Azure penetration testing services
Azure penetration testing. From one token to tenant Owner.
Most Azure compromise runs through identity: a token replayed, a managed identity over-scoped, a role nobody audited. We test how those gaps chain from a single foothold to tenant Owner, then show you exactly where to cut the path.
Entra-first
Actor tokens, PRT replay, device-code phishing, tested against your tenant by hand.
Identity to Owner
Managed-identity over-scope and federation tampering chained to subscription Owner.
Re-test included
We verify your fixes at no extra cost. One engagement, closed loop.
The window from vulnerability discovery to exploitation has gone from weeks to hours.
Trusted by security teams across Fintech, SaaS & Education, Enterprise & Telecom, Security & Critical Infrastructure
On record
What we test
Six surfaces. Six named bug classes.
These are not generic categories, they are the primitives our Azure pentesters chain into engagement findings.
- Entra ID actor tokens
- Undocumented service-to-service actor tokens accepted by legacy AAD Graph without source-tenant validation, cross-tenant Global Admin (CVE-2025-55241).
- Primary Refresh Token replay
- Extract CloudAP-protected PRTs from a joined host, replay via roadtx to mint MSGraph tokens that satisfy MFA and conditional access.
- Device-code & CA bypass
- Device-code phishing chained with phantom-device DRS registration marks the attacker workstation compliant, conditional-access policy waved through.
- Managed identity over-privilege
- Workload SSRF reaches IMDS, lifts a system-assigned identity with Contributor at subscription scope, then pivots tenant-wide (CVE-2025-62207).
- Workload identity federation
- Swap the federated-credential issuer URL on an Entra app, persistent service-principal access without a stored secret, no rotation signal.
- Subscription & KeyVault RBAC
- Owner or User Access Administrator at subscription scope plus permissive KeyVault access policies, reveals secrets, cert private keys, AKV-stored SAS tokens.
Identity chain.
One phish becomes tenant Owner.
A phished employee gives up a Primary Refresh Token. With roadtx and CloudAP, that one token becomes a session, the session becomes a role, and the role becomes tenant Owner. We run that exact chain on your tenant and show you where it breaks.
Meet your Azure lead
Hands on every Azure engagement.
John Dill
vCISO at SecureLayer7
15+
Years in offensive security
150+
Engagements led to date
99.99%
On-time engagement delivery
John scopes Azure engagements against your Entra tenant, subscription topology, and hybrid-identity boundary. He sits in the room from kick-off through findings review and re-test.
- Scopes Entra ID, conditional access, and managed-identity paths against your real risk model.
- Walks every AKS, Key Vault, and workload-identity finding live with your team.
- Drives remediation review and re-test until every tenant-wide path is closed.
Ready to scope an Azure pentest? Book 30 minutes with John to walk through your Entra tenant, subscription layout, and timeline.
Book a 30-min callAZURE PENTEST ENGAGEMENT.
How we run an Azure pentest. Tenant-wide, closed-loop.
Threat-modelled to your tenant, Entra graph, and subscription topology. Aligned with Microsoft's pentest rules-of-engagement, not a template we run against every cloud.
- 01Scope & rules-of-engagement
- 02Read-only access provisioning
- 03Tenant reconnaissance
- 04RBAC review
- 05Active exploitation
- 06Post-exploitation & blast-radius
- 07Reporting & remediation
- 08Re-test & closure
Insights
Azure security Resources.
Field notes on Entra ID abuse paths, Storage blob exposure, and managed-identity privilege drift, written by the reviewers who run Azure pentests.
Tested by industry.
The bug classes named below come from real engagements in each sector. Pick the closest fit.
Tech SaaS
Multi-tenant SaaS on Azure, Entra ID drift, conditional-access bypasses.
FinTech
Banking workloads on Azure, Key Vault boundaries, M365 + Defender attack paths.
HealthTech
HIPAA-aligned Azure tenants, PHI in Storage, Healthcare APIs on Azure.
Built for United Kingdom engagements
What changes when we deliver here.
Compliance scoping
NCSC Cloud Principle 9 identity-and-authentication mapping
Regulatory framework
FCA FG16/5 paragraph 4 outsourcing-access control evidence
Local engagements
UK insurer cleaned 312 Conditional Access gaps post-engagement
Local pricing
GBP per-tenant fee, fixed regardless of subscription count
Compliance scoping
NCSC CAF C1 monitoring-outcome detection coverage
Azure testing, UK detail.
Do you test Entra ID and PIM together?
Yes. Conditional Access bypass, dormant PIM eligible-role abuse and refresh-token theft sit in baseline scope. Findings cite Entra audit-log path.
How does this fit FCA FG16/5?
Cloud outsourcing under FG16/5 paragraph 4 — access, monitoring, exit. Each is a discrete finding section, signed by the engagement lead.
Can you test Sentinel and Defender for Cloud?
Detection-side testing — we trigger findings and check Sentinel rule fires. Detection gaps map to NCSC CAF C1 monitoring outcomes.
Where is tenant data held?
UK South tenancy default. Customer-managed keys, RBAC scoped to the engagement, deleted on close.
Delivery in United Kingdom
Azure pentest. Entra ID and PIM first.
Entra ID, PIM, Conditional Access and Storage findings mapped to NCSC Cloud Principle 9 and FCA FG16/5 paragraph 4. UK South region default.
- Direct line
- +44-20-0000-0000
- Office
- London, United Kingdom
Frameworks scoped: CREST · NCSC CAF · UK GDPR · PCI DSS · ISO/IEC 27001.
Sample engagement report
See what arrives in your inbox.
A pre-vetted Azure engagement sample: full vulnerability narrative, working proof-of-exploit traces, and Bicep, ARM, or Terraform fix guidance you can hand to your platform team. Sent on request after a 5-minute scoping call.