Part 6: Specialized Domains
"The network perimeter is dead. The new perimeter is everywhere your data and code run -- and that is everywhere."
If you have worked through Parts 3 through 5, you can compromise traditional infrastructure. You can exploit network services, crack passwords, escalate privileges on Linux and Windows, attack web applications, pivot through networks, and evade defenses. Those skills are foundational, and they will serve you throughout your career.
But here is the uncomfortable truth: traditional infrastructure is a shrinking percentage of the attack surface. The organizations you will test -- MedSecure, ShopStack, and their real-world counterparts -- do not run their applications on a rack of servers in a closet anymore. They run on AWS, Azure, and GCP. Their customer-facing products are mobile apps that talk to APIs. Their buildings are filled with IoT devices -- smart locks, cameras, HVAC controllers, medical monitors -- each running its own embedded operating system and network stack. Their applications are deployed in Docker containers orchestrated by Kubernetes. And increasingly, their core business logic is powered by machine learning models that introduce an entirely novel category of vulnerability.
Part 6 extends your offensive capabilities into these five specialized domains. Each chapter is designed to be self-contained enough that you can focus on the domains most relevant to your work, while building on the core exploitation, post-exploitation, and evasion skills you developed in earlier parts.
What You Will Learn
Chapter 29: Cloud Security Testing covers the attack surface that has redefined enterprise IT. We focus on the three major platforms -- AWS, Azure, and GCP -- with emphasis on the misconfigurations and design patterns that create vulnerabilities unique to cloud environments. You will learn cloud-specific reconnaissance and enumeration techniques, IAM misconfiguration exploitation and privilege escalation paths that are completely different from traditional system privesc, storage misconfiguration attacks against S3 buckets, Azure Blobs, and Google Cloud Storage, serverless and container security in cloud contexts, and cloud-native attack tools like Pacu, ScoutSuite, and Prowler. ShopStack's migration to AWS provides our running example, and the attack paths we demonstrate -- from a misconfigured S3 bucket to an IAM role with administrative privileges -- reflect the findings that dominate real cloud penetration tests today.
Chapter 30: Mobile Application Security addresses the platform that most consumers interact with daily. Mobile app testing requires a different methodology than web application testing, and the tools are specialized. We cover both Android and iOS architectures and their respective security models, static analysis and reverse engineering of mobile binaries, dynamic analysis and instrumentation using Frida and Objection, network traffic analysis for mobile applications (including certificate pinning bypass), the OWASP Mobile Top 10, and mobile backend and API testing. ShopStack's mobile shopping app becomes our target, and the vulnerabilities we find -- hardcoded API keys, insecure local data storage, missing certificate pinning -- represent the findings that mobile app assessments consistently uncover across the industry.
Chapter 31: IoT and Embedded Systems Hacking takes you into territory that most penetration testers never touch, which is precisely why it is so important. IoT devices are everywhere, they are rarely patched, and they frequently run with the kind of security posture that enterprise IT left behind a decade ago. You will learn IoT architecture and the expanded attack surface it creates, hardware hacking through UART, JTAG, SPI, and I2C interfaces, firmware extraction and analysis, network protocol analysis for IoT-specific protocols like MQTT, CoAP, Zigbee, and BLE, embedded web interface vulnerabilities, and industrial control systems security including ICS and SCADA. In MedSecure's environment, the medical IoT devices -- patient monitors, infusion pumps, imaging systems -- represent some of the highest-risk assets, and the attacks we demonstrate against them highlight why healthcare IoT security is a matter of patient safety.
Chapter 32: Container and Kubernetes Security covers the deployment infrastructure that powers modern applications. Containers changed how software is built and deployed, and they changed the attack surface correspondingly. We cover container security fundamentals and the isolation model, Docker security including image security, registry attacks, and runtime exploitation, container escape techniques that break out of the isolation boundary, Kubernetes architecture and its extensive attack surface, Kubernetes exploitation targeting RBAC, Secrets, the API server, and etcd, and supply chain attacks specific to container infrastructure. The ShopStack deployment on Kubernetes gives us a realistic target, and the attack path from a compromised pod to cluster admin to access to every application secret in the environment demonstrates why Kubernetes security is not optional.
Chapter 33: AI and Machine Learning Security is the newest frontier in offensive security, and it is evolving rapidly. AI systems introduce attack surfaces that have no parallel in traditional computing. You will learn to view AI and ML systems as targets rather than tools, understand adversarial machine learning and how to craft inputs that fool classifiers, execute prompt injection and LLM attacks against systems that integrate large language models, perform data poisoning and model manipulation, conduct model extraction and inference attacks that steal proprietary models or recover training data, and use AI-powered offensive security tools that augment your own testing. We also cover defending AI systems, because understanding the mitigations helps you test for their absence. MedSecure's deployment of an AI-based diagnostic assistant provides a compelling case study -- an adversarial attack that causes a medical AI to misclassify a condition is not an academic exercise but a patient safety risk.
Key Themes
Specialization multiplies your value. The market for generalist penetration testers is competitive. The market for testers who can assess cloud environments, break out of containers, or test medical IoT devices is far less crowded and far better compensated. Each chapter in this part represents a potential specialization path.
Shared principles, different surfaces. The fundamental concepts -- reconnaissance, exploitation, privilege escalation, lateral movement, data exfiltration -- remain constant across every domain. What changes is the specific technology, the tools, and the attack surface. An IAM privilege escalation in AWS is conceptually identical to a local privilege escalation on Linux. A container escape is a privilege boundary violation, just like breaking out of a restricted shell. This conceptual continuity means you are never starting from zero.
Security lags adoption. Cloud, containers, IoT, and AI were all adopted faster than their security models matured. This creates the gap that penetration testers exploit and, ultimately, help close. The vulnerabilities in these domains are not obscure edge cases -- they are systemic, widespread, and often trivially exploitable by anyone who knows where to look.
Convergence is the reality. Real environments are not neatly categorized. MedSecure runs containerized applications in the cloud, monitored by IoT devices, managed through a mobile app, with AI-assisted diagnostics. An engagement against such an organization requires the ability to move fluidly across all these domains, chaining vulnerabilities across technology boundaries.
How This Part Connects
Parts 3 through 5 gave you the core offensive skills: system exploitation, web application attacks, post-exploitation, and evasion. Part 6 applies those same skills to modern infrastructure. The privilege escalation concepts from Chapter 15 reappear in cloud IAM. The web application attacks from Part 4 resurface in embedded web interfaces and API testing. The evasion techniques from Chapter 27 adapt to cloud-native detection services.
Part 7 builds on these specialized skills with advanced operational topics: supply chain attacks, red team operations, bug bounty hunting, and incident response. The specialized domain knowledge from this part is what makes those advanced operations effective. A red team campaign against MedSecure that ignores their cloud infrastructure, their IoT medical devices, and their AI systems would be incomplete and unrealistic. The breadth you develop here enables the depth you will achieve in Part 7.
New terrain, same mission. Let us explore it.