May 15, 2026
A Pentester’s Journey to 2nd Place at DEF CON Azure IR Training
Tiger3080
Why I Attended DEF CON Training in Singapore?
Back in April, I was already planning to attend DEF CON Singapore when one of the directors at my company sent me a link to a DEF CON Training course on Azure cloud security.
My first reaction? This is an IR course. I'm a pentester.
The course focused on Incident Response: detecting, scoping, and investigating attacks in Azure and Microsoft 365. That's not my world. My world is causing those incidents. I spend my days doing cloud red teaming, Azure AD exploitation, and offensive security consulting. Defensive work wasn't exactly on my radar.
But I was already interested in deepening my Azure knowledge, and honestly, understanding how defenders think has always made me a better attacker. So I figured: why not?
The Instructor: Korstiaan Stam
One thing that made the decision even easier was who was teaching it. Korstiaan Stam is the CEO and Founder of Invictus Incident Response, a specialized cloud IR company whose tooling has been trusted across thousands of real-world engagements. He is also a former SANS Instructor for the FOR509 course.
Course Outline
Before diving into what I learned, here's a quick look at what the course actually covers across both days.
Two full days, 8:30 AM to 5:30 PM. As a night person, an 8:30 AM start was already a challenge before the learning even began. But every module had hands-on exercises that kept things moving, and Day 2 ended with live labs and the CTF. No filler, no fluff, just me desperately trying to look awake at 8:30 in the morning.
Price
The course offers two options depending on what you want to walk away with:
I went with Option A. My goal was to genuinely learn the defensive side of Azure and M365, and the completion certificate was all I needed for that.
Before Training: Preparation
Before heading to Singapore, the requirements were pretty minimal.
- Just bring a laptop capable of running PowerShell and a browser.
- Having Excel installed is also useful for handling some CSV files during the labs.
A few days before the training, I received the slide deck. 411 slides...
My first thought was: there is absolutely no way anyone finishes all of this in two days. But somehow, Korstiaan pulled it off. Every. Single. Slide. That alone tells you a lot about the pace of this course.
Day 1
Travel
As I mentioned earlier, I woke up really early that day to make sure I arrived at DEF CON Training on time. The training was hosted at Marina Bay Sands, one of the most iconic venues in Singapore.
To get there, I took the MRT from Marine Parade on the TEL, changed at Marina Bay station to the CCL, and rode it to Bayfront station, which drops you right at Marina Bay Sands.
But there was a small problem. When I arrived at Marina Bay station and tried to transfer to Bayfront, the connecting passage was closed. It was already 8:00 AM and class started at 8:30, so I just called a Grab. Marina Bay Sands was literally right there in the photo. It looks close, but trust me, not close enough when you are running late.
Arriving at DEF CON Training
Once inside, I followed the DEF CON signs to the check-in area and picked up my learner badge along with some goodies: a DEF CON sticker and a pen. Small things, but there is something about holding that badge for the first time that just makes it feel real.
And when I got to the classroom, there were even more goodies waiting, this time from Invictus Incident Response, along with a cheatsheet that we would be using throughout the training. A nice touch before the learning even started.
Everything was looking great until it was time to check in for the lab environment. We needed to find our name on the list to get the credentials for logging into the Azure portal. I scanned through the sheet and could not find my name anywhere, until I spotted "SecureD Center". That's my company name, so it was listed under that instead.
For anyone who hasn't heard of us, SecureD Center is a cybersecurity professional services company covering a wide range of services including penetration testing, incident response, SOC, digital forensics, consulting, and IT audit. Basically everything related to cybersecurity.
And it got better. When the instructor did a roll call to check attendance, I officially became Mr. SecureD Center 😂. Oh, and if I complete the course, the completion certificate will also have Mr. SecureD Center as the name instead of my real name. But the good news is I can request to change the name on the certificate, so big thanks to the DEF CON training staff for sorting that out.
Training Start
The first part of the training covered Azure terminology. I have to give credit here, Korstiaan explained this section really well. I was already familiar with most of it from completing my CARTP and CARTE certifications, but it was a solid foundation for everyone in the room. From there, the course moved into how Azure and M365 differ from each other, and what permissions you actually need as an IR investigator to do your job effectively.
Then came logging and KQL, which was new territory for me. The key takeaway was that KQL is the primary query language used to search through logs during an investigation. You need at least a basic understanding of it to work effectively. One important thing I learned is that Microsoft does not store everything in one place, so knowing where to look for specific logs is just as important as knowing how to query them. On top of that, some logs require specific licenses to access, which is something defenders need to plan for.
Then came the juicy part: the attack techniques. Most of the techniques themselves were already familiar to me, but the real value was in how Korstiaan explained the detection and investigation side for each one. As a pentester, I sometimes need to give recommendations to clients on how to defend against the attacks I find, and this section gave me a much deeper understanding of that than I have ever had before.
The part that genuinely surprised me was learning that some attack techniques produce no logs at all. As a defender that is terrifying. As a pentester… let's just say that was very useful information. 🤣
And that wrapped up Day 1. After the training, there was a happy hour for anyone who wanted to network, which sounded great. Sadly I had to skip it: I had work to catch up on, and honestly I needed the rest to survive Day 2.
Day 2
Day 2 shifted focus to Microsoft 365 and the full investigation workflow. We covered what to do when an incident has already occurred, where to pull the logs from, and what tools you need to actually get the job done.
The interesting part was diving into attacker techniques specific to M365. If an attacker manages to compromise an email account, an app, or any user in the tenant, what can they do from there? How far can they go with persistence and data exfiltration? Seeing those scenarios mapped out from both the attacker and investigator perspective was eye opening.
Microsoft Extractor Suite
Before the CTF started, Korstiaan recommended a tool that ended up being essential: the Microsoft Extractor Suite, an open-source PowerShell tool developed by Invictus Incident Response. It is designed to streamline the process of collecting all necessary data from Microsoft environments during an investigation.
It supports a wide range of log sources including the Unified Audit Log, Admin Audit Log, Mailbox Audit Log, Mailbox and Transport Rules, Message Trace Logs, Entra ID Sign-In and Audit Logs, Azure Activity Logs, and more. On top of that, it can pull additional context like registered OAuth applications, MFA status for all users, risky users, and risky detections.
Basically, if you are doing an M365 or Azure investigation, this tool does a lot of the heavy lifting for you.
👉 github.com/invictus-ir/Microsoft-Extractor-Suite
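As an added example (my own, not code from this post or from the Extractor Suite project), here is a PowerShell triage function for the kind of Unified Audit Log CSV export the suite collects. It flags inbox-rule operations that forward or redirect mail, one of the persistence and exfiltration paths the M365 section describes. The function name, the sample records and the column layout are assumptions; the `AuditData` JSON shape follows the Exchange mailbox audit records as Microsoft documents them.

```powershell
# Added example: triage exported Unified Audit Log rows for inbox rules that
# forward or redirect mail. Assumes a CSV with an AuditData column holding the
# raw JSON record (as produced by a UAL export); Find-SuspiciousInboxRules is a
# hypothetical helper written for this post, not an Extractor Suite cmdlet.
function Find-SuspiciousInboxRules {
    param([Parameter(Mandatory)][string]$CsvPath)

    # Rule parameters that send a copy of mail somewhere else
    $forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo'

    Import-Csv -Path $CsvPath | ForEach-Object {
        $record = $_.AuditData | ConvertFrom-Json
        # Only rule creation/modification operations matter for this check
        if ($record.Operation -notin 'New-InboxRule', 'Set-InboxRule') { return }

        # Parameters is an array of {Name, Value} pairs in mailbox audit records
        $params = @{}
        foreach ($p in $record.Parameters) { $params[$p.Name] = $p.Value }

        $targets = $forwardParams | Where-Object { $params.ContainsKey($_) } |
                   ForEach-Object { $params[$_] }
        if (-not $targets) { return }

        [pscustomobject]@{
            Time        = $record.CreationTime
            User        = $record.UserId
            ClientIP    = $record.ClientIP
            Operation   = $record.Operation
            RuleName    = $params['Name']
            ForwardsTo  = ($targets -join ';')
            # DeleteMessage hides the forwarded mail from the mailbox owner
            DeletesCopy = ($params['DeleteMessage'] -eq 'True')
        }
    }
}

# Constructed sample export: one forwarding rule and one benign folder rule
$sample = @'
RecordType,CreationDate,UserIds,Operations,AuditData
ExchangeAdmin,2026-05-10T09:12:00Z,alice@example.com,New-InboxRule,"{""CreationTime"":""2026-05-10T09:12:00"",""Operation"":""New-InboxRule"",""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.5"",""Parameters"":[{""Name"":""Name"",""Value"":"".""},{""Name"":""ForwardTo"",""Value"":""ext@example.net""},{""Name"":""DeleteMessage"",""Value"":""True""}]}"
ExchangeAdmin,2026-05-10T10:00:00Z,bob@example.com,New-InboxRule,"{""CreationTime"":""2026-05-10T10:00:00"",""Operation"":""New-InboxRule"",""UserId"":""bob@example.com"",""ClientIP"":""198.51.100.7"",""Parameters"":[{""Name"":""Name"",""Value"":""Newsletters""},{""Name"":""MoveToFolder"",""Value"":""Archive""}]}"
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'ual-sample.csv'
Set-Content -Path $tmp -Value $sample
Find-SuspiciousInboxRules -CsvPath $tmp | Format-Table -AutoSize
```

Only alice's rule is reported, with `DeletesCopy` set, which is the combination worth pivoting on in the sign-in logs for the same user and IP.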
CTF
Then it was CTF time. 29 students, all from different countries and companies, competing against each other. Looking around the room, almost everyone was an IR professional or SOC analyst, people who do this kind of investigation every single day. I was one of the very few pentesters in the mix, coming from the complete opposite side of the fence. This was also my first time doing a full IR CTF. I have done forensic CTF challenges before and worked with logs, but this was a completely different level. The volume of logs was massive and you had to query them properly and methodically to make it through. No guessing, just pure investigation. Time to get serious.
The first hour was rough. I was struggling to find my footing, not sure where to look or what to query. But once I got familiar with the log sources and started using the cheatsheet effectively, things started clicking and I picked up the pace.
The CTF was structured so that you had to complete challenges sequentially, one unlocking the next. What made it interesting was that the later challenges carried more points, meaning even if you were not the first to solve them, you could still rack up a solid score by pushing through to the end.
Finally, when the dust settled, I ended up in 2nd place with a score of 14,818. Honestly I still can't believe it. What made it even more intense was how close it was. The person in 3rd place was sitting right next to me the whole time, and if they had managed to submit one more challenge, they could have taken my spot. That close. 🥈
On top of the placement, Korstiaan had a special challenge coin prepared for the winners. A proper Invictus Incident Response coin, really nice to have something physical to take home as a memory. We took a photo together to mark the moment.
And of course, a group shot with the top 3. 🏆
Additional Resource
If you are looking for more hands-on practice with real-world cloud incident response scenarios, Invictus Incident Response also runs an online academy at academy.invictus-ir.com. They currently offer on-demand courses for incident response in the Microsoft Cloud and AWS, with Google Cloud coming soon. All courses include live labs and CTF challenges, so you can keep sharpening your skills at your own pace.
Closing Thoughts
Who Should Take This Course?
If you work in IR or a SOC and deal with Azure or M365 environments, this course is absolutely for you. But I would also recommend it to anyone who wants to get started in cloud security or go deeper into how Azure and M365 actually work from a security perspective. And if you are a pentester like me, you will still get solid exposure to attack technique concepts, not in deep technical detail, but enough to understand how attackers operate in cloud environments and how defenders see it. Whether you are on the offensive or defensive side, there is something valuable here for everyone.
Is It Worth It?
Honestly, yes. You are getting a former SANS instructor with years of real-world cloud incident response experience, high quality hands-on labs, and a CTF that actually tests everything you learned. The content is practical, not just theoretical. For the price, the value is solid.
This course turned out to be one of the best training experiences I have had. Coming in as a pentester and walking out with a much deeper understanding of the defensive side of Azure and M365 was something I did not expect to value as much as I did. And placing 2nd in the CTF against IR professionals and SOC analysts from around the world made it even more memorable.
A huge thank you to SecureD Center and my director Prathan P for making this opportunity possible. Having a company that invests in your growth makes all the difference. Really appreciate it. 🙏
16 hours of intensive training, 2 days at Marina Bay Sands, 29 competitors, and a 2nd place finish. Totally worth it.