top of page

CLOUD VILLAGE @ DEF CON 34 7th Aug - 9th Aug 2026

Cloud Village is an open space to meet folks interested in offensive and defensive aspects of cloud security.

ABOUT

Cloud village is an open space to meet folks interested in offensive and defensive aspects of cloud security. The village is home to various activities like talks, workshops, CTFs and discussions targeted around cloud services.

If you are a professional who is looking to gain knowledge on securely maintaining the cloud stack and loves to be around like-minded security folks who share the similar zeal towards the community, Cloud Village is the perfect place for you.

 

Cloud Village will be in-person at DEF CON 34, Las Vegas Convention Center from 7th August to 9th August 2026

Hope to see you all there!

Speaker Schedule

💡 Talks: 18  |  ⚡️ Lightning Talks: 2  |  🔨 Tool Demos: 5  | 🎙️ Panels: 4
10:00-10:10
icons8-vertical-line-50 (1).png

Opening note

+

Kick off to the DEF CON 34 journey.

10:10-10:50
icons8-vertical-line-50 (1).png

💡 Talk: Seth Art
New AWS IAM Attack Paths and the Framework to Exploit Them

+

Speaker: Seth Art


Abstract:

In cloud environments, the path from low-privilege foothold to full account takeover often runs through IAM privilege escalation. This talk introduces over a dozen newly discovered escalation paths spanning services that have never appeared in public research: AWS Batch, Amazon Braket, Amazon Managed Apache Flink, Amazon GameLift, Health Omics, and more.


We'll walk through exploiting the most interesting paths in depth, including cross-account variants and attacks that require delivering malicious code payloads to trigger escalation. Then we'll introduce Pathrunner, a new open-source Metasploit-style framework built specifically for IAM privilege escalation, and show how it makes chaining these complex, multi-hop attacks practical during a real engagement.


Speaker Bio:

Seth Art is a Security Researcher & Advocate at Datadog. Prior to joining Datadog, Seth created and led the Cloud Penetration Testing practice at Bishop Fox. He is the author of pathfinding.cloud, an AWS IAM privilege escalation library, and has published many open source tools including Pathfinding-labs, IAMVulnerable, BadPods, and CloudFoxable, and is the co-creator of the popular cloud penetration testing tool, CloudFox.

10:50-11:30
icons8-vertical-line-50 (1).png

💡 Talk: Elzer Pineda & Jose Rivas
Tokens and PRT: Advanced Attacks and Persistence in Microsoft Entra ID

+

Speakers: Elzer Pineda & Jose Rivas


Abstract:


Is MFA and Conditional Access a real security guarantee? In this technical session, we will demonstrate how endpoint compromise allows an attacker to bypass traditional identity barriers in the cloud. The talk focuses on exploiting vulnerabilities in Microsoft Entra ID, breaking down an advanced attack chain:


• Device Code Flow: Abuse of authentication flows for initial access (Demo with Entraith).

• PowerShell Hijacking: Process interception to obtain session tokens (GrabTokenAzureAD).

• Sliver BOF Extraction: Use of Beacon Object Files (BOF) for stealthy exfiltration of tokens and the Primary Refresh Token (PRT) from memory, evading anti-malware defenses.

• MFA Bypass and Intune: Custom tools were developed to extract local PRTs, bypass Intune device management controls, and circumvent MFA. The entire process was automated through the open-source tool https://github.com/bl4cksku11/entraith, enabling attacks via device code flow, token renewal, email and app inspection, token exfiltration, and persistence generation.


Speaker Bio(s):


Elzer Pineda


Regional Pentester and Cybersecurity Consultant, Elzer Pineda is an active member of the Red Team executing strategic consulting projects and advanced penetration testing engagements. His career has been focused on Threat Research for private and government organizations across the region. He is a Dojo Community Ambassador and Professor at the Universidad Tecnológica de Panamá (UTP). His experience has taken him to share technical research at Ekoparty, BSides Latam Peru, BSides Panamá, DOJOConf, PwnedCR, and OWASP Latam. Offensive security certifications: OSWE, OSEP, OSCP, OSWP, CRTP, CRTO, and CRTL.


Jose Rivas


Jose Rivas is an Offensive Security Researcher and Red Team Operator at A-LIGN, specializing in adversarial simulations, Active Directory attack paths, and physical security assessments. Co-founder of Zero Trust Offsec, an offensive security research group focused on vulnerability exploitation, emerging attack techniques, and responsible disclosure, and Founder of DCG Panama, Panama's first official DEF CON chapter, where he leads a community dedicated to red team operations, and adversarial tradecraft. A recognized voice in the Panamanian security community, Jose has spoken at BSides Colombia, BSides Panama, OWASP Panama, and DOJOConf. With certifications including CRTO, eWPT, eCPPT, and CompTIA PenTest+, he brings a threat-actor mindset and a strong commitment to advancing offensive security knowledge across the region.








