Pwned Labs Microsoft Cloud Attack & Defense Bootcamp - Expert Edition
Leave with repeatable Microsoft Cloud attack-chain tradecraft and your own validated detections and response playbooks.
- Replay advanced attacks across Entra ID, Azure, Microsoft 365, Intune, and hybrid environments
- Live 4-day program (8 hours/day) + 365 days lab access + 1 MCRTE exam attempt included
- Build and validate KQL rules and Incident Response runbooks at each stage of the chain
Ideal for: Senior practitioners in cloud red teaming, detection engineering, purple teaming, incident response, and threat hunting, and security architects working hands-on in Microsoft cloud environments.
Designed for modern identity-driven Microsoft Cloud environments
May 25–28, 2026 | 12pm–9pm ET | $7,000 USD | Limited cohort size
Choosing between Professional and Expert Edition?
If you want a broader foundation, MCRTP (Professional Edition) is the recommended starting point. If you want advanced, end-to-end Microsoft Cloud attack chains and detection engineering across the full kill chain, this Expert Edition is for you.
Pwned Labs Microsoft Cloud Attack & Defense Bootcamp - Expert Edition Overview
Master the full Microsoft Cloud attack surface
This intensive 4-day, instructor-led program (8 hours per day) gives practitioners deep, hands-on experience executing real-world attack chains across Entra ID, Azure, Microsoft 365, Intune, workload identities, and hybrid environments. Participants then create and validate detections and response playbooks at each stage of the attack chain.
The curriculum combines offensive cloud techniques with detection engineering, illustrating real-world multi-stage exploitation scenarios that reflect modern adversary behavior in Microsoft Cloud and hybrid environments.
Upon completing the training program, practitioners are prepared to demonstrate their capability in the exam environment. This fully hands-on, scenario-based assessment requires leveraging Entra ID, Azure, Intune, Microsoft 365 applications and Active Directory in a complete exploitation path. Your program registration includes one MCRTE certification exam attempt.
The exam environment evolves gradually over time through periodic rotation of flags and scenario variants. These updates are introduced between cohorts to keep the assessment fresh and aligned with current attack chains, while ensuring the environment remains stable, predictable, and unchanged for each candidate’s exam attempt.
A few days before the bootcamp begins, you’ll receive an optional prep pack to align tools and baseline concepts ahead of day 1.
Program access and delivery model
This Expert Edition training program is delivered live and instructor-led in focused cohorts.
Public access for individual practitioners is limited to two cohorts per year.
Outside of these public cohorts, the MCRTE program is delivered primarily as a private engagement for organizations building or maturing internal Microsoft Cloud red team and detection engineering capability.
Procurement options include online purchase, invoicing, and bank transfer. Vendor onboarding documentation and attendee substitution are supported. Commercial terms are provided at time of booking.
Prerequisites and learning outcomes
This program is designed for security professionals, including offensive, defensive, and cloud practitioners who want to deepen their capability with advanced Microsoft Cloud attack and defense tradecraft. Earning the Pwned Labs Microsoft Cloud Red Team Professional (MCRTP) certification provides excellent preparation for this expert-level training, but it is not required.
Practitioners who complete the 4-day program leave with repeatable attack-chain workflows and the detections and response playbooks to defend each step. Passing the exam to earn the MCRTE certification demonstrates proficiency in the following areas:
- Understand advanced Entra ID, Azure, Microsoft 365, Intune, Microsoft Graph and hybrid attack surfaces
- Execute modern initial access methods including single-factor and MFA phishing, browser injection, and ESTS cookie abuse
- Perform token theft, exchange and upgrade attacks across Entra ID, Azure Resource Manager, and Microsoft 365
- Leverage PRT, WHfB, FoCI, NAA, and device-based tokens for stealthy lateral movement
- Conduct hybrid attack chains spanning multiple Entra ID tenants, Azure, and on-prem AD domains
- Compromise workload identities and service principals, including app-role infiltration and app-layer takeover
- Deliver cloud implants through Intune, App Service, Function Apps, Azure Arc and hybrid connections
- Identify and exploit misconfigurations in conditional access, PIM, MFA enforcement, and workload identity policies
- Gather identity and asset data with SharpHound and AzureHound and ingest it into BloodHound to map hybrid attack paths and escalation routes
- Apply tradecraft to real workload targets, including Azure SQL, Storage, AKS, Data Factory, Cosmos DB, and Private Endpoints
- Demonstrate end-to-end OPSEC during offensive operations, including telemetry suppression, evasion and noise reduction
Defender-Focused Outcomes
- Assess and improve Microsoft Cloud security posture using Maester, Defender for Cloud, and identity hardening techniques
- Configure and tune Microsoft Defender XDR components, including Endpoint, Identity, Microsoft 365, Cloud Apps, and workload protections
- Design and enforce Conditional Access and identity protections to disrupt real Entra ID attack paths
- Harden Microsoft Entra applications and service principals
- Integrate Defender XDR and Microsoft Sentinel into a unified detection and response workflow, including investigation and containment playbooks
- Build, validate, and tune Microsoft Sentinel detections by replaying the real attack tradecraft used earlier in the program
- Navigate the Microsoft Graph API permission schema and consent model
- Apply detection engineering fundamentals, including tuning, validation, and introduction to detection-as-code concepts
- Deepen your understanding of Microsoft Cloud access tokens
Supplementary modules
In addition to the live, instructor-led training, practitioners gain access to a set of advanced supplementary modules that further expand the training experience across the Microsoft Cloud attack surface and adversarial tradecraft.
If you are a penetration tester, red team operator, cloud security professional, or defender working in Azure or Microsoft 365, this guided expert training and its supplementary modules extend your capability beyond the core skills and into advanced red team tradecraft and detection engineering.
