From Zero to Hero: Pentesting and Securing Docker, Swarm & Kubernetes Environments

Save the DateKlick for the .ics file to save the date

Containerization and orchestration have dramatically changed the way in which today’s technologies are deployed and managed. Attack and defense techniques require reinvention and security professionals must now acquire the necessary skills to competently protect these environments.

This training is designed for RedTeam and BlueTeam professionals who are looking for practical applied security knowledge on containerization and orchestration from an offensive and defensive point of view. Black Box, Grey Box and White Box analysis are covered on Docker, Docker Swarm and Kubernetes.

From the offensive side, attack techniques related to containers/pods compromising, exploitation, networking abuses, privileges escalation, persistence, lateral movement and node takeover among others will be explained.

On the defensive side, common security issues and a secure way of building docker images and YML deployment files for Swarm and Kubernetes will be analyzed. The right implementation of RBAC access management will be explained, and vulnerability scanners on files and CI/CD pipelines will be presented with many other best practices.

CPE Credits Earn 16 CPE (Continuing Professional Education) for attending this training. Please request a confirmation.
Location Online
Date of Event 24th/25th November 2020
Time 9:00 am – 5:00 pm
Language English
Participation Fee CHF 2’490.–

Topics covered

Day 1:

Docker Fundamentals
1.1. Architecture
1.2. Containers
1.3. Images
1.4. Networking
1.5. Volumes

Docker Black Box Analysis:
2.1. Are we inside a container? Recognizing container environments
2.2. Container introspection: named/bind volumes, sensitive data, network configuration and more
2.3. Do we have container neighbors? Scanning docker networks
2.4. Abusing docker networks defaults
2.5. Pivoting: compromising the whole docker environment
2.6. Sorting shell limitations
2.7. Exploiting docker.sock exposure
2.7.a. Inspecting the cluster
2.7.b. Getting a shell inside other containers
2.7.c. Host takeover
2.7.d. Remote exploitation via HTTP
2.8. Persistence techniques

Docker White Box Analysis:
3.1. Inspecting Docker Images
3.1.a. Dockerfile format & commands
3.1.b. Common security issues in Dockerfile
3.1.c. Building secure images
3.1.d. Multi-stage builds
3.1.e. Distroless images
3.2. Inspecting multi-container deployment files
3.2.a. Docker Compose file structure
3.2.b. Common security issues in deployment files

Containers orchestration: Docker Swarm & Kubernetes
4.1. Multi-clustering concepts
4.2. Swarm vs Kubernetes

Swarm Fundamentals
5.1. Nodes & services management.
5.2. Networking
5.2.a. Overlay driver
5.2.b. Ingress network
5.3. Secrets storage

Swarm Black Box Analysis:
6.1. Differences between Docker and Docker Swarm environments from an attacker viewpoint
6.2. Swarm secrets not too secret
6.3. Abusing Swarm networks features
6.4. Pivoting across containers in multi-services & escalated environments
6.5. Pivoting across different Swarm networks: from frontend to backend
6.6. Persistence: Creating backdoored services

Swarm White Box Analysis:
7.1. Inspecting Stack deployment files
7.1.a. Stack files structure
7.1.b. Common security issues in Stack deployment files

Day 2:

Kubernetes Fundamentals
8.1. Abstraction layers & components
8.2. Networking
8.3. Pods management

Kubernetes Black Box Analysis:
9.1. Detecting K8s orchestration from inside containers
9.2. Container introspection: Persistent volumes, secrets, configmaps and more
9.3. Discovering & Scanning pods along the entire cluster
9.4. Pivoting across pods and network namespaces
9.5. Abusing service account token
9.5.a. Privilege escalation: compromising the whole K8s cluster
9.6. Persistence techniques

Kubernetes Grey Box Analysis:
10.1. RBAC audit
10.2. Abusing misconfigurations
10.2.a. Information disclosure
10.2.b. Anonymous authentication
10.2.c. Secrets listing
10.2.d. Users impersonation
10.2.e Remote Code Execution
10.3. K8s nodes takeover
10.4. Vulnerability scanners (red-team oriented)

Kubernetes White Box Analysis:
11.1. Inspecting K8s YAML files
11.1.a. Configuration YAML structure
11.1.b. Common security issues in YAML files
11.1.c. RBAC YAML inspection

