July 4, 2026
Closing Out the CARTP Bootcamp and Where I Am Going Next
The Altered Security CARTP bootcamp wraps up for me this week, and I wanted to put some honest thoughts down before I move on.

By Saqlain Naqvi
I spent the last month living inside the lab. 26 learning objectives, 49 flags, and a lot of late nights sitting with concepts that only made sense after I broke something a few times. That was the part of the experience that surprised me most. The material is dense, but the real work happened when I stopped reading and actually pushed against a live tenant. There is a difference between understanding illicit consent grants on paper and watching a phished user hand over Mail.Read to an app you registered five minutes ago. You do not forget that.
What made the bootcamp valuable for me was the range. It moved from initial access through enumeration, into privilege escalation across Entra roles, lateral movement into subscriptions, and abuse of managed identities and automation accounts. Every objective built on the one before it, and by the time I hit the final flags, I could see the tenant as a single connected surface rather than a collection of separate services. That mental shift is worth more to me than any individual exploit.
I am not writing this as a red teamer, though, and I want to be clear about that. My focus is cloud security defence and Azure specifically. I went through the offensive material so I could design detections and hardening that actually hold up against how attackers move, not the sanitised version in a vendor slide. Every attack path I worked through in the lab now sits next to a Sentinel KQL query, a Microsoft Cloud Security Benchmark control, and a set of Conditional Access policies I would put in place to break the chain. That is the work I care about.
The next few months are going to be busy. AZ 500 is booked for August, then SC 300 by the end of September. Alongside that, I am consolidating everything from the bootcamp into a series of writeups I will be publishing on my site and here on Medium. The first one, on illicit consent grants and how to catch them early, is already drafted. Pass the PRT is next, then managed identity abuse through automation runbooks. I want each post to walk the full path from attack to detection to prevention, because that is the shape most defenders actually need.
More broadly, this is where I am putting my career. Cloud security consulting is the direction. I have spent the last few years around offensive tooling and forensic work, and I am folding all of that experience into a defender lens for Azure and Microsoft 365 environments. If you are building or securing a tenant and you want to compare notes, my inbox is open.
Thanks to the Altered Security team for a course that respects the student's time. If you are on the fence about CARTP and you work anywhere near an Entra tenant, do it.
More writeups, more detections, more posts coming soon.