11:30-12:10
icons8-vertical-line-50 (1).png

💡 Talk: Saksham Agrawal
From Pipeline to Cloud Control

+

Speaker: Saksham Agrawal


Abstract:

Azure DevOps service connections are a core part of modern pipelines, allowing teams to interact with Azure and other external systems seamlessly. While they make deployments faster and easier, they also introduce an attack surface that is often overlooked in real-world environments.


In this research, we explore new attack paths showing how even limited access within Azure DevOps pipelines can be leveraged to escalate privileges and compromise cloud environments. By taking advantage of over-scoped service connections and certain platform behaviors, an attacker can chain together small gaps to achieve significant impact, including gaining subscription-level access.


These findings were reported to Microsoft and acknowledged through MSRC, highlighting a deeper issue in how DevOps integrations are secured. Rather than being just a configuration problem, this reflects a broader gap that organizations need to understand when designing their cloud security approach.


Speaker Bio:

Saksham Agrawal is a Senior Security Consultant at NotSoSecure, specializing in AWS and Azure security. His work focuses on discovering new attack paths in cloud environments and helping organizations understand real-world risks. He enjoys building tools, exploring cloud internals, and sharing his findings with the security community.





12:10-12:50
icons8-vertical-line-50 (1).png

💡 Talk: Pujita Sahni & Geoff Sweet
Security at Machine Speed: How Autonomous AI Agents Are Changing Cloud Defense

+

Sponsored by: AWS


Speakers: Pujita Sahni & Geoff Sweet


Abstract:

Attackers are using frontier AI to compress the time between finding a vulnerability and exploiting it. Manual triage and human-in-the-loop remediation cannot keep pace. The answer is autonomous security that works at machine speed.


This talk covers the continuous AI-powered security loop and how autonomous agents are changing three SOC functions:


Autonomous triage. Agentic AI systems trained on real security decisions separate real threats from noise with high accuracy, reasoning across logs, configurations, reachability, and history. What takes analysts hours, these systems handle in seconds.


Validated remediation. The latest AWS security enhancements discover vulnerabilities, validate exploitability in sandboxes, and fix confirmed exposures with increasing autonomy. We walk through the journey from human-approved fixes to fully autonomous remediation.


Continuous offensive testing. AI agents that proactively test your applications throughout the dev lifecycle instead of once a year. Customized pen testing across your whole environment. We show what this looks like when an AI chains attack paths across services in real time.


The full loop. Discovery feeds triage, triage feeds remediation, remediation closes the gap before attackers exploit it. Integrated through AWS Security Hub with the tools you already use.


Real demos. Real attack paths. Walk away knowing where this technology stands and what first steps look like.


Speaker Bio(s):


Pujita Sahni


Pujita Sahni is a Delivery Consultant specializing in cloud security, risk, and compliance at AWS. In her role, she is responsible for architecting IAM governance frameworks and security automation solutions that enable organizations to implement secure cloud migrations and shift security left within enterprise environments. She brings a broad technical background across identity and access management, vulnerability management, infrastructure-as-code security, and DevSecOps practices, providing a comprehensive view of how security platforms are built, automated, and maintained across enterprise cloud environments.


Geoff Sweet


Geoff Sweet has nearly 30 years of technology experience, starting from the late 90's during the dot-com boom. Geoff has worked in many verticals including Gaming, BioTech, Retail, and financial SaaS. He has held several titles through his career such as Systems Architect, Network Architect, and most recently Security Architect. These experiences have helped him to develop robust experiences in Infrastructure Security. Geoff left the customer side to come to AWS in December of 2019. He left SAP where he lead a small security team responsible for monitoring and doing Incident Response for nearly 10,000 cloud accounts over several cloud providers. Geoff has a proven record of speaking to customers in both small and large format settings. He is engaging, entertaining, and communicates in a way that assures everyone understands. Geoff's background is in Electrical Engineering and Mathematics and continues to use that knowledge to support his customers. He also has a deep fondness for all things automotive and extensive experience building and fabricating vintage cars.




12:50-13:20
icons8-vertical-line-50 (1).png

🔨 Tool Demo: Ariz Soriano
PurpleLoop: Closing the Loop Between Detection Rules, Log Schemas, and Purple-Team Validation

+

Speaker: Ariz Soriano


Abstract:

The problem -

Sentinel deployments rot. Mid-market SOCs run 80 to 300 analytics rules, and a large share haven't fired a true positive in 90 days. Many reference tables or columns that don't exist in the tenant because the rule was copied from a Microsoft post written for a different topology. The public Azure-Sentinel repo ships new content weekly and almost nobody reconciles against it. One layer deeper, Log Analytics ingests 20 to 80 tables per tenant, and most teams have never audited which have any coverage and which are dark. And almost nobody validates that the rules they do have actually fire against the techniques they claim to cover.


What PurpleLoop is -

PurpleLoop is an LLM-augmented detection-engineering workflow built on one insight: rule authoring, coverage analysis, and purple-team validation are the same job, and they should be one tool. It does four things, none individually novel, never previously combined into one workflow:


- Reviews deployed rules by diffing against the live Azure-Sentinel repo and community libraries, flagging drift, dead operators, missing siblings.

