Pwned Labs Microsoft Cloud Attack & Defense Bootcamp - Expert Edition

Leave with repeatable Microsoft Cloud attack-chain tradecraft and your own validated detections and response playbooks.

  • Live 4-day program (8 hours/day) + recordings + 365 days lab access + 1 MCRTE exam attempt
  • Replay advanced attacks across Entra ID, Azure, Microsoft 365, Intune, and hybrid environments
  • Build and validate KQL rules and Incident Response runbooks at each stage of the chain


    Ideal for: Senior practitioners in cloud red teaming, detection engineering, purple teaming, incident response, and threat hunting, and security architects working hands-on in Microsoft cloud environments.


Designed for modern identity-driven Microsoft Cloud environments

 

May 25–28, 2026 | 12pm–9pm ET | $4,000 USD | Limited cohort size
MCRTP alumni and Enterprise customers receive a $500 discount, bringing registration to $3500.



Choosing between Professional and Expert Edition?



If you want a broader foundation, MCRTP (Professional Edition) is the recommended starting point. If you want advanced, end-to-end Microsoft Cloud attack chains and detection engineering across the full kill chain, this Expert Edition is for you.

Pwned Labs Microsoft Cloud Attack & Defense Bootcamp - Expert Edition Overview


Master the full Microsoft Cloud attack surface

This intensive 4-day, instructor-led program (8 hours per day) gives practitioners deep, hands-on experience executing real-world attack chains across Entra ID, Azure, Microsoft 365, Intune, workload identities, and hybrid environments. Participants then create and validate detections and response playbooks at each stage of the attack chain.

The curriculum combines offensive cloud techniques with detection engineering, illustrating real-world multi-stage exploitation scenarios that reflect modern adversary behavior in Microsoft Cloud and hybrid environments.

Upon completing the training program, practitioners are prepared to demonstrate their capability in the exam environment. This fully hands-on, scenario-based assessment requires leveraging Entra ID, Azure, Intune, Microsoft 365 applications and Active Directory in a complete exploitation path. Your program registration includes one MCRTE certification exam attempt.

The exam environment evolves gradually over time through periodic rotation of flags and scenario variants. These updates are introduced between cohorts to keep the assessment fresh and aligned with current attack chains, while ensuring the environment remains stable, predictable, and unchanged for each candidate’s exam attempt.

A few days before the bootcamp begins, you’ll receive an optional prep pack to align tools and baseline concepts ahead of day 1.


Program access and delivery model

This Expert Edition training program is delivered live, online, and instructor-led in focused cohorts.

Sessions are recorded. Registered participants receive access to recordings for the duration of their lab access period.

Public access for individual practitioners is limited to two cohorts per year. Outside of these public cohorts, the MCRTE program is delivered primarily as a private engagement for organizations building or maturing internal Microsoft Cloud red team and detection engineering capability.

Procurement options include online purchase, invoicing, and bank transfer. Vendor onboarding documentation and attendee substitution are supported. Commercial terms are provided at time of booking.


Prerequisites and learning outcomes

This program is designed for security professionals, including offensive, defensive, and cloud practitioners who want to deepen their capability with advanced Microsoft Cloud attack and defense tradecraft. Earning the Pwned Labs Microsoft Cloud Red Team Professional (MCRTP) certification provides excellent preparation for this expert-level training, but it is not required.

Practitioners who complete the 4-day program leave with repeatable attack-chain workflows and the detections and response playbooks to defend each step. Passing the exam to earn the MCRTE certification demonstrates proficiency in the following areas:

