According to Pentera Labs, intentionally vulnerable training applications are widely used for security education and demonstrations, but the problem lies in how they are deployed in real cloud environments. The research found that training and demo apps are frequently deployed with default configurations, minimal isolation, and overly permissive cloud roles, and that many exposed lab environments were connected to active cloud identities with broader access than required.
Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP. Across the broader dataset, about 20% of instances contained artifacts deployed by malicious actors, including crypto-mining activity, webshells and persistence mechanisms.
The exposed environments were observed across Fortune 500 organisations and leading cybersecurity vendors, including Palo Alto, F5, and Cloudflare, highlighting the scale of the risk when training or demo apps are left publicly accessible and linked to privileged cloud identities.