
Certified Cloud Pentesting eXpert - Azure
(CCPenX-Az)
The Certified Cloud Pentesting eXpert-Azure (CCPenX-Az) is an expert-level exam designed to test a candidate’s understanding of Microsoft Azure cloud security by simulating a complete attack chain in a real-world scenario in an Azure cloud environment.
Note: The exam details will be sent to you on/before 30th July 2025.
- Practical
- 7 Hours
- Online
- On-demand
- Real world pentesting scenarios
£400
Who should take this exam?
The Certified Cloud Pentesting eXpert (CCPenX-Az) exam is designed for security professionals, including cloud security engineers, security analysts, penetration testers, red team members, and individuals with a strong interest in cloud security. This exam evaluates candidates’ in-depth knowledge of cloud security exploitation and their ability to demonstrate expertise in this field.
What is the format of the exam?
This will be a practical CTF-style exam lasting 7 hours. It can be taken online, anytime (on-demand) and from anywhere. The exam will cover a variety of questions to test candidates’ ability to identify and exploit various vulnerabilities in the Azure cloud environment. Candidates will need to connect to the exam VPN server to access the exam environment.
What is the pass criteria for the exam?
The pass criteria are as follows:
- Candidates scoring over 60% marks will be deemed to have successfully passed the exam.
- Candidates scoring over 75% marks will be deemed to have passed with merit.
What is the experience needed to take the exam?
This expert-level exam is designed to assess and validate a candidate’s proficiency in performing penetration testing within Azure cloud environments. It spans a broad range of topics focused on cloud security exploitation, with a strong emphasis on Azure resources and Entra ID (Azure AD) identity and access management. Candidates are expected to demonstrate deep expertise in identifying and exploiting cloud misconfigurations, abusing overly permissive roles and privileges, and leveraging access to Azure resources to escalate privileges, move laterally, and gain control over the cloud environment.
Note: It is recommended that candidates should have at least 5 years of professional pentesting experience and at least 12 months of cloud security experience to take this exam.
What will the candidates get?
On completing the exam, each candidate will receive:
- A certificate with their pass/fail and merit status.
- The certificate will contain a code/QR link, which can be used by anyone to validate the certificate.
What is the exam retake policy?
Candidates who fail the exam are allowed 1 free retake, included in the exam fee.
What are the benefits of this exam?
The exam will allow candidates to demonstrate their understanding of Azure Cloud Security. This will help them advance in their career.
How long is the certificate valid for?
The certificate does not have an expiration date. However, the passing certificate will mention the details of the exam, such as the exam version and the date. As the exam is updated over time, candidates should retake the newer version of the exam at their convenience.
Will you provide any training that can be taken before the exam?
Being an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Candidates should carefully review each topic listed in the syllabus and ensure they have an adequate understanding, the required experience, and the necessary practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exams.
Learning Resources
Exam Syllabus
Enumeration & Reconnaissance
- Azure DNS and Subdomain Enumeration
- IP and Host Discovery
- Azure Portal and Management Endpoint Enumeration
- Enumerating Entra ID (formerly Azure AD) Tenants
- Enumerating Azure Applications and Enterprise Apps
- Identifying Azure-hosted Web Services
- Discovering Azure Resource Endpoints
- Detecting Azure Hybrid Identity (AAD Connect) Artifacts
- Identifying Publicly Accessible Resources (Blob URLs, App Services, APIs)
- Crawling Azure-hosted Applications for Metadata and Endpoints
Identity and Access Management (IAM)
- Enumerating Entra ID Users, Groups, and Roles
- Abusing Entra ID Roles (e.g., Helpdesk Admin, Application Admin, Privileged Auth Admin)
- Misuse of Self-Service Group Management Features
- Discovering and Analyzing Role Assignments and Privileged Access
- Identifying Conditional Access and MFA Configurations
- Bypassing MFA via Token Replay or Role Misuse
- Discovering Federated Identities and External Collaborations
- Misconfigured App Registrations and API Permissions
- Azure AD Token Abuse: Refresh, Access, and ID Tokens
Azure Resource Misconfigurations
- Misconfigured Storage Accounts (Blob, File, Queue, Table)
- Publicly Accessible Azure Key Vaults
- Insecure Logic Apps and Function Apps
- Azure App Service Misconfigurations (Kudu, SCM)
- Azure Automation Account Abuses
- Secrets in VM Custom Script Extensions or ARM Templates
- Exploiting Azure Managed Identities (System/User Assigned)
- Accessing Misconfigured Cosmos DB, SQL Database, or Redis
- Network Security Group (NSG) and Firewall Misconfigurations
- Abusing Azure Resource Graph and Azure CLI for Recon
- Exposed Diagnostic Logs and Monitoring Data
Vulnerability Identification
- Identifying Vulnerable Web Applications in Azure Context
- Misconfigured API Management and Application Gateways
- Detecting SSRF, RCE, IDOR, and Insecure Deserialization in Azure Apps
- Overprivileged Apps via OAuth and Microsoft Graph
- Analyzing Azure RBAC via Resource Graph for Misconfigurations
- Abuse of Azure Arc or Azure Bastion
- Exploiting Weaknesses in Azure DevOps and CI/CD Pipelines
Exploitation Techniques
- Stealing and Reusing Azure Access/Refresh Tokens
- Token Theft via Azure API Proxies or Misconfigured Apps
- Extracting Secrets from Azure Key Vaults and App Configs
- Abuse of Instance Metadata Services (IMDSv1/2)
- Lateral Movement via Exposed Credentials or Misconfigured Roles
- Elevating Privileges via Chained Azure Role Assignments
- Pivoting through Function Apps, Logic Apps, and Automation Accounts
- Leveraging Run Command on Virtual Machines
- Abusing Microsoft Defender for Cloud Permissions
- Persistence Techniques using App Registrations, Roles, or Service Principals