


Pipeline Predators: Attacking CI/CD Environments

Brucon 25 Training

2025/04/24

Pipeline Predators: Attacking CI/CD Environments (Virtual)

2-day virtual course (starting Thursday 24th of April)

CI/CD systems are everywhere, sprayed across modern enterprise environments. With organisations pushing for faster delivery and faster releases to production, CI/CD has taken a prominent role in software development. Rapid adoption of these technologies has meant that many security precautions are thrown out of the window and insecure-by-default settings are left in place. We created this course to focus on attacking CI/CD environments as a way in for attackers.

The course progresses from the basics to advanced techniques. We start by understanding how CI/CD systems work under the hood and where they sit in a corporate IT environment, then focus on exploiting both self-hosted and SaaS-based environments.

Course Structure

Overview of CI/CD Environments

Introduction to CI/CD Attacks

CI/CD Attacks in Different Environments

Environment Specific Attacks (GitHub)

Environment Specific Attacks (Jenkins)

Environment Specific Attacks (GitLab CI)

Cloud Providers CI/CD Systems’ Attack Vectors

C2

The course will be followed by a Capture-The-Flag event, where the participants can implement their learnings and hack a vulnerable-by-design environment on the last day of the training.

Target Audience

Pentesters, security engineers, red team testers

Pre-requisites

The course assumes basic familiarity with CI/CD and pipeline concepts. Security tooling and specific pipeline details will be covered in the course.

Hardware requirements

Our labs are cloud-based, and a browser should be sufficient. However, we still suggest the following hardware specs:

We would still recommend bringing a laptop with full administrative access in case any troubleshooting is required. As part of the programme, participants will create accounts on platforms such as GitHub and Bitbucket for the hands-on activities. Clear instructions will be provided in advance, and creating these accounts is free of charge.

Trainer Bio

Anant Shrivastava is the founder of Cyfinoid Research. He has experience in Security (both offense and defense), Development, and Operations. He has a rich history of engagement with renowned conferences as both a trainer and a speaker, including Black Hat (USA, Asia, EU), Nullcon, and c0c0n, among others. Anant leads open-source projects, notably the Tamer Platform and CodeVigilant, and curates the Hacking Archives of India. When not engaged in official work, Anant contributes to open communities with a shared goal of spreading information security knowledge, such as the null community, Garage4Hackers, hasgeek, and OWASP.

https://web.archive.org/web/20250428112334/https://www.brucon.org/training-details/attacking-cicd