ShroudCloud is positioned as OAuth Attack Infrastructure for penetration testing firms, internal corporate red teams, and independent researchers, intended for conducting authentication attack testing in authorized scenarios. It is not a firewall, WAF, or identity protection platform in the traditional sense. Instead, it provides configurable OAuth components, including a malicious IdP and crafted RP, to help test OAuth misconfiguration issues in real targets.
The current Beta scope focuses on two attack flows: Authorization Code Interception and Redirect URI Manipulation. In the former, ShroudCloud acts as a malicious IdP during the authorization handshake, capturing authorization codes and token payloads after the client ID, redirect URI, and scope are configured. In the latter, a crafted RP is used to probe redirect URI validation issues in the target IdP, including open redirects, subdomain confusion, path traversal, and fragment injection. The platform also records full HTTP requests and responses, tokens, codes, redirects, and timing data, making it easier to produce reports and preserve evidence.
No specific pricing is disclosed in the main content. The terms of service indicate that subscriptions are billed monthly, cancellations take effect at the end of the current billing period, and partial months are not refunded. The roadmap mentions that Phase 2 will open individual subscriptions. The product is currently in private development / early access, with Phase 1 mainly centered on the waitlist, so product access remains limited. Compliance certifications, SLA, enterprise support, and payment methods are not specified.
The main advantage is its highly focused positioning: it addresses the recurring pain point for red teams of having to build their own IdP/RP setups for OAuth engagements. Parameterized configuration and session logging can improve both execution and reporting efficiency. The open-source FlawedToken demo target is also useful for practice and client demos. The downside is that the current capability set is still narrow: SAML, MFA bypass, session lifecycle, IaC export, and other features remain on the roadmap. In addition, the terms mention βprivate VPN infrastructure services,β which does not fully align with the product positioning on the homepage, so the service scope should be clarified before procurement.
ShroudCloud is better suited to professional red teams, penetration testing teams, and researchers with clear, authorized authentication testing needs. It is not suitable for ordinary enterprises to purchase directly as a day-to-day security protection tool. Access from mainland China, payment support, and local compliance information are not disclosed, so china_access can only be assessed as unknown. If it is not usable, alternatives include Burp Suite Professional, OWASP ZAP, PortSwiggerβs OAuth testing methodology, or a self-hosted OAuth IdP/RP test environment.
β This review is compiled from public sources and does not constitute a purchase recommendation. Verify all facts on the vendor's official site. Verify on shroudcloud.com official site.
shroudcloud.com is an Unknown Cybersecurity provider. TG4G tracks its product information, an overall rating of 7.0/10, and a China-accessibility score of Workable. Click "Visit Official Site" to reach shroudcloud.com directly.