- AzureHound evasion techniques
- Evasion and telemetry suppression against Microsoft Defender
- C2 infrastructure design and deployment
- Phishing infrastructure within the Microsoft Cloud
- Malicious OAuth App for Token Harvesting
More information about the program, modules, and MCRTE exam can be found on the FAQs page.
End-to-end tradecraft and attack chains
The Pwned Labs Microsoft Cloud Attack & Defense Bootcamp – Expert Edition focuses on end-to-end tradecraft and complete attack chains used by modern red teams and threat actors across Azure, Entra ID, Microsoft 365, Intune, and hybrid environments.
Rather than isolated techniques, the program emphasizes full exploitation paths across identity, infrastructure, and cloud workloads, mirroring the complexity and sequencing encountered during real-world engagements.
- Identify, replicate, and detect advanced tradecraft used in recent Microsoft Cloud intrusions and campaigns
- Explore multiple attack paths, pivot methods, and hybrid exploitation techniques across cloud and on-prem
- Create and validate detections and response playbooks, then evict threats, disrupt footholds, and rotate or reset compromised credentials
Meet the expert team
This Expert Edition program is delivered live by the MCRTE instructor team, with structured interaction and guided discussion throughout the program.
Ian Austin is a security researcher and educator with a career spanning over 20 years in technical, security and leadership roles for global enterprises.
Ian was Head of Content at Hack The Box, a leading online platform for cybersecurity training and assessment. He also participated in the Green Team of Locked Shields, a NATO cyber defense exercise, contributing to the design and execution of realistic scenarios.
He is the founder of Pwned Labs, providing gamified and immersive cloud security labs for red and blue teams.
Truls Dahlsveen is a Security Architect and Microsoft Security MVP in the SIEM and XDR category, with a background spanning system administration, networking, development, automation, and offensive security. He later transitioned fully to the defensive side, where he built a SIEM and SOAR managed service offering based on “as-code” principles for one of Europe’s largest consulting firms.
He was the first to deliver an MXDR-verified solution in Norway and is recognised as the world’s first Microsoft Sentinel Black Belt. Truls holds all available Microsoft Security Black Belts and documents much of his research and experimentation on infernux.no.
Purav Desai is a Microsoft Dual Security MVP with several years of experience working across Microsoft Security disciplines in multiple industries. He specialises in Microsoft 365 incident response and cloud-focused digital forensics, helping organisations investigate identity-driven and cloud-native threats.
Before focusing on incident response, Purav worked across security engineering roles and has remained active in the community through technical talks, knowledge-sharing, and detailed posts on modern Microsoft Cloud security challenges.
Filip Jodoin has over half a decade of experience across both red and blue cybersecurity roles, with a strong focus on cloud adversary emulation and modern Microsoft Cloud attack techniques.
Prior to focusing on offensive security, Filip worked in Azure architecture roles at Ubisoft, where he addressed complex Microsoft Cloud security challenges at enterprise scale.
Filip is the MCRTP program designer and focuses on designing and executing realistic attack simulations across Azure, Entra ID, and Microsoft 365 to evaluate detection coverage and defensive readiness.
Edrian Miranda is an Offensive Security Engineer and Wiz MVP in Cloud Security, with hands-on experience across Azure, AWS, CI/CD pipelines, Kubernetes, containerized workloads, and Active Directory environments.
He focuses on offensive cloud and hybrid attack techniques, sharing research at conferences and community meetups, and developing custom tooling to support advanced cloud security research and adversary simulation.
Through his current and previous roles, Edrian has helped organizations design, secure, and mature cloud security and application security programs across complex environments.
Program sessions (May 25–28, 2026)
The Microsoft Cloud Attack & Defense Bootcamp - Expert Edition is delivered in a focused, immersive 4-day format.
The next cohort takes place from May 25th to 28th, with full-day instructor-led sessions throughout.
The 8-hour, instructor-led live classes will take place using Zoom, with private discussion and support channels available in the Pwned Labs Discord. If Discord is restricted in your environment, contact us for an alternate comms option for your cohort or private delivery.
You’ll receive an email after purchase with all the information needed to participate, including a breakdown of each day.
Each live day runs from 12pm to 9pm Eastern Time (ET), including a 1-hour lunch break.
Session themes
- Day 1 (Monday, May 25): Attacking Entra
- Day 2 (Tuesday, May 26): Hybrid Attacks
- Day 3 (Wednesday, May 27): Attacking Azure
- Day 4 (Thursday, May 28): Detection engineering across the full kill chain
A capstone CTF is available at the end of Day 4 to bring together the core components covered throughout the program.
Purchase options
Access to the Microsoft Cloud Attack & Defense Bootcamp - Expert Edition is granted on a cohort basis. Each registration includes participation in the live, instructor-led Expert Edition training, 365 days of lab access and one attempt for the MCRTE certification exam.
Private homepage and channels access, plus the optional prep pack, begin immediately after purchase; lab access starts May 25 (live sessions run May 25-28).
Private delivery available for organizations (10+ seats).
Preferential pricing: Pwned Labs MCRTP alumni and Enterprise customers receive 50% off MCRTE program registration.
Ask your employer to fund MCRTE
Need approval for training spend? Use the ready-made business case below to justify MCRTE for your team.
Business outcomes:
- Validate and remove real attack paths across Entra ID, Azure, and Microsoft 365
- Improve detection coverage and response readiness for identity-driven attacks
- Deliver tuned detections and response playbooks for Microsoft Defender XDR and Sentinel
- Standardize repeatable investigation and containment workflows the team can operationalize
- Share reusable detections and playbooks to uplift team-wide capability
Payment options: pay by invoice or card. Private delivery available.

