🎉 CWL 6th Anniversary Sale: Certifications up to 80% OFF · Extensions from $9 · Tracks from $49 · Infinity at $2/m · Offensive Cyber Operations with AI: Pre-Release Live

Commit → Build → Pwn : Offensive Tradecraft for CI/CD Pipelines

  • Training Duration : 12 Hours (4 Hours * 3-day)
  • Training Dates & Time : 22nd May – 24th May’26 (5:00 PM UTC to 09:00 PM UTC / 10:30 PM to 02:30 AM IST)
  • Mode : Online
  • Level : Beginner to Intermediate
  • Price: $99
Enroll Now
Commit → Build → Pwn : Offensive Tradecraft for CI/CD Pipelines

Modern applications don’t get hacked in production, they get compromised long before deployment. CI/CD pipelines have become high-value targets, offering attackers a direct path from source code to cloud infrastructure.

This hands-on bootcamp takes a red team approach to the entire DevOps ecosystem, starting with the fundamentals of software development and CI/CD, and rapidly pivoting into offensive tradecraft across the software

You will execute realistic attack paths including:

  • Enumerating and backdooring source code repositories via GitHub
  • Weaponizing developer tooling, CI workflows, and package ecosystems (NPM)Weaponizing developer tooling, CI workflows, and package ecosystems (NPM)
  • Exploiting Jenkins misconfigurations to extract credentials, modify builds, and execute commands
  • Abusing cloud-native pipelines to exfiltrate environment variables, tokens, and service identities
  • Pivoting across artifact registries, containers, and cloud workloads
  • Explore Kubernetes + GCP IAM attack paths to escalate privileges and pivot within cloud infrastructure

Each module builds on the previous, forming a complete CI/CD attack chain, from commit to cloud compromise. By the end, you won’t just understand pipeline attacks, you’ll know how to execute them, chain them, and recognize where they can be disrupted.

The Agenda is divided across 5 sections, Please Find Below

DOWNLOAD
  • By the end of this training, participants will be able to:
  • Map the CI/CD attack surface end-to-end, identifying weak trust boundaries across source code, build systems, artifacts, and cloud integrations.
  • Enumerate and weaponize source code platforms including identifying sensitive data exposure and introducing stealthy backdoors.
  • Abuse developer tooling and supply chain components, including malicious IDE extensions, CI workflows, and package ecosystems (e.g., npm).
  • Exploit CI/CD platforms like Jenkins to extract credentials, manipulate builds, and achieve remote command execution.
  • Leverage misconfigurations in cloud-native pipelines such as AWS CodePipeline to exfiltrate environment variables, abuse IAM roles, and pivot into other AWS services.
  • Compromise Azure DevOps pipelines by extracting tokens, abusing REST APIs, and leveraging pipeline identities for lateral movement.
  • Chain multiple weaknesses into a full CI/CD kill chain, moving from initial access in source code to control over build systems and cloud workloads.
  • Identify detection opportunities and defensive controls that can disrupt or expose these attack paths in real-world environments.

Pre-requisites

Following are the requirements:

  • Basic understanding of software development concepts, including how code is written, versioned, and deployed
  • Familiarity with Git-based workflows (e.g., cloning, commits, pull requests) on platforms like GitHub
  • Working knowledge of Linux fundamentals, including command-line usage, file systems, and basic scripting
  • Introductory understanding of CI/CD concepts, such as pipelines, builds, and automation
  • Basic exposure to cloud environments, particularly concepts in Amazon Web Services and Microsoft Azure
  • Awareness of containerization concepts, including images and runtime behavior (e.g., Docker)
  • Foundational knowledge of web security or offensive security concepts (e.g., authentication, tokens, misconfigurations)

Target Audience

  • Professionals looking to expand beyond traditional web and network testing into software supply chain attacks.
  • Engineers responsible for securing pipelines, infrastructure, and developer workflows.
  • Professionals working with cloud infrastructure who want visibility into pipeline-driven attack paths.
  • Engineers building and maintaining CI/CD pipelines who want to think like an attacker.
  • Individuals exploring new attack surfaces in modern environments.

Nice-to-Have (Will Help but Not Mandatory)

  • Prior hands-on experience with CI/CD tools such as Jenkins, AWS CodePipeline, or Azure DevOps
  • Familiarity with IAM concepts (roles, policies, permissions) in cloud environments
  • Experience with REST APIs and tools like curl or Postman
  • Basic understanding of JavaScript/package ecosystems (e.g., npm)

Below are the Deliverables, Requirements and Exclusions

Requirements

  • Laptop with a 64-bit (AMD64/x86_64) processor architecture, minimum 16 GB RAM and 60–80 GB free disk space
  • Ability to run VMware Workstation Pro hypervisor
  • A modern web browser and terminal environment
  • [ Note: Systems with Apple Silicon (M-series) or other ARM-based CPUs are not supported ]

Exclusions

  • 0-day exploits will not be covered
  • Kubernetes and Docker foundational concepts are assumed and not covered in depth
  • Application-layer vulnerabilities (e.g., OWASP Top 10, web app pentesting)

Deliverables

  • Premium study materials
  • 7-day lab access
  • Completion certificate

Abhijeet Kumar

  • Security researcher specializing in adversary simulations and advanced attack chains
  • Designs multi-stage attacks from initial access to persistence and data exfiltration
  • Hands-on experience across supply chains, Kubernetes, Active Directory, and cloud (AWS, Azure, GCP)
  • Skilled in targeting *enterprise and NIX environments
  • Actively researches adversary TTPs and emerging threats
  • Enjoys reading, exploring cuisines, and home cooking