I would like to thank FDCA for the great fund that allowed me to take this certification.

CARTP

I picked up 30 days of lab access along with the required course material.

Back in 2023, I did the CRTP from Altered Security, which is fully focused on on-prem Active Directory. Time has passed, and I figured it was time to dive into Azure. CARTP was a natural next step.

For context, I work professionally with Azure every day, so most of the core concepts weren’t new. What was new to me was how to abuse it. Earlier this year, I took the GIAC GCFR, so I was already pretty comfortable with investigating cloud environments, including Azure.

Course Material

You receive a PDF with all the labs and a set of videos you have to download yourself. This part felt a bit outdated. I would have preferred a more modern platform where I could track my progress. As it was, I had to keep tabs on everything manually. They did include a simple platform for submitting flags and answers during the labs, which helped a bit.

You’re given access to a Windows VM where everything happens. That VM is the only system allowed to access the Azure tenant, due to Conditional Access policies configured. You could access the VM either through the browser (Guacamole) or a VPN.

Some of the labs were unstable at times, and I won’t lie, it got frustrating. Things broke, and I had to troubleshoot the environment instead of focusing on the exercises.

The exam

I spent about 4,5 hours completing all the objectives and then two hours writing the report. The VM in the exam was horrible, as it was really downscaled, so a lot of the tasks took forever to do, and often the browser even crash due to leak of memory. I would have loved to use my own VM for the exam and the labs.

The exam covered maybe 10% to 20% percent of the full course content. You don’t need to do any external research to pass, and honestly, I expected it to be harder.

Luckily, I had documented everything properly during the exam, so wrapping up the report was pretty smooth.

Conclusion

I recommend this course if you’re new to Azure abuse and want to learn how different services can be misused. For the price, it’s definitely worth it. That said, I really missed having a proper learning platform. Managing everything through PDFs and offline videos made it feel a bit clunky.