The honest version: A portfolio of three solid public write-ups beats three certifications with no practical work; every cloud security hiring manager we know agrees on this. The projects below are what we'd want to see in a candidate's GitHub or blog. Pick three you find interesting, do them well, publish each one, and link them prominently from your LinkedIn and resume.
All seven are doable on the free tier of one cloud (or entirely locally for some) with the guardrails on the home lab page. Total cost: $0–$15 across all of them if you tear down resources at the end of each session.
The 7 projects
Each card links to a step-by-step walkthrough with prerequisites, deliverables, success criteria, and what hiring managers look for in the write-up.
Walk every CloudGoat scenario
The canonical AWS-attack lab. Pick a scenario, exploit it end-to-end, then write up the kill chain and remediation. Repeat for every scenario.
Build a multi-account AWS Org with SCPs
Terraform a 3-account organization with IAM Identity Center, baseline guardrail SCPs, and centralized CloudTrail. Real production-shape work.
Prowler audit + remediation
Run Prowler against your own account, document every finding, and Terraform the fix for each one. Before/after screenshots are gold.
Build 5 detections in a lab SIEM
Stand up Wazuh / Elastic / Matano, ship CloudTrail to it, write Sigma rules for 5 MITRE ATT&CK Cloud techniques, validate with Stratus Red Team.
Recreate the Capital One breach in your lab
Build the vulnerable architecture (WAF + SSRF-able service + IMDSv1 + over-privileged role), exploit it, then build the controls and detections that close it.
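As an added example (not code from this page or from any walkthrough it links to), here is a minimal Sigma-style matcher for two of the detections projects 4 and 5 call for, run over constructed CloudTrail records: a disabled-logging rule and a rule for instance-role credentials used from outside the VPC, the credential-theft step of the Capital One chain. The 10.0.0.0/16 lab VPC range, account ID, role name and instance ID are assumed values.

```python
# Added example: a minimal Sigma-style matcher run over constructed CloudTrail records.
# Rule keys may carry |contains or |startswith, list values mean any-of, and a
# 'filter' block negates, i.e. Sigma's "condition: selection and not filter".

def get_field(event, dotted):
    cur = event
    for part in dotted.split("."):  # walk "userIdentity.arn" into nested dicts
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_matches(event, key, wanted):
    path, _, mod = key.partition("|")
    value = get_field(event, path)
    if value is None:
        return False
    wanted = wanted if isinstance(wanted, list) else [wanted]
    ops = {"": str.__eq__, "contains": lambda v, w: w in v, "startswith": str.startswith}
    return any(ops[mod](str(value), w) for w in wanted)

def rule_matches(event, rule):
    hit = lambda block: all(field_matches(event, k, v) for k, v in block.items())
    return hit(rule["selection"]) and not ("filter" in rule and hit(rule["filter"]))

RULES = [
    {"title": "CloudTrail logging stopped or trail deleted", "technique": "T1562.008",
     "selection": {"eventSource": "cloudtrail.amazonaws.com",
                   "eventName": ["StopLogging", "DeleteTrail"]}},
    # Instance-profile sessions are named after the instance ID ("/i-..."); one used from
    # outside the lab VPC (assumed 10.0.0.0/16) fires even though the API call is benign.
    {"title": "Instance-role credentials used from outside the VPC", "technique": "T1552.005",
     "selection": {"userIdentity.type": "AssumedRole", "userIdentity.arn|contains": "/i-"},
     "filter": {"sourceIPAddress|startswith": "10.0."}},
]

ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WebRole/i-0abc123"  # constructed
EVENTS = [  # constructed sample records, not real logs
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",  # legitimate, in-VPC
     "sourceIPAddress": "10.0.1.25", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",  # same creds, from the internet
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
]

def run(events=EVENTS, rules=RULES):
    """Return (technique, eventName, sourceIPAddress) for each event a rule matches."""
    return [(r["technique"], e["eventName"], e["sourceIPAddress"])
            for e in events for r in rules if rule_matches(e, r)]
```

Replaying Stratus Red Team techniques into the SIEM and checking that each one produces exactly the expected hit, as the second and third events do here, is the validation step the project asks for.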
Contribute to an open-source cloud security tool
Prowler, Cloud Custodian, Pacu, ROADtools, Steampipe, KICS: pick one, fix a "good first issue," ship the PR, write up what you learned.
Write a CNAPP comparison
Trial 3 CNAPPs against the same vulnerable account. Compare findings, false-positive rate, remediation guidance, and price-to-value. Honest write-up wins.
An unfinished project shipped publicly beats a finished project nobody can see. – the only portfolio rule that matters
Where to publish your write-ups
The project is half the value; publishing it is the other half. Pick one or two surfaces; don't spread yourself across five.
- GitHub repo with a thorough README. The default and the strongest single signal. Include screenshots, the Terraform / scripts you wrote, and a "what I learned" section. Pin the repo on your profile.
- Personal blog (GitHub Pages, Substack, dev.to, Hashnode). Long-form write-up. SEO-discoverable; recruiters Google candidates.
- LinkedIn post linking back to the write-up. Where most cloud security hiring managers actually live. One post per project.
- 5-minute lightning talk at a CSOH Friday Zoom. Highest-bandwidth way to make your work visible to working practitioners. We routinely run them.
- Conference CFP. BSides cities, fwd:cloudsec, DEF CON Cloud Village all welcome first-time speakers. A CloudGoat write-up has been the entry-point talk for many people in our community.
How to talk about them in interviews
Hiring managers ask "tell me about a project you're proud of." This is the answer. Frame each one as a STAR-style story you can tell in 90 seconds:
- Situation: what you set out to learn or demonstrate.
- Task: the specific decision points (which scenario, which controls, which IAM design).
- Action: what you actually did, including a moment where you had to debug something non-obvious.
- Result: what the artifact looks like, what you'd do differently, what surprised you.
The "what surprised me" beat is the one most candidates miss and the one most interviewers grade on. It signals you actually did the work and reflected on it.
Common mistakes
- Building a "cloud security dashboard" toy webapp. Hiring managers see hundreds. Build operational artifacts that look like real production work, not portfolio bait.
- Cloning someone else's CloudGoat write-up and republishing it. Recognizable instantly. Always make the kill-chain and remediation in your own voice, with your own screenshots.
- Doing the project but not publishing. Half the value is the write-up. If it's not public, it doesn't exist for the hiring funnel.
- Picking seven projects and finishing none. Pick three. Ship each one. Then add more.
- Hiding work because "it's not perfect yet." Publish at 80%. The act of publishing is what teaches you.
- Listing the project on your resume but not linking to it. A recruiter has 20 seconds. Hyperlink directly to the GitHub repo or write-up.
Where next
- Set up your home lab: most projects need a real cloud account with budget guardrails.
- Careers guide: what hiring managers look for and how the portfolio fits in.
- CTF directory: the lab platforms many of these projects use.
- Learning path: where the projects fit into the bigger arc.
- Friday Zoom + Signal chat: share your write-up and get feedback from working practitioners.