  • Understand advanced Entra ID, Azure, Microsoft 365, Intune, Microsoft Graph and hybrid attack surfaces
  • Execute modern initial access methods including single-factor and MFA phishing, browser injection, and ESTS cookie abuse
  • Perform token theft, exchange and upgrade attacks across Entra ID, Azure Resource Manager, and Microsoft 365
  • Leverage PRT, WHfB, FoCI, NAA, and device-based tokens for stealthy lateral movement
  • Conduct hybrid attack chains spanning multiple Entra ID tenants, Azure, and on-prem AD domains
  • Compromise workload identities and service principals, including app-role infiltration and app-layer takeover
  • Deliver cloud implants through Intune, App Service, Function Apps, Azure Arc and hybrid connections
  • Identify and exploit misconfigurations in conditional access, PIM, MFA enforcement, and workload identity policies
  • Gather identity and asset data with SharpHound and AzureHound and ingest it into BloodHound to map hybrid attack paths and escalation routes
  • Apply tradecraft to real workload targets, including Azure SQL, Storage, AKS, Data Factory, Cosmos DB, and Private Endpoints
  • Demonstrate end-to-end OPSEC during offensive operations, including telemetry minimization, evasion techniques, and noise reduction


Defender-Focused Outcomes

  • Assess and improve Microsoft Cloud security posture using Maester, Defender for Cloud, and identity hardening techniques
  • Configure and tune Microsoft Defender XDR components, including Endpoint, Identity, Microsoft 365, Cloud Apps, and workload protections
  • Design and enforce Conditional Access and identity protections to disrupt real Entra ID attack paths
  • Harden Microsoft Entra applications and service principals
  • Integrate Defender XDR and Microsoft Sentinel into a unified detection and response workflow, including investigation and containment playbooks
  • Build, validate, and tune Microsoft Sentinel detections by replaying the real attack tradecraft used earlier in the program
  • Navigate the Microsoft Graph API permission schema and consent model
  • Apply detection engineering fundamentals, including tuning, validation, and introduction to detection-as-code concepts
  • Deepen your understanding of Microsoft Cloud access tokens

Supplementary modules

In addition to the live, instructor-led training, practitioners gain access to a set of advanced supplementary modules that further expand the training experience across the Microsoft Cloud attack surface and adversarial tradecraft.

If you are a penetration tester, red team operator, cloud security professional, or defender working in Azure or Microsoft 365, this guided expert training and its supplementary modules extend your capability beyond the core skills and into advanced red team tradecraft and detection engineering.

  • AzureHound evasion techniques
  • Evasion and telemetry suppression against Microsoft Defender
  • C2 infrastructure design and deployment
  • Phishing infrastructure within the Microsoft Cloud
  • Malicious OAuth App for Token Harvesting


More information about the program, modules, and MCRTE exam can be found on the FAQs page.


End-to-end tradecraft and attack chains

The Pwned Labs Microsoft Cloud Attack & Defense Bootcamp – Expert Edition focuses on end-to-end tradecraft and complete attack chains used by modern red teams and threat actors across Azure, Entra ID, Microsoft 365, Intune, and hybrid environments.

Rather than isolated techniques, the program emphasizes full exploitation paths across identity, infrastructure, and cloud workloads, mirroring the complexity and sequencing encountered during real-world engagements.

  • Identify, replicate, and detect advanced tradecraft used in recent Microsoft Cloud intrusions and campaigns
  • Explore multiple attack paths, pivot methods, and hybrid exploitation techniques across cloud and on-prem
  • Create and validate detections and response playbooks, then evict threats, disrupt footholds, and rotate or reset compromised credentials

Meet the expert team

This Expert Edition program is delivered live by the MCRTE instructor team, with structured interaction and guided discussion throughout the program.


Ian Austin is a security researcher and educator with a career spanning over 20 years in technical, security and leadership roles for global enterprises.

Ian was Head of Content at Hack The Box, a leading online platform for cybersecurity training and assessment. He also participated in the Green Team of Locked Shields, a NATO cyber defense exercise, contributing to the design and execution of realistic scenarios.

He is the founder of Pwned Labs, providing gamified and immersive cloud security labs for red and blue teams.


 

Mehmet Ergene is a five-time Microsoft Security MVP with over 15 years of experience in cybersecurity. His areas of focus include KQL, threat hunting, detection engineering, and data science. He is widely recognized for adapting the RITA beacon analyzer to KQL, giving defenders a powerful new way to detect beaconing activity using native Microsoft tooling.

