A list of free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.
| Name | Technology | Category | Author | Notes |
|---|---|---|---|---|
| AWS CIRT Workshop | AWS | Self-hosted, guided lab | AWS CIRT | Build with Cloudformation, explore 5 common incident response scenarios observed by AWS CIRT |
| CloudGoat | AWS | Self-hosted, guided vulnerability lab | Multiple, Rhino Security Labs | Python orchestration of terraform |
| Attacking and Defending Serverless Applications | AWS | Self-hosted, guided vulnerability lab | Ryan Nicholson | Attack and defend a Lambda that you build in your own AWS account with author provided terraform |
| IAM Vulnerable | AWS | Self-hosted, guided vulnerability lab | Seth Art | IAM-focused priv esc playground with 31 pathways, create in your own AWS account using terraform, solid docs |
| flaws.cloud | AWS | Author-hosted, CTF challenge | Scott Piper | Challenge style with levels and clues |
| flaws2.cloud | AWS | Author-hosted, CTF challenge | Scott Piper | Challenge style Attacker and Defender paths |
| Sadcloud | AWS | Self-hosted | Multiple, NCC Group | Terraform code; not guided like CloudGoat |
| Broken Azure | Azure | Author-hosted, CTF challenge | Secura | Provides hints, optionally self-host in your own Azure account using terraform |
| PurpleCloud Azure AD Workshop | Azure | Self-hosted, guided vulnerability workshop | Jason Ostrom | Guided vulnerability workshop requires PurpleCloud and terraform; username and password is sec588 |
| Mandiant Azure Workshop | Azure | Self-hosted, guided commands | Multiple | Vulnerable by design Azure lab with two scenarios; build with terraform |
| AzureGoat | Azure | Self-hosted, attack and defense manuals | Multiple, ine-labs | Bring your own Azure tenant, Build with terraform, one module, provides attack and defense manuals |
| XMGoat | Azure | Self-hosted, guided labs | Multiple | Build with terraform, 5 scenarios, solution docs provided |
| GCP Goat (Josh Jebaraj) | GCP | Self-hosted, mdbook lab guide | Josh Jebaraj | Host in your own GCP account, build with provided scripts, nice guided lab workbook |
| GCPGoat (ine-labs) | GCP | Self-hosted, attack and defense manuals | Multiple, ine-labs | Bring your own GCP account, Build with terraform, one module, provides attack and defense manuals |
| Bustakube | Kubernetes | Self-hosted, import VMs | Jay Beale | Vulnerable K8S cluster, Download the VMs to build cluster and import into VMWare, run it |
| Kubernetes Goat | Kubernetes | Self-hosted, multi-cloud, K3S | Madhu Akula | Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack, has a guided workbook |
| Kubecon NA 2019 CTF | Kubernetes | Self-hosted in GKE | Multiple | Create GCP account, has a guided workbook with two attack and defense scenarios plus bonus challenges |
| Contained.af | Container | Author-hosted Challenge | Jessie Frazelle | A container escape challenge, break out of it and email the author |
| TerraGoat | Terraform | Self-hosted multi-cloud (AWS, Azure, GCP) | Multiple, Bridgecrew | Vulnerable by design terraform repository |
| PurpleCloud | Azure | Research Lab | Jason Ostrom | Using python and terraform, build your own Azure security lab |
| SimuLand | Azure | Research Lab | Roberto Rodriguez | Using Azure RM templates, create your own Azure security lab |
AWS CIRT Workshop: Build in your own AWS account and explore 5 common incident response scenarios as seen by the AWS CIRT team.
CloudGoat: Vulnerable by design AWS security labs with guided walkthrough.
Attacking and Defending Serverless Applications: Attack and defend a Lambda that you build in your own AWS account with author provided terraform and scripts.
IAM Vulnerable: Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground with 31 privilege escalation attack pathways. Very solid documentation.
flaws.cloud: Challenge style with levels and clues.
flaws2.cloud: Challenge style with both Attacker and Defender paths.
Sadcloud: Create vulnerable AWS services without a guide showing vulnerabilities.
Broken Azure: A vulnerable by design Azure infrastructure that you can attack.
PurpleCloud Azure AD Workshop: Guided vulnerability workshop simulating an enterprise Azure customer. It requires PurpleCloud and terraform; username and password is sec588
Mandiant Azure Workshop: Vulnerable by design Azure lab with two scenarios that you build in your own Azure tenant.
AzureGoat: Build one module with terraform and walk through the provided attack and defense manuals.
XMGoat: Build 5 scenarios in your Azure tenant and walk through solution docs provided.
GCP Goat (Josh Jebaraj): Host in your own GCP account and build with provided scripts. It has a nice guided lab workbook.
GCPGoat (ine-labs): Bring your own GCP account and build one module with terraform. Provides attack and defense manuals.
Bustakube: Download a vulnerable K8S cluster as VMs that you can import and run locally in VMWare.
Kubernetes Goat: Create and host in your own cloud account (GKE, EKS, AKS) or K3S and attack. Includes a guided workbook.
Kubecon NA 2019 CTF: Awesome CTF that you create in your GCP account. Has a guided workbook with two attack and defense scenarios plus bonus challenges.
Contained.af: A container escape challenge, break out of it and email the author.
TerraGoat: Vulnerable by design terraform repository.
PurpleCloud: Using python and terraform, build your own Azure security lab.
SimuLand: Using Azure RM templates, create your own Azure security lab.