Serverless architecture presents new security challenges. Some are the same as those we know from traditional application development, but some take a new form. Both developers and attackers must start thinking differently to gain the upper hand. Damn Vulnerable Serverless Application (DVSA) is a deliberately vulnerable, open-source tool that aims to help security professionals test their skills and tools in a legal environment. In this talk, I will cover common attack vectors that have changed from what we were used to. After this talk, you should be able to deploy your own vulnerable app and have the basic skills to gain your serverless pen-testing advantage.