As supply-chain attacks are becoming more common, it's apparent that CI/CD pipelines are ripe for abuse. In a recent offensive engagement, my team set out to identify the breadth of compromise from three assume breach scenarios. In this talk I'd like to discuss some of the pitfalls and findings that we came across while we moonwalked through the cloud environment of a major cyber security company.