Assess multi-cloud security with the open-source CNAPPgoat project

Ermetic released CNAPPgoat, an open-source project that allows organizations to test their cloud security skills, processes, tools, and posture in interactive sandbox environments that are easy to deploy and destroy. It is available on GitHub.


CNAPPgoat supports AWS, Azure (Microsoft Entra ID), and GCP platforms for assessing the security capabilities included in Cloud Native Application Protection Platforms (CNAPP).

Unlike projects that illustrate possible attack paths, CNAPPgoat provides a large and expanding library of scenarios that security teams can execute to create a customized cloud environment for simulating unsecured and vulnerable assets and validating their defenses. The ability to quickly provision a vulnerable environment with a broad range of risk scenarios provides the following benefits:

  • Create a sandbox for testing an organization’s security posture by assessing security team capabilities, procedures, and protocols
  • Use vulnerable environments for hands-on workshops to train team members on new skills and techniques
  • Provision a “shooting range” for pentesters to test their skills at exploiting the scenarios and developing relevant capabilities
  • Benchmark CNAPP tools against known environments to evaluate their capabilities

“Compared to existing open-source projects that create ‘capture the flag’ scenarios where participants are expected to follow a certain path, CNAPPgoat spans the leading cloud provider platforms and CNAPP capabilities while providing a modular and granular approach for provisioning specific categories of risks and vulnerabilities,” said Igal Gofman, Director of Research for Ermetic.

CNAPPgoat enables security teams, trainers and pentesters to provision and run vulnerable scenarios from the following modules that make up the CNAPP specification defined by Gartner:

  • Cloud Infrastructure Entitlement Management (CIEM) – covers risks associated with identities and entitlements, such as the unintended ability of an identity to escalate its privileges
  • Cloud Workload Protection Platform (CWPP) – includes the exposure of workloads to vulnerabilities such as running vulnerable/end-of-life software or OS versions
  • Cloud Security Posture Management (CSPM) – spans the misconfiguration of cloud infrastructure components, such as publicly exposed storage resources
  • Infrastructure as Code (IaC) scanning – will be added soon for finding misconfigurations directly in the code
