
Pentesting Azure Applications
The Definitive Guide to Testing and Securing Deployments
Matt Burrough on attacker behaviour against Azure tenants: identity, storage, VMs, key material handling, and the recon paths that work against real subscriptions.
- Authors: Matt Burrough
- Published: 2018
- Publisher: No Starch Press
- Pages: 216
- Language: English
Read this if
Cloud pentesters whose scope includes Azure subscriptions. Burrough covers identity (Entra ID), storage account abuse, VM-level recon, key material handling, and the role-based access patterns that drive real Azure post-exploitation.
Skip this if
Readers focused on AWS or GCP, or anyone wanting current Azure tradecraft. The book pre-dates the current AAD-now-Entra-ID rebrand and several major service updates; treat it as foundational, not current.
Key takeaways
- Azure attack patterns center on identity and roles, not network-level vulnerabilities; the book's framing reflects that.
- Storage account misconfigurations remain one of the most common Azure findings; the book's coverage of access-key abuse is still relevant.
- Cloud pentest reporting differs meaningfully from network pentest reporting; the book's deliverable templates are useful starting points.
Notes
Pair with current Microsoft Cloud Adoption Framework documentation and with the Azure Security Benchmark for the current control surface. Burrough's blog and conference talks (DEF CON Cloud Village, BSides) are the natural follow-ups. For AWS, see Hacking AWS by Bryan Stevenson; for GCP, see the Google Cloud security documentation directly. The Azure-specific surface evolves quickly; supplement the book with current Microsoft Defender for Cloud and Microsoft Threat Protection writeups.
What to read before Pentesting Azure Applications
Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.
Intermediate · 2021
Hacking Kubernetes
A threat-modeling tour of a Kubernetes cluster, component by component, that teaches you to harden defaults by first showing you how each one gets broken.
Intermediate · 2025
Metasploit
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
What to read after Pentesting Azure Applications
Advanced · 2017
Advanced Penetration Testing
A red-teamer's tour of getting into high-security targets without Metasploit, leaning on custom C2, social engineering, and tradecraft. Strong ideas, uneven execution.
Intermediate · 2021
Hacking Kubernetes
A threat-modeling tour of a Kubernetes cluster, component by component, that teaches you to harden defaults by first showing you how each one gets broken.
Intermediate · 2025
Metasploit
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
Alternatives to Pentesting Azure Applications
Intermediate · 2025
Metasploit
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
Intermediate · 2022
Sécurité informatique - Ethical Hacking
The French-language reference for offensive security: a thick, lab-heavy tour of the attacker's toolkit, maintained across editions by the ACISSI collective under the motto “learn the attack to better defend.”
Intermediate · 2021
Hacking Kubernetes
A threat-modeling tour of a Kubernetes cluster, component by component, that teaches you to harden defaults by first showing you how each one gets broken.