Cloud Security Assessment

The keys to your cloud are hidden in plain sight. We find them.

Cloud infrastructure expands faster than the controls meant to secure it. The misconfiguration that leads to full account compromise rarely looks like one. We map the real attack paths — the IAM chains, the exposed metadata services, the trust boundaries that were never meant to be crossed.

Platforms: AWS · Azure · GCP
Framework: CIS Benchmarks v2
Tooling: Pacu · Prowler · ScoutSuite
Compliance: SOC 2 · PCI DSS · HIPAA
Access needed: Read-only IAM role

How we test.

IAM Analysis
  • Permission enumeration across all principals
  • Privilege escalation path mapping
  • Cross-account trust policy review
  • Service account and key hygiene
Network & Access Control
  • Security group and firewall rule analysis
  • VPC flow log coverage gaps
  • Public IP exposure audit
  • NAT gateway and peering configuration
Storage & Data
  • S3/Blob/GCS public access check
  • Encryption at rest and in transit
  • Bucket policy and ACL review
  • Sensitive data exposure in public assets
Compute & Workload
  • IMDSv1 and hop limit checks
  • Instance metadata credential exposure
  • Container image vulnerability scan
  • Serverless function permission analysis
Secrets & Configuration
  • Secrets Manager and KMS key policy review
  • Environment variable secret exposure
  • CI/CD pipeline secret scanning
  • Config drift from baseline
Attack Path Simulation
  • IAM privilege escalation to Admin
  • Lateral movement across accounts
  • Data exfiltration path from compromise point
  • Persistence mechanism identification

What we use.

Pacu
AWS exploitation framework for IAM privilege escalation and attack path testing.
Prowler
AWS/Azure/GCP security assessment tool aligned to CIS Benchmarks and compliance frameworks.
ScoutSuite
Multi-cloud security auditing tool for configuration review across providers.
CloudSploit
Automated cloud configuration scanning for common misconfigurations.
enumerate-iam
Brute-force enumeration of which API calls a given set of credentials can actually make, useful when iam:Get*/List* is denied and the policy cannot simply be read.
Custom tooling
Engagement-specific scripts for cross-account analysis and attack path chaining.

What we find.

Representative findings from past engagements. Client details redacted.

CRITICAL
IAM Role with Wildcard S3 Permissions Assumable by External Principal
Overly permissive trust policy allowed any authenticated AWS account to assume a role with s3:* on production buckets.
HIGH
EC2 Instance Metadata Service (IMDSv1) Enabled — SSRF to Credentials
IMDSv1 was still accepted (HttpTokens set to optional), so a single SSRF GET request to 169.254.169.254 returned the instance role's temporary credentials. Requiring IMDSv2 blocks this, because the session token must be fetched with a PUT request carrying a custom header that ordinary SSRF primitives cannot send; a hop limit of 1 additionally stops tokens being relayed out of containers.
HIGH
Azure Storage Account with Public Blob Access and No SAS Expiry
Backup container allowed anonymous public read, and long-lived SAS tokens with no expiry were hardcoded in environment variables across 12 services.
MEDIUM
GCP Service Account Key Rotation Disabled — 847-Day-Old Key in Use
User-managed key for a service account holding the project Editor role; no rotation was enforced, and the key was also present in GitHub commit history.
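To make three of these finding classes concrete, the following is an added example of the kind of check that surfaces them, written for this page and not the assessor's own tooling. It runs over constructed sample data: an invented account ID, two invented IAM trust policies, two invented EC2 MetadataOptions records, and two invented service account keys. The field names (HttpTokens, HttpPutResponseHopLimit, HttpEndpoint) are the real EC2 DescribeInstances fields; everything else is made up.

```python
import json
from datetime import datetime, timedelta, timezone

OWN_ACCOUNT = "111111111111"  # constructed: the account under assessment

# Constructed trust policy of the kind behind the CRITICAL finding: any AWS
# principal may assume the role, and no Condition narrows it.
WILDCARD_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "*"},
                 "Action": "sts:AssumeRole"}]
}""")

# Constructed hardened version: one named external principal plus an ExternalId.
SCOPED_TRUST = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::222222222222:role/assessor"},
                 "Action": "sts:AssumeRole",
                 "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}}]
}""")


def _aws_principals(stmt):
    """Normalise the Principal element to a list of ARNs, account IDs or '*'."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return aws if isinstance(aws, list) else [aws]


def _account_of(principal):
    """'*' stays '*'; an ARN yields its account field; a bare ID is returned."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else principal


def unconditioned_external_assumers(trust_policy, own_account=OWN_ACCOUNT):
    """Principals outside own_account that may call sts:AssumeRole from a
    statement with no Condition block at all. '*' means any AWS account.
    Simplification: any Condition is treated as a mitigation; a real checker
    would inspect it (aws:PrincipalOrgID, sts:ExternalId, ...)."""
    found = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        found += [p for p in _aws_principals(stmt) if _account_of(p) != own_account]
    return found


# Constructed EC2 DescribeInstances MetadataOptions for two instances.
INSTANCES = [
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled",
                                                 "HttpTokens": "optional",
                                                 "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled",
                                                 "HttpTokens": "required",
                                                 "HttpPutResponseHopLimit": 1}},
]


def imds_findings(instances):
    """Per instance: 'IMDSv1 allowed' when HttpTokens is not 'required' (a plain
    SSRF GET then returns role credentials), and 'hop limit > 1' when an IMDSv2
    token response can be relayed through one extra network hop, e.g. out of
    a container network namespace."""
    out = {}
    for inst in instances:
        mo = inst["MetadataOptions"]
        if mo.get("HttpEndpoint") != "enabled":
            continue  # metadata service disabled entirely, nothing to reach
        issues = []
        if mo.get("HttpTokens") != "required":
            issues.append("IMDSv1 allowed")
        if mo.get("HttpPutResponseHopLimit", 1) > 1:
            issues.append("hop limit > 1")
        if issues:
            out[inst["InstanceId"]] = issues
    return out


# Constructed GCP service account key list as (key id, creation time).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SA_KEYS = [("key-old", NOW - timedelta(days=847)),
           ("key-fresh", NOW - timedelta(days=20))]


def stale_keys(keys, now=NOW, max_age_days=90):
    """Key IDs whose age exceeds max_age_days (90 days is a common bar)."""
    return [kid for kid, created in keys if (now - created).days > max_age_days]


if __name__ == "__main__":
    print(unconditioned_external_assumers(WILDCARD_TRUST))  # ['*']
    print(unconditioned_external_assumers(SCOPED_TRUST))    # []
    print(imds_findings(INSTANCES))
    print(stale_keys(SA_KEYS))  # ['key-old']
```

Against live data the three inputs come from iam:GetRole (AssumeRolePolicyDocument), ec2:DescribeInstances and the GCP service account keys listing respectively, all of which are readable with a read-only role.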

Engagement tiers.

Essentials
$5,000 – $12,000
SMB / single cloud / pre-compliance
  • Single cloud provider (AWS, Azure, or GCP)
  • CIS Benchmark alignment review
  • IAM permission analysis
  • Storage and network exposure check
  • Findings report + remediation guidance
Read-only access required. No credentials stored post-engagement.
Standard
$12,000 – $25,000
Mid-market / SOC 2 / multi-service
  • Single or dual cloud provider
  • Full attack path analysis
  • IAM privilege escalation enumeration
  • Secrets and credential exposure review
  • Compliance-ready report (SOC 2/PCI/HIPAA)
  • 30-day retest included
Most common. Covers the full cloud attack surface for compliance-driven orgs.
Enterprise
$25,000 – $50,000+
Multi-cloud / complex org / enterprise
  • Multi-cloud (AWS + Azure + GCP)
  • Cross-account and cross-tenant analysis
  • CI/CD pipeline security review
  • Container and Kubernetes security
  • Executive + technical report package
Scoped per environment. Timeframe varies with cloud footprint size.

Common questions.

What access do you need?
A read-only IAM role with permissions to enumerate resources across your environment. We provide a least-privilege policy document. We never require write access and we never store credentials post-engagement.
Do cloud providers need to be notified?
None of the three major providers requires advance notification for ordinary security testing of your own resources any more, but each publishes rules of engagement: prohibited activities such as denial-of-service testing, and limits on which services may be tested. We review those rules as part of pre-engagement setup and confirm the scope is permitted before any active testing begins.
How is this different from a compliance scan?
A CIS Benchmark check tells you which boxes are checked. We tell you which misconfigurations chain together into a real breach path — privilege escalation from a developer account to production data, for example. Compliance and exploitability are not the same thing.
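The chaining point above, as an added example written for this page (not the assessor's tooling): a small, invented IAM model of one account, reduced to (action, resource) grants and role trust lists, and a breadth-first search that links two well-known escalation primitives (assuming a role that trusts you, and passing a privileged role to a Lambda function you can create and invoke) until it reaches a principal that can grant itself anything. Every principal name and grant is constructed; a real engagement derives the same graph from iam:GetAccountAuthorizationDetails and the roles' trust policies.

```python
from collections import deque

# Constructed, deliberately small IAM model for one account. PERMISSIONS maps a
# principal to the (action, resource) pairs it is allowed; TRUST maps a role to
# the principals (or service principals) its trust policy accepts. All names
# and grants are invented for illustration.
PERMISSIONS = {
    "user/dev-alice":     {("sts:AssumeRole", "role/ci-deploy")},
    "user/auditor":       {("iam:GetRole", "*"), ("iam:ListRoles", "*")},
    "role/ci-deploy":     {("iam:PassRole", "role/lambda-runner"),
                           ("lambda:CreateFunction", "*"),
                           ("lambda:InvokeFunction", "*")},
    "role/lambda-runner": {("iam:AttachRolePolicy", "role/lambda-runner")},
}
TRUST = {
    "role/ci-deploy":     {"user/dev-alice"},
    "role/lambda-runner": {"lambda.amazonaws.com"},
}
# Actions that let a principal grant itself arbitrary permissions when it holds
# them on itself (or on "*").
SELF_ESCALATION = {"iam:AttachRolePolicy", "iam:PutRolePolicy",
                   "iam:AttachUserPolicy", "iam:PutUserPolicy"}


def allowed(principal, action, resource):
    """Exact-match policy evaluation: a grant matches if each part is equal or
    "*". Real policies also need glob, NotAction and explicit Deny handling."""
    return any(act in (action, "*") and res in (resource, "*")
               for act, res in PERMISSIONS.get(principal, ()))


def is_admin(principal):
    """Effective admin: "*" on "*", or a self-escalation action on itself."""
    return (allowed(principal, "*", "*")
            or any(allowed(principal, a, principal) for a in SELF_ESCALATION))


def edges_from(principal):
    """Yield (next_principal, technique) for the two primitives modelled here."""
    for role, trusted in TRUST.items():
        if (allowed(principal, "sts:AssumeRole", role)
                and (principal in trusted or "*" in trusted)):
            yield role, "sts:AssumeRole"
        if (allowed(principal, "iam:PassRole", role)
                and allowed(principal, "lambda:CreateFunction", "*")
                and allowed(principal, "lambda:InvokeFunction", "*")
                and "lambda.amazonaws.com" in trusted):
            yield role, "iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction"


def find_path(start):
    """Breadth-first search from `start` to the first effective admin. Returns
    the chain as [(from, technique, to), ...] (empty if start is already
    admin), or None when no modelled path exists."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if is_admin(cur):
            hops, node = [], cur
            while prev[node] is not None:
                parent, how = prev[node]
                hops.append((parent, how, node))
                node = parent
            return list(reversed(hops))
        for nxt, how in edges_from(cur):
            if nxt not in prev:
                prev[nxt] = (cur, how)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for who in ("user/dev-alice", "user/auditor"):
        print(who, "->", find_path(who))
```

Each grant in the model passes a benchmark-style check on its own (no wildcard admin policy anywhere); only the search shows that dev-alice is two hops from a role that can attach any policy to itself.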
Can you assess Kubernetes workloads?
Yes, on Enterprise tier engagements. Kubernetes security is included as an add-on scope item: RBAC misconfiguration, Pod Security Admission settings (PodSecurityPolicy was removed in Kubernetes 1.25), and secrets stored unencrypted in etcd. Mention this in your scoping call.

Ready to see what's really there?

No commitment, no pitch deck. A direct conversation about your threat surface and what a DALI engagement looks like.

Response: All scoping inquiries answered within one business day.
NDA first: Mutual NDA signed before any scoping conversation begins.
Compliance: SOC 2, PCI DSS, and HIPAA report-ready engagements.