Macksofy Technologies
AWS · Azure · GCP · Kubernetes

Cloud Security Audit & VAPT in India — AWS, Azure, GCP.

From IAM privilege escalation to S3 misconfigurations, exposed Lambda functions to over-permissive K8s RBAC — Macksofy assesses your cloud environment with the same depth as on-prem, but with cloud-native tooling and attacker tradecraft.

[IAM privilege-escalation graph: lambda-execution-role (wildcard role: s3:*, kms:Decrypt) · ec2-app-instance (secretsmanager:*, rds:Connect) · iam:PassRole * + sts:AssumeRole → admin · ssm:PutParameter / ssm:GetParameter → secrets · iam:CreateAccessKey on self → persistence]
Layer coverage

IaaS. PaaS. SaaS. All three break differently.

A cloud assessment that only checks one layer misses two thirds of the attack surface. We test the way attackers move — across the stack, not inside a single tier.

IaaS
Infrastructure-as-a-Service

EC2, Compute Engine, Azure VMs — your direct responsibility from the OS up.

  • VPC / VNet segmentation + flow-log audit
  • Instance metadata service (IMDSv1 / SSRF) abuse
  • Custom AMIs, snapshots, exposed disks
  • Provider-IAM role mis-scoping
PaaS
Platform-as-a-Service

Lambda, App Service, Cloud Functions, RDS, EKS control planes — where the wiring usually breaks.

  • Function execution-role privilege escalation
  • Managed-DB public exposure + auth-replay
  • Service-mesh + API-gateway auth bypass
  • Secrets in environment variables and build logs
SaaS
Software-as-a-Service

M365, Google Workspace, Salesforce, Atlassian — your data, someone else’s ops.

  • Tenant-isolation + cross-tenant data exposure
  • OAuth scope sprawl + consent-grant abuse
  • SCIM provisioning drift + dormant identities
  • Conditional-access / DLP bypass
Sample posture report

3 clouds. 12 services. 13 findings.

Composite from a 2025 assessment of a Series-B SaaS running multi-cloud across AWS, Azure and GCP. Each tile maps to CIS benchmarks + provider best practice.

AWS: EC2 2 findings · S3 1 finding · IAM 3 findings · VPC clean · CIS benchmark: 6 gaps
Azure: VMs 1 finding · Blob 1 finding · Entra ID 2 findings · NSG 1 finding · CIS benchmark: 5 gaps
GCP: GCE clean · GCS clean · IAM 1 finding · VPC 1 finding · CIS benchmark: 2 gaps
IAM blast radius

One overscoped role = five privesc paths.

Cloud breaches almost never need a CVE. The Lambda execution role with s3:* + iam:PassRole * is what turns a single SSRF into AWS account takeover.
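As an added illustration (not Macksofy's tooling), the check below lints an IAM policy document for exactly the grants named above: service-wide wildcards such as s3:*, and iam:PassRole, sts:AssumeRole or iam:CreateAccessKey allowed on Resource "*". The over-scoped Lambda execution role and its hardened counterpart are constructed samples; the account ID, bucket, key and role names are placeholders.

```python
# Added example, not code from the original page. Flags the IAM grants that
# chain SSRF → credential theft → account takeover when left unscoped.
import fnmatch
import json

# Actions that become privesc or persistence primitives on Resource "*".
RISKY_ACTIONS = {
    "iam:PassRole": "pass any role to a service the caller controls",
    "sts:AssumeRole": "assume arbitrary roles",
    "iam:CreateAccessKey": "mint long-lived keys for other principals",
    "ssm:PutParameter": "tamper with parameters other workloads trust",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy: dict) -> list:
    """Return (statement_index, action, reason) for each risky Allow grant."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        unscoped = "*" in _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            _service, _, verb = action.partition(":")
            if action == "*" or verb == "*":          # e.g. "s3:*", "*"
                findings.append((idx, action, "service-wide wildcard"))
                continue
            for risky, reason in RISKY_ACTIONS.items():
                # IAM actions may carry globs ("iam:Pass*"); match them too.
                if unscoped and fnmatch.fnmatch(risky, action):
                    findings.append((idx, action, reason + " on Resource *"))
    return findings

# Constructed sample: the over-scoped execution role described above.
WEAK_LAMBDA_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}
  ]}""")

# Constructed hardened form: least-privilege actions, scoped ARNs (placeholders),
# and PassRole restricted to the one role Lambda legitimately needs.
HARDENED_LAMBDA_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Effect": "Allow", "Action": "kms:Decrypt",
     "Resource": "arn:aws:kms:ap-south-1:123456789012:key/EXAMPLE-KEY-ID"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-worker-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}
  ]}""")
```

Running `lint_policy` over a role pulled with `aws iam get-role-policy` gives a quick pre-engagement read of which roles deserve the blast-radius review first.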

  • Prevent the next 'misconfigured S3' headline
  • CIS benchmark + cloud-provider best-practice attestation
  • Reduce cloud bill by exposing rogue + over-provisioned resources
  • Satisfy SOC 2 / ISO 27001 / CERT-In cloud audit requirements
  • 47% of cloud breaches start with IAM misconfig
  • ≤24h from SSRF to AWS root via Pacu chain
  • 0 CVEs needed for typical cloud privesc
  • 100% of engagements include K8s + IaC review
Container & Kubernetes

Where one bad RoleBinding ends the cluster.

Containerised workloads add an entirely new attack surface on top of the cloud provider: image registries, build pipelines, runtime escapes, K8s RBAC, service meshes. Every Macksofy cloud engagement tests it end-to-end — from the Dockerfile your developer pushed last Friday to the kube-apiserver token your CI runner mounted at /var/run/secrets.

EKS · AKS · GKE · OpenShift · Rancher · K3s · Docker Swarm · Istio / Linkerd
Image & supply chain
  • Vulnerable base images + abandoned layers
  • Hard-coded secrets / private keys in image history
  • Build-pipeline cache poisoning
  • Public registry mis-permissions
Runtime & escape
  • Privileged container + host-PID/IPC abuse
  • Capabilities + AppArmor / Seccomp bypass
  • DinD & socket-mount → host takeover
  • Sidecar-to-app trust-boundary violations
Kubernetes RBAC
  • ServiceAccount over-permissioning
  • RoleBinding wildcards + namespace breakout
  • Kubelet anonymous-auth + exec endpoint
  • Webhook / admission-controller abuse
Cluster & data plane
  • etcd reachability + secret leakage
  • API-server auth bypass + audit-log gaps
  • CNI misconfiguration → pod-to-pod lateral
  • Persistent-volume cross-tenant exposure
Cloud-native methodology

How a Macksofy cloud assessment actually runs.

Five stages, two-to-three weeks for a typical multi-cloud SaaS. We use the same tradecraft a real cloud-savvy attacker would use — never a check-the-box CIS scan read aloud.

  1. Scope & envelope (1–2 days)
     Account inventory, in-scope services, IaC repos, read-only audit roles, RoE.
  2. Enumerate & map (2–3 days)
     Provider-API enumeration, IAM graphing, K8s discovery, IaC drift analysis.
  3. Exploit & chain (4–6 days)
     IAM privesc paths, SSRF→credential→takeover chains, container escapes, K8s RBAC abuse.
  4. Lateral & impact (2–3 days)
     Cross-account jumps, persistence, sensitive-data demonstration (no exfiltration).
  5. Report & retest (3–4 days)
     Board summary, dev-ready remediation, CIS / NIST / RBI / SEBI evidence, 30-day retest.
Why Macksofy for cloud

Cloud is what we live in, not a service line we added.

Indian regulators are catching up to cloud, attackers are already there, and most audit shops still treat AWS like a colocation cage. Here’s what makes a Macksofy cloud engagement different.

CERT-In empanelled

Our cloud reports are accepted as audit evidence by Indian regulators — CERT-In, RBI, SEBI, IRDAI — without rework.

Operators, not scanners

Engagements led by OSCP / OSWE / OSCE-certified testers who have actually compromised production cloud estates. No Nessus-reading interns.

Multi-cloud + multi-region

AWS, Azure, GCP, OCI — and the India / UAE regional nuances (data-residency, RBI localisation, NESA / DESC) baked into every finding.

Retest within 30 days

Fix it, ship it, ping us. We re-test every High/Critical free of charge and issue a closure letter your auditor will accept.

Engagement snapshot

What we found in your provider’s defaults.

B2B SaaS startup (Bangalore)

AWS account audit

Finding · Lambda execution role with wildcard IAM → admin escalation

Critical — patched same week, IaC guardrails added

Risk severity · Critical
Cloud-native tooling

Pacu. Prowler. Real attacker tooling.

Tools we operate
Pacu · ScoutSuite · Prowler · CloudSploit · Trivy · Checkov · kube-bench · kube-hunter · Falco · AWS CLI · Azure CLI · gcloud SDK
Compliance evidence

Cloud audit accepted by every framework.

CERT-In

Information security audit empanelled by Indian CERT

RBI CSF

RBI Cyber Security Framework + System Audit Reports

SEBI CSCRF

Cybersecurity & Cyber Resilience Framework for capital markets

ISO 27001

ISMS implementation, internal audit and certification support

PCI-DSS

Payment card industry — ASV scans, internal audit, pentest

GDPR

Article 32 controls, DPIA, data flow mapping

HIPAA

Healthcare data protection (relevant for India + UAE health-tech)

UAE NESA / SIA

UAE National Electronic Security Authority compliance

What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled · Govt of India · MeitY
EC-Council ATC · Authorized Training
ISO 27001 Certified · Info Security Mgmt
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
Aisha Khan · Information Security Manager · Listed Fintech · BKC, Mumbai

“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
Inspector K. Joshi · Cyber Cell · Maharashtra Police · Mumbai

“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Vivek Iyer · DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Things people ask before signing.

AWS, Azure and GCP all permit customer-initiated pentests against your own resources without prior notification (with some exclusions). Macksofy adheres to all three policies.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements