Attackers don’t need custom implants to be dangerous in 2025. They need OAuth consent, a few mis-scoped roles, access to “just one” mailbox, or a misconfigured automation flow. This lab focuses on how real intrusions play out in Microsoft 365, Google Workspace, and critical SaaS—and how to turn that knowledge into opinionated defenses.
The goal isn’t to catalog every trick—it’s to understand durable patterns that defenders can reliably detect, block, or make prohibitively expensive.
Instead of trying to cover “everything cloud,” we focus on the places attackers reliably get leverage: identity, OAuth apps, automation, and the glue between systems.
Cloud identity models can quietly create high-impact pathways. We explore:
Once an attacker has consent, they often don’t need passwords. We study:
Built-in automation is a powerful substrate for persistence and exfiltration:
These are representative patterns—each turns into concrete detection logic, hardening guidance, or incident playbook content in our client work.
Starting from one compromised account or shared inbox, we explore:
Maintaining control without obvious binaries or implants:
Moving from one platform to another using SSO and API bridges:
Cloud & SaaS Tradecraft research isn’t an academic exercise. It feeds directly into how we help customers harden tenants, build detection, and rehearse incidents.
Opinionated recommendations for Entra ID, M365, Google Workspace, and key SaaS platforms used in our Cloud & 365 / Workspace Resilience solution and M365 / Entra ID Hardening service.
Log sources, event patterns, and correlation ideas that are practical for small and mid-sized teams, not just large SOCs.
Cloud-specific incident scenarios, containment decision points, and investigation steps embedded into our Incident Readiness offerings.
Distilled explanations of emerging cloud/SaaS techniques for security leaders, engineers, and non-technical stakeholders who need to understand the “why,” not just the “what.”