Choosing the Right Testing Approach#

Infrastructure security testing is not one activity. It is a spectrum from fully automated scanning to manual adversarial testing. Each approach has different costs, coverage, and compliance implications. Choosing wrong wastes budget on low-value scans or leaves critical gaps unexamined.

The core decision is: what are you trying to learn, and what constraints do you operate under?

Decision Matrix#

When to Use Each Approach#

Use automated scanning when you need continuous visibility into known vulnerabilities across your infrastructure. This is the baseline. Every organization should run automated scans regardless of what other testing they do.

Use Kubernetes-specific testing when you run Kubernetes clusters and need to verify that cluster configuration follows security best practices. CIS benchmarks are the standard here.

Use network scanning when you need to understand your attack surface from the network perspective, verify firewall rules, or confirm that only expected services are exposed.

Use manual penetration testing when you need to validate that your defenses work against a skilled adversary, when compliance requires it (PCI-DSS 11.3), or when you have complex infrastructure where automated tools miss chained attack paths.

Automated Vulnerability Scanning#

Nessus#

Nessus is the most widely deployed commercial vulnerability scanner. It checks for known CVEs, default credentials, misconfigurations, and compliance violations across operating systems, network devices, and applications.

# Nessus is typically run via its web interface or API
# CLI scan using the Nessus API
curl -k -X POST https://nessus-server:8834/scans \
  -H "X-ApiKeys: accessKey=ACCESS;secretKey=SECRET" \
  -d '{
    "uuid": "template-uuid",
    "settings": {
      "name": "Infrastructure Scan Q1",
      "text_targets": "10.0.0.0/24",
      "launch": "ON_DEMAND"
    }
  }'

# Export scan results
curl -k -X POST https://nessus-server:8834/scans/SCAN_ID/export \
  -H "X-ApiKeys: accessKey=ACCESS;secretKey=SECRET" \
  -d '{"format": "csv"}'

Best for: organizations with compliance requirements (PCI, HIPAA, SOC2) that need credentialed scanning and audit-ready reports.

OpenVAS (Greenbone)#

OpenVAS is the open-source alternative. It maintains a large feed of Network Vulnerability Tests (NVTs) updated regularly.

# Install via Docker
docker run -d --name openvas \
  -p 443:443 \
  -e PASSWORD=admin_password \
  greenbone/openvas-scanner

# Using the GVM CLI
gvm-cli --gmp-username admin --gmp-password admin_password \
  socket --socketpath /run/gvmd/gvmd.sock \
  --xml '<create_target><name>Internal Network</name><hosts>10.0.0.0/24</hosts></create_target>'

# Create and start a scan task
gvm-cli --gmp-username admin --gmp-password admin_password \
  socket --socketpath /run/gvmd/gvmd.sock \
  --xml '<create_task><name>Weekly Scan</name><target id="TARGET_ID"/><config id="daba56c8-73ec-11df-a475-002264764cea"/></create_task>'

Best for: organizations that want full control over their scanning infrastructure without per-asset licensing costs.

Nuclei#

Nuclei from ProjectDiscovery runs template-based scans. Its community maintains thousands of detection templates for CVEs, misconfigurations, exposed panels, and default credentials.

# Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Scan a target with all templates
nuclei -u https://app.example.com -o results.txt

# Scan with specific tags
nuclei -u https://app.example.com -tags cve,misconfig -severity critical,high

# Scan multiple targets from a file
nuclei -l targets.txt -tags kubernetes -o k8s-results.txt

# Use specific templates
nuclei -u https://app.example.com -t exposures/ -t cves/2024/

Best for: security teams that want fast, extensible scanning with community-driven detection rules. Nuclei templates are easy to write for custom checks.

Kubernetes-Specific Testing#

kube-bench: CIS Benchmark Compliance#

kube-bench checks your cluster against the CIS Kubernetes Benchmark. It tests control plane configuration, etcd security, kubelet settings, and workload policies.

# Run as a Kubernetes Job on master nodes
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-master.yaml
kubectl logs job/kube-bench

# Run on worker nodes
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job-node.yaml

# Run directly on a node
kube-bench run --targets master,node,etcd,policies

# Output as JSON for automated processing
kube-bench run --json > kube-bench-results.json

# Check specific sections only
kube-bench run --targets master --check 1.2.1,1.2.2,1.2.3

Common critical findings: anonymous authentication enabled on the kubelet, no audit policy configured, etcd data not encrypted at rest, permissive RBAC bindings.

kube-hunter: Attack Simulation#

kube-hunter actively probes for Kubernetes security issues from an attacker’s perspective. It discovers exposed APIs, tests for known CVEs, and attempts privilege escalation.

