Certified Red Team Operator

Introduction

If you’re looking to move beyond penetration testing and into the world of simulated attacks, the Certified Red Team Operator (CRTO) by Zero-Point Security is likely on your radar. It’s widely considered a gold standard for learning Active Directory exploitation and mastering Command & Control (C2) frameworks.

Having just come off the back of the exam, I want to break down my experience. Whether you’re already enrolled or just weighing the investment, here is my honest take on the course material, the lab environment, and the final challenge.

The Goal

You’re expected to operate inside an enterprise environment using Cobalt Strike and Windows/Active Directory techniques. This isn’t just about “getting shells”. It’s about progressively escalating privileges and achieving specific operational objectives, just like a real operator would.

Scoring & OPSEC

Scoring is split into two parts:

  • 50 points for achieving the operational objectives
  • 50 points for maintaining good OPSEC

The passing score is 85, so both execution and stealth matter.

Triggering detections will reduce your OPSEC score, which means you can technically complete objectives and still fail if your activity is too noisy. The exam rewards clean, controlled operations, not just success at any cost.

The Environment

Access is provided through a web-based interface into a fully isolated lab environment. There’s no internet access and no VPN involved, so everything you need is already inside the network.

You’re given 24 hours of active runtime, which you can spread across a 7-day window. You can pause and resume sessions, but once the 24 hours are used up, that’s it. So time management matters.

What’s Actually Tested

This isn’t a guessing game or a typical CTF. The focus is on execution and decision-making:

  • AD Recon & Exploitation: Kerberos abuse, ADCS misconfigurations, and lateral movement
  • Privilege Escalation: Moving from a low-privileged user to full domain control
  • Cobalt Strike Usage: Managing Beacons, maintaining access, and applying OPSEC to stay under the radar

The Deliverables

There’s no long report writing here. The platform tracks your progress based on objectives completed, so success is measured by what you actually achieve in the environment.

Exam Tip: Pivot, Don’t Force

If something isn’t working, don’t tunnel on it. Switch approaches. Try a different lateral movement path, revisit your enumeration, or adjust your OPSEC. Progress in this exam comes from adaptability, not persistence on a single technique.