- Suggests new rules from your actual workspace schema, not Microsoft's reference topology. A rule needing DeviceProcessEvents isn't suggested if MDE isn't onboarded.

- Generates purple-team scenarios and validates rules against them. The tool runs an atomic-style simulation, checks whether the rule fires, and patches the KQL if it doesn't. The loop closes itself.

- Builds a detection-gap map that distinguishes "no rule for this" from "no telemetry for this." Most coverage tools miss the second category.


Why an LLM? -

The LLM provides the connective reasoning between the pieces. It is not in the codegen path. PurpleLoop reasons in a Sigma-inspired intermediate detection representation (IDR), and a deterministic compiler renders to KQL. The queries that run on your workspace are produced by code we wrote, not by pattern completion. Hallucinated columns and invented operators are eliminated at the compiler boundary, not at the prompt boundary.


What attendees take home -

A working open-source tool installable in minutes, a reusable methodology not bound to Sentinel, and prompt-engineering patterns for security workflows where correctness matters. The talk argues the case, demos the tool live against a real tenant, and hands the code to the room.


Speaker Bio:

Ariz Soriano is a Senior Content Engineer at TryHackMe, where he creates advanced challenges revolving around red and blue teaming. He draws on nearly a decade of industry experience across Red Teaming, Penetration Testing, and Incident Response to turn the tradecraft he uses on live engagements into practical, interactive learning content.


His path through the field is what gives his content its edge. He started on the defensive side as a SOC analyst and IR lead before moving fully into offensive security, where he's spent the last five years red teaming. Most notably, he built the Red Team at Theos Cyber from the ground up, recruiting and training operators, designing red team infrastructure and tooling, and establishing the methodology and playbooks behind the team's APT simulation and purple teaming engagements. That dual perspective shows in his work: his offensive scenarios are grounded in how defenders actually detect and respond, and his blue team content reflects a real attacker's mindset.


At TryHackMe, he focuses on creating advanced challenges across topics like threat hunting, detection engineering, and penetration testing, translating complex techniques into hands-on rooms that teach by doing. Outside of his content work, Ariz is a conference speaker who is passionate about building red team tooling, optimizing offensive workflows, and sharing knowledge with the wider security community.

13:20-14:00
icons8-vertical-line-50 (1).png

💡 Talk: David Fiser
The Hidden Cost of Agentic Connectivity

+

Sponsored by: TrendAI


Speaker: David Fiser


Abstract:

During our extensive research on MCP servers, we uncovered critical vulnerabilities that pose significant risks to the cloud infrastructure management. These vulnerabilities enable malicious actors to interact with and compromise organizational infrastructure. Alarmingly, while some MCP servers had implemented protective measures against such misuse, these measures were often flawed, allowing for trivial bypasses. 


In this presentation, we will underscore the necessity of comprehensive visibility and robust policy guidelines for every organization. Our analysis of over 19,000 MCP servers reveals substantial gaps and vulnerabilities within the so-called security features of these systems. We will demonstrate how these security features can be bypassed and highlight the real-world implications of these vulnerabilities. 


Through active scanning, we identified the same vulnerable MCP server implementations deployed in the wild, confirming that these vulnerabilities are actively exploitable. This underscores the urgent need for organizations to adopt a strategic approach to managing MCP servers. 


Our aim is for attendees to understand th e critical importance of AI security beyond mere vulnerability management. Our findings show that even if the MCP server is not vulnerable, default deployments often introduce significant risks to organizational security. We will conclude our presentation by outlining best practices for mitigating the risks associated with MCP servers, ensuring that attendees leave with actionable insights to enhance their organization's security posture. 

14:00-14:30
icons8-vertical-line-50 (1).png

🔨 Tool Demo: Bleon "gl4ssesbo1" Proko
Nebula - 5 years, still kicking *aaS

+

Speaker: Bleon "gl4ssesbo1" Proko


Abstract:

Nebula is a cloud C2 Framework, which at the moment offers reconnaissance, enumeration, exploitation, post exploitation on AWS, but still working to allow testing other Cloud Providers and DevOps Components.

It started as a project to unify all Cloud + DevOps Pentest and Security Techniques for a better assessment of the Infrastructures. It is build with modules for each provider and each functionality. Initially released in April 2021 as a bulk of scripts, it developed into a C2 framework, managed through a teamserver, allowing a team of pentesters to authenticate and access the tool, as well as a MongoDB database to save the results into. Offers modules for reconnaissance, initial access, enumeration, Command and Control, post exploitation, persistence and cleanup in AWS, Azure Graph and Management API, DigitalOcean, as well as a new release for GCP and GWS, Kubernetes and defense bypasses.


Currently covers:

- Public Reconnaissance

- Phishing

- Brute-force and Password Spray

- Enumeration of internal resources after initial access

- Lateral Movement and Privilege Escalation

- Persistence


Ever since I pushed the last update, the tool has changed drastically. Now you will get a teamserver based tool, with a client and server split, authentication to access the tool, user management and a MongoDB database to save the results into.


