v0.4.2 — IaC generator online · cloud deploy coming soon

Generate vulnerable infrastructure as code.

Compose purposely-misconfigured environments for AWS, Azure, and GCP, then download the Terraform or CloudFormation. Apply it in your own isolated account. One-click cloud deploy is on the roadmap.

42 scenarios · 3 cloud APIs · 2 IaC formats
vulnerabuild-aws.tf (terraform)

# Public S3 bucket — vulns: S3-001, S3-004
resource "aws_s3_bucket" "public" {
  bucket = "vbuild-public"
}

# Public SSH/RDP host — vulns: NET-007
resource "aws_security_group" "open" {
  ingress {
    cidr_blocks = ["0.0.0.0/0"] # any IPv4 source
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
  }
}
2 resources · 3 vulnerabilities
01 — providers

Three clouds. One interface.

Native primitives for each provider, orchestrated through a single declarative spec.

AWS
provider/aws
S3 · IAM · EC2 · Lambda · RDS
scenarios: 18
GCP
provider/gcp
GCS · IAM · GCE · Cloud Run · BigQuery
scenarios: 12
Azure
provider/az
Blob · AAD · VM · Functions · SQL
scenarios: 12
02 — scenarios

Curated misconfigurations.

Mapped to MITRE ATT&CK and CWE. Versioned, reproducible, isolated.

critical · aws · S3-001

Public S3 buckets

Object-level ACLs allowing anonymous read/write.

high · gcp · IAM-014

Over-privileged service account

SA with project-wide owner role attached to a Compute VM.

high · az · NET-007

Exposed RDP / SSH

NSG with 0.0.0.0/0 ingress on ports 22 and 3389.

critical · aws · EC2-022

SSRF-prone metadata endpoint

IMDSv1 enabled, role with broad permissions.

medium · az · BLB-003

Unencrypted blob storage

Containers without CMK or server-side encryption.

medium · gcp · LOG-009

Disabled audit logging

Cloud Audit Logs turned off across data services.

03 — workflow

From scenario to template in seconds.

Today: download IaC and apply it yourself. Soon: one-click deploy from the console.

01

Compose environment

Pick scenarios across VM, Data, Identity and Container. Review the vulnerabilities each one introduces.

02

Generate IaC

Choose Terraform (AWS / Azure / GCP) or CloudFormation (AWS), pick a region, and the template is ready.

03

Download & apply

Download the .tf or .yaml and run it in your own isolated sub-account or project.

coming soon — managed deploy. Connect a cloud account via OIDC and we will provision, monitor, and tear down environments for you. Currently in private alpha.
apply with care. These templates are intentionally vulnerable. Use a dedicated sub-account / project, tag everything, and never apply on top of production.

Stop building targets.
Start breaking them.

Free to use. Generate as many templates as you want. Managed cloud deploy is coming soon.
