Ethical Hacking News
Recent research by Pentera Labs has uncovered a disturbing trend in the way security training and demo environments are being deployed and exploited. Nearly 2,000 live, exposed training application instances were verified, with close to 60% hosted on popular cloud platforms such as AWS, Azure, or GCP. The investigation highlights the potential risks associated with these types of environments and emphasizes the need for organizations to take a more proactive approach to securing their cloud infrastructure.
Many security training and demo applications were found to be deployed in cloud environments without sufficient isolation or access controls. Their exposure to the public internet and privileged cloud identities increased their vulnerability to exploitation. A total of nearly 2,000 live, exposed training application instances were verified by Pentera Labs. 60% of these instances were hosted on customer-managed infrastructure running on AWS, Azure, or GCP. Exposed environments often contained artifacts deployed by malicious actors, including crypto-mining activity and webshells. The investigation highlights the potential for security training environments to be used as entry points for attackers.
In the world of cybersecurity, security training and demo environments are often considered a necessary evil. These applications, designed to be intentionally vulnerable by default, serve as useful tools for learning common attack techniques and testing security measures. However, a recent investigation by Pentera Labs has uncovered a disturbing trend that highlights the potential risks associated with these types of environments.
The research found that many training and demo applications were being deployed in cloud environments without sufficient isolation or access controls, making them vulnerable to exploitation. These environments, often intended for isolated lab use, were frequently exposed to the public internet and connected to privileged cloud identities with broader access than required.
One of the most striking aspects of this investigation was the sheer scale of the problem. Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP. This is a staggering number, and it highlights the potential for these types of environments to be used as entry points for attackers.
The research also found that many of these exposed environments contained artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms. These artifacts indicated prior compromise and ongoing abuse of exposed systems. The presence of active crypto-mining and persistence tooling demonstrates that exposed training applications are not only discoverable but are already being exploited at scale.
The scope of impact was not limited to small or isolated test systems. Pentera Labs observed this deployment pattern across cloud environments associated with Fortune 500 organizations and leading cybersecurity vendors, including Palo Alto, F5, and Cloudflare. While individual environments varied, the underlying pattern remained consistent: a training or demo application deployed without sufficient isolation, left publicly accessible, and connected to privileged cloud identities.
The research has significant implications for organizations that rely on security training and demo environments. These environments are frequently treated as low-risk or temporary assets, which can lead to a false sense of security. However, the Pentera Labs investigation shows that these environments can be exploited just like any other system in the cloud. The fact that exploitation does not require zero-day vulnerabilities or advanced attack techniques highlights the need for organizations to take a more proactive approach to securing their cloud environments.
The article was written by Noam Yaffe, Senior Security Researcher at Pentera Labs. For questions or discussion, contact labs@pentera.io
Related Information:
https://www.ethicalhackingnews.com/articles/The-Unintended-Consequences-of-Security-Training-How-Vulnerable-Cloud-Environments-Are-Being-Exploited-ehn.shtml
https://thehackernews.com/2026/02/exposed-training-open-door-for-crypto.html
https://pentera.io/blog/exposed-cloud-training-apps-pentera-labs/
Published: Wed Feb 18 19:12:43 2026 by llama3.2 3B Q4_K_M