Speaker Bio:

Bleon is an Info-sec passionate about Infrastructure Penetration Testing and Security, including Active Directory, Cloud (AWS, Azure, GCP, Digital Ocean), Hybrid Infrastructures, as well as Defense, Detection and Thread Hunting. He has presented topics related to Cloud Penetration Testing and Security in conferences like BlackHat USA, Europe and Sector, DEF CON, SANS Pentest Hackfest Hollywood and Amsterdam, as well as several BSides on USA and Europe.

His research include Nebula, a Cloud Penetration Testing Framework (https://github.com/gl4ssesbo1/Nebula) and other blogs, which you can also find on his blog (blog.pepperclipp.com). He is also the author of YetiHunter, DetentionDodger and Ransomwhen (https://github.com/Permiso-io-tools/[DetentionDodger | YetiHunter | Ransomwhen]).



14:30-15:10
icons8-vertical-line-50 (1).png

🎙️ Panel:
Citizen Developers Can't Defend What They Built: Scaling Security Past the Security Team

+

Panelists: TBD


Description:

The operations, marketing, and finance staff shipping apps on low-code platforms and AI assistants are on track to outnumber your engineers four to one, and almost none of what they ship reaches a security review. When it fails, it fails wide: one default-public setting in Power Apps exposed 38 million records across 47 organizations. So how do they defend what they build, or do they? Push ownership outward with paved roads and policy-as-code, or wall off the blast radius and concede they never will? And when the citizen-built app is the breach, who answers: them, or you?

15:10-15:50
icons8-vertical-line-50 (1).png

💡 Talk: Muskan Tomar
The Polymorphic Agent: From Cross Agent Escalation to Just in Time Defense on Azure

+

Speaker: Muskan Tomar


Abstract:

A permission error halts conventional malware. AI agents are being assigned standing cloud IAM permissions and the autonomy to use them, a combination that breaks an assumption every existing control depends on. The agent reasons its way to an escalation path through the cloud provider's own IAM APIs. We call this the polymorphic agent. This talk presents research cross-agent privilege escalation between independent AI agents & defense around it.


The attack begins with a single poisoned tool description, rewritten to read like routine compliance guidance. The agent parses the injected text, reasons about it, and grants itself elevated IAM roles. this showcases how a compromised Agent A modifies the role assignments of a separate Agent B, running a different framework in a seperate environment and never issued a malicious instruction, expanding Agent B's authority entirely through authorized IAM calls. This points directly to two risks named in the OWASP MCP Top 10: Privilege Escalation via Scope Creep (MCP02), achieved through Tool Poisoning (MCP03). To test whether this is agent-specific, we ran the attack across three production agents, including LangChain and Claude Code. All three escalated, the pattern is consistent: prompt-layer guardrails are reformable, human approval is socially engineer-able, and telemetry arrives too late. 


These results frame two requirements for any workable defense: the escalation must be measurable in real time, and it must be blocked at a point the agent cannot reach. Enforcement has to move to the credential layer, since an agent cannot act on the cloud without first obtaining a credential. This is the gap PrivilegeGuard closes, an out-of-process credential gateway that intercepts DefaultAzureCredential and slots into existing agent deployments with minimal to no code change.


On each token request, it computes the requesting Non-Human Identity’s Blast Radius Score (BRS): the fraction of the cloud resource surface reachable by that identity across a two-hop IAM graph traversal, providers reachable under current role assignments plus those reachable after a simulated roleAssignments/write self-escalation. PrivilegeGuard evaluates BRS and its rate of change against an Open Policy Agent (Rego) policy and denies an anomalous, high-blast-radius request before the escalated role is usable. 


The takeaway is architectural: cross-agent escalation follows from giving probabilistic, goal-driven agents standing IAM credentials, not from any single agent or framework, and it widens as agents gain access. We deliver the attack on real Azure identities, and an enforcement model that stops it where the agent cannot follow: the credential layer.


Speaker Bio:

I am Muskan Tomar, a Security and Reliability Engineer at MICROSOFT, where I work at the intersection of Site reliability, Infrastructure Security, and Software Engineering building systems that are expected to never go down, stay secure, and scale quietly in the background. 5X Microsoft Azure Certified , with experience working on architecting and modernising, securing cloud platforms and reducing operational toil through automation, AI and data driven engineering. 

My independent research focuses on AI agent security and cloud identity, and how autonomous agents change the threat model for systems we trust to stay locked down. An enthusiastic learner who champions collaborative cloud and security research, I enjoy untangling complex systems and eliminating single points of failure. Outside work, I love to travel and paint.

15:50-16:10
icons8-vertical-line-50 (1).png

⚡️ Lightning Talk: Gil Weizman & Tamir Yehuda
Go with the Flow: Riding GCP Dataflow Shadow Dependency to Cross-Tenant Compromise

+

Speakers: Gil Weizman & Tamir Yehuda


Abstract:

Cloud resources rely on a web of trust that most security teams ignore. Even if you secure access to a resource, you might miss its "shadow dependencies" - the external, system-generated resources required for it to function. 


