Certified Azure Red Team Expert (CARTE) Review
Introduction
The Certified Azure Red Team Expert is a penetration testing/red teaming certification and course provided by Altered Security, which is known in the industry for providing great courses and bootcamps.
In this review, I take the time to talk about my experience with this certification, the pros, and cons of enrolling in the course, my thoughts after taking and passing the exam, and a few tips and tricks.
Pros
- At a starting price of $449 USD, it provides great value for your money, especially in the cloud-based pentesting world.
- In terms of advanced Azure/Entra ID Active Directory courses, due to the complexity and cost involved in setting up practice labs, this will be the best way to get some hands-on experience.
- As always the Altered Security support team is amazing. They were always very quick to reply to any issue or question I had. Keep in mind their support team is based in India, so try to get in touch with them between 8am-10pm GMT+5:30, although they often did reply to my queries outside of those hours.
- The teacher for the course is Keanu Nys, who is a very well known pentester/red teamer, and the creator of GraphSpy.
- The course not only shows the attacks themselves, but also ways that you can automate them or make them more OPSEC-safe.
- For almost every technique and attack used throughout the course, a mitigation/remediation strategy is provided in the course which is something that is often overlooked in penetration testing courses.
- The security tools offered by Microsoft to help protect Azure Cloud are explained in detail throughout the course, which is invaluable knowledge for red teamers.
- The content of the course, which you have lifetime access to, often gets updated with new content or additional commands.
Cons
- Altered Security still isn’t as recognized as other providers such as Offensive Security, so the certification won’t look as shiny on your resume.
- While it’s great to have a cloud environment to practice Azure AD pentesting on, I wish the course came with a CTF or simulated exam environment that students could practice on prior to sitting the exam. At the time when I took the course, the environment used to walk through the lab material was the only one available to practice.
- Some of the techniques and commands shown during the course may not work as well in the student VM provided, and due to the shared nature of the course and CTF cloud environments, these would sometimes have issues due to other students accidentally breaking them. I was stuck for a few hours on a few exercises because of this, but the support team was very quick to help.
- The flag system it uses follows the course material, meaning it can be completed by using all of the commands prior to the exercise. I personally would have appreciated it if there were flags to capture that simulated an entire environment (in order to give students an idea of what the exam is like) rather than one-off tasks.
- The course does not cover Azure basics, which for some may be a negative, but to me this is totally fair to avoid bloating the course content with repeated material from their CARTP course.
Background
I have been wanting to improve my Azure pentesting skills for a while, and after dealing with the beast that OSWE is I felt like I was finally ready. I had already passed the CARTP exam a few years ago and since then I had gained some more cloud pentesting experience, however I felt like I still wanted to learn more.
It is recommended to tackle the CARTP course and exam before diving into CARTE, however if you are already quite experienced with Azure and Entra ID pentesting you may be able to jump straight into it. Additionally, knowledge of PowerShell can also help greatly although it isn’t necessary at all.
The Course

The course provides both videos and PDF slides to follow along (with a web-style lab manual). The content walks through various advanced enumeration, exploitation, lateral movement, privilege escalation, and persistence techniques that can be used in an Azure Active Directory environment.
Unlike the CARTP course, basic enumeration techniques are not covered, which is something I personally liked. When I did the CRTE course, I found that there was a lot of repetition from the CRTP content that shouldn’t really be part of an advanced course. Instead, CARTE focuses on more advanced attacks and concepts, while still developing on top of the foundation that CARTP built.
The material is very easy to follow, and all of the commands and techniques are very well explained by the instructor, not only explaining the command itself but how it works under the hood. This also helped me understand all of the different ways that Microsoft has designed to interact with Azure and Entra ID services.
The following are some of the techniques taught throughout the course:
- Manual and Dynamic Device Code Phishing.
- Family of Client IDs (FOCI).
- Evading MFA.
- JWT Assertion.
- Attribute-based Access Control (ABAC).
- Application permissions.
- Authentication Strength and Conditional Access.
- Temporary Access Pass (TAP).
- Privileged Identity Management (PIM) role assignments.
- Mutable claims in applications.
- Logic apps.
- Hybrid identity and Cloud Sync.
- GitHub Actions and Components.
- Automation Accounts.
- Microsoft Entra Kerberos and Azure File Shares.
- Illicit Consent Grant.
- Session Cookie Replay.
- Cloud Service Providers and Partners in Azure.
- Azure Arc.
- SQL Servers and Azure SQL Database.
- SAML SSO in Entra ID.
