Certified Azure Red Team Expert (CARTE) Review
I couldn’t find a single blog post reviewing the Certified Azure Red Team Expert (CARTE) certification, so I decided—why not write one myself? This is my first blog post on a course review.
Introduction
I have been working as an Offensive Security Consultant for almost 2 years now. Before that, I was a lecturer, Quality Assurance Engineer, and a Security Engineer. I’ve been in the cybersecurity industry since 2020, and suffice to say I’ve done my fair share of certifications, such as CEH Master, PNPT, CRTO, CRTE, among others. As you can see, I mainly focus on Active Directory hacking and Red Teaming. So, when I came across Certified Azure Red Team Expert (CARTE) by Altered Security, it was a no-brainer.
Why did I go straight for Certified Azure Red Team Expert (CARTE) instead of Certified Azure Red Team Professional (CARTP) first? Well, because I was overconfident in my skills—but what a struggle it was to pass CARTE without taking CARTP! I’d highly recommend everyone to do CARTP first and then move on to CARTE unless you already have decent experience in Azure Red Teaming and penetration testing.
I won’t go into every detail about the course material and exam structure since that information is already available on the Altered Security website. Instead, I’ll share my personal journey and tips for anyone planning to attempt this certification.
The Journey
As I mentioned, I was overconfident and decided to jump straight into CARTE instead of taking CARTP. I bought the On-Demand version of CARTE and purchased 60 days of lab access. Before diving into the CARTE course materials, I took two free courses offered by Altered Security: Azure Penetration Testing and Azure Red Teaming. Both can be accessed from their Red Labs platform, which also has many other labs and challenges that you can practice for free. I highly recommend checking them out!
After completing the two free hands-on classes, I jumped into the CARTE course material. The shock I got was unbelievable. In the very first few minutes, Nikhil mentioned that this is an advanced course, so he wouldn’t be diving deep into the concepts or enumeration because that’s covered thoroughly in CARTP. This meant I had to be creative. Whenever Nikhil introduced a new concept, I’d ask AI (ChatGPT, Bard, etc.) to explain it in detail so I could really understand what it was and how it worked. That’s how I grasped most of the content. After watching all the videos, I went into the labs to try out the attacks myself.
Practice Lab
To access the StudentVM and carry out the attacks in the lab, you can either RDP into the VM (after connecting to the VPN) or use web-based access. I personally found the web-based option to be super quick and convenient, and overall, the lab was quite stable.
The only real challenge was that the lab environment is shared. Occasionally, other students would attack the same resources I was using, which slowed my progress because I had to revert resources to their original state before trying again. Still, it was a great learning experience. I learned a lot about attacking Azure resources and moving from Entra ID (Azure AD) to on-prem AD.
Extra Resources
After finishing the course material and practice labs, I wanted to deepen my understanding, so I watched various videos, including:
- EDITED EDITION — Getting Started in Pentesting The Cloud – Azure | Beau Bullock | 1-Hour
- How to Find MFA Bypasses in Conditional Access Policies
- I Hacked The Cloud: Azure Managed Identities
- How To Enumerate Active Directory with BloodHound — (Without Being Overwhelmed!)
- Bypassing Entra ID Conditional Access Like APT: A Deep Dive Into Device Authentication Mechanisms
I specifically watched a video on ROADTools to really understand its features and functionalities:
ROADTools helped me a lot during the exam, so I highly recommend familiarizing yourself with it before you start.
I also checked out various tools, curated lists, and cheatsheets:
- Pentest-Tools-Collection/tools/Azure
- Kyuu-Ji/Awesome-Azure-Pentest
- Gerenios/AADInternals
- ShkudW/EntraEnum
- JumpsecLabs/TokenSmith
- vectra-ai-research/MAAD-AF
- RedByte1337/GraphSpy
- f-bader/TokenTacticsV2
- hausec/PowerZure
- SySS-Research/azurenum
- zh54321/EntraTokenAid
- dafthack/GraphRunner
- mlcsec/Graphpython
- merill/awesome-entra
- cr4ck3rj4ck5/Azure-Pentest-Toolkit
- CloudPentestCheatsheets/Azure.md
Honestly, I didn’t use more than 20% of the above during the exam, but it’s still worth exploring them. Knowing what each tool does can be a lifesaver when you face unexpected scenarios.
Exam
Finally, I decided to sit for my exam on a Saturday morning. You get 48 hours to complete the exam and another 48 hours to submit the report. The report is more or less a walkthrough of how you compromised the environment—why you did what you did, how you did it, and the recommendations to prevent those attacks.
Getting initial access was straightforward. After that, there came a point where I had to figure out how to progress further. I spent a considerable amount of time enumerating everything I could until I finally found a potential way forward. Once I’d moved on to the second half of the exam, it was a lot clearer what the next target was and the path I was supposed to take.
The final part of the exam was the trickiest. I could see the path and had a good idea of what I was supposed to do, but it wasn’t immediately obvious how to put all the pieces together. After plenty of research and digging through Microsoft documentation, I finally pulled it off and snagged that last flag.
Honestly, I’d say 90% of the exam aligns with what you do in the practice lab, so if you thoroughly understand those exercises, you should be well-prepared. Just be ready for a few unexpected twists. I wrapped up the exam in about 12 hours, then spent another 4–5 hours polishing my report. Make sure you’re taking plenty of screenshots and working on your report as you go, so you don’t have to rush at the end.
A few days after submitting, I got the email: I passed and am officially a Certified Azure Red Team Expert (CARTE)!
Conclusion
All in all, it was a fantastic course, and I learned a ton. People often ask me if there are any additional resources they absolutely need for the exam, but honestly, master the course material and labs that Altered Security provides. Most of the exam directly tests your understanding of that content. Yes, I’ve listed a bunch of videos and tools above, but the real key is practicing and truly understanding what CARTE covers. Good luck to anyone planning to attempt it!
Thanks for reading my first blog post on a course review. I hope this helps!
Disclaimer
This review reflects my personal experience with the Certified Azure Red Team Expert (CARTE) course by Altered Security. I am not affiliated with or endorsed by Altered Security.
