Securing the Future: Defending Kubernetes & Cloud-Native Infrastructure in the Age of AI - Madhu Akula - DCTAC2025

Name of Training: Securing the Future: Defending Kubernetes & Cloud-Native Infrastructure in the Age of AI
Trainer(s): Madhu Akula
Dates: November 3-4, 2025
Time: 8:00 am to 5:00 pm 
Venue: TBD
Cost: $2,700

Course Description: 

Defending containerized workloads and cloud-native infrastructure is more critical than ever. Recent security reports indicate that 42% of respondents cite security as a top concern with container and Kubernetes strategies, while attackers start probing new clusters in as little as 18 minutes.

This hands-on, real-world training is designed to equip Blue Teamers, Cloud Security Engineers, Security Architects, and DevSecOps professionals with the skills needed to understand and defend Kubernetes clusters across the supply chain, infrastructure, and runtime layers. The course addresses current threat landscapes including AI/ML workload security, supply chain attacks, and emerging attack vectors identified in recent days.

Through simulated attack scenarios, practical labs, and real-world case studies, participants will learn to detect modern TTPs, implement effective security controls, and improve observability and incident response capabilities.

Course Outline: 

Section 1: Foundation & Threat Landscape
 
1.1    Fast-Track Kubernetes 101 for Defenders

• Architecture deep-dive from a security perspective
  
• Attack surface analysis and entry points
  
• Understanding AI/ML workload orchestration patterns

1.2    Threat Modeling & Intelligence

• MITRE ATT&CK for Containers framework (latest tactics)
  
• Analysis of latest recent Kubernetes incident trends
  
• Anonymous authentication exploitation patterns
  
• STRIDE methodology adapted for cloud-native environments
  
• Behavioral threat detection using IOCs

1.3    Defensive kubectl Kung-Fu: Advanced API Auditing

• API server security hardening beyond basics
  
• Detecting lateral movement through API abuse
  
• Advanced RBAC audit techniques
  
• API server attack path analysis

1.4    Supply Chain Security Revolution

• Container image signing with Sigstore/Cosign
  
• Software Bill of Materials (SBOM) enforcement
  
• Provenance verification and attestation
  
• Private registry threat modeling
  
• Third-party dependency risk assessment

Section 2: Advanced Hardening & Attack Path Mitigation

2.1    Next-Gen Container Isolation

• Container escape prevention with gVisor/Kata/etc.
  
• Advanced security profiles like KuberArmor or AppArmor & seccomp-bpf
  
• User namespace security considerations
  
• Privileged container detection strategies
  

2.2    Zero-Trust Network Security

• Service mesh security (Istio/Linkerd security policies)
  
• eBPF-based network monitoring and enforcement
  
• East-west traffic encryption patterns
  
• Network policy testing and validation

2.3    Identity & Access Management Revolution

• RBAC security assessment methodology
  
• ServiceAccount token security
  
• Workload identity & federation
  
• Pod Security Standards (PSS) enforcement

2.4    Modern Application Delivery Security

• GitOps security patterns and threat modeling
  
• Helm security beyond basics (OCI registries)
• Kustomize security considerations
  
• ArgoCD/Flux security hardening

2.5    Secrets & Data Protection

• External Secrets Operator patterns
  
• HashiCorp Vault integration security
  
• CSI driver security considerations
  
• Encryption at rest with cloud KMS integration

2.6    Cloud-Native Defense Integration

• Cloud provider security service integration
  
• Workload identity and IRSA security patterns
  
• Cloud metadata API protection strategies
  
• Multi-cloud security considerations

Section 3: Detection, Monitoring & AI-Enhanced Response

3.1    Runtime Security Revolution 

• Falco rule customization and tuning
  
• eBPF-based monitoring with Tetragon/Tracee
  
• Cilium Hubble for network observability
  
• Container runtime security (containerd/CRI-O)

