Blake Grosskopf · Cloud & Identity Offensive Security Researcher
I build and break cloud identity systems — then document both sides.
I build and break cloud identity systems end-to-end — reverse-engineering SaaS auth flows into custom tooling, and chaining real cloud attack paths from public exposure to subscription-level control — then document both the offense and the defense.
- 01 Public blob recon T1526
- 02 App source disclosure T1530
- 03 Hardcoded secrets T1552.001
- 04 Forged admin JWT HS256
- 05 SSRF → file:// T1190
- 06 Storage key + SSH keys T1552.004
- 07 VM managed identity T1078.004
- 08 RG Contributor Impact
01Selected work
All workApproach
How I work
- Build
I stand up the range myself — Terraform, real cloud, real constraints — so the attack path is genuine, not a screenshot.
- Break
External-attacker lens, end to end: public exposure → tokens → secrets → subscription-level control. Evidence, not adjectives.
- Document
Every finding maps to MITRE ATT&CK and ships with the defense — the control, the detection, the one change that breaks the chain.
02Latest writing
All writing- The metadata endpoint depends on the compute type An SSRF into an Azure Function returned an empty metadata response — not because the attack failed, but because Functions has no VM IMDS. A short lesson on matching the metadata endpoint to the compute you actually landed on.
- Your Okta tenant is sprayable by default — and MFA won't fix it The Identity Engine sign-in surface validates passwords from the open internet by design. Here's what actually gates external spraying — and why turning on MFA isn't it.
03Cert spine
- AZ-900 Azure Fundamentals Held
- SC-900 Security, Compliance & Identity Fundamentals Active
- SC-500 Cloud & AI Security Engineer Active
- CARTP Cloud Attack & Red Team Professional Target
Hiring for cloud pentest, red team, or identity security?
I'm open to roles and collaboration. The fastest way to gauge fit is to read a case study — then say hello.