Azure penetration testing

Research-led Azure pentest, Entra ID to data, end to end.

CREST-accredited researchers attack Azure environments the way an adversary would: Entra ID abuse, Managed Identity escalation, Graph API exfil, Key Vault leaks, AKS escape. Two weeks from kickoff to a report your auditor accepts.

GET YOUR SCOPING CALL

Talk to a security expert

Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure

Airbase
Quiltt
Pacvue
Imagine Learning

Why this matters

Most Azure pentests stop at the Defender dashboard. Attackers chain through Entra ID.

  • Defender for Cloud flags 200 mediums; none prove the Entra ID chain that ends in Global Admin.

  • Managed Identity and service principal abuse only become criticals when chained with Graph API permissions and Key Vault leaks. Checklist firms miss the chain.

  • Hybrid identity (AD Connect, federation) seams sit where single-cloud testers blink.

Here is what we ship.

Why teams pick us

Path to Global Admin, not 200 mediums.

  • Azure-specific bug classes

    Entra ID role abuse, Managed Identity escalation, Graph API over-permission, Key Vault access policy gaps, AKS pod identity bypass.

  • Chained to data, not config

    We do not stop at 'role is overly permissive.' We prove the path to your storage account and your secrets.

  • Evidence for the right auditor

    SOC 2, ISO 27001, Azure CIS Benchmark, Microsoft FedRAMP. Findings tagged to controls.

How it works

From intro to report in two weeks.

  1. Scope across tenants

    Tell us subscriptions, tenants, and the data surface that matters. Reader role provisioned on the call.

  2. Researchers chain paths

    Entra ID-to-data and Managed-Identity-to-Graph chains. Hybrid and federation included.

  3. Findings with az CLI reproducers

    Each finding ships with reproducer, az and Graph CLI commands, and a fix per control.

Research ledger,

Coordinated disclosures published by SL7 research.

The same researchers run your engagement.

Full advisories index

What founders say

Thank you for being our pentest partners. Our user base is safer because of y'all.
Vinay Hiremath

Vinay Hiremath

Co-founder, Loom

View tweet

Common questions

What buyers ask before they sign.

What access do you need?
Reader role per subscription and Directory Reader in Entra ID. Scoped to the engagement, no writes without explicit approval.
Will you find Entra ID escalation?
Yes. Role-assignment gaps, app consent abuse, OAuth scope creep, conditional-access bypass, hybrid-identity drift.
Is it safe on production?
Yes. Read-only and recon by default. Destructive actions require explicit per-finding approval.
What about AKS and Functions?
Covered. Pod identity, container escape, Functions env-var exfil, Managed Identity pass-through.
Do you map to CIS or FedRAMP?
Yes. Findings tagged to CIS Azure Foundations, Microsoft FedRAMP, SOC 2, and ISO 27001 Annex A.

Ready to see the path from Entra ID to data?

20-minute scoping call with the lead Azure pentester. Multi-tenant, hybrid identity, and the seams between them.

CREST · CERT-In · SOC 2 · ISO 27001