GCP Dataflow is just the latest in a long trail of vulnerable services suffering from this architectural blind spot. What we found is a fundamental flaw in how Dataflow blindly trusts dependencies located far outside its IAM control and security boundaries. 


In this talk, we’ll present two novel attack techniques that weaponize unvalidated config files to hijack trusted data pipelines. We’ll also demonstrate a critical cross-tenant vulnerability that extends this issue by enabling manipulation of Dataflow orchestration across tenant boundaries. The issue remains under responsible disclosure and is expected to be fixed before the presentation. 


Background: GCP Dataflow and Managed Infrastructure 


Organizations running large-scale enterprise data workloads increasingly rely on managed data-processing services, especially GCP Dataflow. Built on Apache Beam, Dataflow executes unified data pipelines while removing much of the operational burden of provisioning cluster frameworks, tuning virtual machines, and scaling infrastructure in response to demand. Teams define the pipeline, and Dataflow provisions and scales the underlying compute resources automatically. 


During this orchestration, however, Dataflow pipelines often depend on objects stored in standard cloud storage buckets to control execution, such as code, templates, and environment configuration. 


Pipelines routinely ingest and execute files from cloud buckets, including JavaScript or Python User Defined Functions (UDFs) for runtime transformation, structured YAML job templates that define pipeline parameters, and other environment configuration files. 


Because these files and their supporting temporary assets are often managed through automated developer pipelines, they can become "shadows": overlooked in routine asset inventories and security posture reviews, yet still critical to the execution of highly trusted cloud workflows.


Key Takeaways 


Dismantling the shadow resources blind spot: Understand how automated cloud orchestration creates short-lived access windows that can evade scheduled security scans and routine asset inventories. 


Auditing the infrastructure-as-config attack surface: Learn to treat external execution blueprints as active attack surfaces rather than passive configuration files. 


Applying defensive best practices: Take away architectural recommendations for designing pipelines that are more resilient to these attack paths. 


Session Details 


Total duration: 20 minutes 


5 minutes: Background on shadow resources and Dataflow mechanics. 


10 minutes: Walkthrough of the attack paths and the cross-tenant vulnerability. 


5 minutes: Research methodology, defensive takeaways, and detection strategies. 


Speaker Bio(s):

Gil Weizman


Gil Weizman is an experienced security researcher with over ten years of expertise across on‑prem, cloud, web, and SaaS security. Gil focuses on threat detection, product security research, vulnerability research and identifying gaps in security visibility across modern environments. Gil specializes in translating real‑world attacker behavior into improved detection and mitigation strategies.


Tamir Yehuda


Tamir Yehuda is a Senior Security Researcher and cloud security team lead at Varonis. He is a full-stack hacker with experience in malware analysis, Windows & AD domains, SaaS applications, and cloud infrastructure. Tamir specialize in IaaS & PaaS research focusing mainly on Azure, GCP, AWS, Salesforce, and ServiceNow. He brings over eight years of experience in various types of security research and red teaming





16:10-16:50
icons8-vertical-line-50 (1).png

🎙️ Panel:
The New Software Supply Chain Nobody is Securing: MCP

+

Panelists: TBD


Description:

MCP is the USB-C port for AI: one universal socket that lets an agent plug into your source, your SaaS, and the credentials on your developers' laptops. The threat model isn't the mystery anymore; OWASP and the NSA have written it down. The unsolved part is the one USB-C never fixed: what you let plug into the port, and what each thing's allowed to do once it's in. Plug in the wrong server and your own agent becomes the attacker. So what earns the right to connect and should MCP enforce that at the port, or is that on you?

16:50-17:30
icons8-vertical-line-50 (1).png

💡 Talk: Aravind Sreekanth Pallavoor & Sadhana Sainarayanan 
Trust Fall: How Agentic AI Inherits Your Cloud's Worst IAM Habits

+

Speakers: Aravind Sreekanth Pallavoor & Sadhana Sainarayanan 


Abstract:


Cloud IAM was designed for two principals: humans and machines. In 2026, a third has arrived: the autonomous AI agent and it plays by neither rule book. AWS Bedrock Agents, LangChain-based orchestrators, and multi-agent pipelines are being deployed with execution roles scoped to whatever the deploying engineer thought was "good enough," inheriting the same over-privileged IAM patterns that have plagued cloud environments for a decade. The difference: agents don't just misuse permissions accidentally. When adversarial manipulations are done, they weaponize them with precision.


This talk dissects the threat model of agentic AI systems from an attacker's perspective with a clear-eyed look at how autonomous agents become cloud privilege escalation engines. Drawing from the OWASP Top 10 for Agentic Applications 2026, MITRE ATLAS, and real-world research including Sonrai Security's AgentCore privilege escalation path and Unit 42's confirmation of autonomous AI-driven cloud attacks, the talk walks through a complete attack chain: indirect prompt injection against an agent's context window → tool misuse via over-privileged Lambda execution roles → IAM policy modification → persistent backdoor creation — all without a single stolen credential.


