Pacu — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

AWS exploitation framework — modular post-exploitation toolkit for compromised AWS credentials.

Use case: Cloud (AWS)Difficulty: AdvancedHomepage: https://github.com/RhinoSecurityLabs/pacu

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

pipx

pipx install pacu

Source

git clone https://github.com/RhinoSecurityLabs/pacu && cd pacu && pip install -e .

Run

pacu

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Set up session

pacu → set_keys → enter access_key + secret

Whoami / current context

whoami

Run permission enumeration

run iam__enum_permissions

Privesc enum

run iam__privesc_scan

Backdoor IAM users

run iam__backdoor_users_keys

CloudTrail manipulation

run detection__disruption

List all available modules

list

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • Pacu is INTERACTIVE-first. For automation: pacu --session NAME --module-name X --module-args "..." headless.
  • AWS API rate-limits: most modules respect them but iam__enum_permissions on big accounts (1000+ resources) takes 30+ min. Run sequentially.
  • set_regions to limit scope before aws_enum* modules — full account scan across 30 regions is slow.
  • SQLite session DB at ~/.local/share/pacu/sessions/ — back it up after big enumerations to avoid re-running.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • GuardDuty detects most enumeration patterns. Modern AWS engagements assume detection within 5-15 min.
  • iam__backdoor_users_keys creates real backdoors — make sure scope authorises this. Cleanup with iam__detect_honeytokens after.
  • Some modules require admin-level perms to test fully — they will fail silently on lesser creds.
  • CloudTrail logs Pacu API calls with module-specific User-Agent strings — defenders can detect from logs.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • CloudFox (BishopFox) — newer enumeration-focused tool, less destructive.
  • aws_consoler — pivot creds to console session.
  • weirdAAL — older, larger module catalog.

India context and engagement notes

For Indian cloud audits (RBI ITS / SEBI CSCRF): Pacu’s permission-enum + privesc-scan are the authoritative test set. Always run with read-only flag set + skip destructive modules. CloudFox is becoming the new default for non-destructive enumeration — consider for audit work.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants