Rebuilding in AWS gave LastPass a clean slate, but it also meant getting the architecture right. To be sure their security boundaries would hold, they partnered with Bishop Fox to test their cloud environment under realistic conditions and strengthen it where it mattered most.
“We didn't just lift and shift. We reinvented LastPass by modernizing our technology, elevating our security posture, and rebuilding a culture grounded in real accountability.
Throughout this transformation, we've upheld commitments we've made to customers and, through our partnership with Bishop Fox, validated that our protections can withstand threats against a modern cloud architecture.”
– Mario Platt, CISO at LastPass
LastPass provides secure access solutions like credential management and monitoring to consumers and businesses worldwide. The company’s security model is grounded in architectural separation: customer master passwords and decrypted vault data never reach LastPass-controlled servers. Even in the event of infrastructure compromise, sensitive credentials remain protected by design.
When LastPass separated from its former parent company, the organization faced a defining moment: migrate legacy systems forward or rebuild from the ground up. Leadership chose to reconstruct its technology stack and security functions entirely in AWS, designing a cloud-native architecture intentionally aligned to its security model from day one. The transition introduced greater flexibility and scalability while redefining identity relationships, trust boundaries, and privilege governance across the environment.
The move to AWS reshaped the operational and risk landscape for LastPass. In a cloud-native environment, identity defines access. IAM relationships, cross-account trust configurations, infrastructure-as-code, and container orchestration controls collectively shape the attack surface. Each introduces operational flexibility, but also potential paths for privilege escalation or lateral movement if misconfigured.
With these changes, LastPass leadership sought independent validation that the architectural decisions made during the rebuild would withstand adversary pressure. That objective centered on three security priorities: identity boundaries, privilege governance, and containment controls.
“Designing the architecture was only the first step. We needed to see how it would perform under real conditions, knowing the identity and privilege boundaries we defined would shape our risk posture long term.”
– Pedro Correia, Director of Product Security at LastPass
Building on a multi-year application testing relationship, LastPass selected Bishop Fox to design and execute an adversary-led cloud penetration test aligned to the architectural priorities of the AWS rebuild.
The objective was not to perform a routine assessment, but to pressure-test identity boundaries, privilege governance, and containment controls under realistic attack conditions.
LastPass chose Bishop Fox for its deep expertise in cloud exploitation, particularly within complex IAM environments where identity relationships, cross-account trust configurations, infrastructure-as-code, and service roles can introduce subtle but high-impact escalation paths. Evaluating these risks requires practitioners who understand not only how cloud architectures are designed, but how they are attacked. Following collaborative scoping, Bishop Fox and LastPass defined clear objectives for the engagement.
The engagement was designed to complement the cloud governance initiatives LastPass already had in place, including alignment with the AWS Well-Architected Framework and participation in the AWS Security Improvement Program. Those initiatives reinforce architectural best practices through structured review and continuous improvement; the penetration test added an adversary’s perspective, challenging the same controls through active exploitation attempts rather than checklist validation.
“We didn’t go to market looking for the cheapest option just to check a box. For something this important, quality and credibility mattered.”
– Mario Platt, CISO at LastPass
The cloud penetration test demonstrated that the AWS architecture supporting LastPass performed as designed under adversary pressure, while identifying targeted opportunities to further strengthen identity governance and segmentation controls.
Under a simulated compromise of a privileged account, escalation within a single AWS account was technically achievable in controlled conditions, but attempts to extend that access across account boundaries were unsuccessful. The blast-radius controls embedded during the rebuild therefore functioned as intended, and the in-account escalation path pointed to where identity and service role governance could be tightened further.
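The cross-account trust relationships mentioned above (the IAM configuration that decides whether a principal compromised in one account can pivot into another) are what an attacker reads first when probing blast radius. The following is an added example, not LastPass or Bishop Fox code: it parses IAM role trust policies and flags the three classic escalation paths (a wildcard principal, a cross-account principal with no `sts:ExternalId` condition, and trust of an entire account root rather than a specific role). The account ids, role names and policy documents are constructed sample data.

```python
"""Audit IAM role trust policies for cross-account blast-radius risks.

Added example (not LastPass or Bishop Fox code). Trust policies below are
constructed sample data; HOME_ACCOUNT is a hypothetical account id.
"""
from typing import Dict, Iterator, List, Optional

HOME_ACCOUNT = "111111111111"  # hypothetical account under assessment


def trust_policy(principal: str, condition: Optional[dict] = None) -> dict:
    """Build a minimal sts:AssumeRole trust policy document (test data helper)."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample roles, keyed by role name.
SAMPLE_ROLES: Dict[str, dict] = {
    # Tightly scoped: a specific role in a partner account, ExternalId required.
    "DeployRole": trust_policy("arn:aws:iam::222222222222:role/CICD",
                               {"StringEquals": {"sts:ExternalId": "deploy-7f3a"}}),
    # Trusts the whole root of another account with no condition.
    "LegacyAdmin": trust_policy("arn:aws:iam::333333333333:root"),
    # Wildcard principal: any AWS account may call sts:AssumeRole.
    "SupportRole": trust_policy("*"),
    # Same-account trust: stays inside the account's own blast radius.
    "InternalRole": trust_policy(f"arn:aws:iam::{HOME_ACCOUNT}:role/App"),
}


def account_of(principal: str) -> Optional[str]:
    """Return the 12-digit account id embedded in an IAM ARN, or None for '*'."""
    if principal == "*":
        return None
    parts = principal.split(":")  # arn:partition:service:region:account:resource
    return parts[4] if len(parts) >= 6 else None


def assume_role_statements(policy: dict) -> Iterator[dict]:
    """Yield Allow statements granting an sts:AssumeRole-family action."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a == "sts:*" or a.startswith("sts:AssumeRole") for a in actions):
            yield stmt


def principals(stmt: dict) -> List[str]:
    """Normalise the Principal element to a list of AWS principal strings."""
    p = stmt.get("Principal")
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)


def has_external_id(stmt: dict) -> bool:
    """True when any condition block constrains sts:ExternalId."""
    cond = stmt.get("Condition", {})
    return any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict))


def audit_trust(role_name: str, policy: dict, home_account: str) -> List[str]:
    """Return human-readable findings for one role's trust policy."""
    findings = []
    for stmt in assume_role_statements(policy):
        for p in principals(stmt):
            acct = account_of(p)
            if acct is None:
                findings.append(f"{role_name}: wildcard principal {p!r} lets any AWS account assume the role")
                continue
            if acct == home_account:
                continue  # same-account trust does not cross an account boundary
            if p.endswith(":root"):
                findings.append(f"{role_name}: trusts entire account {acct} (root principal) rather than a specific role")
            if not has_external_id(stmt):
                findings.append(f"{role_name}: cross-account trust from {acct} without an sts:ExternalId condition")
    return findings


def audit_all(roles: Dict[str, dict], home_account: str = HOME_ACCOUNT) -> Dict[str, List[str]]:
    """Audit every role; only roles with findings appear in the result."""
    return {name: f for name, policy in roles.items() if (f := audit_trust(name, policy, home_account))}


if __name__ == "__main__":
    for role, findings in audit_all(SAMPLE_ROLES).items():
        for line in findings:
            print(line)
```

In a live assessment the same `audit_trust` function can be fed the `AssumeRolePolicyDocument` of each entry returned by boto3's `iam.list_roles()`; the point of running it offline on constructed data is to see which shapes of trust policy cross an account boundary and which do not.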
Within containerized workloads, adversary simulation evaluated Kubernetes segmentation and deployment guardrails. Testing identified a namespace-level refinement opportunity that LastPass promptly addressed in collaboration with Bishop Fox to strengthen isolation controls. At the same time, preventative container policies actively restricted high-risk configurations, and simulated malicious activity generated timely security alerts that were escalated through established response workflows.
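The "preventative container policies" above are admission-time guardrails: a workload whose manifest carries a high-risk setting is rejected before it is scheduled, and the namespace it lands in decides which segmentation controls apply. The following is an added example, not LastPass or Bishop Fox policy, showing the kind of rule an admission controller such as Pod Security Admission, Kyverno or Gatekeeper enforces, written as a plain Python evaluator. The approved-namespace list and both pod manifests are constructed assumptions.

```python
"""Admission-style guardrail check for high-risk pod configurations.

Added example (not LastPass or Bishop Fox policy). The namespace allow-list
and the two pod manifests are constructed sample data.
"""
from typing import List

# Hypothetical set of namespaces that workloads may be scheduled into.
APPROVED_NAMESPACES = {"payments", "vault-api", "observability"}

# Constructed manifest that satisfies the guardrails.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "vault-api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api", "image": "registry.example/api:1.0",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

# Constructed manifest of a debug pod that would give node-level access.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug"},  # no namespace: lands in 'default'
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell", "image": "registry.example/debug:latest",
            "securityContext": {"privileged": True},
        }],
    },
}


def _containers(spec: dict) -> List[dict]:
    """Init containers are subject to the same rules as app containers."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def evaluate_pod(manifest: dict, approved=APPROVED_NAMESPACES) -> List[str]:
    """Return the list of policy violations; an empty list means admit."""
    meta = manifest.get("metadata", {})
    spec = manifest.get("spec", {})
    violations = []

    ns = meta.get("namespace", "default")
    if ns not in approved:
        violations.append(f"namespace {ns!r} is not an approved workload namespace")

    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            violations.append(f"{key} shares a host namespace with the pod")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            violations.append(f"volume {vol.get('name')!r} mounts hostPath {vol['hostPath'].get('path')!r}")

    pod_sc = spec.get("securityContext", {})
    for c in _containers(spec):
        sc = c.get("securityContext", {})
        name = c.get("name", "<unnamed>")
        if sc.get("privileged"):
            violations.append(f"container {name!r} is privileged")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"container {name!r} does not set allowPrivilegeEscalation: false")
        # runAsNonRoot may be set at pod or container level; the container value wins.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"container {name!r} is not required to run as non-root")
        if "SYS_ADMIN" in sc.get("capabilities", {}).get("add", []):
            violations.append(f"container {name!r} adds CAP_SYS_ADMIN")
    return violations


def admit(manifest: dict) -> bool:
    """Admission decision: True only when no guardrail is violated."""
    return not evaluate_pod(manifest)


if __name__ == "__main__":
    for pod in (HARDENED_POD, RISKY_POD):
        print(pod["metadata"]["name"], "admit" if admit(pod) else "deny")
        for v in evaluate_pod(pod):
            print("  -", v)
```

Each violation is reported separately rather than stopping at the first, which is what a practitioner wants from an admission denial: the full list of what a manifest must change before it will be accepted into an approved namespace.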
Collectively, these results showed where incremental hardening would have the greatest impact and reinforced the architectural discipline underpinning the AWS environment. Most importantly, they validated that security and governance controls hold under realistic attack conditions.
“There’s a difference between believing your architecture is sound and watching it hold under pressure. That process gave us confidence and clarity on where to keep strengthening.”
– Pedro Correia, Director of Product Security at LastPass
Rebuilding in AWS was a deliberate investment in architectural integrity. By pairing that redesign with adversary-based cloud penetration testing, LastPass ensured that its security model was not only well-constructed but proven under real-world attack conditions.
The engagement reinforced a disciplined approach to identity governance, containment, and continuous improvement, one that scales with the platform and supports the company’s long-term security commitments.
For LastPass, validation is not a one-time milestone. It is an ongoing practice, embedded in how the platform grows over time.
The result is a cloud architecture built to scale without compromising the principles that define it: strong separation, enforced boundaries, and security designed to endure.