About CRTO

The Certified Red Team Operator (CRTO) certification, developed by Zero-Point Security, is a highly practical course designed to equip cybersecurity professionals with real-world red teaming skills. Focused on adversary simulation using Cobalt Strike, CRTO goes beyond traditional penetration testing by emphasizing stealth, operational security (OPSEC), and post-exploitation tactics commonly used by advanced threat actors.

The training covers a wide range of techniques, including initial access, privilege escalation, credential access, lateral movement, and Active Directory attacks, all mapped to the MITRE ATT&CK framework.

CRTO Cobalt Strike

The Updated CRTO

The new CRTO is now a CREST-approved Training Provider, meaning the course is closely aligned with CREST's certification framework and professional development standards. This makes it an excellent choice for professionals seeking both formal recognition and practical, hands-on expertise in red teaming.

This updated release of the CRTO course brings several key enhancements. It includes revised pricing, separate lab and exam fees, and a new hands-on format that allows students to interactively practice each section.

To make the course more accessible globally, Purchasing Power Parity (PPP) is now supported - enabling students from different countries to benefit from regionally adjusted pricing. Additionally, the exam is now free and can be retaken as many times as needed, with unlimited lab access and lifetime availability of course materials, offering a flexible and student-friendly learning experience.

Lastly, the digital certificate is now provided through Accredible, with a new certificate and badge design that looks more modern and professional.

The Good Things

Beyond the great value in terms of pricing, exam flexibility, and unlimited lab access, several other aspects make the CRTO course stand out:

  • Clear and approachable introduction to red teaming: Great for beginners, with easy-to-follow explanations.
  • Well-structured content: The course is organized in a logical way that makes it easy to take notes and follow along. The material is comprehensive — no need to rely on external sources like Google.
  • Solid Cobalt Strike coverage: The C2 section is especially helpful for those new to Cobalt Strike, with practical and clear demonstrations.
  • Law and compliance module: A valuable addition, particularly for those targeting the UK market or working in regulated environments.
  • Completion certificate included: You’ll also receive a certificate of completion, in addition to the main certification if you pass the exam.
  • Excellent coverage of Cobalt Strike defense evasion: The explanations around artifacts and source kits, beacon memory behavior, and post-exploitation fork-and-run techniques were clear, practical, and very well presented.
  • Strong focus on OPSEC: Nearly every technique includes practical OPSEC tips, helping learners understand how to operate stealthily.
    If CRTO could be described in one word, it would be: OPSEC.

The Bad Things

Of course, like any course, CRTO has its strengths and areas that might not suit everyone. Some of the points I’ll mention below may not be considered drawbacks by others - in fact, a few could be intentional design choices to reduce costs or simplify delivery:

  • Limited explanation of process injection techniques: These are covered at a high level, but lack depth, especially from a coding perspective. While deep knowledge isn’t required to pass the exam, process injection is a core red team concept that deserves more attention in a red teaming course.
    OffSec’s OSEP course really shines in this area.
  • Discovery phase: Active Directory enumeration feels limited – Key areas like OU structure, GPOs, and user hunting are not deeply covered, nor is the relationship between AD objects clearly explored. However, the use of BOFHound instead of BloodHound was a nice touch.
  • Lack of video content for many sections: Some sections (e.g., defense evasion, forest/domain trusts) don’t have accompanying videos. If you're a visual learner, you may find yourself relying more on reading. That said, videos have started to appear at the end of a few sections, so this may improve over time.
  • Lab experience feels too guided: Each lab comes with a sidebar that walks you through exact commands and steps, which can limit real hands-on thinking. This format may be helpful for some, but personally, it felt less engaging. Labs are time-limited to 30 minutes (extendable by 15), which is usually enough.
  • Lack of end-of-course challenge labs: Unlike OSEP, CRTO doesn’t include challenge-based labs to apply what you’ve learned in a realistic scenario. These could have added more depth to the experience.
  • No final exercise to combine techniques: One thing I enjoyed in OSEP was the final chaining of techniques into a full attack path. CRTO doesn’t offer a similar exercise to tie everything together and showcase how different skills interact toward a goal.

The Exam

The exam is an assumed breach scenario with 48 hours long and introduces a new, well-designed format that reinforces the main focus of the course - OPSEC. Unlike the previous version where passing was based on simply capturing flags, the updated exam now requires you to consider operational security throughout your engagement.

Even if you achieve the main objective, that alone earns only 50 points. To pass, you’ll need at least 85 points, which means you must demonstrate stealth and proper OPSEC practices in your approach.

The exam scenario itself was fair and straightforward. In many cases, I could anticipate the next steps, even before running enumeration - though I did confirm my assumptions through it :).
Overall, the course material is sufficient to fully prepare you for the exam.

Tips

A few tips that might help you succeed in the CRTO Exam:

  • Don’t overthink it: Stick to what’s covered in the course. There’s no need to invent new techniques; everything you need is already provided in the material.
  • Defense evasion and delegation are your allies: Pay close attention to these sections; they’re critical for staying stealthy and gaining access in the right way.
  • Don’t rush when you find a path: One wrong command can generate an Indicator of Compromise (IOC) and cost you points. Take your time and think through each action.
  • The exam starts with an assumed breach: You’ll be given GUI access to a foothold machine with local administrator privileges, so focus on what you can do from there.
  • Always have alternative methods: Be ready with multiple approaches to achieve your objective, and always choose the one that creates less noise.

Overall

The CRTO is an excellent certification for those focused on OPSEC-conscious operations and real-world command-and-control (C2) frameworks like Cobalt Strike. It’s well-respected in the industry and can significantly advance your career - whether you’re pursuing your first role or transitioning from penetration testing to red team operations.

While it has a few minor drawbacks, the course continues to improve over time, and the learning experience itself is invaluable and worth it.

Considering the value it provides, the price is a steal.