SEC584: Cloud Native Security: Defending Containers and Kubernetes

Provided by

About the course

SEC584 will perform a deep dive into defending key infrastructure deployment components, focusing on containerization and orchestration exploits. Students will be thrust directly into detailed issues related to misconfiguration and known attack patterns and will learn how to properly harden and protect against these exploits.

What You Will Learn

Deploy Securely At The Speed Of Cloud Native

Cloud native infrastructure and service providers are enabling organizations to build and deliver modern systems faster than ever. The end-to-end toolchain supporting the systems includes managed services to create cloud infrastructure, store source code, build containers, and manage clusters. For information security professionals, the attack surface created by these modern systems can be difficult to defend and monitor. SEC584 explores Docker and Kubernetes, key components of the cloud native infrastructure stack, providing in-depth analysis of the attack surface, misconfigurations, attack patterns, and hardening steps. Students will gain hands-on experience building, exploring, and securing real-world modern systems through an offensive lens.

SEC584 starts by painting a portrait of the modern cloud-native infrastructure hosted in Google Cloud. After deploying cloud resources, students examine methods of compromise, walk through attack scenarios, and then shift their focus to defending and remediating infrastructure services. This includes hardening Kubernetes orchestrator and workload configuration, deploying security testing and monitoring software in pipelines and clusters, cryptographically signing images and build pipelines, and applying AppArmor and Seccomp profiles to containerized workloads.

The course then shifts its focus to defending a live Kubernetes deployment. After students identify several Kubernetes weaknesses, hands-on exercises attacking and remediating security and network policies and admission controllers will help them lock down the lab environment. Attacks and controls are threat-modeled to ensure they are applied correctly, tested out-of-band to ensure their efficacy, and applied at multiple stages throughout the pipeline to enhance engineers' productivity and feedback loops.


Understand why many cloud native services have evolved quickly and without security as a top consideration
Secure containerized applications and defend orchestration workloads
Leverage automated testing tools to perform security testing and harden your deployments


  • Use real-world exploits to target key application deployment components
  • Understand the risks involved in running cloud native infrastructure
  • Explore vulnerabilities to cloud native deployments through authentication, pipeline, and supply chain exploits
  • Exploit and then secure application deployments via Docker and Kubernetes
  • Determine how vulnerabilities are exploited and how defenses are designed


  • Printed and Electronic courseware
  • Course virtual machine with all class labs

Syllabus (18 CPEs)

SEC584.1: Cloud Native Security

SEC584.2: Container Security and Exploitation

SEC584.3: Moving to Kubernetes

SEC584 performs a deep dive into defending containerized workloads (Docker) and orchestrators (Kubernetes). Courses or equivalent experiences should include:

  • SEC540 Cloud Security and DevOps Automation (familiarization with DevOps automation, CI/CD tools and processes, and how containers are used to package software)
  • Experience with Linux command shell
  • Experience with Docker and Kubernetes
  • Familiarity with Google Cloud Platform (GCP)
  • For those looking to prepare ahead of time, check out the following resources:

Docker QuickStart:

Kubernetes Basics:

Terraform Getting Started Guide:

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Mandatory: Students must bring their own GCP account to complete the exercises. Please ensure that you have done the following before class starts:

Google Cloud Platform

  1. Create a Google account.
  2. Sign up for a GCP free trial.


A properly configured system is required for each student participating in this course. Before starting the course, carefully read and follow these instructions exactly:

Download and install VMware Workstation or VMware Fusion on your system prior to the start of the class.
If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 15+, VMware Fusion 11+.
If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.
Mandatory Host Hardware Requirements

CPU: 64-bit 2.5+ GHz multi-core processor or higher
BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
Hard Disk: Solid-State Drive (SSD) is MANDATORY with 50GB of free disk space minimum
Memory: 16GB of RAM or higher is mandatory for this class (IMPORTANT! 16GB of RAM is MANDATORY)
Working USB 2.0 or higher port
Wireless Ethernet 802.11 B/G/N/AC
Local Administrator Access within your host operating system
Mandatory Host Operating System Requirements

You must use a 64-bit laptop with one of the following operating systems that have been verified to be compatible with course VMware image:

Windows (8 or 10)
Mac OS X (Catalina, Mojave) Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Mandatory Software Requirements

Prior to class, ensure that the following software is installed on the host operating system:

VMware Workstation Pro 15+, VMware Fusion 11+
Zip File Utility (7Zip or the built-in operating system zip utility)
In summary, before beginning the course you should:

Have a laptop with a solid-state drive (SSD), 16GB of RAM, and a 64-bit operating system
Install VMware (Workstation or Fusion)
Windows Only: Verify that the BIOS settings have the Intel VT virtualization extensions enabled
Register a NEW GCP free-tier account prior to the start of class at
If you have additional questions about the laptop specifications, please contact

Author Statement
"The proliferation of containers and the growth of Kubernetes and its supporting ecosystem offer a new opportunity for organizations looking to adopt modern development, deployment, and security practices. Containers share their host's kernel and so are more efficient and lightweight than VMs, but they provide a different set of security guarantees. And as cloud providers have built out their managed offerings, the shared responsibility model puts the ultimate responsibility for the security of users' infrastructure on their shoulders.

Highly scalable and resilient distributed systems bring additional complexity, and DevSecOps security can only be achieved with a solid DevOps engineering foundation on which to build. Once this is established, automated security verification can prove the absence of known regressions and reduce the likelihood of unknown vulnerabilities.

Attackers have exploited misconfigured Docker and Kubernetes instances, container and application supply chains, and the cloud infrastructure with which they integrate. This course examines all of these attacks in detail, shows attendees how to undertaken them, and provides detailed remediation and testing steps to ensure cloud native infrastructure is locked down, while still providing value to the business."

- Andy Martin & Eric Johnson

"Very knowledgeable, especially appreciate the extra anecdotes and background as that was especially useful in my learning experience today." - Jacob Austin

Ways to Learn
 Live Online
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

 In Person (3 days)
Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend SEC584?
This course is primarily targeted at

Information security professionals
DevOps engineers
System administrators
Operations engineers
Software architects
Anyone else who is responsible for deploying, managing, and securing modern tools like Docker and Kubernetes in the cloud
The course will also be helpful for security practitioners trying to understand the risks associated with these components.

"Great content. Loads of new things to learn." - Nii Akai-Nettey, 6point6


Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...