
# Certified Red Team Operator (CRTO) Review | ghostwirez

### Background

Last month, I finally passed the [Certified Red Team Operator (CRTO)](https://certs.zeropointsecurity.co.uk/3c7c222f-7909-42cd-a106-8062f884be76#acc.0NLJFZvl) from **Zero-Point Security**.

After wrapping up the Certified Penetration Testing Specialist (CPTS) from **HackTheBox**, I took a deliberate break from getting certifications. When I felt that I was ready, I decided CRTO was the right next step, as it fits in the red team territory, covering the kind of adversary simulation tradecraft that I wanted to build depth in.

I spent roughly six weeks going through the material. I didn’t rush it; I took my time with each module and made sure I actually understood the content rather than just grinding through it to reach the exam.

#### What does the CRTO cover?

The CRTO is built around **Red Team Ops**, Daniel Duggan’s [course](https://www.zeropointsecurity.co.uk/course/red-team-ops) offered through Zero-Point Security. It uses **Cobalt Strike** as the primary C2 framework and walks you through the full red team kill chain inside a simulated multi-domain enterprise environment.

The certification is entirely hands-on. You’ll be:

* **Operating a C2 framework (Cobalt Strike)** across a live multi-domain AD environment.
* **Moving through the full attack lifecycle** — from initial access all the way to domain dominance and trust exploitation.
* **Practicing OPSEC-conscious tradecraft** at every phase, not just running exploits.
* **Abusing Active Directory misconfigurations** including Kerberos delegation, ADCS, and domain trusts.
* **Thinking like an operator**, not a CTF player.

One thing I genuinely appreciate is that Daniel consistently updates the course material. By the time I finished, new content had already been added, which meant I had to circle back and go through the updates before sitting the exam.

#### Lab Experience

The lab is now structured around unlimited access: you can spin up sessions as many times as you need without burning a fixed hour bank. That said, each individual session is time-boxed per module (roughly 30 minutes to 1 hour depending on complexity). Once a session ends, you simply start a new one.

In practice, this is plenty of time to work through the material, and the unlimited reset means you can revisit any module without penalty.

#### Exam Experience

The exam has been updated to a new format that differs from what most reviews you’ll find online describe, so if you’re going off older writeups, some details will be outdated.

Here’s how it works now:

* **24 hours to complete** (previously 48 hours), with the ability to pause and resume within a 7-day window.
* **No report writing. No proctoring.**
* **Unlimited free retakes** — once you pass, you can no longer retake the exam.
* **PPP (Purchasing Power Parity) pricing** — the cost is adjusted based on your country’s per-capita income, making it more accessible depending on where you’re from.
* **Scoring is 100 points total** — 50% for achieving the operational objective, 50% for OPSEC points.
* **Passing score is 85%** — meaning you can fail even if you complete the objective, if you were too noisy getting there.

That last point is worth sitting with. The exam isn’t just asking *can you get in* — it’s asking *can you get in cleanly*.

The objective itself is straightforward in concept: you’re given a target network with a clear end goal, authorized scopes, restricted hosts, and rules of engagement that mirror a real engagement. No flags, no CTF checkpoints. Just one objective and a network standing between you and it.

#### Timeline

| Milestone                       | Date                       |
| ------------------------------- | -------------------------- |
| Purchased *Red Team Ops* course | September 23, 2025         |
| Completed the course            | December 2, 2025           |
| Course updates released         | December 2025 – March 2026 |
| Multiple exam attempts          | Early 2026                 |
| **Passed the CRTO**             | **April 18, 2026**         |

#### Key Takeaways and Tips for Anyone Studying

* The course expects that you have **prior knowledge of Active Directory**, as it focuses more on how to use Cobalt Strike.
* Deeply understand **all three Kerberos delegation types**. Don’t just memorize syntax; understand why each one works and what the KDC is actually doing.
* Know your **trust attack directions** (parent-child, inbound, outbound); each requires a fundamentally different approach.
* Research the **alternative approaches** in every module; they’re often more practical in restricted environments and may be what you need in the exam.
* Apply **OPSEC thinking from day one**.
* The exam has **no time pressure** in the traditional sense, so be methodical, not rushed.

#### Final Thoughts

The CRTO is one of the most practical red team certifications available at this level. It teaches you to think like a red team operator, chain techniques, and operate without creating obvious noise.

Big thanks to Daniel Duggan (RastaMouse) for continuously improving Red Team Ops. The updates make a real difference.

#### Let's Connect

If you’re studying for the CRTO or want to talk red team tradecraft, feel free to reach out. You can also find me through [LinkedIn](https://www.linkedin.com/in/arvinrafaellegaspi/) and in the [CyberwireZ](https://discord.gg/np3eptqS4K) community, where we regularly discuss offensive/defensive security, run HTB meetups, and share resources.

