Session

From Shodan to Secrets: Red Teaming Vault in Kubernetes—and Building Resilient Defenses with the Has

Abstract
In this session, we’ll explore a realistic, end-to-end attack scenario that highlights how misconfigurations in Kubernetes and secrets management can lead to serious exposures—and how the robust features of HashiCorp Vault can be used to defend against them.
We begin our journey from the outside in, using Shodan reconnaissance to identify exposed instances of Vault, Consul, and Nomad—demonstrating how these powerful tools, when misconfigured, can unintentionally be made visible on the public internet. From there, we pivot into a Kubernetes cluster, exploiting common weak points such as insecure dashboards, overly permissive policies, and poor token hygiene to escalate privileges and access secrets.
Each phase of the attack chain is mapped to a structured Kubernetes security learning path:
- External discovery using Shodan dorks to surface exposed HashiCorp services
- Privilege escalation through service account tokens and Vault API misuse
- Secrets extraction from Vault’s AWS secrets engine
- Terraform state file leaks and hardcoded tokens
- Real-world defensive strategies using Vault’s flexible auth methods, short-lived credentials, namespace segmentation, and integrations with Kubernetes RBAC and network policies
To empower defenders, we’ll share an automated approach for exposure monitoring using the Shodan API—enabling teams to proactively detect and respond when Vault or related infrastructure is exposed.
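The exposure-monitoring idea above, as an added example that is not code from the talk or from HashiCorp: a small Python monitor that queries Shodan's documented /shodan/host/search endpoint for your own netblocks on the default Vault (8200), Consul (8500) and Nomad (4646) ports, then triages each hit by parsing the Vault health JSON that typically appears in the captured HTTP banner. The netblocks and hosts are placeholders (TEST-NET ranges), the Shodan API key is assumed to be supplied by the operator, and the sample response is constructed in the shape the endpoint returns.

```python
"""Exposure monitor for HashiCorp services via the Shodan search API (added example).

Assumes a Shodan API key and the documented REST endpoint /shodan/host/search.
Netblocks used below are TEST-NET placeholders; replace them with ranges you own.
"""
import json
import urllib.parse
import urllib.request

# Default listener ports for the three HashiCorp products discussed in the talk.
HASHICORP_PORTS = {8200: "vault", 8500: "consul", 4646: "nomad"}

SHODAN_SEARCH_URL = "https://api.shodan.io/shodan/host/search"


def build_exposure_query(netblocks, ports=HASHICORP_PORTS):
    """Return a Shodan query limited to your own netblocks and the HashiCorp ports."""
    net_filter = "net:" + ",".join(netblocks)
    port_filter = "port:" + ",".join(str(p) for p in sorted(ports))
    return f"{net_filter} {port_filter}"


def _health_from_banner(banner):
    """Pull Vault's /v1/sys/health JSON out of a raw HTTP banner, if present."""
    # Vault's health endpoint returns JSON with "initialized" and "sealed" keys;
    # Shodan stores the HTTP response body after the headers in match["data"].
    body = banner.split("\r\n\r\n", 1)[-1] if "\r\n\r\n" in banner else banner
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if isinstance(doc, dict) and "sealed" in doc and "initialized" in doc:
        return {"initialized": bool(doc["initialized"]), "sealed": bool(doc["sealed"])}
    return None


def classify_match(match):
    """Turn one Shodan match into a finding with a severity a defender can triage."""
    port = match.get("port")
    service = HASHICORP_PORTS.get(port, "unknown")
    health = _health_from_banner(match.get("data", ""))
    if service == "vault" and health and health["initialized"] and not health["sealed"]:
        severity = "critical"  # an unsealed, initialized Vault reachable from the internet
    elif service == "vault" and health and health["sealed"]:
        severity = "high"      # sealed, but the API surface is still public
    elif service != "unknown":
        severity = "high"      # Consul or Nomad API reachable from the internet
    else:
        severity = "medium"
    return {
        "ip": match.get("ip_str"),
        "port": port,
        "service": service,
        "hostnames": match.get("hostnames", []),
        "health": health,
        "severity": severity,
    }


def summarize(results):
    """Classify every match and sort so critical exposures surface first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    findings = [classify_match(m) for m in results.get("matches", [])]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["ip"] or ""))


def fetch_from_shodan(api_key, query, page=1):
    """Run the query against the live Shodan API (network call; not used in the demo)."""
    params = urllib.parse.urlencode({"key": api_key, "query": query, "page": page})
    with urllib.request.urlopen(f"{SHODAN_SEARCH_URL}?{params}", timeout=30) as resp:
        return json.load(resp)


# Constructed sample response in the shape the search endpoint returns (not real hosts).
SAMPLE_RESULTS = {
    "total": 3,
    "matches": [
        {"ip_str": "203.0.113.10", "port": 8200, "hostnames": ["vault.example.test"],
         "data": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
                 '{"initialized":true,"sealed":false,"standby":false}'},
        {"ip_str": "203.0.113.11", "port": 8200, "hostnames": [],
         "data": "HTTP/1.1 503 Service Unavailable\r\nContent-Type: application/json\r\n\r\n"
                 '{"initialized":true,"sealed":true,"standby":false}'},
        {"ip_str": "203.0.113.12", "port": 8500, "hostnames": ["consul.example.test"],
         "data": "HTTP/1.1 301 Moved Permanently\r\nLocation: /ui/\r\n\r\n"},
    ],
}

if __name__ == "__main__":
    query = build_exposure_query(["203.0.113.0/24", "198.51.100.0/24"])
    print("query:", query)
    # Live run: summarize(fetch_from_shodan(os.environ["SHODAN_API_KEY"], query))
    for f in summarize(SAMPLE_RESULTS):
        print(f"[{f['severity']:8}] {f['ip']}:{f['port']} {f['service']} health={f['health']}")
```

Scheduling this against the organisation's own netblocks (rather than the open internet) keeps the check inside your authorisation and turns it into a recurring control: any new critical or high finding should page the on-call team and feed the same ticketing flow as a firewall misconfiguration, since an unsealed Vault listener is the first link in the chain the talk walks through.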
This talk balances offense and defense, giving both red and blue teams a hands-on blueprint for identifying risks, simulating real-world threats, and ultimately strengthening secrets management with Vault as a core security pillar in modern cloud-native environments.

Saurabh Kumar Pandey

MIQ - Associate Engineering Manager

Bengaluru, India
