CREST-Certified Azure Cloud Security Review and Azure Penetration Testing
Azure penetration testing aligned to the CIS Microsoft Azure Foundations Benchmark. Manual exploitation across Entra ID (Azure AD), RBAC, Key Vault, Storage Accounts, App Services, Functions, AKS, and Azure Policy. Multi-tenant and multi-subscription supported.
Azure CSPM tells you what’s misconfigured. We tell you what’s exploitable.
Azure Defender flags exposed Storage Accounts and weak RBAC roles. It cannot tell you whether your Function App’s Managed Identity can read every Key Vault in your subscription, whether your AKS pod can assume the cluster identity, or whether the identity that authorises your Logic App connectors has standing access to production secrets.
Our Azure cloud security review combines automated CIS Microsoft Azure Foundations scanning with manual exploitation across Entra ID, Storage, Key Vault, AKS, and the Azure Resource Manager control plane. Reports satisfy ISO 27001 Annex A.13.1, SOC 2 CC6.6, PCI DSS Req 11.3, and align with NCSC cloud security principles and Microsoft’s Secure Future Initiative — without translation work.
12 AZURE SERVICES AUDITED
What We Test in Azure Cloud Security Review
Aligned to the CIS Microsoft Azure Foundations Benchmark v3.0. Multi-tenant Entra ID, multi-subscription, hybrid cloud supported.
Identity Provider
Conditional access bypass, role assignment audit, MFA enforcement, guest user audit, OAuth app review, hybrid AD trust.
Role-Based Access Control
Standing access audit, custom role review, ownership boundary enforcement, privileged identity management (PIM) configuration.
Secrets & Keys
Access policy abuse, soft-delete protection, automatic rotation, network restrictions, managed identity boundary.
Blob, File, Queue, Table
Public access enforcement, SAS token leakage, network isolation, hierarchical namespace privilege escalation.
Kubernetes Service
Pod-to-node escape, RBAC, network policies, Azure CNI scrutiny, Managed Identity boundary, image registry security.
Azure Functions
Trigger authentication, function key leakage, host.json review, Managed Identity privilege scope.
Web Apps
Authentication providers, deployment slot security, Kudu / SCM exposure, environment variable leakage.
Workflow Automation
Connector auth review, callback URL exposure, run history scrutiny, parameter injection paths.
Microsoft Defender for Cloud
Coverage analysis, alert tuning, security baseline drift, compliance score validation.
Audit & Monitoring
Log retention, diagnostic settings completeness, Sentinel integration, log integrity.
VNet, NSG, ASG
Public IP audit, NSG rule review, ASG segmentation, Private Endpoint enforcement, Bastion configuration.
Multi-tenant Boundary
Subscription role assignment, resource lock review, Cost Management isolation, Azure Policy enforcement.
FOUR-PHASE METHODOLOGY
Azure Cloud Security Review — From Tenant Discovery to Hardening Plan
Read-only by default. Manual exploitation only with explicit written approval per resource type.
Tenant Discovery
CIS Benchmark Audit
Manual Exploitation
Report & Hardening
Verified Accreditations Auditors Accept
Every accreditation independently issued by a recognised UK certification body.
COMPLIANCE READY
Azure Reports Mapped to Every Framework
Findings tagged to CIS Benchmark control IDs and your specific compliance framework. Audit teams submit directly without translation.
CIS Microsoft Azure Foundations v3.0
Control-by-control compliance score and remediation evidence accepted by enterprise audit teams.
Microsoft Cloud Security Benchmark
Microsoft’s own security recommendations for Azure tenants — automated assessment included.
ISO 27001 (Annex A)
A.13 network security, A.14 secure development, A.18 compliance — Azure-control evidence in the format ISO auditors accept.
SOC 2 Type I & II
CC6.6 logical access, CC7.1 vulnerability identification, CC7.2 monitoring evidence accepted by SOC 2 auditors.
PCI DSS
Req 1, 2, 7, 8, 11.3 control evidence for Azure-hosted PCI scope, including segmentation and encryption attestation.
NCSC Cloud Security Principles
14 principles assessed including data in transit, supply chain, identity, separation, and audit information.
TRANSPARENT PRICING
Transparent Azure Cloud Security Review Pricing
All tiers include the same depth of testing. Price varies by Azure estate complexity — subscription count, service breadth, resource volume, and Entra ID tenant scope.
Depends on Azure estate size
Single subscription, ≤10 services in use, ≤50 resources, single Entra ID tenant. Typically 4-5 day engagement.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on Azure estate size
Multi-subscription (3-10), 10-20 services, 50-200 resources, AKS or Functions, hybrid AD. Typically 7-10 day engagement.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Depends on Azure estate size
Enterprise tenant (10+ subscriptions), 20+ services, 200+ resources, multi-region, AKS + multi-tenant Entra. Typically 10-15 day engagement.
