CRTO Review (Certified Red Team Operator)

Ömür Uğur
5 min readFeb 9, 2022


I had a certificate by successfully completing the CRTO exam in the past days, and while my knowledge was still fresh, I decided to write an article to convey to you. (
Red team is actually the most important stage of the tests and many institutions do not provide this service and I had to learn this..
vuln. Ass < Pentest < Red Team ..
I decided to take this training to improve myself on the Red team side and I registered. First of all, I can say that it was a very high quality education and exam experience for me after OSCP.
There were of course similar courses CRTP, CRTE etc. So why did I choose

Both the course lifetime access, the experience of using the CS (Cobalt Strike) tool, and the CRTO badge, which is not found in many people .. these factors led me to the CRTO training and exam.
The training is completely focused training with the CS tool. and lab-exam offers you a fully licensed CS tool.

The certified red team operator is essential for advancement in their careers and for penetration testers who want to become a red team member. They will explore the tactics, techniques and procedures that threat actors use to infiltrate and stay in IT systems. Throughout the hands-on experience, students will apply their knowledge to a live laboratory.

Education :

Course content is one of the certification’s strengths. I think it covers a lot of concepts related to red team building. It is divided into several modules and each corresponds to a tactic used by threat actors. For example, the lateral movement module explains in detail the techniques used to switch from one computer to another.

A very impressive video-pdf in terms of education (access via Thinkific portal)
Lifetime access and updates are available.

Lab :
A lab is an active directory infrastructure made up of three forests. The first Forest has a subdomain and a root domain, while the remaining forests are configured with the inbound and outbound domain Trust respectively. Cobalt strike is now the command and control server of choice in the course.
The lab is designed to allow students to explore the different vulnerabilities described in the course material. The goal is to apply what you learned in the course material to gain a domain manager across all forests. There is also a Splunk instance to review the different logs you left behind. The course talks about some of these determinations and invites you to try them and find ways to bypass them.
To connect to the lab, you need to use your account in Snap labs. After logging in, you can start your private lab and connect to a Kali machine in your web browser via Guacamole. Even if you see a green status, you will have to wait a little longer. It was frustrating at first, but I got used to it. In fact, I noticed that the lab was working well; It only needed a few more minutes to be reached via guacamole.
At the same time, it was quite good that there was no 1-month — 2-month sales like other trainings.
You buy hourly and when you wake up the lab environment, the system starts to decrease in time, which prevents your unnecessary expenses.

I recommend getting other certificates like CRTP in penetration testing, especially if you are completely new to active directory hacking. For me, CRTO is for intermediate penetration testers who want exposure to the Red team. However, if you are familiar with active directory hacking, you can give it a try.
The course is rich and heavy. If you hurry, you will definitely miss many interesting concepts. I recommend focusing on each module, applying your knowledge in the application lab, and making relevant notes to help you quickly reconstruct the attack. Personally, I completed the entire course in 2.5 months, working 1 hour a day on average, and I took the exam to try myself without solving most of the labs 😊 I think 40 hours will be enough for the lab on average.

My working method:
I took my notes about all the articles and videos, wrote the commands and necessary tools in a notebook, and then tried to make examples of the subjects in labs.
If you follow the course step by step, the exam will not be too difficult for you. Attention!! I’m not saying it won’t be forced. It won’t be too hard 😊

I say the exam is not easy, why?

1: Many people spend a lot of time before they get their first sign. However, if you study the course materials carefully, you will understand why. Preparation work is very important.
2: In the quiz, you only have Kali as the attacking machine, meaning you won’t have access to some of the tools you used in the lab. Some of my favorite tools are missing. So, get familiar with multiple similar tools rather than sticking to a single tool.
3: The course materials have everything you need to pass the exam, but that doesn’t mean that copying and pasting the steps can help you pass the exam easily. You need to understand these steps and think outside the box.
4: Except for the last two flags, the attack path is clear.. but you have to be extremely careful. I spent 90% of my exam time troubleshooting and debugging. AV, AMSI, hostname, special characters, single/double quotes, firewall rules, etc. something you should pay attention to, including but not limited to. And the 6th Flag was pretty annoying.. (I didn’t get the 7th and 8th Flag ☹
5: Flag 6 requires multiple steps if you just want to pass the exam. You have to be very careful to avoid any mistakes or you will fail. You will capture flags in order, so if you can’t capture flag 6, you won’t be able to capture flag 7 and flag 8.
6: The last flag is hard, you have to completely compromise 4 hosts to catch it. Frankly, I had about 1 hour left after receiving 6 flags and I couldn’t work hard for 7 and 8 Flags as it was enough for me to pass the exam. I wasn’t completely ready before I took the exam anyway.
The exam is a lot of fun, I think it is much more fun and challenging than the lab. After OSCP, the CRTO exam was a successful exam.

In addition, the exam is 48 hours, but you can finish it in 4 days, so you can stop and continue your time like a lab.
There is no supervisor. you are not writing in any writeup.
You just enter the flags you find on the exam portal.

Key benefits of CRTO
I see that this certification includes several benefits. Above all, I appreciated lifetime access to course content. The course itself is comprehensive and rich. Second, both the practice and exam labs allowed me to apply my knowledge extensively. Third, you get a badge from as proof that you have successfully passed the exam. For the price, I think this certificate gives you more than your money’s worth.

Final Review

1: Course material, lab and exam
2: Red team work
3: The best bridge between OSCP and OSEP
4: Teaching C2
5: The lab and exam are timed and you have the time control

1: Must be a supervisor..
2: I think it should be written in the report, I think the quality of the report is also important for the red team.

This is what I will tell you about education and exam in general, see you in my next education and certificate adventure 😊



Ömür Uğur

Pentest Manager at Turk Telekom | Sr.Penetration Tester | Bug Bounty Hunter | OSCP | OSWP | CRTO | eMAPT | eWPTX | CEH Master | ISO 27001 LA | ICS | @Synack