There is mention about simulating in Web Security Scanner. "Web Security Scanner cross-site scripting (XSS) injection testing *simulates* an injection attack by inserting a benign test string into user-editable fields and then performing various user actions." https://cloud.google.com/security-command-center/docs/how-to-remediate-web-security-scanner-findings#xss

Titan Security Keys are a physical form of two-step verification (2SV) that provide the highest level of account security by using cryptographic signatures to verify the user and the URL of the login page.
Cryptographic Security: Titan Security Keys use a hardware-based cryptographic method to authenticate users, which is resistant to phishing attacks. This ensures that the authentication process is secure and not susceptible to being intercepted or spoofed.
URL Verification: Titan Security Keys verify the URL of the login page during the authentication process, providing an additional layer of security against phishing attempts that may try to redirect users to malicious websites.
Ease of Use: These keys are easy to use and integrate with Google's 2SV process, providing a seamless and highly secure authentication method for users.
Reference:
Titan Security Keys

Access Google Cloud Console:
Log in to the Google Cloud Console with administrative privileges.
Navigate to the "IAM & Admin" section.
Set Session Length Timeout:
Go to the "Settings" page within IAM & Admin.
Locate the "Session control" settings.
Configure the session length timeout to a shorter duration, such as 15 or 30 minutes. This ensures that user sessions expire automatically after the specified time of inactivity.
Apply and Enforce the Policy:
Save the changes and ensure the new session timeout policy is applied across all users and services.
Communicate the new policy to employees, highlighting the importance of session security and the rationale behind the change.
Additional Security Measures:
Consider implementing additional measures such as automatic screen locks and secure session management practices.
Educate employees on the importance of logging out of their sessions and securing their devices when not in use.
Reference:
Google Cloud IAM Documentation
Session Management Best Practices

"Isolate VMs using service accounts when possible" "even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instanceAdmin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped." https://cloud.google.com/solutions/best-practices-vpc-design#isolate-vms-service-accounts

When using Google Cloud's Platform-as-a-Service (PaaS) offerings like App Engine, Google manages the infrastructure, including the underlying OS, runtime, and scaling. However, securing the application code itself, such as defending against cross-site scripting (XSS) and SQL injection (SQLi) attacks, remains the responsibility of the user. This involves implementing secure coding practices, validating inputs, and employing appropriate security measures within the application.
Reference:
Google Cloud: Shared responsibility model
App Engine security