Celebrating One Year of CloudFox

As we celebrate the one-year anniversary of CloudFox, it's exciting to reflect on the updates and growth that have occurred over the past year. CloudFox co-creator, Seth Art, Principal Security Consultant at Bishop Fox, and Bishop Fox alumnus Carlos Vendramini have created many updates to improve the initial capabilities of the open-source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. One pivotal development during the year was the creation of CloudFoxable, an intentionally vulnerable AWS environment created specifically to teach the art of AWS cloud penetration testing in conjunction with CloudFox’s capabilities.

Additionally, numerous key features and updates have been rolled out periodically to help the rapidly growing community of cloud-focused offensive security professionals. We look forward to continuing feedback from users of CloudFox and CloudFoxable and seeing how people adopt this tool into their penetration testing journeys. Cheers to growth and success in the years to come!

One Year Later

You can find details for new commands and updates on the CloudFox GitHub page or check out these highlights from Seth Art:

CloudFox

  • AWS updates:
    • Inventory went from ~20 to ~50 resources checked 
    • Pmapper awareness – If you run pmapper before CloudFox, many CloudFox commands will use the pmapper data and tell you if a role assigned to a workload has a privesc path to admin
    • 15 new CloudFox AWS commands, five of which were contributed by the community:
  • Azure updates:
    • Implemented initial Azure support
    • Five new CloudFox Azure commands (only basics so far)

CloudFoxable

  • Launched in June with 18 cloud CTF challenges
  • 200+ registered users
  • 11 users have completed all initial challenges

Raise a Glass to CloudFox

CloudFox and CloudFoxable are critical tools for any pen tester or offensive security professional to aid their exploration of cloud infrastructure and attack paths. We would also love to hear your stories about using these tools and what could be done better with the features available now, so reach out on Bishop Fox LinkedIn or Discord. Explore Bishop Fox’s expertise in cloud penetration testing with these additional resources:

Tune in to our Tool Talk, where we debuted CloudFox, to see the tool in action:

About the author, Seth Art

Principal Security Consultant

Seth Art (OSCP) is a Principal Security Consultant at Bishop Fox, where he currently focuses on penetration testing cloud environments, Kubernetes clusters, and traditional internal networks.

Seth is the author of multiple open-source projects including CloudFox, CloudFoxable, IAM Vulnerable, Bad Pods, celeryStalk, and PyCodeInjection. He has presented at security conferences, including fwd:cloudsec, DerbyCon, and BSidesDC, published multiple CVEs, and is the founder of IthacaSec, a security meetup in upstate NY.
