This sector deep-dive is currently available in Portuguese only. Full English translation is in progress.

/servicos · Pentest Google Cloud

Pentest GCP: IAM, Cloud Storage, GKE, Cloud Functions

Pentest manual em projeto Google Cloud — IAM bindings, Cloud Storage público, GKE workload identity, Cloud Functions com role excessiva.

Cotar pentest GCP See vectors

90% manual · 10% automated

OSCP · CISSP · CRTO · GPEN

BR · PT · IT · ES · MA · US · AU

OWASP · MITRE · PTES · NIST

Why now

The real pain

GCP cresce em fintech e SaaS B2B no Brasil — e o modelo de IAM hierárquico (organization → folder → project) confunde quem veio de AWS. Pentest GCP especializado entende project-level IAM, workload identity federation e service account impersonation.

Applicable frameworks

CIS Google Cloud Benchmark 2.0ISO 27017GCP Security Foundations BlueprintPCI-DSS 4.0

/attack-surface

Pentest Google Cloud

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

IAM e service accounts

Bindings em todos níveis, service account impersonation, key generation, workload identity federation.

Cloud Storage

Buckets públicos, signed URL eterna, IAM herdado, fine-grained vs uniform.

GKE e Anthos

Workload identity, RBAC, network policy, binary authorization, GKE Sandbox.

Cloud Functions e Run

Service account associado, env vars com secret, ingress settings, IAM invoker.

BigQuery e Pub/Sub

Dataset ACL, query injection, autorização por tabela, Pub/Sub topic público.

VPC, firewall e Cloud Armor

Firewall rules permissivas, VPC peering, shared VPC, Cloud Armor bypass.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Projetos GCP multi-org de SaaS B2B e healthtechs com workload regulado.

Caixa Econômica Federal

Banco BMG

iFood

ArcelorMittal

Multibanco

Polícia Federal

Fórmula 1

OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Pentest Google Cloud

Cobrem Anthos e GKE Autopilot?

Sim. Validamos workload identity, RBAC, network policy e binary authorization em ambos. Anthos on-prem também.

Faixa de preço?

Projeto single-org pequeno: R$ 12-25k. Multi-projeto com Anthos: R$ 40-90k. Org enterprise: R$ 80-180k.

/contact

Cotar pentest GCP

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.

Talk to us See other sectors

Other sectors we cover

/pentest-mobile

Pentest Mobile

/pentest-api

Pentest de API

/red-team

Red Team

/pentest-cloud-aws

Pentest AWS

/pentest-cloud-azure

Pentest Microsoft Azure

/pentest-kubernetes