Publicly exposed training apps as recurring cloud-entry risk across security vendors
Trend
Summary
Hide ▲
Show ▼
Cybersecurity training apps left exposed on the public Internet are creating a recurring cloud-entry risk for security vendors and enterprise users. A scan identified 1,926 active instances spread across public servers, with a subset overpermissioned enough to enable lateral movement inside cloud accounts. The pattern matters because tools meant for practice can become production footholds when they are deployed with live credentials and broad IAM roles.
Related Happenings
AWS Continuum launches AI-powered vulnerability management lifecycle platform
Security Tool/Service
H score14
First: 19.06.2026 14:00
Last: 19.06.2026 14:00
Sources 1
About this happening:
**AWS Continuum** launched in **gated preview** as a new **AI-powered vulnerability management platform** for AWS environments, expanding security teams’ ability to manage code fl...
AWS Continuum launches AI-powered vulnerability management lifecycle platform
Security Tool/ServiceAbout this happening: **AWS Continuum** launched in **gated preview** as a new **AI-powered vulnerability management platform** for AWS environments, expanding security teams’ ability to manage code fl...
Zealot autonomous AI cloud intrusion proof of concept
Technical Analysis
H score28
First: 23.04.2026 13:09
Last: 23.04.2026 13:09
Sources 1
About this happening:
**Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Zealot autonomous AI cloud intrusion proof of concept
Technical AnalysisAbout this happening: **Palo Alto Networks Unit 42** built **Zealot**, an autonomous AI agent that successfully attacked an isolated **Google Cloud Platform** environment, showing that machine-speed ad...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical Analysis
H score28
First: 23.04.2026 13:00
Last: 23.04.2026 13:00
Sources 1
About this happening:
**Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Unit 42 Zealot proves autonomous cloud attack chaining in GCP
Technical AnalysisAbout this happening: **Unit 42's Zealot PoC** shows autonomous AI can chain cloud attack stages in a live **Google Cloud Platform** environment, shrinking defender reaction time to minutes. The system...
Cloud environments third-party flaw exploitation wave
Exploitation Wave
H score37
First: 09.03.2026 23:45
Last: 09.03.2026 23:45
Sources 1
About this happening:
**Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Cloud environments third-party flaw exploitation wave
Exploitation WaveAbout this happening: **Threat actors** are rapidly weaponizing **newly disclosed third-party vulnerabilities** to reach **cloud environments**, compressing the exploitation window from weeks to days a...
Elastic Cloud SIEM stolen-data campaign
Campaign
H score41
First: 09.03.2026 17:45
Last: 09.03.2026 17:45
Sources 1
About this happening:
The **Elastic Cloud SIEM** abuse campaign has been uncovered across **dozens of organizations**, turning a legitimate security platform into a stolen-data hub and increasing opera...
Elastic Cloud SIEM stolen-data campaign
CampaignAbout this happening: The **Elastic Cloud SIEM** abuse campaign has been uncovered across **dozens of organizations**, turning a legitimate security platform into a stolen-data hub and increasing opera...
Timeline
-
21.01.2026 16:00 2 articles · 5mo ago
Pentera report finds exposed training apps can open cloud environments
Initial DisclosureSecurity research showed that training applications such as Hackazon, DVWA, OWASP Juice Shop, and bWAPP were exposed on the public Internet and, in some cases, deployed in production on Amazon Web Services (AWS) Elastic Compute Cloud (EC2) with attached IAM roles. The scan found more than 10,000 instances, verified 1,926 active internet-accessible deployments across 1,626 servers, and identified 974 running on AWS, Google Cloud (GCP), or Microsoft Azure; 165 of those had IAM roles and 109 were overpermissioned enough to support lateral movement. The findings also connected exposed training-app deployments to major security vendors including F5, Cloudflare, and Palo Alto Networks, and noted that 20% of 616 DVWA servers contained cyberattack artifacts and some were used to run XMRig.
Show sources
- 'Damn Vulnerable' Training Apps Leave Vendors' Clouds Exposed — www.darkreading.com — 21.01.2026 16:00
- 'Damn Vulnerable' Training Apps Leave Vendors' Clouds Exposed — www.darkreading.com — 21.01.2026 16:00