3.2    AI/ML Workload Security Specialization

• GPU resource abuse detection
  
• Model poisoning prevention strategies
  
• ML pipeline security monitoring
  
• Jupyter/MLflow security considerations

3.3    Advanced Threat Detection

• Behavioral anomaly detection with ML
  
• Cryptomining detection patterns
  
• Advanced persistent threat (APT) indicators
  
• Secrets scanning in runtime environments

3.4    Policy-as-Code & Governance

• OPA Gatekeeper advanced policies
  
• Kyverno policy engine comparison
  
• Polaris policy validation
  
• Spotter universal security policy engine
  
• Policy testing and CI/CD integration

3.5    Persistence & Evasion Hunting

• Sidecar injection attack detection
  
• Init container abuse patterns
  
• DaemonSet privilege escalation hunting
  
• Node-level persistence techniques

3.6    Incident Response Playbooks

• Automated response orchestration
  
• Container forensics techniques
  
• Kubernetes-native incident response tools

Section 4: Auditing, Automation & Future-Ready Defense

4.1    Comprehensive Security Posture Assessment

• Multi-tool audit orchestration
  
• KubeAudit, Trivy, Kubescape, Kube-score, Spotter comparison
  
• Popeye resource optimization auditing
  
• Custom policy development

4.2    Compliance & Benchmarking Excellence

• CIS Kubernetes Benchmark implementation
  
• NIST Cybersecurity Framework mapping
  
• SOC 2 compliance for Kubernetes
  
• PCI-DSS container security requirements

4.3    DevSecOps Integration Mastery

• Security scanning in GitOps workflows
  
• Admission controller testing in CI/CD
  
• Infrastructure as Code security scanning
  
• Progressive delivery security gates

4.4    Real-World Case Study Deep Dives

• Kubernetes cryptojacking incident analysis
  
• Misconfigured API server exploitation case studies
  
• Supply chain attack post-mortems
  
• AI/ML infrastructure compromise scenarios

4.5    Security Maturity & Future Direction

• Kubernetes Security Maturity Model (KSMM)
  
• Emerging security tools landscape
  
• Cloud-native security platform integration
  

Difficulty Level:

Intermediate/Advanced

Suggested Prerequisites:

• Basic Kubernetes knowledge (kubectl, YAML manifests)
  
• Container security fundamentals
  
• Linux system administration experience
  
• Familiarity with cloud provider security services
  

Target Audience - Who should take this course?

• Blue Team analysts and SOC engineers
  
• Security engineers and Security architects
  
• Cloud/DevSecOps professionals and platform engineers
  
• Incident response specialists
  
• Security consultants and auditors
  

What Students Should Bring:

You have to bring your laptop with a browser and we will provide you with access to the browser-based labs.

Students will be provided with:

• 200+ page digital workbook with step-by-step labs and references
  
• Custom lab environment for continued practice
  
• Security policy templates and implementation guides
  
• Incident response playbooks specifically for Kubernetes
  
• Tool comparison matrices and frameworks
  

Trainer(s) Bio:

Madhu Akula is a pragmatic security leader and creator of Spotter - Universal Kubernetes Security Engine and Kubernetes Goat, an intentionally vulnerable by-design Kubernetes Cluster to learn and practice Kubernetes Security. Also published author and cloud-native security architect with extensive experience. Also, he is an active member of the international security, DevOps, and cloud-native communities (null, DevSecOps, AllDayDevOps, AWS, CNCF, USENIX, OWASP, etc). Holds industry certifications like OSCP (Offensive Security Certified Professional), CKA (Certified Kubernetes Administrator), CKS (Certified Kubernetes Security Specialist), etc.

Madhu frequently speaks and runs training sessions at security events and conferences around the world including DEFCON (24, 26, 27, 28, 29, 30, 31 & 32), BlackHat (2018, 19, 21, 22, 23, 24 & 25), USENIX LISA (2018, 19 & 21), SANS Cloud Security Summit 2021 & 2022, O'Reilly Velocity EU, GitHub Satellite, Appsec EU (2018, 19 & 22), All Day DevOps (2016, 17, 18, 19, 20, 21, 22, 23 & 24), DevSecCon (London, Singapore, Boston), DevOpsDays India, c0c0n(2017, 18 & 20), Nullcon (2018, 19, 21 & 22 & 25), SACON, WeAreDevelopers, null and multiple others.

His research has identified vulnerabilities in over 200+ companies and organisations including; Google, Microsoft, LinkedIn, eBay, AT&T, WordPress, NTOP Adobe, etc, and is credited with multiple CVEs, Acknowledgements, and rewards. He is co-author of Security Automation with Ansible2 (ISBN-13: 978-1788394512), which is listed as a technical resource by Red Hat Ansible. He is the technical reviewer for Learn Kubernetes Security, and Practical Ansible2 books by Packt Pub. Also won 1st prize for building an Infrastructure Security Monitoring solution at InMobi flagship hackathon among 100+ engineering teams. In addition to his technical expertise, Madhu advises startups on building exceptional products and communities, helping them add significant value along the way.

Registration Terms and Conditions: 

Trainings are refundable before October 2, 2025, minus a non-refundable processing fee of $250.

Trainings are non-refundable after October 2, 2025.

Training tickets may be transferred. Please email us at training@defcon.org for specifics.

If a training does not reach the minimum registration requirement, it may be cancelled. In the event the training you choose is cancelled, you will be provided the option of receiving a full refund or transferring to another training (subject to availability).

Failure to attend the training without prior written notification, will be considered a no-show. No refund will be given.

By purchasing this ticket you agree to abide by the DEF CON Training Code of Conduct and the registration terms and conditions listed above.

Several breaks will be included throughout the day. Please note that food is not included.

All courses come with a certificate of completion, contingent upon attendance at all course sessions.