Assumed Breach is a penetration testing methodology that helps reduce the cost and complexity of an assessment by providing initial access. At an organization with a traditional on-premises network, an Assumed Breach engagement may provide to the tester Domain User credentials or a workstation joined to the network as a point of initial access. None of this makes sense for cloud-native organizations that have no traditional on-premises network and operate through a stitchwork of disparate vendors and services. Providing credentials to a typical employee account may yield no real ability to move toward a testing goal, and workstations may not even have access to production networks. This talk discusses a methodology for scoping and executing a goal-based Assumed Breach penetration test at a cloud-native organization. Offensive security professionals who come up against a wide variety of targets, as well as organizations who have invested heavily in cloud infrastructure will benefit from the discussion. The talk will work through all testing phases, from intelligence gathering to scoping the attack surface to setting up access at key points in the platform architecture. In addition to methodology, realistic technical examples will be presented. Ultimately the goal of a cloud-native Assumed Breach test remains the same as in a traditional setting, achieving a successful test by delivering impactful results that improve organizational security.