- Cloud to on-prem lateral movement.
- Cross-tenant attacks.
Throughout the course, at the end of each section, there will be learning objectives that students can complete to practice the techniques taught in the course in a lab environment provided by the course, which is made of multiple Azure tenants, to be able to replicate all of the necessary attacks. While I did have some issues while running a few of the attacks due to automation not working or configuration changes, the support was always available for any help.
The structure of the course material is different to that of other courses: instead of standalone sections and topics, there are four entire kill chains starting from unauthenticated access, where students have to compromise various resources and complete all learning objectives.
Throughout the material, the course also teaches what information is logged and what attacks may be prevented by Microsoft’s security tooling, how to avoid raising too many alarm bells, and how to prevent most of the attacks demonstrated to secure an Azure Active Directory environment.
I really enjoyed going through the course material and completing all of the learning objectives, and most of these attacks are applicable to real-world penetration testing.
A lot of the attacks and information present in the course can also be found on HackTricks.
The Exam
The exam consists of a 48-hour hands-on assessment (an extra hour is also provided to make up for the setup time, which should take approximately 15 minutes). The environment is made up of 6 Azure resources, 1 Entra ID User and 2 Enterprise Applications which are spread across two tenants. You get access to a VM and that VM doesn’t count as a valid target. The goal of the exam lab is to compromise all the resources and capture the final flag.
After the exam has ended, an additional 48 hours are provided to write up a detailed report, which should contain a complete walkthrough with all of the steps performed, as well as practical recommendations. The entire lab can be reverted, which will bring it back to its initial state.
The initial machine does not come with any tools, so you will need to transfer those. I personally did not need to transfer any tools; however, I did have to install all of the Microsoft CLI tools, which took quite some time. Be careful if you are installing other tools that use Az PowerShell or other libraries as part of their dependencies, as these may create conflicts.
Unlike Offensive Security exams, it is not proctored and you do not need to let anyone know if you are taking a break.
I started my exam on the 3rd of April 2026 at about 11 am Sydney time, and despite some initial roadblocks with the tooling I was using, within the first hour or two I had initial access in the tenant.
At around 1 pm I took a break for some lunch and a walk outside. After coming back, I fairly quickly noticed something interesting and proceeded to go down a rabbit hole for a few hours. I even contacted the support team thinking something was wrong with the lab, but after coming back and doing a bit more enumeration the path forward was clear.
After compromising the next resource and further enumerating the tenant I was not quite sure how to proceed, as there didn’t seem to be a clear attack path. After trying several attack vectors and staying up until 2 am or so I decided to finally go to bed for some well deserved rest.
I couldn’t really get any quality sleep as I kept thinking about the exam and why I was so stuck, however in the morning after a coffee I was back at it. I was again stuck for the majority of the day, but after some more enumeration using a different approach, I finally found the information I was missing which allowed me to progress further.
Although it was already 7 pm and I was mentally exhausted, I knew I was only a couple of steps away from the final flag. The next two attacks were fairly straightforward but involved a little extra research as they weren’t covered in the same exact way in the course. At around 10 pm I had finally found the flag, and after making sure I had all of my notes I collapsed into bed.
The morning after I started writing up the report which only took me about three hours to complete since I already had very detailed notes, and ended up being 24 pages. I simply added an executive summary at the beginning which included overall background, results, and recommendations, as well as detailed information about each step and remediation strategies for each vulnerability that was identified.
If you are worried about being able to pass the exam, make sure you understand all of the concepts explained in the course and you are able to execute the attacks with little to no assistance. While some parts may not be covered exactly the same in the course, with a bit of creativity and research they can be overcome without too much trouble.
If you are like me and tend to get stuck in rabbit holes, try to take a step back, go for a walk and think about your current strategies and some alternative approaches you may need to take instead.
While the use of AI tools is allowed, and they can be very useful to debug errors and help with enumeration, they can often confuse you and send you down even bigger rabbit holes without realising it, so use these with extreme caution and only when you actually understand what you are asking them and what they are suggesting you do.
After finishing the report I sent it to the email address specified in the portal, received a response almost immediately letting me know it was being reviewed, and within about 3 working days I received the following email:

I also received the digital for it on Accredible a couple of days later.
Conclusion
I thoroughly enjoyed this course, and I was especially satisfied with the exam experience, which I found to be tough but fair. If only I hadn’t lost so much time and energy on side-quests, it would have been perfect. I learned a lot of new techniques and I now feel a lot more knowledgeable and confident when it comes to Azure and Entra ID.



