You're running a cloud security assessment for Doha Smart Developments, a property-technology operator with smart-building infrastructure across eight mixed-use developments in Lusail and West Bay. The deliverable is an assessment report, a compliance report mapped to three frameworks, and a remediation roadmap timed against a six-month government deadline.
The discipline skills: designing a cloud assessment methodology end-to-end; consolidating an inventory across multiple Azure subscriptions; running reconnaissance and exploitation against a cloud surface; integrating cloud audit logging into the existing defender stack; and mapping findings coherently across three regulatory frameworks at once.
The AI-direction lesson: cloud is new terrain, and AI's instincts were built somewhere else. It defaults to convenient Azure roles rather than least-privileged ones. Its cloud commands may reference deprecated APIs that look syntactically correct and fail silently. The mature register from your last project — context per agent, when not to delegate, when not to connect — carries forward, but the cloud-specific judgments are new.
Your Role
You're the assessor. The methodology, the consolidated inventory, the IAM model, the exploitation plan, the detection coverage, the compliance mapping across QNCF, CIS Azure, and NIST IoT, and the six-month remediation roadmap — yours.
Scaffolding is thin on methodology and guided on the cloud surface itself. No cloud-assessment-methodology template, no Azure-IAM-mapping skeleton, no Defender-for-Cloud interpretation guide, no QNCF crosswalk. You design the assessment. The cloud surface is operated through fixtures and az CLI dry-runs — authentic command syntax and authentic response shapes, no real subscription touched, no cloud cost. The brief is a meeting transcript with two voices on record: Khalid Al-Mansouri, Director of Digital Infrastructure, and Noura Hassan, Cloud Platform Lead. Read it twice.
Four scoped agents — cloud-architecture, IAM-enumeration, exploitation, remediation — each get the cloud context their phase needs and only that. Offensive cloud tooling stays separate from architecture write access. Some decisions are explicitly yours, not the agents': the cloud-specific judgments that AI will happily delegate itself into and produce something plausible-looking but wrong.
What's New
Last time you designed a multi-layer hardening strategy and a zero-trust trust model for a federally regulated wealth-management firm in Toronto, with NIST CSF as the executive frame.
Cloud as the terrain. Every prior project lived on-prem or in containers. Azure enters the track here. The shared responsibility model splits accountability for the first time — the cloud provider secures the infrastructure; you secure the configuration.
A different kind of attack surface. Reconnaissance, exploitation, and hardening you've done before — but not against a cloud surface, where the exploitable thing is often a configuration rather than a vulnerability and the principal control is identity.
Cloud audit as a new SIEM paradigm. Azure Activity Log joins the existing Wazuh + Loki + Suricata + osquery stack. You integrate it without rebuilding what's already working.
Three frameworks mapped at once. QNCF is the Ministry's frame. CIS Azure Benchmarks is the technical baseline. NIST IoT covers the device layer. Findings carry weight when all three are mapped coherently.
The hard part: the methodology is yours to design at a moment when AI knows more cloud syntax than you do. If you don't lock the methodology before any reconnaissance begins, AI will fill the cloud-shaped gap with whatever its training distribution suggests — and the result will validate, run, and miss the assessment Khalid actually needs. Khalid says "fine" to approve and "explain" when he needs more detail. Generalisations get "explain". Specifics get "fine".
Tools
- Claude Code, Codex CLI — driving the four scoped cloud agents and the explicit "not for AI" cloud decisions.
- Doha Smart Developments cloud-fixture lab (Docker + Azure-fixture set) — simulating three Azure subscriptions, the IoT management platform, the building and tenant-app workloads, and the defender stack carried forward from previous projects.
- Azure CLI — new. The
azsurface runs against fixture-replay scripts in dry-run mode. Authentic syntax, authentic response shapes, no real subscription. - Microsoft Defender for Cloud (simulated) — new. Security-posture scoring fixture set, before-and-after remediation snapshots.
- QNCF, CIS Azure Benchmarks v2, NIST IoT — new. The Ministry of Transport and Communications' framework, the technical baseline, and the device-layer profile. The unit introducing them walks through the crosswalk.
- ATT&CK Cloud Matrix — alongside the on-prem matrix you've used since P11. The gap analysis covers both heatmaps now.
- Wazuh, Loki, Grafana, Suricata, osquery — familiar. Azure Activity Log integrates into Loki without rebuilding the existing stack.
- Engagement-memory infrastructure — methodology, consolidated inventory, IAM map, threat model, framework mappings, and cloud-agent specs. CLAUDE.md and AGENTS.md carry forward from last project as continued practice.
- Python, Markdown, YAML, Mermaid, GitHub — assessment report, compliance report, remediation roadmap, diagrams, project repository.
Materials
- First-contact meeting transcript — Khalid and Noura's kickoff at the level Khalid would set engagement scope.
- Cloud-inventory fixture set (
cloud-inventory/) — subscription exports withazCLI JSON, ARM snapshots, IAM role definitions, NSG configurations, storage policies. - Regulatory-context brief — QNCF section structure, CIS Azure Benchmarks v2 reference, NIST IoT control set.
- Doha Smart Developments cloud-fixture lab (
cloud-fixtures/) — simulatedazCLI surface, simulated Defender for Cloud findings, simulated Azure Activity Log samples. - Agent-spec template and CLAUDE.md — familiar; CLAUDE.md carries cloud-assessment verification targets (methodology locked before reconnaissance begins, IAM enumeration through fixture-mediated
azCLI, framework mapping coherent across QNCF, CIS Azure, and NIST IoT).
Everything downstream — the methodology, the IAM model, the exploitation findings, the detection rules, the compliance report, and the remediation roadmap — is yours.