Kubernetes & Docker defense:
12.1. Containers/Images vulnerability scanners
12.2. On-deploy vulnerability scanners
12.3. Access management
12.4. Network Policies
12.5. Best practices in Kubernetes and Swarm


  • Understanding of how Docker, Swarm and Kubernetes work from local to productive environments
  • Black, grey and white box analysis of Docker, Swarm and Kubernetes with applied offensive techniques
  • Securing Docker and Kubernetes environments

Lecture vs hands-on:
The time will be distributed on 20% lecture vs 80% hands-on. The focus of the course will be mostly dedicated to the hands-on laboratories. The theory lessons will be used to explain necessary concepts that will boost the practical exercises.


  • Docker Fundamentals (practice): 30 minutes
  • Docker Black Box Analysis: ~ 2 hours
  • Docker White Box Analysis: ~ 1 hour
  • Swarm Black Box Analysis: ~ 2 hours
  • Swarm White Box Analysis: ~ 1 hour
  • Kubernetes Fundamentals (practice): 30 minutes
  • Kubernetes Black Box Analysis: ~ 2 hours
  • Kubernetes Grey Box Analysis: ~ 2 hours
  • Kubernetes White Box Analysis: ~ 1 hour
  • Kubernetes & Docker defense: ~ 2 hour

Why people should attend this course
The evolution of a technological world has developed the urgent need to deliver fast and flexible changes to every application. Containerization and orchestration play a principal role in the technologies needed to ensure products remain one step ahead of competitors.

RedTeam and BlueTeam members need to gain and maintain an up to date knowledge of the techniques for testing the security of Docker Swarm and Kubernetes environments, as well as understanding the resources to keep them as safe as possible. A lack of information about the security of these topics represent a huge threat to current infrastructure, it’s time to start discussing, evaluating and implementing security techniques for these environments.

Who should take this course

  • Offensive security professionals
  • Cloud security professionals
  • Systems Architects
  • Security Analysts
  • Anyone interested in learning more about common issues over containerization, containers orchestrators and their security concerns

Student Requirements

  • Linux basics (including bash and filesystems)
  • Networking basics
  • Pentesting experience (wished, not required)

What students should have

  • Laptop with at least 8GB RAM and 60GB free disk space
  • Admin/Root access on their laptop
  • VirtualBox installed

What students will be provided by

  • Slides/lectures of the training
  • YML files of all the exercises
  • VM with test environment ready to deploy the exercises and make the practices

About your trainers

Sheila A. Berta
Sheila A. Berta is an offensive security specialist who started at 12 years-old by learning on her own. At the age of 15, she wrote her first book about Web Hacking, published in several countries. Over the years, Sheila has discovered vulnerabilities in popular web applications and software, as well as given courses at universities and private institutes in Argentina.

She specializes in offensive techniques, reverse engineering and exploit writing and is also a developer in ASM (MCU and MPU x86/x64), C/C++, Python and Golang. As an international speaker, she has spoken at important security conferences such as Black Hat Briefings, DEFCON, HITB, Ekoparty, IEEE ArgenCon and others. Sheila currently works as Head of Research at Dreamlab Technologies.

Sol Ozzan
Sol Ozzan has been a Developer, Software Architect, Security Analyst and DevOps technologist for the past four years. She works as a Backend Developer and Security Researcher at Dreamlab Technologies, her previous role was at one of the biggest e-commerce in Latin America.

Her technical background includes development in Go, Python, Java, Ruby and Javascript. She has worked with advanced CI/CD pipeline technologies including Jenkins, Docker, Kubernetes, Ansible, AWS CodeDeploy and Terraform among others. Sol is a specialist in
container-based development and deployment, and has dealt with productive environments that handle +30k distributed VMs with ~150k containers that host +2k distributed services that are deployed +3k per day.

When she’s not working she’s volunteering organizing free security events and trainings for beginners, playing Overwatch or listening to vinyl records.

Cancellations of registration are free of charge until 30 days before. Cancellations received beyond this point will incur 100% of the admission fee. You will get an invoice for the respective amount. In any case, however, a delegate may be sent at no additional costs.

Register here

Event Partner

Earn CPE Credits for
attenting SIGS Events