

Cloud infrastructure security company Ermetic Ltd. today announced CNAPPgoat, an open-source project that allows organizations to test their cloud security skills, processes, tools and posture safely in interactive sandbox environments.
Set to be officially presented at the DEF CON hacker conference Demo Labs event on Aug. 11, CNAPPgoat enables organizations to evaluate their cloud-native application protection platforms, or CNAPPs.
CNAPPgoat provides interactive sandbox environments that users can quickly deploy and dismantle. The sandboxes are designed for a variety of purposes, such as testing organizational security posture, training team members in new skills and techniques, providing a platform for penetration testers to develop their abilities and evaluating CNAPP tools against known environments.
Ermetic says the project takes a distinct approach that allows security teams to create customized environments reflecting different risk scenarios. It offers a modular and granular approach for provisioning specific categories of risks and vulnerabilities, with support for Amazon Web Services Inc., Microsoft Azure and Google Cloud Platform. That modularity lets penetration testers and defenders explore the elements crucial for training, skill acquisition, prevention and security posture assessments.
The project covers the list of CNAPP capabilities defined by Gartner Inc., including cloud infrastructure entitlement management, cloud workload protection platform and cloud security posture management. In the near future, Ermetic plans to add infrastructure-as-code scanning to CNAPPgoat to identify misconfigurations directly within code.
“Compared to existing open-source projects that create ‘capture the flag’ scenarios where participants are expected to follow a certain path, CNAPPgoat spans the leading cloud provider platforms and CNAPP capabilities while providing a modular and granular approach for provisioning specific categories of risks and vulnerabilities,” explained Ermetic Director of Research Igal Gofman and Research Lead Noam Daham. “This breadth and depth allows pentesters and defenders to precisely isolate the elements they want to explore for training, new skills acquisition, prevention and security posture assessments.”
CNAPPgoat has been designed from launch to be an open community initiative, with contributions encouraged in the form of new scenarios, proposals, issues, suggestions, feature requests or feedback. The tool is available for commercial, technical and educational use, and further information, including technical guides, will be released shortly.