CNAPPs & CSPMs don’t tell the full cloud security story
Mar 13, 2025
Nick Jones, Head of Research at WithSecure and an offensive cloud security expert, dives deep into the often overlooked aspects of cloud security. He explains why relying solely on CNAPPs and CSPMs leaves critical gaps. Nick walks through the biggest cloud attack paths and discusses how cloud pentesting differs from traditional methods. He emphasizes why attackers lean on identity and access management rather than direct exploitation, challenges common security misconceptions, and shares real-world insights from red team engagements to help organizations bolster their defenses.
Sharing Cloud Security Posture Management (CSPM) output with testers significantly enhances a penetration test: they can skip what the tooling has already found and focus on what it cannot see.
Organizations must adopt a distinct mindset towards cloud security, recognizing that traditional measures are insufficient and that identity is the new perimeter.
Effective cloud penetration testing requires both traditional skills and a deep understanding of cloud architecture, emphasizing continuous education and collaboration with experts.
Deep dives
The Role of CSPM in Pen Testing
Providing the penetration testers with the organization's Cloud Security Posture Management (CSPM) output makes the test far more effective. With that data, testers can see which misconfigurations are already known and which remain, and spend their time on what the tool cannot find. Including the CSPM findings in the report also lets the tester judge which of those issues actually matter, because they sit on a realistic attack path. This collaborative approach streamlines the engagement and yields more actionable remediation advice.
Evolution of Cloud Security Understanding
The understanding of cloud security has matured considerably since its inception, with organizations now aware that traditional security measures do not apply directly to cloud environments. There is a growing recognition that the cloud requires a different mindset, particularly regarding identity as a perimeter and the distinction between misconfigurations and vulnerabilities. Companies have started to hire cloud security specialists who possess the necessary expertise to navigate unique challenges. Additionally, the development of advanced tools has made it easier to manage cloud security effectively.
The Importance of Context in Security Findings
While tools like CSPMs are becoming adept at identifying misconfigurations, they lack the contextual understanding required to assess the importance of specific vulnerabilities. For example, a public S3 bucket may not pose a significant risk if it contains intended public data. This highlights the necessity of human analysis to contextualize security findings and prioritize them based on the organization's business needs. Expert pen testers can offer tailored recommendations for long-term fixes that align with operational requirements.
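The public-bucket example above can be turned into a small triage step. The script below is an added illustration, not code from the episode or from WithSecure: it re-derives "anonymous read" from an S3 bucket policy document and then applies two pieces of context a CSPM does not have, a resource tag declaring the bucket intentionally public and a data classification from an asset inventory. The bucket names, the `public-data` tag, the finding format and the classification values are all assumptions; the policies and findings are constructed sample data.

```python
"""Context-aware triage of CSPM "public S3 bucket" findings (added example).

Assumptions (not from the original page): buckets carry a hypothetical
`public-data` tag, an asset inventory supplies a classification per bucket,
and CSPM findings arrive as simple dicts. All sample data is constructed.
Bucket ACLs, S3 Block Public Access and explicit Deny statements are not
modelled here; see the note after the code.
"""
import json

# Actions that let an anonymous principal read objects.
PUBLIC_READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}


def _principals(stmt):
    """Normalise Principal ("*" or {"AWS": "..." | [...]}) to a list."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def _actions(stmt):
    a = stmt.get("Action", [])
    return a if isinstance(a, list) else [a]


def public_read_exposure(policy):
    """Return "none", "conditional" or "unrestricted" for anonymous object reads.

    "conditional" means every public Allow carries a Condition block (for
    example aws:SourceVpce or aws:Referer) that narrows who can really read,
    so the finding deserves a human look rather than an automatic critical.
    """
    exposure = "none"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "*" not in _principals(stmt):
            continue
        if not PUBLIC_READ_ACTIONS.intersection(_actions(stmt)):
            continue
        if stmt.get("Condition"):
            exposure = "conditional"
        else:
            return "unrestricted"
    return exposure


def triage(policy, tags, classification):
    """Map a policy plus organisational context to (priority, reason)."""
    exposure = public_read_exposure(policy)
    if exposure == "none":
        return ("info", "policy grants no anonymous read; verify ACLs, likely CSPM false positive")
    if classification in ("confidential", "internal"):
        # A tag claiming the bucket is public does not make internal data safe to expose.
        return ("critical", f"{exposure} anonymous read on {classification} data")
    if tags.get("public-data", "").lower() == "true" and classification == "public":
        return ("accepted", "intentionally public; documented via tag and inventory")
    if exposure == "conditional":
        return ("medium", "anonymous read narrowed by a policy Condition; confirm intent")
    return ("high", "anonymous read with no documented intent to be public")


# --- constructed sample data (hypothetical bucket names and account id) ---
SAMPLE_POLICIES = {
    "acme-marketing-site": json.loads(
        '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",'
        '"Action":"s3:GetObject","Resource":"arn:aws:s3:::acme-marketing-site/*"}]}'),
    "acme-db-backups": json.loads(
        '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},'
        '"Action":["s3:GetObject","s3:ListBucket"],"Resource":["arn:aws:s3:::acme-db-backups",'
        '"arn:aws:s3:::acme-db-backups/*"]}]}'),
    "acme-partner-feed": json.loads(
        '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":"*",'
        '"Action":"s3:GetObject","Resource":"arn:aws:s3:::acme-partner-feed/*",'
        '"Condition":{"StringEquals":{"aws:SourceVpce":"vpce-0123456789abcdef0"}}}]}'),
    "acme-app-logs": json.loads(
        '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":'
        '"arn:aws:iam::123456789012:role/log-reader"},"Action":"s3:GetObject",'
        '"Resource":"arn:aws:s3:::acme-app-logs/*"}]}'),
}
SAMPLE_TAGS = {"acme-marketing-site": {"public-data": "true"}}
SAMPLE_CLASSIFICATION = {"acme-marketing-site": "public", "acme-db-backups": "confidential",
                         "acme-app-logs": "internal"}
# What a CSPM would hand over: every bucket it considers publicly readable.
SAMPLE_FINDINGS = [{"bucket": b, "title": "S3 bucket allows public read"}
                   for b in SAMPLE_POLICIES]


def run(findings=SAMPLE_FINDINGS):
    """Triage each finding; returns {bucket: (priority, reason)}."""
    return {f["bucket"]: triage(SAMPLE_POLICIES[f["bucket"]],
                                SAMPLE_TAGS.get(f["bucket"], {}),
                                SAMPLE_CLASSIFICATION.get(f["bucket"], "unknown"))
            for f in findings}


if __name__ == "__main__":
    for bucket, (priority, reason) in run().items():
        print(f"{priority:9} {bucket:22} {reason}")
```

Of the four findings the CSPM rates identically, only one ends up critical, one is an accepted risk, one is a false positive and one needs a human decision. In a real environment the same logic would also have to read the bucket ACL and the account and bucket Block Public Access settings, which can override a permissive policy, and honour explicit Deny statements; the point is that the context (tags, inventory, intent) is what turns a tool finding into a priority.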
Challenges Facing Startups in Cloud Security
Startups navigating cloud security often face unique challenges due to a lack of regulatory pressure that larger organizations encounter. These companies might not place sufficient emphasis on security practices, leading to potentially dangerous vulnerabilities. Without a strong compliance requirement, engineering teams may prioritize feature release over security measures. As a result, pentesters are frequently called in to highlight these risks, necessitating a shift in organizational culture towards prioritizing security alongside rapid development.
Essential Skills for Cloud Pen Testers
Cloud pen testers must possess not only traditional pen-testing skills but also a deep understanding of cloud architecture and of each provider's identity and access model. The ability to contextualize findings and adapt strategies to the specific cloud environment is crucial for effective assessments. Aspiring pen testers should keep up with the latest attack techniques and practice them in lab environments they own to build their expertise. Collaborating with experienced cloud security practitioners provides valuable insight and accelerates learning.
In this episode we speak to Nick Jones, an expert in offensive cloud security and Head of Research at WithSecure, to expose the biggest security gaps in cloud environments and why CNAPPs and CSPMs alone are often not enough. We cover:
How cloud pentesting differs from traditional pentesting
Why CSPMs & CNAPPs don’t tell the full cloud security story
The biggest cloud attack paths—identity, IAM users, and CI/CD
Why “misconfigurations vs vulnerabilities” is the wrong debate
How organizations should prepare for a cloud pentest
With real-world examples from red team engagements and cloud security research, Nick shares insider knowledge on how attackers target AWS, Azure, and Kubernetes environments—and what security teams can do to stop them.