Certified Azure Red Team Expert (CARTE) review

Azure is becoming increasingly popular, especially with the widespread use of Microsoft 365, Microsoft Intune, Microsoft Entra ID, and resources like Function Apps and Storage Accounts. A few years ago, I decided to take a course focused on red team attacks against Azure environments. This course, called Certified Azure Red Team Professional (CARTP), provided valuable insights into various attack techniques through hands-on labs and exams, helping me develop a deeper understanding of Azure security.

As Azure continues to evolve—such as the rebranding of Azure AD to Entra ID—new attack techniques are constantly emerging. To keep up with these changes, Altered Security introduced an advanced follow-up course to CARTP: the Certified Azure Red Team Expert (CARTE). Having completed and passed this course, I’d like to share my experience in this review.

Course overview

The CARTE course follows the same structured approach as other Altered Security training programs. Since I was already familiar with their teaching style from the CARTP course, I found the format consistent and effective. The course includes:
✅ Slides and video lessons for theoretical explanations
✅ Demos showcasing attack techniques
✅ Hands-on labs for practical application

One of the best aspects of the course is its interactive and practical approach. Every concept introduced is immediately tested in a lab environment, reinforcing both understanding and execution. Throughout the course, you’ll encounter questions (flags) related to each assignment. These flags can only be answered correctly if you successfully complete the task, ensuring that you truly grasp and apply the techniques. You submit your answers via an online portal, which also tracks your progress. This learn-apply-validate cycle enhances engagement and effectiveness, making the course both enjoyable and highly educational.

Among the most interesting topics for me were the phishing techniques that bypass security measures like Conditional Access MFA, particularly Device Code Phishing. Additionally, the detailed explanations on authentication tokens and Graph API enumeration using PowerShell were incredibly insightful.

 

Exam experience

The CARTE exam is a 48-hour hands-on assessment designed to test the knowledge and skills gained from the course. The challenge lies in compromising all Azure objects (resources and user accounts) and capturing the final flag.

One of the best aspects of the exam is that it goes beyond the course material, pushing you to discover new attack techniques on your own. The course provides an excellent foundation, but the exam requires adaptability and problem-solving skills to succeed.

Key challenges of the exam:

  • No pre-installed tools—you must set them up yourself
  • Full enumeration of the Azure environment is crucial
  • Heavy reliance on Microsoft Graph API for reconnaissance

At one point, I was stuck on an object for a long time. The breakthrough came when I decided to re-enumerate the entire environment using Graph API, leading me to the missing piece. This highlights how important it is to be thorough in your enumeration process.

After completing the practical portion, you have an additional 48 hours to submit a detailed exam report, documenting your findings and attack methodologies.

 

Conclusion

For those who have already completed CARTP and want to elevate their Azure red teaming skills, I highly recommend CARTE. The course covers advanced attack techniques in great detail, and I guarantee you’ll learn new methods you haven’t encountered before.

Finally, a huge shout-out to Nikhil from Altered Security for developing such a well-structured and informative course!

SMB misconfigurations – how to configure SMB securely

Common SMB misconfigurations, such as allowing outdated protocols (SMBv1) and missing SMB Signing, leave systems vulnerable to attack. Enforcing SMB Signing, disabling SMBv1, and blocking outbound SMB traffic to the internet help minimize these risks.

QR Codes: The unexpected weapon in Device Code Phishing

Device code phishing, like Adversary-in-the-middle (AiTM) attacks, represents an advanced form of cyber threat that differs from traditional phishing. Device code phishing exploits Microsoft Azure's 'OAuth2 Device Authorization Grant flow', which allows users to sign in on devices with limited input capabilities.