- ✓ Free retests included
- ✓ Free rescheduling
- ✓ No cancellation fees
- ✓ 24-hour scope to active testing
- ✓ Live findings to client portal
- ✓ Executive + technical report
- ✓ 60-min walkthrough call
- ✓ Letter of attestation
Azure Cloud Security Review for Your Sector
Azure deployment patterns vary by sector. We test the controls your regulators specifically require.
Fintech
FCA-regulated firms, Open Banking, payment APIs, PCI scoping.
SaaS
Multi-tenant isolation, SSO/SAML/OIDC, customer-data perimeter, SOC 2 evidence.
Healthcare
NHS DSPT, NHS DTAC, EHR integration, telehealth, patient-data PII.
Insurance
FCA / PRA Operational Resilience, claims data, broker integrations, cyber underwriting evidence.
Law
Privileged-data confidentiality, partner-tier scrutiny, SRA Cyber Standard alignment.
Public Sector
CCS / G-Cloud framework, NCSC-aligned, SC-cleared testers available.
What You Actually Get
Five things that distinguish our service from automated scans and box-tick competitors.
What You Get From Azure Penetration Testing
CIS Benchmark + Microsoft SFI Aligned
Read-Only by Default
Bicep / Terraform / ARM Patches
UK CREST + IASME + ISO 27001 + ISO 9001
Frequently Asked
How long does an Azure cloud security review take?
Single-subscription review (≤10 services, ≤50 resources) typically takes 4-5 working days. Mid-market multi-subscription takes 7-10 days. Enterprise multi-tenant Entra ID environments take 10-15 days.
How much does Azure penetration testing cost in the UK?
Single-subscription engagements £6,000-£10,000. Multi-subscription (most commonly commissioned) £10,000-£18,000. Enterprise £18,000-£28,000. All quotes are fixed-price after scoping.
Do you follow the CIS Microsoft Azure Foundations Benchmark?
Yes. Every Azure engagement includes a control-by-control CIS Microsoft Azure Foundations v3.0 assessment, plus the Microsoft Cloud Security Benchmark (MCSB). Findings are tagged to specific CIS control IDs.
Do you test Entra ID (Azure Active Directory)?
Yes. Entra ID is the highest-impact attack surface in modern Azure tenants. We audit role assignments, Conditional Access policies, MFA enforcement, guest user permissions, OAuth application consent, and hybrid AD synchronisation security.
Is testing read-only or do you make changes?
Read-only by default. We use the built-in Azure Reader and Security Reader roles for discovery and the CIS audit. Manual exploitation phases run only with explicit written authorisation per resource type, in agreed maintenance windows.
Do you test AKS / Kubernetes pod security?
Yes. AKS reviews include control-plane configuration, RBAC, Azure CNI network policies, pod identity boundaries (Managed Identity and the Azure equivalents of IRSA), node identity trust, container image registry security, and pod-to-node escape paths.
What about multi-subscription Azure environments?
Multi-subscription testing is fully supported. We map the entire Management Group structure, evaluate Azure Policy assignments, audit cross-subscription RBAC, review Azure Lighthouse delegations, and test resource lock effectiveness.
Do you test Bicep / ARM / Terraform IaC?
Yes. Pre-deployment IaC review is offered as a separate engagement or bundled with cloud testing. We review Bicep, ARM templates, Terraform / OpenTofu, and Pulumi for misconfigurations, secret leakage, and policy violations.
Can you provide remediation guidance?
Yes. Every finding ships with prioritised remediation guidance and example Bicep / Terraform / ARM patches. For high-severity findings we include direct engineer access via our portal during remediation.
Do you test Microsoft Defender for Cloud configuration?
Yes. We audit Defender for Cloud coverage, recommendation tuning, regulatory compliance score, and alert routing to Sentinel or third-party SIEM. Coverage gaps are the most common Azure finding.
Are your testers UK-based and what certifications do they hold?
All Azure testers are vetted UK or international engineers. Relevant certifications: CREST CRT and CCT INF, AZ-500 (Microsoft Certified: Azure Security Engineer Associate), OSCP, OSCE. SC-cleared testers available for public-sector and regulated-financial engagements.
Do you sign NDAs?
Yes. Standard NDA before any technical detail is shared. We operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses.
Book an Azure Security Review Scoping Call
30 minutes with a CREST-certified Azure security specialist. Fixed-price quote within 24 hours. No sales pipeline.