IT Brief Australia - Technology news for CIOs & IT decision-makers

Misconfigured cloud training labs open paths to attacks

Fri, 23rd Jan 2026

Pentera Labs has reported widespread exposure of cloud-hosted training applications across Amazon Web Services, Google Cloud and Microsoft Azure, with evidence that attackers have already compromised a significant share of the systems identified.

The research focused on customer-managed environments running intentionally vulnerable applications used for security training and demonstrations. Pentera said it found nearly 2,000 publicly exposed training applications. It linked these exposures to attack paths affecting organisations including Palo Alto Networks, Cloudflare and F5.

Pentera said the exposed systems often appeared in environments treated as low priority. The company said it repeatedly observed the same underlying issue. It described "lab" deployments tied to overly permissive identity and access management roles.

Training apps

The research covered common training and demonstration software, including open-source projects OWASP Juice Shop, DVWA and Hackazon. Pentera said many of the exposed systems ran on enterprise-owned cloud infrastructure rather than on isolated test platforms.

Pentera described the environments as deployed with default configurations and minimal isolation. The company said it found cloud identities and privileged roles connected directly to the exposed applications.

In verified incidents, Pentera said a single exposed lab application enabled credential theft and later movement into production systems. The company said this created a repeatable attack surface across AWS, Google Cloud and Microsoft Azure.

Active exploitation

Pentera said it found indicators of live attacker activity in about 20% of the exposed environments it identified. The company said attackers had already deployed crypto-mining malware and persistence mechanisms in a similar share of cases.

Pentera also reported finding webshells and obfuscated scripts on compromised hosts. It said these findings indicated that adversaries viewed publicly accessible lab systems as a practical foothold into enterprise cloud accounts.

Pentera said attackers could expand access from these footholds. It cited lateral movement across cloud resources, privilege escalation through permissive roles, tampering with CI/CD workloads and insertion into software supply chain processes as examples.

Noam Yaffe, Senior Security Researcher at Pentera Labs and Team Lead of Pentera's Offensive Security Services, described the cost and risk implications of misconfigured environments.

"One misconfigured training app was enough for attackers to obtain cloud credentials and deploy miners at an organization's expense," said Yaffe. "These systems may be labeled 'non-production,' but the access they expose is very real for thousands of organizations."

Named targets

Pentera said its investigation included case studies involving large technology and security vendors. It named Palo Alto Networks, Cloudflare and F5 among organisations impacted by the exposure paths it identified.

The company said it encountered multiple cases where exposed training applications belonged to major security vendors and technology companies. It said each case had distinct circumstances. It said the pattern remained consistent across the cases it examined.

Pentera said it disclosed findings to affected organisations. It said the organisations remediated issues before publication of the report.

Cloud controls

The findings highlight how short-lived or low-priority cloud deployments can create persistent risk when identity permissions remain broad. Pentera said overly permissive roles increased the blast radius beyond the vulnerable applications themselves. It said the risk extended to broader cloud infrastructure in the same accounts.
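The combination described above (a publicly reachable lab workload attached to a broad role) can be checked from an asset inventory. The following is an added example, not code from Pentera's report: it assumes AWS-style IAM policy JSON, and the inventory layout, the `env` tag values and the list of sensitive actions are hypothetical.

```python
from fnmatch import fnmatchcase

# Assumed, illustrative list of actions that reach beyond the lab itself.
SENSITIVE = ("iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole",
             "secretsmanager:GetSecretValue")
LAB_ENVS = {"lab", "training", "demo"}  # hypothetical tag values

def as_list(value):
    """IAM accepts one value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def broad_grants(policy):
    """Return the reasons a policy document is too broad for a lab workload."""
    reasons = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or "*" not in as_list(st.get("Resource")):
            continue
        if "NotAction" in st:  # allows everything except the listed actions
            reasons.append("Allow/NotAction on Resource *")
        for action in as_list(st.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            if pattern == "*" or pattern.endswith(":*"):
                reasons.append(f"wildcard {action} on Resource *")
            else:
                reasons += [f"{s} on Resource *" for s in SENSITIVE
                            if fnmatchcase(s.lower(), pattern)]
    return reasons

def exposed_lab_findings(inventory):
    """Map each public, lab-tagged workload to the broad grants on its role."""
    out = {}
    for w in inventory:
        if w["public"] and w["tags"].get("env") in LAB_ENVS:
            reasons = broad_grants(w["role_policy"])
            if reasons:
                out[w["name"]] = reasons
    return out

# Constructed sample inventory (names and policies are made up for the example).
INVENTORY = [
    {"name": "juice-shop-demo", "public": True, "tags": {"env": "lab"},
     "role_policy": {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}},
    {"name": "hackazon-workshop", "public": True, "tags": {"env": "training"},
     "role_policy": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                    "Action": ["ec2:Describe*", "iam:Pass*"]}]}},
    {"name": "dvwa-class", "public": True, "tags": {"env": "lab"},
     "role_policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                    "Resource": "arn:aws:s3:::class-assets/*"}]}},
]

if __name__ == "__main__":
    print(exposed_lab_findings(INVENTORY))
```

The scoped `dvwa-class` role is not reported: the application is still vulnerable by design, but its role does not extend the blast radius to the rest of the account.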

Pentera said its evidence showed attackers using exposed systems for opportunistic access. It also said the activity went beyond automated scanning. It cited persistence mechanisms and credential theft as examples of deeper compromise.

The company said the research originated with Yaffe. Pentera said it documented methodology and evidence as part of a report titled "When the Lab Door Stays Open."

Pentera said it expects exposed training environments to remain an attractive target as organisations continue to run demos and hands-on labs on mainstream cloud services.