Beware of exposed serverless cloud functions, Mandiant warns
The rise of generative AI means the firm's seeing more vulnerable environments: here's what it thinks you should do
Google's Mandiant has warned that exposed serverless cloud functions can give attackers access to secrets and broader cloud environments, urging enterprises to implement new hardening measures.
Serverless deployments generally run custom-developed code that incorporates third-party packages, making them targets for a wide range of application-level attacks, including local and remote file inclusion (LFI/RFI) and command injection.
Mandiant said it’s observed an uptick in the number of public-facing serverless applications that lack authentication, often because of specific business requirements.
The rapid acceleration of generative AI adoption is a big factor here, the researchers noted, with AI workflows, including chatbot interactions, image generation, vibe coding, and multi-step AI agents relying on serverless functions to complete tasks for users.
Once they've managed to exploit an entry point, attackers typically attempt to escalate privileges or move laterally.
Common techniques include extracting secrets stored directly within the application code, reviewing application logic and sensitive data to identify further attack vectors within the environment, and exfiltrating service account bearer tokens from the metadata server via remote code execution (RCE).
"Leveraging these compromised secrets or service accounts allows threat actors to pivot to adjacent systems and workloads, potentially resulting in a total environment takeover if proper hardening strategies are not in place," said Mandiant security consultant Corné de Jong.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Shoring up defenses
The firm recommends a multi-pronged approach to harden security, including integration of security scanning, code reviews, and least-privilege identity and access management (IAM) capabilities within CI/CD pipelines before deployment.
When it comes to vibe coding, Mandiant recommends multi-layered security enforcement: isolating AI experimentation within dedicated sandbox environments and enforcing strict data egress controls to protect production systems and internal data.
Meanwhile, development environments should be restricted to approved IDEs with human-in-the-loop capabilities, using only verified plugins operating under least privilege to mitigate supply chain vulnerabilities.
Organizations will then need to ensure that all AI-generated software follows Secure Software Development Lifecycle (S-SDLC) controls, while establishing clear internal guidelines regarding permitted use cases.
Keep it in-house
As for runtime controls, Mandiant said that public-facing Cloud Run services should be hosted in a dedicated, isolated Google Cloud project to make sure attackers aren't simply given immediate access to critical internal resources.
Organizations should also restrict ingress traffic for serverless functions to internal only, and use an external Layer 7 ALB to manage internet exposure.
Here, it recommended Cloud Armor, which it said provides Web Application Firewall (WAF) protections that can be integrated with the Load Balancer to filter malicious traffic.
One aspect of a broader architecture
Notably, de Jong warned that hardening Cloud Run services is “only one part of a secure architecture” and a weak link elsewhere in the chain could result in disaster.
“Because these services often connect to other Google Cloud resources, a single compromise can expose additional services. Implementing defense-in-depth is critical,” he said.
“Specifically, when using direct VPC egress or VPC Access connectors, use VPC Service Controls to restrict lateral movement and exfiltration through granular access policies."
While serverless functions are designed to make cloud development faster and more flexible, threat actors are starting to find them as just as convenient, according to Nick Tausek, lead security automation architect at Swimlane.
"An alert tied to one function may suddenly become an identity issue or a lateral movement problem. Manual handoffs slow everything down at exactly the wrong moment. Security operations need to preserve context and adapt response actions as new risks emerge," he said.
"Integration of agentic AI into security platforms can support that process by connecting signals across tools, carrying investigative context forward and helping security teams determine the next appropriate action as an incident evolves.”
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Hardware shortages force channel partner rethink on infrastructure strategiesNews Almost nine-in-10 channel partners are taking steps to protect customers from pricing volatility and supply constraints
-
How Rathbones Asset Management built strong data foundationsThe firm worked with cloud-native data and AI firm, Snowflake, to turn data into insight that can drive smart decisions
-
Google Cloud Next 2026: all the live updates as they happenLive blog ITPro is on the ground at Google Cloud Next 2026, to cover all the latest announcements from the day one keynote
-
Google Cloud Next 2026 is a chance to demonstrate Google’s unique advantagesOpinion Across hardware, security, and AI optimization, Google Cloud can use its annual event to market itself as the best all-round choice for enterprise AI
-
Wiz: 80% of cloud breaches are caused by basic mistakesNews Wiz Threat Research's analysis of 2025 cloud incidents shows that familiar risks are expanding with scale, shared trust, and AI-driven environments
-
Red Hat, Google Cloud eye legacy modernization gains with partnership expansionNews Red Hat wants to make it easier to migrate and modernize applications
-
Cloud infrastructure spending hit $102.6 billion in Q3 2025 – and AWS marked its strongest performance in three yearsNews Hyperscalers are increasingly offering platform-level capabilities that support multi-model deployment and the reliable operation of AI agents
-
Google Cloud teases revamped partner program ahead of 2026News The cloud giant’s new-look partner ecosystem shifts focus from activity tracking to measurable customer outcomes
-
What Palo Alto Networks' $10bn deal with Google Cloud means for customersNews The extension of an existing partnership between Palo Alto Networks and Google Cloud is designed to boost security amid rise in AI
-
Cohesity deepens Google Cloud alliance in data sovereignty pushNews The pair’s expanded collaboration will focus on new integrations for AI, cybersecurity, and data protection