Attendees will leave with a structured threat model mapped to MITRE ATLAS tactics, a dissection of what AWS CloudTrail catches versus what it silently misses during agent-driven attacks, a breakdown of the three OWASP agentic risks most directly applicable to AWS environments (Goal Hijack, Tool Misuse, Identity & Privilege Abuse), and concrete defensive controls including agent-scoped least-privilege IAM, Bedrock Guardrails limitations practitioners need to know, and human-in-the-loop architectural patterns.


Speaker Bio(s):


Aravind Pallavoor


Aravind Pallavoor is a cybersecurity practitioner with over five years of hands-on experience spanning application security, cloud security engineering, and offensive security research. He holds CISSP, CEH (v11), and AWS Certified Security – Specialty (SCS-C02) certifications alongside a Master of Science in Cybersecurity, Technology and Policy from The University of Texas at Dallas, where he graduated with a 3.82 GPA.


His offensive security background includes web application and API penetration testing, mobile application security, AI chatbot security assessments — including prompt injection and training data poisoning research — and cloud infrastructure security across AWS environments. He has conducted security assessments for global financial institutions and enterprise SaaS organizations, applying frameworks including OWASP, CVSS, MITRE ATT&CK, NIST, PCI DSS, and CIS Foundations.


On the cloud side, Aravind has directly architected and audited IAM environments, deployed and red-teamed compliance automation pipelines, and operationalized AWS Config, Secrets Manager, and CI/CD pipeline security at scale. His research interest at the intersection of agentic AI and cloud identity — the subject of this talk — grew directly from real-world experience testing AI systems for adversarial manipulation and observing how autonomous tool use exposes cloud IAM to a new class of attack surface.


"Trust Fall" represents his synthesis of those two worlds: offensive AI security research applied to the cloud IAM threat model, grounded in published vulnerability research, OWASP's Agentic Top 10 for 2026, and MITRE ATLAS — and delivered without a lab, because the threat model speaks for itself.


Sadhana Sainarayanan


Sadhana Sainarayanan is an AI and machine learning practitioner with deep expertise in autonomous pipeline design, event-driven system architecture, MLOps, and cloud-native AI deployment across GCP and Azure environments. She holds a Google Cloud Certified Professional Machine Learning Engineer certification and a Microsoft Certified Azure AI Engineer Associate certification, alongside dual Master's degrees from Carnegie Mellon University. Her research interests span the security implications of agentic AI systems, NLP pipeline trust boundaries, and the input-validation gaps that emerge when autonomous systems process external data at scale. For this talk, she brings the AI builder's perspective to the cloud identity threat model.

LinkedIn: https://www.linkedin.com/in/sadhana-sainarayanan


Cloud Village CTF

Cloud Village CTF @ DEF CON 34: 7th & 8th August 2026

CTF starts - 7th August, 2026 - 10:00AM PDT

CTF closes - 8th August 2026 - 23:59PM PDT

CTF registrations opens - 30th July 2026 - 10:00AM PDT

CTF Site - https://ctf.cloud-village.org


If you ever wanted to break stuff on the cloud, or if you like rabbit holes that take you places you did not think you would go to, follow complicated story lines to only find you could have reached to the flag without scratching your head so much - then this CTF is for you!

Our CTF is a two days jeopardy style contest where we have a bunch of challenges hosted across multiple Cloud providers across multiple categories of difficulty.

You can register as teams or go solo, use hints or stay away from them, in the end it will be all for glory or nothing. Plus the prizes. Did we not mention the prizes? :D

See you on the other side!

Labs Schedule

🗡 Attack Labs: 3  |  🛡 Strategic Defense Labs: 6  |  🔍 Investigation Labs: 2  | ⚔️ Attack & Tools Labs: 2
Note: All labs will be conducted in Room 312, LVCC. The room has been divided into two zones, A and B, to accommodate simultaneous lab sessions.
11:00-13:00
icons8-vertical-line-50 (1).png

🗡 Attack Lab: Samanta Aranda
Weaponizing CloudFormation: Privilege Escalation via Infrastructure as Code in AWS

+

Venue: Zone A, Room 312


Instructor: Samanta Aranda


Abstract:

CloudFormation is widely trusted as a secure and declarative Infrastructure as Code (IaC) service inside AWS environments. In practice, however, CloudFormation frequently operates with permissions far beyond those of individual users, CI/CD pipelines, or developers. This workshop explores how attackers can abuse that trust model to achieve privilege escalation and persistence in realistic AWS environments.

In this fully hands-on offensive cloud security workshop, attendees will begin with limited IAM permissions and learn how to identify and exploit misconfigured CloudFormation execution roles using iam:PassRole, service roles, and Lambda-backed Custom Resources. Participants will weaponize CloudFormation templates to create persistence mechanisms inside service-scoped IAM paths without requiring direct administrative permissions.

The workshop emphasizes realistic cloud attack paths, delegated execution abuse, and the security risks introduced by over-permissioned automation. Attendees will also explore rollback abuse scenarios and learn how these attacks appear in CloudTrail and IAM logs.


