// the find
RhinoSecurityLabs/ccat
Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
CCAT is a pentesting tool for attacking cloud container infrastructure — specifically AWS ECR/EKS and GCP GCR/GKE. It automates the ECR enumeration, pull, backdoor, push attack chain that shows up in cloud breach scenarios. Built by Rhino Security Labs, so it comes from people who actually run these attacks professionally.
The ECR backdoor injection workflow (enumerate → pull → inject reverse shell → push) is a well-documented, realistic attack chain that maps directly to real incidents. The Docker-in-Docker setup via mounted socket is honest about the risk it creates, which is more than most tools bother to do. The module structure is clean — each attack primitive is isolated, making it easy to understand what each piece does without wading through monolithic code. Coming from Rhino Security Labs gives it credibility; these aren't theoretical attacks.
Last commit was November 2019 — nearly seven years old. The roadmap lists EKS, ECS, Azure, OpenShift, IBM Cloud, Alibaba as future work, none of which ever shipped. Python 3.5+ targeting in 2019 was already conservative; running it today means fighting dependency rot. The tool covers ECR and GCR but nothing else, so if your engagement involves AKS, ECS tasks, or modern Kubernetes attack surfaces, you're on your own. No tests, no CI, no releases — this is prototype-quality tooling that got abandoned before it reached the scope it promised.
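The enumerate → pull → inject → push chain described above leaves API calls in CloudTrail that a defender can review. The following is an added example, not code from CCAT or Rhino Security Labs: it flags `PutImage` calls that repoint an existing ECR tag to a different digest and records whether the same principal enumerated and pulled first. The records are constructed and simplified, the field layout is assumed to follow CloudTrail's ECR events, and `find_tag_overwrites` and `_ev` are hypothetical names.

```python
from collections import defaultdict

ENUM = {"DescribeRepositories", "ListImages"}   # ECR API calls used to enumerate
PULL = {"BatchGetImage", "GetDownloadUrlForLayer"}  # calls made during a pull

def find_tag_overwrites(events):
    """Flag PutImage calls that repoint an existing (repo, tag) to a new digest."""
    seen = {}                   # (repo, tag) -> digest last pushed
    enumerated = set()          # principals that listed repositories or images
    pulled = defaultdict(set)   # principal -> repositories pulled from
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "ecr.amazonaws.com" or ev.get("errorCode"):
            continue            # other services and failed calls are ignored
        who, name = ev["userIdentity"]["arn"], ev["eventName"]
        params = ev.get("requestParameters") or {}
        repo, tag = params.get("repositoryName"), params.get("imageTag")
        if name in ENUM:
            enumerated.add(who)
        elif name in PULL:
            pulled[who].add(repo)
        elif name == "PutImage" and tag:
            digest = ev["responseElements"]["image"]["imageId"]["imageDigest"]
            old = seen.get((repo, tag))
            if old and old != digest:
                findings.append({"time": ev["eventTime"], "principal": who,
                                 "repo": repo, "tag": tag, "old": old, "new": digest,
                                 # True when this principal also enumerated and pulled
                                 "full_chain": who in enumerated and repo in pulled[who]})
            seen[(repo, tag)] = digest
    return findings

def _ev(t, who, name, repo=None, tag=None, digest=None):
    """Build a constructed, simplified CloudTrail-style record (assumed layout)."""
    ev = {"eventTime": t, "eventSource": "ecr.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": who},
          "requestParameters": {"repositoryName": repo, "imageTag": tag}}
    if digest:
        ev["responseElements"] = {"image": {"imageId": {"imageDigest": digest}}}
    return ev

CI, DEV = "arn:aws:iam::111122223333:role/ci-build", "arn:aws:iam::111122223333:user/dev"
SAMPLE = [  # constructed events, not real logs
    _ev("2024-01-01T10:00:00Z", CI, "PutImage", "app", "latest", "sha256:aaaa"),
    _ev("2024-01-02T03:00:00Z", DEV, "DescribeRepositories"),
    _ev("2024-01-02T03:01:00Z", DEV, "BatchGetImage", "app"),
    _ev("2024-01-02T03:05:00Z", DEV, "PutImage", "app", "latest", "sha256:bbbb"),
    _ev("2024-01-03T10:00:00Z", CI, "PutImage", "app", "latest", "sha256:cccc"),
]

if __name__ == "__main__":
    for f in find_tag_overwrites(SAMPLE):
        print(f)
```

A routine CI re-push of a mutable tag is also reported, with `full_chain` false, so the flag is what separates it from the pull-then-push pattern. Setting the repository's tag mutability to immutable makes ECR reject the overwrite outright.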