There’s a specific moment in a red teamer’s career when OSCP stops feeling like the ceiling and starts feeling like the floor. You’ve got your shells. You can pivot. You understand the methodology. But real engagements don’t look like OSCP machines. They look like hardened Active Directory environments with EDR, segmented networks, and defenders who are actually watching.
That’s exactly the gap the CRTO fills.
The Certified Red Team Operator from Zero-Point Security is the most practical red team certification I’ve seen in the mid-level space. It’s taught by Daniel Duggan (known in the community as RastaMouse), covers Cobalt Strike end-to-end, and teaches you how to operate inside a defended environment — not just pop boxes.
This is a full, honest review: what the course covers, how hard the exam is, what it costs, and whether it’s the right next step for you.
What Is the CRTO?
The Certified Red Team Operator is tied to Zero-Point Security’s Red Team Ops (RTO) course. It’s a practical, adversary-simulation focused certification that covers the full lifecycle of a red team engagement — from initial access through full domain compromise — using Cobalt Strike as the primary C2 framework.
This is not a beginner cert. It’s also not a cert for people who just want to pad their resume. The CRTO is built for practitioners who want to operate like an actual adversary inside a defended environment, understand tradecraft at a technical level, and learn how to use one of the industry’s most widely deployed red team tools.
RastaMouse is the real deal. His blog, his research, and the quality of the course content reflect someone who actually does this work — not someone who read about it.
Who Should Take It
CRTO is for you if:
- You’ve passed OSCP or have equivalent hands-on experience
- You want to move from “pentesting” into genuine red team operations
- You need to learn Cobalt Strike in a structured, legal environment
- You’re targeting senior red team operator or adversary simulation roles
- You want to understand offense in environments with actual defenses
CRTO is not for you if:
- You’re still learning basic enumeration and exploitation fundamentals
- You haven’t worked with Active Directory attacks yet
- You’re looking for a cert that impresses HR screeners over practitioners
If you don’t have OSCP yet, finish that first. Then come back.
What the Course Covers
The Red Team Ops course is structured around a realistic red team engagement. You work through the full attack chain inside a lab environment that mirrors what you’d face on a real engagement. Key topics:
Command & Control (Cobalt Strike)
This is where the course stands out. You learn Cobalt Strike from the ground up — malleable C2 profiles, listener configuration, payload generation, and operational security around your infrastructure. You learn how to set up redirectors, how to blend into legitimate traffic, and how to manage a long-term engagement without burning your C2.
Most people learn Cobalt Strike by fumbling around with a trial license or piecing together blog posts. RTO gives you structured instruction with a real lab environment.
Active Directory Attack Chains
The course covers the full internal AD attack chain:
- Domain reconnaissance with BloodHound
- Kerberoasting and AS-REP roasting
- Pass-the-Hash, Pass-the-Ticket
- DCSync
- ACL abuse
- Forest and domain trust attacks
These aren’t isolated techniques. You learn how they chain together into an actual engagement flow.
Defense Evasion
This is the section that separates CRTO from most other certs. You learn how to operate against Windows Defender and other AV/EDR products — how to generate payloads that don’t immediately detonate, how to use process injection and PPID spoofing, and how to think about evasion operationally rather than as a one-time bypass.
You’re not just running tools. You’re understanding why defenders catch you — and how to not get caught.
Pivoting and Lateral Movement
Multi-segment network traversal, SOCKS proxies through Cobalt Strike, and pivot techniques that work in real environments with firewall rules and segmentation.
Operational Security
How to maintain OPSEC during an engagement — covering your tracks, being deliberate about log generation, and operating with the awareness that someone may be watching.
Exam Format
The CRTO exam is a 48-hour practical exam conducted entirely in a dedicated lab environment. You’re given a realistic internal network — a multi-machine Active Directory environment — and your objective is to compromise it using red team tradecraft.
The exam is objective-based, not CTF-style. You’re collecting flags by completing specific attack milestones (initial foothold, lateral movement, domain admin, etc.). Passing requires completing a defined number of objectives, not necessarily every single one.
Key logistics:
- Duration: 48 hours
- Format: Browser-based lab environment (Snap Labs)
- No report required — this is objective-based, not report-graded
- Passing threshold: Approximately 6 out of 8 flags (specifics may vary)
- Retake policy: Retakes available at reduced cost
The 48-hour window is generous. Most candidates who are well-prepared finish in 12–20 hours. But if you get stuck on specific objectives, that buffer matters.
One caveat: Unlike OSCP, CRTO doesn’t require a written report. For pure skill validation this is fine, but if you’re also trying to demonstrate your ability to write client deliverables, you’ll want to practice that separately.
Difficulty
Honest calibration: harder than OSCP’s standalone machines, easier than OSCP’s AD set if you’ve actually done the course.