Prerequisites:
- Basic familiarity with AWS concepts
- Basic understanding of IAM roles and policies
- Familiarity with terminal/CLI workflows
- Laptop capable of running:
   - AWS CLI v2
   - Terraform >= 1.5
   - Python 3.x (optional but recommended)


Instructor Bio:

Samanta Aranda serves as a Managing Senior Consultant at Bishop Fox, leading security assessments and initiatives focused on strengthening organizations’ technological resilience. She holds a degree in Electronics and Communications Engineering and a Master’s in Computer Science and Technology Management. From the very beginning of her career, she found in cybersecurity not just a profession but a genuine passion. Over the years, she has collaborated with national and international firms such as KPMG, Scitum, EC-Council LATAM, and INFOTEC, contributing to projects that bridge technology, strategy, and security.

Samanta holds 16 professional certifications, including GPEN, GWAPT, CEH, and CND, and has been recognized as an EC-Council Certified Instructor, earning a place in the organization’s Circle of Excellence in 2021. She blends technical expertise with a human and collaborative approach to security, firmly believing that shared knowledge is the strongest defense.

11:00-13:00
icons8-vertical-line-50 (1).png

🛡 Strategic Defence Lab: Ram (n2r)
Governing the Firehose: Writing Custom OPA Policies to Tame and Remediate Prowler Output

+

Venue: Zone B, Room 312


Instructor: Ram (n2r)


Abstract:

When you run an opensource CSPM tool like Prowler across an cloud environment, you don’t get an audit; you get a tsunami of raw data. Sifting through thousands of JSON lines to determine what actually poses an active threat to your specific architecture is where most cloud defense pipelines break down.

In this 2-hour handson workshop, I’m going to show you how I bridge the gap between scanning and governance using Policy as Code. We will dive straight into treating Prowler’s raw security findings as structured data input for Open Policy Agent (OPA).

Together, we’ll write custom Rego policies from scratch to parse, filter and logically route Prowler results based on real world business context. I’ll show you how to write policies that evaluate infrastructure as code risk, suppress known risk acceptances safely and isolate critical failures (like exposed storage buckets or unencrypted databases) to trigger automated remediation workflows.


Prerequisites:

To actively participate, participants should bring a laptop and have:
- Comfort working in the command line (Bash/Zsh) and manipulating data structures.
- A foundational grasp of JSON formatting and basic cloud concepts (identities, storage accounts).
- Git, Docker and a modern code editor installed.
- Prior experience with Rego *isn't required* we'll build our logic from the ground up.


Instructor Bio:

Passionate about Linux, cryptography, and secure SDLC, He loves digging into code, threat modeling, and breaking things (responsibly ofc). Whether it’s hardening apps or decoding exploits. He is all about making software safer - one commit at a time.


13:30-15:30
icons8-vertical-line-50 (1).png

🔍 Investigation Lab:
Cloudy with a Chance of Breaches: Hands-On AWS Threat Defense

+

Venue: Zone A, Room 312


Sponsored by: TrendAI


Abstract:

Join this hands-on workshop to explore integrated security capabilities for the modern AWS cloud stack, including containers, object storage, and AI applications. You’ll work with a deliberately vulnerable Flask application running on EKS with S3 and Amazon Bedrock, then deploy and configure controls that detect attacks at runtime.

The session will cover behavioral runtime detection for credential-access activity and malware inside live pods, attack-surface mapping, and identity-aware risk analysis to trace the potential blast radius of a compromised workload through its IAM role. You’ll also examine file-borne threat protection across the application boundary and S3, use unified XDR queries to hunt across container and storage detections, and close with runtime guardrails that block direct and document-borne prompt injection against a real Amazon Bedrock model.

13:30-14:30
icons8-vertical-line-50 (1).png

🛡 Strategic Defence Lab: Jeremy Schiefer & Lawton Pittenger
The Autonomous Security Loop

+

Venue: Zone B, Room 312


Sponsored by: AWS


Speakers: Jeremy Schiefer & Lawton Pittenger


Abstract:

SOCs get thousands of alerts daily. Most orgs take days to triage and fix critical findings. Attackers exploit that gap.

This lab walks through the three stages of a continuous security loop. Do each phase by hand, then see how the latest AWS capabilities compress it to seconds:

Discovery: Review output from a continuous security scan that found a multi-step attack path. Understand why this catches things annual pen tests miss.
Triage: Manually triage 5 out of 30 Security Hub findings using the same signals AI triage uses. Compare your calls against the automated system.
Remediation: Examine proposed fixes. Understand the difference between human-approved and autonomous remediation. Submit a fix and confirm it works.


Speaker Bio(s):

Jeremy Schiefer


Jeremy is a Pr. Security Solution Architect at AWS focused on helping customers improve their security posture.


