Security BSides Las Vegas 2025

Casting Light on Shadow Cloud Deployments
2025-08-04, Florentine E

Shadow IT and forgotten proof-of-concept environments frequently become the weak links attackers exploit—unmonitored, undocumented, and outside standard security controls. Whether it's a forgotten cloud instance left open to the internet or a testing environment quietly turned into a production system, these deployments often fly under the radar until they become part of an incident. Once discovered, accurately scoping the environment is critical to identifying existing resources, active services, and their exposure to the internet. Our open-source tool, Luminaut, scans cloud environments to identify services exposed to the internet, providing critical context from the inside out to jumpstart your investigation. Within minutes, Luminaut will highlight exposed IP addresses and associated compute and networking resources, layering on a timeline from cloud audit logging and context from external scanners. Whether working an incident for an enterprise security team or responding to a customer’s AWS or Google Cloud environment, Luminaut helps answer critical scoping questions—what is exposed, where it’s running, and how long it has been there—giving investigators a head start on triage, root cause analysis, and informing stakeholders.


We developed this tool, and this talk, after years of responding to incidents that began with exposed resources. The initial version supported investigation of AWS resource exposure and was presented at ShmooCon 2025. Since then, we have been working on a Google Cloud integration and expanding our coverage of AWS resources. Practitioners have adopted this CLI tool to reduce the time spent in the identification phase of triage.

While other tools support similar features, Luminaut stands apart by focusing on the discovery of resources and taking an inside-out approach to detection. Luminaut starts by enumerating internet-facing network interfaces, then traces them to the attached resources and services to identify which components make up the network path. It then uses available audit history from sources such as CloudTrail and AWS Config to provide context on how those resources were created. In addition to this internal identification, Luminaut can use external resources to gather information about the services running on the exposed interfaces, using nmap, whatweb, and shodan to report the applications or frameworks reachable on the exposed ports.
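The inside-out walk described above, as an added example that is not Luminaut's own code: starting from network interfaces that carry a public IP, it resolves the attached instance, filters the security group rules down to those open to the whole internet, and attaches the CloudTrail history of the related resources. All IDs, rules and events are constructed sample data shaped like the corresponding boto3 responses, so the script runs offline.

```python
# Added example, not Luminaut's code: all data below is constructed, shaped like boto3 responses.
from datetime import datetime, timezone

WORLD = {"0.0.0.0/0", "::/0"}  # CIDRs meaning "anyone on the internet"
ENIS = [  # constructed describe_network_interfaces sample: one public ENI, one internal-only ENI
    {"NetworkInterfaceId": "eni-0aaa", "Attachment": {"InstanceId": "i-0111"},
     "Association": {"PublicIp": "198.51.100.10"}, "Groups": [{"GroupId": "sg-0web"}]},
    {"NetworkInterfaceId": "eni-0bbb", "Attachment": {"InstanceId": "i-0222"},
     "Groups": [{"GroupId": "sg-0db"}]},
]
SGS = {  # constructed describe_security_groups sample, keyed by GroupId
    "sg-0web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9010, "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    "sg-0db": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
}
EVENTS = [  # constructed CloudTrail lookup_events records, trimmed to the fields used here
    {"EventName": "RunInstances", "Username": "poc-deployer", "EventTime": datetime(2025, 3, 2, 9, 15, tzinfo=timezone.utc),
     "Resources": [{"ResourceType": "AWS::EC2::Instance", "ResourceName": "i-0111"}]},
    {"EventName": "AuthorizeSecurityGroupIngress", "Username": "poc-deployer", "EventTime": datetime(2025, 3, 2, 9, 20, tzinfo=timezone.utc),
     "Resources": [{"ResourceType": "AWS::EC2::SecurityGroup", "ResourceName": "sg-0web"}]},
]

def world_open_ports(sg):
    """Return (protocol, from_port, to_port) for each ingress rule that admits 0.0.0.0/0 or ::/0."""
    open_rules = []
    for rule in sg["IpPermissions"]:
        cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
        if cidrs & WORLD:
            open_rules.append((rule["IpProtocol"], rule.get("FromPort"), rule.get("ToPort")))
    return open_rules

def find_exposed(enis, sgs, events):
    """Start from internet-facing ENIs, then walk outward to the instance, SG rules and audit history."""
    findings = []
    for eni in enis:
        public_ip = eni.get("Association", {}).get("PublicIp")
        if not public_ip:  # no public address: not reachable from the internet, even if its SG is wide open
            continue
        instance = eni.get("Attachment", {}).get("InstanceId")
        group_ids = {g["GroupId"] for g in eni["Groups"]}
        ports = [p for gid in sorted(group_ids) for p in world_open_ports(sgs[gid])]
        related = group_ids | {instance}  # resources whose audit trail explains this exposure
        history = sorted((e["EventTime"], e["EventName"], e["Username"]) for e in events
                         if any(r["ResourceName"] in related for r in e["Resources"]))
        findings.append({"eni": eni["NetworkInterfaceId"], "public_ip": public_ip, "instance": instance,
                         "world_open": ports, "first_seen": history[0][0] if history else None, "history": history})
    return findings
```

Note that sg-0db opens 5432 to the world, but its interface has no public address, so it is correctly left out of the findings; the earliest related event answers the "how long has it been there" question.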

As a case study, we plan to discuss the DeepSeek database exposure from earlier this year, though if another significant exposure or related case arises between now and August, we will update our presentation to reference that instead. We are planning a live demo, but will prepare a backup showing the tool's usage and capabilities in case the live demo fails.

Our project is available on GitHub here: https://github.com/luminaut-org/luminaut. In addition to the tool, the repository hosts the documentation and our prior presentation slides. Our prior talk is available on YouTube here: https://youtu.be/-_jUZBMeU5w?si=e-Q3gFavTdhpecRY&t=16700

Chapin Bryce is a cybersecurity consultant turned software developer. His current focus is on cloud security and threat data, through building tools to support investigations and strengthen organizational security. Chapin is an author of two books on using Python in digital forensics.

Brittney Argirakis is a cybersecurity professional specializing in digital forensics and incident response. Over the past 8+ years, Brittney has worked in consulting roles for large enterprise, government, healthcare, and non-profit organizations, leading investigations and training sessions on DFIR topics.