01 — attack paths
Curated misconfig chains.
Each path bundles two or more catalog scenarios into a single attacker storyline — starting position, objective, and the exact steps that exploit each misconfiguration. Open one in the builder to pre-select the components and embed the playbook in the generated IaC.
easy
Hello, anonymous bucket
List and download every object in the public S3 bucket.
cloud: aws~ 10 min3 steps1 components
open in builder
hard
SSRF → IMDS → S3 (Capital One pattern)
Exfiltrate an internal S3 bucket using credentials lifted from the instance's IAM role.
cloud: aws~ 30 min3 steps2 components
open in builder
medium
GitHub Actions OIDC role takeover
Assume the target AWS role from an arbitrary workflow you own.
cloud: aws~ 20 min3 steps1 components
open in builder
easy
Subdomain takeover for credential phishing
Serve attacker-controlled HTML from a subdomain of the target's primary domain.
cloud: multi~ 15 min3 steps1 components
open in builder
hard
Container supply chain → host root
Obtain root on a Kubernetes node by poisoning the container image the cluster pulls.
cloud: multi~ 60 min4 steps2 components
open in builder