Lawton Pittenger


Lawton is a Worldwide Security Specialist Solutions Architect at AWS, based in New York City. He specializes in helping customers design and implement effective network security controls. At AWS, he works with customers at scale and collaborates closely with service teams to drive continuous improvement in security services based on customer needs and feedback. (https://www.linkedin.com/in/lawtonpittenger/ | https://github.com/lawtonpittenger)


16:00-18:00
icons8-vertical-line-50 (1).png

⚔️ Attack and Tools Lab: Leron Gray
Cirro: Extending Your Azure Graph Beyond Identities

+

Venue: Zone A, Room 312


Instructor: Leron Gray


Abstract:

Most Azure graph analysis tooling focuses primarily on identity relationships: users, groups, service principals, and role assignments. While valuable, modern Azure environments contain far more exploitable context hidden within infrastructure, platform services, application configurations, network relationships, managed identities, and data-plane resources.

Cirro (the spiritual successor to Stormspotter) is an attack graphing tool built to model Azure environments by combining Microsoft Graph identity data with Azure Resource Manager (ARM) infrastructure data. Instead of limiting analysis to Entra ID objects and role assignments, Cirro maps Azure resources into Neo4j for deeper attack path and misconfiguration analysis.

This lab provides a practical understanding of Cirro’s collection, ingestion, and analysis workflow. Attendees will perform enumeration and assessment of an Azure tenant to understand how to view attack paths beyond identities. They will perform Cypher queries and use custom dashboards to visualize and interpret graph data.

Prerequisites:
- Docker/Podman Compose
- Azure CLI
- Web browser
- Sqlite3 Browser
Recommended (but not required):
- Fundamental knowledge of Cypher query language


Instructor Bio:

Leron Gray is a Senior Security Consultant at Bishop Fox, specializing in offensive security, cloud attack path analysis, and security tooling research. He is the creator of Cirro, an extensible graph-based framework for analyzing Azure and cloud environments through Microsoft Graph and Azure Resource Manager data. His work focuses on helping security researchers and red teamers better understand complex cloud relationships, identity abuse paths, and infrastructure misconfigurations at scale.

16:00-18:00
icons8-vertical-line-50 (1).png

🛡 Strategic Defence Lab: Mackenzie Jackson
From Dashboard to Exploit: Weaponizing and Winning the Cloud Queue

+

Venue: Zone B, Room 312


Sponsored by: Aikido


Instructor: Mackenzie Jackson


Abstract:

Finding a vulnerability on a dashboard is only half the battle. Knowing how an attacker will weaponize it is what separates great security engineers from the rest.

In this hands-on CloudSec Village lab hosted by Aikido Security, you will step into the shoes of both defender and attacker. Navigating a custom simulation dashboard, you’ll face live vulnerabilities hidden across containerized apps and serverless functions. Your mission: don’t just trust the scanner. You will dive into live mini-applications, execute real-world exploits to prove their impact, and see exactly how they register on the platform. This drop-in lab bridges the gap between passive triage and active offensive security — join any time and validate threats like a pro.


Instructor Bio:

Mackenzie is the Field CTO for Aikido Security, helping tech leaders understand application security through an attacker’s lens. As the co-founder and former CTO health tech company Conpago, he understands the challenges of building secure applications. He has spoken in over 30 countries, hosts the popular Podcast The Secure Disclosure, and contributes to multiple publications including Dark Reading, Financial Times, and Fast Company.

Our sponsors at

TrendAI-Logo-CMYK.ai (1).png

DIAMOND SPONSOR
(ANNUAL)

Trend Micro, a global cybersecurity leader, helps make the world safe for exchanging digital information. Fueled by decades of security expertise, global threat research, and continuous innovation, our cybersecurity platform protects 500,000+ organisations and 250+ million individuals across clouds, networks, devices, and endpoints. Know More

Logo_VTL_202403_1200w_White (1).png

DIAMOND SPONSOR
(ANNUAL)

Varonis protects the data where it lives. Their platform is purpose-built to look deeply inside and around data—and then automate its protection using patented, battle-hardened machine learning and AI. Know More

ai to png (1).png

DIAMOND SPONSOR
(ANNUAL)

Amazon Web Services is the world’s most comprehensive and broadly adopted cloud, enabling customers to build almost anything they can imagine. They offer the greatest choice of innovative cloud and AI capabilities and expertise, on the most extensive global infrastructure, with industry-leading security, reliability, and performance. Know More

Logo-Core-FullColorInverted-Large.png

PLATINUM SPONSOR
(ANNUAL)

Aikido have category-leading security products across code, cloud, runtime, and autonomous penetration testing.
What makes them even stronger is context. By connecting code, cloud, and runtime data, their products work together to find the right issues and fix them faster.
Know More

ai to png.png

PLATINUM SPONSOR

Prowler builds open, adaptable, and community-driven solutions that empower security teams to stay ahead. Prowler stands at the forefront of this transformation. They offer an open-source, highly configurable security platform that empowers organizations to tailor their security assessments and monitoring strategies. Know More

BECOME A SPONSOR

If you are interested in sponsoring Cloud Village, drop us an email at 
hello@cloud-village.org or fill in this quick Google Form.

We are community-driven village that strives to promote and support research in Cloud security community

bottom of page