# Run from outside the cluster (external attacker perspective)
kube-hunter --remote target-cluster.example.com

# Run from inside a pod (compromised pod perspective)
kubectl run kube-hunter --image=aquasec/kube-hunter \
  --restart=Never -- --pod

# Run in active mode (actually exploits vulnerabilities it finds)
# WARNING: only use in test environments
kube-hunter --remote target-cluster.example.com --active

# Output as JSON
kube-hunter --remote target-cluster.example.com --report json

kube-hunter tests for: exposed Kubernetes dashboard, unauthenticated API server access, exposed etcd, kubelet API access, pod escape vectors, and known Kubernetes CVEs.

Kubescape: Multi-Framework Assessment#

# Scan against NSA-CISA hardening guide
kubescape scan framework nsa --enable-host-scan

# Scan against MITRE ATT&CK for containers
kubescape scan framework mitre

# Scan a specific namespace
kubescape scan framework cis-v1.23-t1.0.1 --include-namespaces production

# Scan specific workloads
kubescape scan workload Deployment/myapp -n production

# Output for CI/CD with exit code on failure
kubescape scan framework nsa --fail-threshold 50 --compliance-threshold 80

Trivy: Kubernetes Misconfiguration Scanning#

# Scan a running cluster for misconfigurations
trivy k8s --report summary cluster

# Detailed scan of a specific namespace
trivy k8s --namespace production --report all

# Scan for vulnerabilities in all running images
trivy k8s --scanners vuln --report summary cluster

# Scan Kubernetes manifests before deployment
trivy config ./k8s-manifests/

Network Scanning#

Nmap: Service Discovery and Enumeration#

# Discover live hosts on a subnet
nmap -sn 10.0.0.0/24

# Full port scan with service detection
nmap -sV -p- target.example.com

# Scan for common Kubernetes-related ports
nmap -sV -p 443,6443,2379,2380,10250,10251,10252,10255,30000-32767 target.example.com

# Scan with vulnerability detection scripts
nmap -sV --script vuln target.example.com

# UDP scan for SNMP, DNS, and other UDP services
nmap -sU -p 53,161,162,500,4500 target.example.com

# Output as XML for tool integration
nmap -sV -oX scan-results.xml 10.0.0.0/24

Key Kubernetes ports to check: 6443 (API server), 2379-2380 (etcd), 10250 (kubelet API), 10255 (kubelet read-only), 30000-32767 (NodePort range).

Credential Testing#

Test for default and weak credentials across infrastructure components:

# Test SSH with common credentials (use only on authorized targets)
nmap --script ssh-brute -p 22 target.example.com

# Test Kubernetes API with anonymous access
kubectl --server=https://target:6443 --insecure-skip-tls-verify auth can-i --list

# Check for exposed etcd without authentication
curl -s https://target:2379/v2/keys/ --insecure

# Test kubelet API for unauthenticated access
curl -sk https://target:10250/pods/

# Check for exposed Kubernetes dashboard
curl -sk https://target:8443/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/

Compliance Mapping#

PCI-DSS#

• Requirement 11.2: Run automated vulnerability scans at least quarterly and after any significant change. Internal scans can use OpenVAS or Nessus. External scans require an Approved Scanning Vendor (ASV).
• Requirement 11.3: Perform penetration testing at least annually and after any significant change. Must include network-layer and application-layer tests.
• Requirement 6.1: Establish a process to identify and rank new security vulnerabilities using external sources (NVD, vendor advisories).

SOC2#

• CC4.1: Management evaluates controls through assessments and testing. Annual penetration testing satisfies this criterion.
• CC7.1: Detect anomalies and evaluate for security events. Continuous automated scanning feeds this control.
• CC7.2: Monitor system components for anomalies indicative of malicious acts. Runtime scanning and network monitoring.

CIS Benchmarks#

CIS benchmarks are not compliance standards themselves but are referenced by nearly every compliance framework. Run kube-bench for Kubernetes, docker-bench-security for Docker, and CIS-CAT for operating systems. Document results and remediation as evidence for auditors.

Building a Testing Program#

A complete infrastructure security testing program layers multiple approaches:

1. Continuous (every build): Container image scanning with trivy, SBOM generation, dependency vulnerability checks. Automated, zero human effort per scan.
2. Weekly: kube-bench and kubescape scans against all clusters. Nmap scans of external attack surface. Review and triage new findings.
3. Monthly: Full internal network vulnerability scan with Nessus or OpenVAS. Credential rotation verification. Review of RBAC permissions.
4. Quarterly: Compliance-driven scans (PCI-DSS ASV scans). Trend analysis on vulnerability metrics. Update scanning templates and policies.
5. Annually: Full manual penetration test by external firm. Red team exercise if budget allows. Architecture review against current threat landscape.

Each layer catches what the layer above misses. Automated scanning catches known CVEs but misses business logic flaws. Manual testing catches logic flaws but cannot run continuously. Together, they provide comprehensive coverage.