The exam tests whether you can apply the course material. If you’ve worked through the labs thoroughly, the techniques are familiar. What makes the exam genuinely challenging is the combination of:
- Defense evasion requirements — payloads that worked in the lab may not drop cleanly without tuning
- Operational continuity — maintaining persistence and managing your C2 across a multi-machine environment
- Logical attack chaining — knowing the sequence, not just the individual techniques
The biggest failure mode candidates report: rushing into the exam without thoroughly completing the labs. RTO has a significant amount of lab content. Do all of it. Cobalt Strike has a learning curve and the exam will expose gaps fast.
Cost
The Red Team Ops course and CRTO exam bundle is priced at £399 GBP (approximately $499-$510 USD depending on exchange rate). This includes:
- Lifetime access to the course content
- 40 hours of Snap Labs lab time (additional hours purchasable)
- One CRTO exam attempt
- Certificate upon passing
For context on price-to-value:
| Cert | Price (USD) | Report Required | AD Focus | Cobalt Strike |
|---|---|---|---|---|
| OSCP | ~$1,499 | ✅ Yes | ✅ Yes | ❌ No |
| CRTO | ~$499 | ❌ No | ✅ Yes | ✅ Yes |
| CRTE | ~$249 | ❌ No | ✅ Heavy | ❌ No |
| PNPT | ~$499 | ✅ Yes | ✅ Yes | ❌ No |
At ~$499 with lifetime course access and Cobalt Strike training, CRTO has one of the best price-to-value ratios in the red team space.
Additional lab time runs approximately £10 per 10 hours, which is reasonable if you need extended practice.
Study Resources
Zero-Point Security Course Material
The course itself is the primary resource. It’s text-and-lab based (no video lectures), which some people find more efficient than watching hours of footage. The writing is technical and dense — exactly how it should be.
Work through every module. Don’t skip the evasion sections.
RastaMouse Blog
rastamouse.me — RastaMouse’s personal research blog. If something in the course material feels thin, his blog posts often go deeper. Some of the evasion techniques in the course originated here.
Recommended Books
The Hacker Playbook 3 by Peter Kim
The closest thing to a real-world red team engagement methodology book. Kim’s playbooks are structured around actual attack chains: AD lateral movement, external recon, C2 operations. This is required reading alongside the CRTO course. THP3 is heavily AD-focused, which matches exactly what CRTO tests.
Attacking and Defending Active Directory by Nikhil Mittal
Deep-dive reference on AD attack techniques. If you want to understand the underlying mechanics of Kerberoasting, trust attacks, and ACL abuse beyond what a course covers, this book fills those gaps. Essential for anyone serious about AD red teaming at a technical level.
Operator Handbook by Joshua Picolet
A dense reference covering red team TTPs, OSINT, and defensive analysis — useful for operational methodology rather than just technique execution. Good desk reference once you’re running real engagements.
CRTO vs OSCP: How They Compare
These certifications address different parts of the offensive security stack. They’re not in competition — they’re sequential.
| | OSCP | CRTO |
|---|---|---|
| Level | Mid-level | Mid-to-senior |
| Price | ~$1,499 | ~$499 |
| C2 Framework | Basic tools (MSF, manual) | Cobalt Strike (full) |
| Report Required | ✅ Yes | ❌ No |
| AD Depth | Moderate | Deep |
| Defense Evasion | Minimal | Significant |
| Industry Recognition | ✅✅✅ Excellent | ✅✅ Strong (practitioners) |
| Best After | eJPT / foundational | OSCP / equivalent |
OSCP still wins on resume recognition with generalist enterprise employers and HR screeners. CRTO wins on practitioner credibility — if you’re interviewing with an actual red team, they’ll rate CRTO highly. They signal different things to different audiences.
The realistic path for a serious red team career in 2026:
eJPT (optional) → OSCP → CRTO → CRTE or OSED
OSCP validates general penetration testing competence. CRTO validates you can operate at the adversary simulation level. CRTE (Certified Red Team Expert, by Altered Security) pushes deeper on advanced AD techniques. OSED covers exploit development for those going into more specialized research roles.
Is CRTO Worth It in 2026?
Yes — strongly, for the right person.
If you have OSCP and you’re serious about red team operations, CRTO is probably the best ~$500 you can spend on a certification. The Cobalt Strike training alone is worth it. Learning to operate against real defenses in a structured environment is worth it. And the quality of RastaMouse’s instruction is genuinely high.
What CRTO won’t do: it won’t help you much in the job market at large companies whose HR filters sort on OSCP, CISSP, and certification name recognition. But if you’re targeting a specialized red team role, adversary simulation position, or consulting work, CRTO signals exactly the right things to exactly the right people.
The practitioner community respects it. That matters more than HR keyword matching for this role.
Next steps:
- Enroll in Red Team Ops at Zero-Point Security
- Get OSCP first if you haven’t: OSCP Review 2026
- If you want more AD depth next: look into CRTE from Altered Security
Written by a certified security professional (CISSP, OSCP) with 14+ years in offensive security and security leadership.
