Skip to main content

A look at CloudBreach's Offensive Azure Security Professional

· 4 min read

Recently I completed the course materials for CloudBreach's "Breaching Azure" and took the lab exam, obtaining their "Offensive Azure Security Professional" (OASP) certification. Microsoft's Azure and security certifications focus on building and defending cloud services, not trying to bypass defenses, making this certification quite different.

For more information on OASP, have a look at the CloudBreach labs page: https://cloudbreach.io/labs/

Motivation

I'd not heard of Cloudbreach until last year. I was looking for some new cost effective training materials to continue my professional learning, yet didn't have any free time to start until this year. This meant that I wanted a Black Friday deal that didn't require an immediate start. Cloudbreach offering had a 6 month window before start, so it fit my requirements.

Afterwards I found that there is very limited range of cloud security pentesting offerings - the only one that I could find aside from CloudBreach was the AlteredSecurity range, which I'll likely look into later this year.

The course

The course is a very straightforward design - you nominate your start date and shortly before the scheduled start, course materials and lab credentials are provided.

The lab design is very straightforward, and the VM is accessed via a browser (and is very responsive). All tools are provided so it's easy to dive right in and start experimenting - any troubleshooting will be due to student's mistakes or actual cloud resource failures.

I've had only one lab glitch that was promptly fixed after asking for help in the Discord channel.

The course materials are very simple, just a 100 or so page PDF. It's quite straightforward - there is no video content but it is not necessary for this course.

For background, CloudBreach also provide two short online-only modules for Azure basics and Azure Pentesting basics that you can complete in a few hours as a supplement.

Additionally, the Discord channel has a vibrant discussion and additional reference material is often posted.

While you get a month of lab access, how much you need depends on your knowledge and ability to learn. If you have working knowledge of Azure then you can go through the content much faster as you can focus on the exploitable misconfiguration and already know how it is supposed to work.

The exam

The exam is a 24 hour lab exam with a report afterwards, like many similar offerings. Just like the labs, all the tools are provided and in the event of any infrastructure issues, staff will address them. My exam VM had in fact locked up and I was very happy to see that I could still get support and get back into it. I'd been granted extra time to make up for the time lost but in the end, didn't need it.

The exam is best described as fair and designed to test your skills and ability to figure things out. It is definitely not built to fail students. As such, if you are comfortable with the course you'll probably find the exam on the easy side.

Summary

The CloudBreach Breaching Azure course is a good introduction to common Azure and related cloud misconfigurations. CloudBreach also provide reliable support for any issues (which is a major factor in having a positive experience).

Is it for everyone? I feel I got good value out of it and having a few Microsoft cloud certifications it is nice to see a completely different take on Azure security. Conversely, if you have never heard of Azure Storage or Kubernetes you may want to devote more time to get the full value out of it.

I look forward to a more difficult course offering from CloudBreach that builds on this one, or perhaps an AWS variant.