Introduction
After 3 months of preparation and diving deep into Active Directory attack techniques, I finally sat the Certified Red Team Operator (CRTO) exam by Zero-Point Security. This is my honest review of the experience — what to expect, how hard it is, and whether it's worth your time.
What is the CRTO?
The CRTO is a practical, hands-on red team certification offered by Zero-Point Security. It is built around Cobalt Strike as the primary C2 framework and focuses on realistic adversary simulation techniques rather than CTF-style challenges.
The course covers a wide range of topics including:
- Active Directory enumeration and exploitation
- Kerberos attacks (Kerberoasting, AS-REP Roasting, delegation abuses)
- Lateral movement and pivoting
- Cross-domain and cross-forest attacks
- OPSEC fundamentals
The Exam Format
The exam gives you access to a realistic multi-domain lab environment and a clear operational objective: prove access to a target machine by writing a file to its disk. No flags hidden in CTF fashion — you either get in or you don't.
You have 48 hours of lab time (not necessarily consecutive) to complete the objective, which makes it far less stressful than other certifications with a hard countdown clock.
Difficulty & Experience
Honestly, the exam is challenging but fair. If you have gone through the course material carefully and practiced in the lab environment, you will have everything you need. The exam does not throw curveballs outside of what is taught — it rewards methodical thinking and a solid understanding of the attack chain rather than speed.
The environment is a multi-domain Active Directory setup where you start with limited access and need to chain multiple techniques together to reach your final objective. Nothing works in isolation — every step builds on the previous one, which makes it feel like a real-world engagement.
My biggest challenge was staying organized and methodical. It is very easy to go down rabbit holes, so keeping clear notes throughout the exam is essential.
Attack Path Overview
Each step requires a clear understanding of why you are doing something, not just running tools blindly. The exam rewards operators who understand the underlying Kerberos and AD concepts.
Tools Used
The exam is designed around Cobalt Strike, and familiarity with it is a must. Beyond that, the following tools come up regularly throughout the course and exam:
- Rubeus — for all things Kerberos
- PowerView / SharpView — for AD enumeration
- Mimikatz — for credential extraction
- SCShell — for lateral movement
All tools are pre-staged in the lab environment, so no setup headaches.
Tips & Recommendations
- Do the labs thoroughly before attempting the exam. The RTO course labs are where you build the muscle memory you'll need.
- Take notes as you go — document every hash, SID, and ticket you obtain. You will need them later.
- Don't panic — 48 hours of lab time is generous. Take breaks, come back fresh.
- Read error messages — when something doesn't work, the error usually tells you exactly why.
Verdict
The CRTO is one of the best practical red team certifications available today. It strikes a great balance between being accessible to intermediate practitioners and pushing you to think like a real adversary. The course material is excellent, the lab environment is realistic, and the exam is a genuine test of skill.
If you are looking to level up your Active Directory and red team fundamentals, I highly recommend it.
— Atrox