Get started with Stream's CDRGoat! This post will walk through how to set up your environment, run your first scenario and start gaining value from the detections it generates.
In our launch post we introduced CDRGoat, our scenario-driven project designed to help security teams validate cloud detections against realistic attack paths. With CDRGoat, defenders can practice investigating signals generated by adversary techniques such as SSRF exploitation, IAM privilege escalation, and lateral movement - all in safe, reproducible AWS environments.
Each scenario provisions an intentionally vulnerable environment in your AWS sandbox and includes a full automated attack script. The script replays the attacker’s steps, so defenders can focus entirely on the defensive side: log visibility, alert fidelity, and triage workflows.
CDRGoat provisions intentionally vulnerable resources into AWS. It must never be deployed in production. Always use isolated sandbox accounts, expect cloud usage costs while resources are running and ensure resources are destroyed after finishing.
Before running your first scenario, you’ll need a few standard tools:
With Homebrew:

```bash
brew install terraform awscli jq
```

With apt:

```bash
sudo apt update && sudo apt install -y terraform awscli jq
```

Each scenario lives in its own folder, containing both a Terraform plan and an attack script. Terraform provisions the resources, including VPCs, EC2 instances, IAM roles, Lambda functions, and more, depending on the scenario.
```bash
cd scenarios/<scenario-name>
terraform init
terraform apply -var='attack_whitelist=["<your-ip>/32"]' -auto-approve
```

Replace `<your-ip>` with your own public IP address; the `attack_whitelist` variable limits the scenario's exposed resources to the addresses listed. Once your environment is ready, it's time to launch the adversary simulation. Each scenario includes a prebuilt attack script designed to replay the attacker's path step by step.
```bash
chmod +x attack.sh
./attack.sh
```

The script may prompt you for inputs, for example the external IP address of the environment, but these are always available in the Terraform outputs (`terraform output`). As the script runs, adversary techniques such as credential theft, lateral movement, or database access are executed automatically, generating logs and events in CloudTrail, GuardDuty and any other security tooling you have enabled.
When the exercise is complete, destroy the environment with a single command. This ensures all resources are removed, costs are stopped and the environment is ready for the next simulation.
```bash
terraform destroy -var='attack_whitelist=[]' -auto-approve
```

The scenarios currently available are:

1️⃣ CDRGoat Scenario 1: RCE on EC2 to RDS Pivot
2️⃣ CDRGoat Scenario 2: SSRF on EC2 to Lambda Privilege Escalation
3️⃣ CDRGoat Scenario 3: Privilege Escalation via Lambda and IAM Role Enumeration
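The apply, attack and destroy steps above are easy to run by hand, but the costly mistake is forgetting the destroy. As an added example (not part of the CDRGoat project), the wrapper below strings the steps together and registers the teardown as an EXIT trap, so the vulnerable resources are removed even if `attack.sh` fails or is interrupted. It assumes you run it from the repository root, that `terraform` and `curl` are on your PATH, and that `https://checkip.amazonaws.com` is reachable when no IP is supplied.

```shell
#!/usr/bin/env bash
# Hypothetical helper: run one CDRGoat scenario end to end and always tear it down.
# Usage: ./run_scenario.sh <scenario-name> [your-public-ip]
set -eu

# Build the Terraform -var argument that limits the scenario's exposed resources
# to a single /32. Rejects anything that is not a dotted-quad IPv4 address.
build_whitelist_var() {
  ip="$1"
  if ! printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    echo "invalid IPv4 address: $ip" >&2
    return 1
  fi
  printf 'attack_whitelist=["%s/32"]' "$ip"
}

# Teardown runs from the EXIT trap so billable resources never outlive the exercise.
destroy_scenario() {
  echo "destroying scenario resources..." >&2
  terraform destroy -var='attack_whitelist=[]' -auto-approve
}

run_scenario() {
  scenario="$1"
  ip="${2:-}"
  [ -d "scenarios/$scenario" ] || { echo "no such scenario: $scenario" >&2; return 1; }
  # Resolve the operator's public IP when none was given on the command line.
  [ -n "$ip" ] || ip="$(curl -fsS https://checkip.amazonaws.com)"
  var_arg="$(build_whitelist_var "$ip")"
  cd "scenarios/$scenario"
  trap destroy_scenario EXIT
  terraform init -input=false
  terraform apply -var="$var_arg" -auto-approve
  # Save the outputs: the attack script prompts for values such as the external IP.
  terraform output -json > outputs.json
  chmod +x attack.sh
  ./attack.sh
}

if [ "$#" -ge 1 ]; then
  run_scenario "$@"
fi
```

Review the CloudTrail and GuardDuty findings before the trap fires, or lengthen the window by replacing `./attack.sh` with a prompt; once the function returns, the environment is gone.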
Cloud breaches rarely depend on a single vulnerability. They happen when multiple weaknesses combine into a chain that attackers can (and do) exploit. CDRGoat was built to mirror that reality: scenarios that escalate step by step, forcing defenders to test whether their detections hold up in practice.
By deploying your first scenario and running the automated attack, you’ll go beyond writing detection rules and validate how your SOC responds under real conditions. Clone the repository, spin up a scenario in your AWS sandbox, and see how your defenses measure up.
This content is provided for educational and informational purposes only. Stream.Security’s CDRGoat is provided as-is without warranties of any kind. By using this project you accept full responsibility for all outcomes. Scenarios are intentionally vulnerable and must only be deployed in isolated, non-production accounts. Stream.Security does not guarantee the accuracy or completeness of the content and assumes no liability for any damages resulting from its use.
Stream.Security does not endorse or condone any illegal activity and disclaims any liability arising from misuse of the material. Stream.Security and project contributors assume no liability for misconfiguration or unintended consequences, including any illegal activity. Ensuring safe and appropriate use is your responsibility.
Stream Security is an AI Detection & Response (AI DR) company built for the era of AI-driven environments across cloud, on-prem, and SaaS. As AI agents operate with real permissions and attackers move at machine speed, Stream enables security teams to keep pace by continuously computing a real-time, deterministic model of their entire environment. Powered by its CloudTwin® technology, Stream instantly understands the full impact of every action across identities, permissions, networks, and resources, allowing organizations to detect, prioritize, and safely respond to threats before they propagate. This transforms security from reactive detection into a true control plane for modern infrastructure.