundary specifically: what the provider secures versus the RBAC, workload, network-policy and node configuration that remains yours, which is where most exploitable weaknesses sit.
Which standards and frameworks do you test against?
We baseline against the CIS Kubernetes Benchmark and the platform-specific CIS guides for EKS, AKS and GKE, and we map attacker activity to MITRE ATT&CK for Containers. We also align with NSA/CISA Kubernetes hardening guidance and Pod Security Standards, so findings map both to a recognised control and to the real technique an adversary would use.
Will testing destabilise our running clusters?
No. Configuration and RBAC review is read-only. Active attack-path testing — privilege escalation, container escape, lateral movement — is carefully controlled, scoped and scheduled, and we strongly recommend running it against a staging or representative non-production cluster where possible. Where production testing is required, we use production-safe techniques, agree rules of engagement up front and notify you immediately of any critical finding.
What do we receive, and can you re-test after we fix the findings?
You receive risk-rated findings proven by exploitation, each mapped to the CIS control it breaches and to MITRE ATT&CK for Containers, with concrete hardening guidance for your platform team and an executive summary. Re-testing after remediation is available to confirm closure, and Enterprise engagements can integrate checks into your CI/CD pipeline so regressions are caught before they ship.
Scope a test
+371 2256 5353
Straight to a senior operator · 24-hour reply · NDA on request