Mehmet has also delivered standout presentations at major industry events, including the SANS DFIR Summit. He brings all of that hands-on expertise into his courses, making complex topics accessible and helping security professionals sharpen their skills in real-world detection and analysis.


 

Yasir Gilani is a seasoned security leader with 30 years of experience building security functions across financial services, government, energy, and commodities. He specialises in cloud-native security, adversarial threats, and security architecture spanning infrastructure, identity, data, AI, and APIs.

Known for combining strategic leadership with hands-on offensive security, he stays deeply embedded in engineering work alongside CISOs and senior leadership. Yasir is also a Pwned Labs contributor who built Mirage, the platform's Azure and M365 cyber range. He brings that real-world depth into his work, guiding digital transformation with a security-by-design mindset.


 

Filip Jodoin has over half a decade of experience across both red and blue cybersecurity roles, with a strong focus on cloud adversary emulation and modern Microsoft Cloud attack techniques.

Prior to focusing on offensive security, Filip worked in Azure architecture roles at Ubisoft, where he addressed complex Microsoft Cloud security challenges at enterprise scale.

Filip is the MCRTP program designer and focuses on designing and executing realistic attack simulations across Azure, Entra ID, and Microsoft 365 to evaluate detection coverage and defensive readiness.


 

Edrian Miranda is an Offensive Security Engineer and Wiz MVP in Cloud Security, with hands-on experience across Azure, AWS, CI/CD pipelines, Kubernetes, containerized workloads, and Active Directory environments.

He focuses on offensive cloud and hybrid attack techniques, sharing research at conferences and community meetups, and developing custom tooling to support advanced cloud security research and adversary simulation.

Through his current and previous roles, Edrian has helped organizations design, secure, and mature cloud security and application security programs across complex environments.


Program sessions (May 25–28, 2026)

The Microsoft Cloud Attack & Defense Bootcamp - Expert Edition is delivered in a focused, immersive 4-day format.

The next cohort takes place from May 25th to 28th, with full-day instructor-led sessions throughout.

The 8-hour, instructor-led live classes will take place using Zoom, with private discussion and support channels available in the Pwned Labs Discord. If Discord is restricted in your environment, contact us for an alternate comms option for your cohort or private delivery.

You’ll receive an email after purchase with all the information needed to participate, including a breakdown of each day.

Each live day runs from 12pm to 9pm Eastern Time (ET), including a 1-hour lunch break.

Session themes

  • Day 1 (Monday, May 25): Attacking Entra
  • Day 2 (Tuesday, May 26): Hybrid Attacks
  • Day 3 (Wednesday, May 27): Attacking Azure
  • Day 4 (Thursday, May 28): Detection engineering across the full kill chain

A capstone CTF is available at the end of Day 4 to bring together the core components covered throughout the program.

 

Purchase options


Access to the Microsoft Cloud Attack & Defense Bootcamp - Expert Edition is granted on a cohort basis. Each registration includes participation in the live, instructor-led Expert Edition training, 365 days of lab access and one attempt for the MCRTE certification exam.

Private homepage and channels access, plus the optional prep pack, begin immediately after purchase; lab access starts May 25 (live sessions run May 25-28).

Private delivery available for organizations (10+ seats).

 

Preferential pricing: MCRTP alumni and Enterprise customers receive registration at $3500, reflecting a $500 discount.

 

Ask your employer to fund MCRTE


Need approval for training spend? Use the ready-made business case below to justify MCRTE for your team.

Business outcomes:

  • Validate and remove real attack paths across Entra ID, Azure, and Microsoft 365
  • Improve detection coverage and response readiness for identity-driven attacks
  • Deliver tuned detections and response playbooks for Microsoft Defender XDR and Sentinel
  • Standardize repeatable investigation and containment workflows the team can operationalize
  • Share reusable detections and playbooks to uplift team-wide capability

Payment options: pay by invoice or card. Private delivery available.

 

Got any questions? Get in touch