Certified Red Team Operator (CRTO) Review - October 2025

yay!

Hello, Hackers! 

When I initially started this course, it felt like I was going into a different universe, one where I had little exposure to how things work. I initially had really weak skills when it came to AD hacking, and looking back now, it was a little insane for me to jump through (but hey, a little bit of delusion pushes a person a teeny bit).

For a quick refresher, the Certified Red Team Operator (CRTO) certification is a grueling 48-hour (of total environment uptime) exam where you have to conduct an end-to-end red team operation on a multi-forest Active Directory environment while remaining undetected.

In total, I spent approximately a month and 8 days (a minimum of around 8–10 hrs a day) consuming all the content and going through the labs over and over again to understand the concepts. The hardest part for me was the mindset shift from “What component can I bypass/exploit?” to “What misconfigurations can I abuse?”. I failed my first attempt, in which I got a 75/100, for screwing around with AppLocker and unintentionally using loud lateral movement techniques (oops).

The exam overall is, I’d say, straightforward, and you’ll rarely come across a scenario where you’re stuck in a rabbit hole if you absorbed all the lessons thoroughly. I’d say that, ironically, I was going through the AD parts smoothly and was stuck one time on a service-related exploit during the exam (thanks MSSQL).

Compared to other pentesting certs, this one’s built different. This of course is a red team cert, but other than that it tests your patience with Cobalt Strike beacons (this is insanely real, I had an instance where it took me 5 mins+ just to get a beacon back) and shifts your mindset totally to a misconfiguration perspective rather than pentest and go.

What’s the Difference?

Compared to the previous CRTO, there were modules that were removed and some that were added/improved on (to the best of my knowledge). One of the key things changed was the LMS being used and the fact that retakes are now free and do not need to be booked on a calendar. In addition, Rasta adopted a ‘purchasing power parity’ model where if you live in a less fortunate country, you’ll get a higher discount. (I have no data on whether this was used previously, but it's still good to point out.)

In addition, the labs are now totally separated per module, unlike the previous bundle where you had fixed lab hours (and, as far as I know, it saves your progress throughout the entire course). This means you can go through that module’s lab over and over again without the fear of bricking something and not being able to use it again.

If you want to read more about the changes, you can check them out on the official ZPS website: https://www.zeropointsecurity.co.uk/blog/new-site-launch

How can I Prepare / General Prep

Unlike other certification exams where you have to grind outside to better prep, I can say that the course materials are already enough for going through the exam. Because realistically, to the best of my knowledge, there’s no public lab out there that offers Cobalt Strike for practice...

On a personal note, this shows how the course is really well made and is worth your money if you’re serious about going down a more red team/adversary sim route.

Before attempting the exam, I would say that it depends from person to person on their weak points. Mine was around cross-forest attacks, so I just focused my time there before taking the exam until I felt it was good enough for an attempt.

During the exam, other students and I consistently used the course materials + the old CRTO cheat sheet from An0nUD4Y’s GitHub, because in some rare cases, I found it easier to use the older methods while I was in the exam.

Link: https://github.com/An0nUD4Y/CRTO-Notes/blob/main/CRTO%20-%20Cheatsheet.md

Another one that is not talked about much is to change the initial mindset of scarcity: the exam retake is unlimited and free, so just go through it, understand where you failed and do better on the next attempt.

Just one disclaimer I would like to raise: do not abuse the unlimited retake without reason (i.e., running the exam instance for the full 48hrs without a reason). It's just a little due diligence on our end, as we want to give the same opportunity to future exam takers, and ofc we don’t wanna bankrupt Rasta :P

Lastly, take a lot of rest from time to time, celebrate your mini wins and don’t forget to give yourself a pat on the back. If you’re stuck on a part during the exam, take a walk, rest, doomscroll on IG reels, anything that gets you off that frustration temporarily so you can think of a better approach. I find new ideas flow naturally when I’m off the screen and doing something productive, like working out or just taking a short walk outside.

Pre-Exam / Exam Start Checklist

For my website readers, I've compiled a checklist that you can use before you start or early on in the exam.

  • Before taking the exam, grind out the Defense Evasion Lab first, and get your payloads, artifact and resource kits, and malleable C2 polished and undetected by Defender (it's all in the course).
  • While you're in the exam, make sure not to forget to import the important cna files (SQL BOF, etc.).
  • Once you get the foothold and have found another way to the other machine/s, DO NOT move laterally with PsExec. This is by far the loudest and one of the reasons I failed my first attempt. Don't make the same mistake.
  • Make full use of BloodHound in the initial stages, map who's admin of who and take a mental note before you proceed.

Mini FAQ

  • Do I need previous red team knowledge / do I need to be an expert in defense evasion before taking the exam? Yes and no. Yes, because of course you need some level of fundamental knowledge of what you are about to do so you don't struggle in absorbing the course content, and no, with a caveat, because at some point you have to understand some C/C#/.NET to modify Cobalt Strike’s artifact/resource kits and other things to your liking to evade AV during the exam.
  • Do they give out Cobalt Strike licenses for local installation? No, everything is done through your web browser. Rasta would be eating beans and toast for his whole life if he did.
  • I bought the old CRTO and want to try the new one, what do I do? Email [email protected]
  • Did you miss touching grass? Yes, very much, I was stuck in my place for a month vro 🥀
  • CRTL when? +1 day behind release for asking this question

Overall, CRTO is a really great course. I’m a person that gets bored easily, and I can say that the teaching style is not boring and it’s delivered in a bite-sized manner where, after a module, you have to demonstrate that knowledge in that designated lab or a challenge where you’re just given a task and you must complete the objective. I would say it's a challenging exam, but doable if you've gone through the material meticulously.