Ofir Shaty
Ofir Shaty, a seasoned Senior Security Researcher at Palo Alto Networks, boasts an impressive 8-year track record in the realms of Data Security, Web Application and Cloud Security. With a specialized focus on researching cloud and database attacks, he has contributed groundbreaking research to the field, exploring both offensive and defensive strategies and attack techniques. Notably, Shaty demonstrated his expertise by disclosing vulnerabilities in multiple GCP services.
Session
Tenant Projects are the backbone of services in GCP, yet their architecture remains largely misunderstood, even by seasoned cloud security practitioners. This talk takes a deep dive into how GCP implements Tenant Projects, how permissions and interconnected services are structured, and where the cracks start to form.
As part of our research into Vertex AI, we uncovered vulnerabilities that not only compromised Vertex AI itself but also exposed fundamental weaknesses in the Tenant Project model. By understanding the permission model and service interactions, we were able to escalate our findings and take full control over an entire Tenant Project.
We’ll walk through the architecture, highlight the risks, and show real-world exploitation scenarios, unveiling for the first time additional vulnerabilities beyond our initial discoveries. This talk isn’t just about the bugs; it’s about how attackers can abuse the Tenant Project model and what security teams need to do to defend against it.
Expect a mix of deep technical content, hands-on exploitation, and a broader discussion on the implications of GCP’s multi-tenant architecture.