
CRTO 2025 Review - The Red Team Cert That Actually Teaches You to Think

Most certifications teach you a list of things to do. CRTO teaches you how to think when the list runs out.

Why This One?

At some point during your offensive security journey, you start noticing a pattern. Most certifications hand you a checklist. Find this, exploit that, escalate here. It works, and it gets you through exams. But somewhere between finishing the course and sitting in a real engagement, you realize the checklist runs out long before the network does.

I wanted something different, and the Certified Red Team Operator (CRTO) by Zero Point Security (now part of Fortra) kept coming up in the right conversations. So I went for it. What I found was a certification that is less interested in teaching you every attack in the book and far more interested in teaching you how to think when you are operating inside a monitored environment.


Pricing First, Because It Is Worth Talking About

RastaMouse has implemented Purchasing Power Parity (PPP) pricing, which means the cost adjusts based on where you are buying from. If you are in a country with lower purchasing power, you pay less. Not a token discount, but a meaningful one that reflects your local economic reality.

It is a rare thing to see in a market that has largely figured out that certifications are a reliable revenue stream regardless of whether they provide genuine value. A lot of what is on offer today is designed to be purchased rather than studied, and failure is quietly built into the business model as a profit center.

CRTO does not do that. What you get for the price: lifetime access to course materials, lifetime access to the labs, and unlimited exam attempts with a cooldown period between them. No per-attempt fee waiting to punish failure. That changes the psychology of the whole experience, and I will come back to that.


The Course

CRTO is not a beginner certification. It assumes you have working familiarity with Active Directory, basic networking, and the general shape of a penetration test. If you do not, the course will not walk you through the fundamentals. You will want to fill those gaps first.

What the course does well is structure its content around the attack lifecycle rather than a flat list of techniques. You start with a primer on Red Teaming, what it actually means, the legal considerations, and the mindset required, before moving into the operational content. From there it follows a logical arc: initial access, reconnaissance, post-exploitation, privilege escalation, persistence, lateral movement, domain dominance, and trust abuse.

Cobalt Strike is the C2 framework at the heart of everything, which is worth pausing on. It is expensive commercial software, widely used by actual red teams and, awkwardly, by threat actors as well. Learning it here is genuinely useful, not just for the exam but for understanding how mature C2 infrastructure behaves. The course teaches you to configure it properly rather than just click buttons.

There is also a defense evasion section that deserves more attention than it gets in most reviews. It is not a list of bypass techniques to memorize. It is an introduction to why detection happens, which turns out to be far more useful than a list of tools that may or may not work by the time you use them.

Throughout every module, OPSEC considerations are woven in. Not as footnotes, but as genuine decision points. Why does this technique generate noise? What would this look like to a defender? This thread runs through the entire course and is what elevates it from penetration testing content with a red team label into something that actually reflects how careful operators think.

The writing is direct and practical, and the content was being actively updated while I was working through it, which is exactly what lifetime access should mean.


The Labs

The labs in the current version are modular rather than one large continuous environment. Each section of the course has its own focused lab, and there are challenge labs that serve as capstones for the material covered.

You can revisit a specific technique without resetting an entire environment. The labs are included with no additional cost, and the attacker machine comes pre-configured with the tooling you need, so there is no setup overhead eating into your time. Connection was stable throughout and performance was consistent.

The tradeoff is that you do not get to practice a complete attack chain end to end before the exam. The course takes you through each part of the chain in focused pieces, and the exam is the first time you assemble all of it together. For some people that is uncomfortable. For others, the unlimited exam attempts make that first run a genuine learning experience rather than a high-stakes gamble. Given the economics, it is a reasonable tradeoff, though an optional extended lab for full simulation practice would be a welcome addition.

One thing worth knowing: Defender is only fully active in the defense evasion section. If you want to practice evasion in the context of earlier techniques, you can enable it manually, but it adds friction.

The Exam

The exam is where this certification earns its reputation.

You get 24 hours of exam time spread across 7 days. No scheduling required, just start it when you are ready. The scope and engagement rules are presented at the beginning. Read them carefully; they matter. The attacker machine has everything you need already installed.

The scoring works like this: 50 points for completing objectives, 50 points based on how much noise and how many alerts you generate. Passing requires 85 out of 100.

That second half is the interesting part. Most certifications grade you on whether you got there. This one grades you on how you got there. If you brute-force your way through the environment triggering every alert along the way, you can complete all the objectives and still not pass. That is not a trick or a gotcha. It is the whole point. Red teaming is about operating inside a defended environment without being caught, and the scoring model enforces that mindset rather than just mentioning it in the course materials.

The exam tests what the course teaches, and nothing else. If you have done the work and understood the reasoning behind it, not just memorized the commands, the exam is hard in exactly the right way.

This also does something important when it comes to exam integrity. Brute-forcing the exam through repeated attempts does not work, because half the points depend on how cleanly you operate, not just on whether you completed the objectives. You have to actually understand the material to pass.


What It Does Not Cover

It is worth being honest about scope. CRTO does not cover external reconnaissance or OSINT. It does not go deep into AD CS abuse or GPO abuse. The current version is not trying to be a survey of every Active Directory attack technique that exists. It is deliberately focused on operator discipline, engagement behavior, and OPSEC-aware execution within an internal environment.

Whether that is a limitation depends on what you are after. If you want comprehensive AD attack coverage across the board, you will need to look elsewhere as well. If you want to learn how to operate professionally once you are already inside, this is a well-designed place to build that foundation.


Who Should Take This

You should take CRTO if you already have a working knowledge of Active Directory and penetration testing fundamentals and want to start developing real red team operator skills. It is not a starting point, but it is a very good second step.

You should probably not take this as your first certification if you are still learning what Active Directory is. The course will feel frustrating without that background, and there are better places to build the foundation before coming here.


Final Thoughts

The certification market has a real problem. A lot of what is on offer is designed to extract money from people who need credentials, with just enough content to justify the price tag. CRTO is a genuinely different thing, and the proof is in the structural choices. The PPP pricing, the unlimited attempts, the lifetime lab access. These are decisions that cost the vendor something, and they signal clearly what the certification is actually trying to do.

The content backs that up. The OPSEC-first philosophy is not marketing copy. It is structural. It runs through the course, through the labs, and into the exam scoring itself. You cannot game your way around it. You have to understand it.

If you have the foundation and you want to start thinking and operating like a red team professional, CRTO is one of the better investments you can make. The industry would be in a better place if more certifications were built like this one.
