Attacking CI/CD Environments

CI/CD systems are no longer just build automation. They are high-trust control planes that connect source code, secrets, runners, artifacts, cloud permissions, and deployment paths. This hands-on training shows participants how attackers think about CI/CD: as a privileged automation layer that can be abused for initial access, code tampering, secret theft, persistence, and pivots into broader software delivery environments.

The goal is not to memorize one vendor’s interface. Participants learn how to reason about repositories, workflow triggers, runners, agents, build scripts, artifacts, logs, webhooks, and integrations across both self-hosted and SaaS-based environments.

Cyfinoid approaches this area as part of the broader software supply chain security problem. That means this training focuses on how trust breaks between developers, source control, automation platforms, cloud services, and deployment systems rather than treating CI/CD as an isolated build feature.

What This Training Is

This page gives a high-level overview of the training approach. Cyfinoid runs multiple software delivery and cloud-focused courses, and the exact syllabus for a given run depends on the conference, audience, duration, and lab design for that event.

Depending on the delivery, the material may draw from GitHub Actions, GitLab CI, Jenkins, Bitbucket Pipelines, Gitea, self-hosted runners, cloud-native delivery workflows, artifact handling, and surrounding identity or integration layers. We have experience across both self-hosted and SaaS-based CI/CD environments, but not every public run covers every platform.

This training is attack-led, with practical attention to misconfiguration audits and defensive implications. The core emphasis is on how CI/CD systems are abused in practice, how insecure pipeline design creates leverage for attackers, and what teams should review if they want to harden their delivery workflows. For the exact platform coverage, lab design, student requirements, and account needs for a specific session, please check that conference or event page.

Why It Matters

Many organizations still think of CI/CD as internal plumbing. Attackers see something different: a privileged automation layer with access to source code, tokens, secrets, artifacts, deployment rights, and sometimes direct cloud or production access.

CI/CD platforms may differ in syntax and features, but the same weak assumptions keep appearing: untrusted inputs in trusted workflows, over-permissioned tokens, poorly isolated runners, insecure defaults, unsafe artifact trust, and dangerous integrations. This training is built to help participants recognize those repeating patterns and understand how they turn into real compromise.

What Participants Will Learn

Participants will learn how to:

  • Understand why CI/CD systems are attractive attack surfaces in modern software delivery
  • Map trust boundaries across repositories, workflows, runners, secrets, artifacts, and deployment steps
  • Identify common CI/CD attack paths in both self-hosted and SaaS-based environments
  • Abuse GitHub, GitLab, Jenkins, Bitbucket, and similar CI/CD primitives such as workflow manipulation, context injection, secret leakage, and runner misuse
  • Audit pipeline design, insecure defaults, and common misconfigurations that create exploitable paths
  • Explore how CI/CD weaknesses chain into artifact tampering, cloud abuse, and broader software supply chain compromise
  • Use offensive understanding to improve audits, reviews, and platform hardening decisions

What Makes This Training Different

  • Focused on attacker methodology, not just platform administration
  • Built to cover both self-hosted and SaaS CI/CD environments
  • Treats pipelines as part of a wider software delivery control plane, not a standalone build tool
  • Grounded in realistic abuse paths across repositories, runners, cloud integrations, and deployment workflows
  • Flexible enough to adapt to different conference formats, durations, and private team needs

Example Questions The Training Explores

  1. How do attackers gain useful leverage in a CI/CD system without starting from full administrative control?
  2. Which trust boundaries matter most in practice: repository write access, pull requests, runner control, artifacts, tokens, or cloud integrations?
  3. How do insecure defaults and workflow design mistakes create exploitable paths in GitHub Actions, GitLab CI, Jenkins, Bitbucket Pipelines, and similar platforms?
  4. How can secrets, logs, caches, webhooks, artifacts, and external actions become attack surfaces?
  5. How do self-hosted runners and cloud-connected pipelines turn CI/CD issues into broader infrastructure compromise?
  6. How can CI/CD systems be abused for persistence, stealth, command-and-control, or software tampering?
  7. What should defenders audit first if they want to catch attacker thinking earlier in the delivery lifecycle?

Who Should Attend

  • Red teamers and pentesters
  • DevOps engineers, platform teams, and build engineers
  • Security engineers and product security teams
  • Solution architects and developers responsible for CI/CD design or review

Training Format

  • Hands-on labs built around realistic CI/CD attack paths
  • Guided walkthroughs of offensive techniques across repositories, runners, pipelines, and integrations
  • Platform coverage adjusted to the specific conference or private delivery
  • Offensive-first methodology with discussion of common misconfigurations, audit techniques, and defensive implications
  • Some runs may include a capstone challenge or CTF-style exercise, depending on the format

Student Requirements

  • Basic familiarity with CI/CD and pipeline concepts
  • Comfort with Git, browser-based tooling, and common developer workflows
  • Familiarity with at least one source control or CI/CD platform is helpful, but not required

Exact prerequisites may vary by run. Always check the conference or event page for the authoritative student requirements.

What Students Should Bring

  • Laptop with a working browser and unrestricted Internet access
  • Administrative access on the laptop in case troubleshooting is needed during labs
  • Any required free accounts for GitHub, GitLab, Bitbucket, or similar platforms, if requested for that run

Some platforms place limits on newly created accounts. If a specific session requires accounts, create them in advance and follow the conference instructions. For hands-on sessions, older accounts may work better than freshly created ones.

What Students Receive

  • Detailed step-by-step lab manual for the exercises covered during the class
  • Slide deck for the material covered during the training
  • Cloud-based or virtual lab environment with the required tools pre-configured for the event
  • Practical scenarios that participants can reuse for further testing and internal reviews

Next Sessions

Attacking and Defending GitHub CI CD Pipelines C0c0n 2026

6 October 2026 to 8 October 2026
Grand Hyatt, Bolgatty, Kochi, Kerala

Previous Runs of This Class

Attacking CI/CD Environments BruCON Trainings

24 April 2025 to 25 April 2025
Online

Attacking CI CD Environments Nullcon Hyderabad 24

2 May 2024 to 4 May 2024
Hyderabad, India

How to attend

Cyfinoid offers its trainings at multiple international conferences, such as BlackHat USA and others. We also offer private trainings.
