On my journey to learn how to test Azure cloud environments, I realized that a comprehensive understanding of Red Teaming was also an essential skill to effectively assess and identify vulnerabilities, misconfigurations and weaknesses.

In search of practical labs to learn and practice my red teaming skills, I stumbled upon Pwned Labs, a platform that offers a wide range of cutting-edge cloud-based labs for hands-on practice. The platform was founded by Ian Austin, a seasoned security researcher with over 20 years of experience. He has an impressive technical background, from systems administration to participating in the prestigious NATO-sponsored event, Locked Shields cyber defense exercise. This would explain his “purple” focus, with emphasis on both red and blue team capabilities. He has fulfilled the roles of System Administrator, Security Engineer, Penetration Tester, Security Researcher and was head of content and innovation at Hack The Box, which really caught my eye. Moreover, he has a background in psychology which rounds off a pretty nice knowledge cocktail for an instructor if you ask me.

During my exploration of the Pwned Labs platform, I came across an advertisement for their upcoming Microsoft Cloud Attack and Defense Bootcamp — a live 4-week-long, instructor-led bootcamp with a structured learning path designed to equip participants with the knowledge and skills necessary to conduct red team assessments of Azure environments.

Given the value being proposed, I was surprised by the relatively low cost of the bootcamp compared to other similar offerings on the market, so I decided to take this opportunity and enroll in the bootcamp.

Exam Certificate

Bootcamp Certificate

What is MCRTP?

The Microsoft Cloud Red Team Professional is a certification offered by Pwned Labs designed to validate your ability to perform a red teaming assessment over a Microsoft Azure cloud environment. To prove your skills you’ll need to pass their 24h exam by assessing and identifying security weaknesses and misconfigurations in a lab environment and capture a flag.

To prepare you for the exam, Pwned Labs has created a comprehensive 4-week bootcamp with a hands-on structured path.

You’ll learn:

  • Key Azure, Entra ID and Microsoft Graph concepts
  • Leveraging Azure resources and features to gain initial access and move laterally
  • Modern phishing techniques to gain initial access
  • Lateral movement with token abuse
  • Using Office/Microsoft 365 to find sensitive data
  • Enumerating and Exploiting Conditional Access Policy and MFA enablement gaps
  • Lateral Movement from On-Prem AD to Azure and vice-versa
  • Detecting threats with Microsoft Sentinel

Pricing & Material

The bootcamp comes at $349. It includes the bootcamp materials, lifetime access to the bootcamp content — let me repeat that, lifetime access — where you can explore multiple azure resources, 45 day access to Pwned Labs premium lab access, and not 1 but 2 certification exam attempt vouchers.

The bootcamp materials include:

  • 4 Live Sessions led by Ian himself.
  • Video recordings of the zoom sessions that you can watch and review on your own time.
  • Slides used in the sessions.
  • Pwned Labs premium labs that include detailed and comprehensive write-ups.
  • Access to a private Discord Channel where you can interact with the community.

Bootcamp Review

Ian starts the bootcamp by providing a general Microsoft Cloud overview, explaining simple concepts. He then goes through the topics programmed for the session, explaining how the Azure resources work and demonstrating real world and trending threat actor techniques. After that, participants engage in a hands-on challenge, applying the learned techniques in the bootcamp lab. Finally, the solution to the challenge is demonstrated live and Ian discusses how the exploited vulnerabilities could be mitigated. This iterative process repeats for 2 to 3 times per zoom session. At the end of each session there is a Q&A section where we can ask and discuss questions that arise from the structured learning path labs and from the the bootcamp session.

I personally really liked this approach, as I like to learn hands-on and this kept the 4h zoom sessions dynamic and engaging.
The first session was a bit turbulent as everybody in the zoom call had permissions to unmute themselves. As expected, Ian got bombarded with non-relevant questions. This was addressed promptly and the following sessions were way smoother with small Q&A sections after each topic.

In my opinion this is not an entry-level course. You’ll be better off if you complete some introductory pentesting certifications before attempting this one. You should have intermediate level knowledge in Webapp, Active Directory and Cloud pentesting.

As an internal penetration tester, the defending sections for each topic were of special interest to me. As I want to be as useful as possible to developers and systems administrators when mitigating vulnerabilities.

Labs

The structured learning path is divided in 4 weeks, one deditcated to each session. In these learning paths you’ll find the labs from Pwned Labs — free and premium tier — carefully organized for each bootcamp topic. You also get reading recommendations for blog posts written by the Pwned Labs research team.

The lab environments contain pretty much every azure resource that you can think of. The Entra Id directory is particularly well-designed, with roles and permissions that are logical and intuitive.
The write-ups for the challenges will include explanations on how to use the tools in exploitation process — I learned about 30 Azure related tools, for windows and linux.

Honestly, these are probably the best labs that I’ve experienced and I’ve tested quite a bunch of them, from certifications to CTF platforms and even home hosted labs. I didn’t encounter a single stability issue while using the labs. Which means that I could fully focus on learning the materials, test and troubleshoot the tools that were being used. I encourage you to give them a try, as majority of them are free. You can test the labs for yourself and read the write-ups.

Exam

The exam consists of a 24 hour challenge in which you are tasked with simulating a real-world attack on a mock company’s Azure environment to uncover vulnerabilities before malicious actors do. In this Red Team assessment you get a “leg up” (assumed breach) and the objective is to find what resources you can access and if it’s possible to capitalize on these security flaws to move laterally, get access to sensitive information and compromise more resources.

The exam is completely self-contained, no phishing or external resources are needed. It’s not proctored, and at the end you only need to submit a single flag to prove your skills, with no written report or additional documentation needed.

I personally had quite a bit of trouble with this exam, but some of it was self imposed 😅. It took me 14h straight hours to find the final flag, I had to go through a lot of enumeration to find the chain attacks.
It was quite impressive to me how the exam was designed. The challenges are made in a way that you have to stack your knowledge to solve a single task. There was a lot of creativity involved in the development of the exam lab and at the end you really feel like you proved your newly acquired skills.

Conclusion

I really enjoyed this certification. It was fun, interesting, refreshing and challenging. I’m glad I enrolled in the bootcamp, as this format forced me to work extra hard. I tried to complete every challenge programmed for each week before every session. That means pretty much all my free time was allocated to this objective. It’s intense, but I find that I learn the most when I really immerse myself in a subject for a period of time.

I hate this marketing cliché, but I’m going to have to say it, this certification is really “To security professionals by security professionals”. It has everything that you would look for in a good certification. Well designed and stable labs, comprehensive materials, a structured learning path and a lot of support. The community in Discord is active and engaging, it’s a great space to share ideas and learn from others. The exam is challenging yet fair, you have 2 exam attempt vouchers. This demonstrates to me that they have a genuine interest in your learning success, rather than seeking to profit from possible failures. There’s no intrusive proctoring process or requirement for a written report — a refreshing change from the usual process.

The best part was the Discord channel. It was awesome to be able to freely ask questions there, participate in discussions with experienced people and try to help the other participants with any issues that we faced.
It’s worth mentioning that Ian was there the whole time providing lightning fast support to anyone that encountered issues. He’s incredibly humble and understanding, and went so far as to include some of my contributions from the Discord channel in the official lab write-ups, which I think really demonstrates his genuine commitment to sharing knowledge.

If you are looking to take you Azure Red Teaming skills to the next level, I would strongly encourage you to hop on the next bootcamp.

You can get it from here.