
CloudGoat vs Pacu

GitHub Stats

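Stars: 3.6k (CloudGoat), 5.2k (Pacu)
Forks: 753 (CloudGoat), 783 (Pacu)
Issues: 21 (CloudGoat), 33 (Pacu)
Updated: today (CloudGoat), today (Pacu)
License: BSD-3-Clause (CloudGoat), BSD-3-Clause (Pacu)
Language: Python (CloudGoat), Python (Pacu)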

About CloudGoat

CloudGoat is Rhino Security Labs' 'Vulnerable by Design' AWS deployment tool. It provisions intentionally misconfigured AWS environments (scenarios) using Terraform, creating realistic attack paths for practicing cloud penetration testing. Scenarios include IAM privilege escalation, Lambda function exploitation, EC2 SSRF to metadata service, S3 bucket misconfigurations, and cross-account access abuse. Each scenario has documented start and end conditions with multiple solution paths. CloudGoat provisions and destroys environments on demand in your own AWS account, providing hands-on practice with real AWS services rather than simulations.

About Pacu

Pacu is an open-source AWS exploitation framework designed for offensive security testing of cloud environments. It's built by Rhino Security Labs and provides a comprehensive set of modules for AWS reconnaissance, privilege escalation, data exfiltration, and persistence. Pacu automates common attack techniques across IAM, EC2, S3, Lambda, and dozens of other AWS services. It maintains session data, tracks discovered credentials, and maps out AWS environments - essentially the Metasploit for AWS.

Platform Support

CloudGoat: linux, macos, windows
Pacu: linux, macos, windows

Tags

Shared

aws

CloudGoat only

vulnerable-by-design, training, cloud-security, iam-exploitation

Pacu only

cloud, privilege-escalation, iam, exfiltration