This sector deep-dive is currently available in Portuguese only. Full English translation is in progress.

/servicos · Pentest Kubernetes

Pentest Kubernetes e Container Security

Pentest em cluster K8s — RBAC, Pod Security, network policy, service account, container escape, supply chain de imagem.

Cotar pentest Kubernetes See vectors

90% manual · 10% automated

OSCP · CISSP · CRTO · GPEN

BR · PT · IT · ES · MA · US · AU

OWASP · MITRE · PTES · NIST

Why now

The real pain

K8s adoção explodiu em fintech, SaaS e healthtech BR. Adoção rápida + complexidade enorme + RBAC confuso = produção com kubelet exposto, ServiceAccount com cluster-admin, imagens base com CVE crítica e network policy default-allow.

Applicable frameworks

CIS Kubernetes Benchmark 1.9NSA/CISA Kubernetes Hardening GuideNIST SP 800-204CPCI-DSS 4.0 container appendix

/attack-surface

Pentest Kubernetes

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

RBAC e ServiceAccount

Cluster-admin abuse, namespace boundary, default SA com poderes, JWT projetado.

Pod Security e admission

PodSecurityPolicy/PodSecurityAdmission, OPA Gatekeeper, Kyverno bypass, privileged pod.

Network policy

Default-allow, east-west sem segregação, Ingress controller misconfig, service mesh.

Container escape

Capabilities excessivas, hostNetwork, hostPID, volume mount sensível (/, /var/run/docker.sock).

Supply chain de imagem

Imagens base com CVE, secrets em camadas, image signature, registry auth.

Componentes da control plane

etcd exposto, kubelet sem auth, API server público, cloud controller.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Cluster K8s de fintech regulada e SaaS B2B com workload PCI/LGPD.

Caixa Econômica Federal

Banco BMG

iFood

ArcelorMittal

Multibanco

Polícia Federal

Fórmula 1

OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Pentest Kubernetes

EKS, GKE, AKS — tudo igual?

Não. EKS tem IRSA, GKE tem workload identity, AKS tem managed identity. Cada um com seu vetor próprio. Auditamos cada um com playbook específico.

Cobrem service mesh (Istio/Linkerd)?

Sim. Auditamos mTLS, authorization policy, sidecar injection, control plane.

Faixa de preço?

Cluster pequeno: R$ 15-30k. Multi-cluster: R$ 40-90k. Plataforma K8s com 20+ clusters: R$ 80-200k.

/contact

Cotar pentest Kubernetes

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.

Talk to us See other sectors

Other sectors we cover

/pentest-mobile

Pentest Mobile

/pentest-api

Pentest de API

/red-team

Red Team

/pentest-cloud-aws

Pentest AWS

/pentest-cloud-gcp

Pentest Google Cloud

/pentest-cloud-azure