Pentesting Azure Applications
The Definitive Guide to Testing and Securing Deployments
Matt Burrough on attacker behaviour against Azure tenants: identity, storage, VMs, key material handling, and the recon paths that work against real subscriptions.
- Author: Matt Burrough
- Published: 2018
- Publisher: No Starch Press
- Pages: 216
- Language: English
Read this if
Cloud pentesters whose scope includes Azure subscriptions. Burrough covers identity (Entra ID), storage account abuse, VM-level recon, key material handling, and the role-based access patterns that drive real Azure post-exploitation.
Skip this if
Readers focused on AWS or GCP, or anyone wanting current Azure tradecraft. The book predates the rebrand of Azure AD to Entra ID and several major service updates; treat it as foundational, not current.
Key takeaways
- Azure attack patterns center on identity and roles, not network-level vulnerabilities; the book's framing reflects that.
- Storage account misconfigurations remain one of the most common Azure findings; the book's coverage of access-key abuse is still relevant.
- Cloud pentest reporting differs meaningfully from network pentest reporting; the book's deliverable templates are useful starting points.
Notes
Pair with current Microsoft Cloud Adoption Framework documentation and with the Azure Security Benchmark for the current control surface. Burrough's blog and conference talks (DEF CON Cloud Village, BSides) are the natural follow-ups. For AWS, see Hacking AWS by Bryan Stevenson; for GCP, see the Google Cloud security documentation directly. The Azure-specific surface evolves quickly; supplement the book with current Microsoft Defender for Cloud and Microsoft Threat Protection writeups.
What to read before Pentesting Azure Applications
Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.
Intermediate · 2025
Metasploit
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
Intermediate · 2018
The Hacker Playbook 3
Peter Kim's hands-on red-team field manual: assumed-breach scenarios, lateral movement, AV/EDR evasion, and the operational rhythm of a real engagement rather than a checklist of CVEs.
What to read after Pentesting Azure Applications
Intermediate · 2025
Metasploit
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
Intermediate · 2018
The Hacker Playbook 3
Peter Kim's hands-on red-team field manual: assumed-breach scenarios, lateral movement, AV/EDR evasion, and the operational rhythm of a real engagement rather than a checklist of CVEs.
Advanced · 2017
Attacking Network Protocols
James Forshaw, Project Zero veteran, on how to capture, parse, and break protocols from the wire up to the application layer, with a strong focus on building reusable analysis tooling.
Alternatives to Pentesting Azure Applications
Intermediate · 2025
Metasploit
The second edition of the definitive No Starch guide to the Metasploit Framework, updated by the project's original maintainers and newer contributors for the modern Framework.
Intermediate · 2018
The Hacker Playbook 3
Peter Kim's hands-on red-team field manual: assumed-breach scenarios, lateral movement, AV/EDR evasion, and the operational rhythm of a real engagement rather than a checklist of CVEs.
Beginner · 2014
Penetration Testing
Georgia Weidman's lab-driven introduction to pentesting, walking the reader from setting up a target environment through scanning, exploitation, post-exploitation, and reporting.