
GCP Detect gcploit framework

Splunk Security Content

Summary
This analytic detects use of the GCPloit exploitation framework in a Google Cloud Platform (GCP) environment by analyzing GCP Pub/Sub messages. The key indicator is a function request whose timeout is set to exactly 539 seconds. Recognizing this behavior matters because GCPloit can be used to escalate privileges and move laterally from a compromised high-privilege account. If a hit is confirmed as malicious, it indicates unauthorized access that could let an attacker reach sensitive data and resources in the affected projects. The detection is a search that filters GCP Pub/Sub messages for function requests carrying the 539-second timeout. Because legitimate deployments can occasionally use the same timeout value, treat a match as a lead rather than a verdict: review the source user (the requesting principal) and the target accounts the function is deployed to run as, and look for unusual patterns such as one principal deploying functions under several different service accounts in a short window.
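The filter-and-triage logic described above, written here as an added Python example; it is not part of the Splunk Security Content detection itself. The Pub/Sub payload layout (protoPayload.methodName, authenticationInfo.principalEmail, request.function.timeout and request.function.serviceAccountEmail) is an assumption modelled on Cloud Functions audit-log entries, the messages are constructed for the example, and the 539-second threshold is the one the analytic uses.

```python
import json
import re
from collections import defaultdict

# Timeout value the analytic treats as the GCPloit indicator.
GCPLOIT_TIMEOUT_SECONDS = 539

# Constructed sample Pub/Sub messages. The field layout is an assumption
# modelled on Cloud Functions audit-log entries, not data from the page.
SAMPLE_MESSAGES = [
    # Ordinary deployment with a 60s timeout: should not match.
    json.dumps({"protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
        "authenticationInfo": {"principalEmail": "ci-bot@example.com"},
        "request": {"function": {
            "name": "projects/demo/locations/us-central1/functions/nightly-job",
            "serviceAccountEmail": "nightly@demo.iam.gserviceaccount.com",
            "timeout": "60s"}}}}),
    # Suspicious: 539s timeout, function deployed to run as service account A.
    json.dumps({"protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
        "authenticationInfo": {"principalEmail": "dev-user@example.com"},
        "request": {"function": {
            "name": "projects/demo/locations/us-central1/functions/tmp-fn-1",
            "serviceAccountEmail": "sa-a@demo.iam.gserviceaccount.com",
            "timeout": "539s"}}}}),
    # Suspicious: same principal, 539s timeout, now targeting service account B.
    json.dumps({"protoPayload": {
        "methodName": "google.cloud.functions.v1.CloudFunctionsService.UpdateFunction",
        "authenticationInfo": {"principalEmail": "dev-user@example.com"},
        "request": {"function": {
            "name": "projects/demo/locations/us-central1/functions/tmp-fn-2",
            "serviceAccountEmail": "sa-b@demo.iam.gserviceaccount.com",
            "timeout": "539s"}}}}),
    # Malformed message: must be skipped, not crash the pipeline.
    "{not valid json",
]


def parse_timeout(value):
    """Normalise a timeout field to integer seconds.

    Accepts '539s', '539', 539 or 539.0; returns None for anything else so a
    comparison against the threshold can never accidentally succeed.
    """
    if value is None:
        return None
    if isinstance(value, (int, float)):
        return int(value)
    match = re.fullmatch(r"\s*(\d+)(?:\.\d+)?\s*s?\s*", str(value))
    return int(match.group(1)) if match else None


def extract_event(raw):
    """Pull the fields the triage needs out of one raw Pub/Sub message."""
    msg = json.loads(raw)
    payload = msg.get("protoPayload", {})
    function = payload.get("request", {}).get("function", {})
    return {
        "method": payload.get("methodName"),
        "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
        "function": function.get("name"),
        "target_sa": function.get("serviceAccountEmail"),
        "timeout_s": parse_timeout(function.get("timeout")),
    }


def detect_gcploit(messages):
    """Return the events whose function request carries the 539s timeout."""
    hits = []
    for raw in messages:
        try:
            event = extract_event(raw)
        except (json.JSONDecodeError, AttributeError, TypeError):
            continue  # skip malformed or unexpectedly shaped messages
        if event["timeout_s"] == GCPLOIT_TIMEOUT_SECONDS:
            hits.append(event)
    return hits


def summarize_by_actor(hits):
    """Group hits by requesting principal -> sorted list of target service accounts.

    One principal deploying under several service accounts is the pattern
    worth escalating; a single legitimate function with a 539s timeout is not.
    """
    summary = defaultdict(set)
    for hit in hits:
        summary[hit["actor"]].add(hit["target_sa"])
    return {actor: sorted(targets) for actor, targets in summary.items()}


if __name__ == "__main__":
    found = detect_gcploit(SAMPLE_MESSAGES)
    for actor, targets in summarize_by_actor(found).items():
        print(f"{actor}: {len(targets)} target service account(s): {', '.join(targets)}")
```

The timeout is normalised before comparison because the value may arrive as a string with a unit suffix or as a bare number depending on how the message was produced; a naive string match on "539s" would miss the latter, while a loose substring match on "539" would also fire on "1539s".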
Categories
  • Cloud
  • GCP
Data Sources
ATT&CK Techniques
  • T1078 (Valid Accounts)
Created: 2024-11-14