Cloud Village at DEF CON 34
- Date:
- August 7–9, 2026
- Location:
- Las Vegas Convention Center, Las Vegas, NV
Cloud Village returns to DEF CON 34 as one of the con's most hands-on offensive security spaces, bringing together practitioners focused on cloud attack paths, misconfigurations, and defense across AWS, Azure, and GCP. Bishop Fox is glad to be part of it this year, with two of our consultants leading sessions on the village floor.
Samanta Aranda, Managing Senior Consultant I, will run a fully hands-on workshop on weaponizing CloudFormation, and Leron Gray, Senior Security Consultant II, will lead a lab on extending Azure attack graphing beyond identity with Cirro, the spiritual successor to Stormspotter.
Come find our team on the village floor between sessions — always happy to talk shop about cloud attack paths and what we're seeing in the field.
For more details, visit: Cloud Village.
"Weaponizing CloudFormation"
Speakers: Samanta Aranda, Managing Senior Consultant I, Bishop Fox
Date/Time: Friday, August 7 | 11:00 AM–1:00 PM PT
Location: Zone A, Room 312
Abstract: In this fully hands-on offensive cloud security workshop, attendees will start with limited IAM permissions and learn to identify and exploit misconfigured CloudFormation execution roles using iam:PassRole, service roles, and Lambda-backed Custom Resources. Participants will weaponize CloudFormation templates to build persistence inside service-scoped IAM paths without needing direct administrative access.
The workshop digs into realistic cloud attack paths, delegated execution abuse, and the risks introduced by over-permissioned automation, along with rollback abuse scenarios and how these attacks surface in CloudTrail and IAM logs.
"Attack and Tools Lab: Cirro — Extending Your Azure Graph Beyond Identities"
Speakers: Leron Gray, Senior Security Consultant II, Bishop Fox
Date/Time: Friday, August 7 | 4:00–6:00 PM PT
Location: Zone A, Room 312
Abstract: Most Azure graph analysis tooling focuses on identity relationships — users, groups, service principals, role assignments. Modern Azure environments hold far more exploitable context in infrastructure, platform services, application configs, network relationships, managed identities, and data-plane resources.
Cirro, the spiritual successor to Stormspotter, is an attack graphing tool that models Azure environments by combining Microsoft Graph identity data with Azure Resource Manager infrastructure data — mapping resources into Neo4j for deeper attack path and misconfiguration analysis. This lab walks through Cirro's collection, ingestion, and analysis workflow. Attendees will enumerate and assess an Azure tenant, run Cypher queries, and use custom dashboards to interpret graph data.
Prerequisites: Docker/Podman Compose, Azure CLI, a web browser, and a SQLite3 browser. Fundamental knowledge of Cypher is recommended but not required.