CRTO: Learning Cobalt Strike the Right Way

What It Is

The CRTO (Certified Red Team Operator) is ZeroPointSecurity’s Cobalt Strike-focused red team certification. The course covers C2 infrastructure setup, Cobalt Strike beacon management, communication channels and relay between beacons, lateral movement, persistence, evasion, OPSEC tradecraft, Beacon Object Files (BOFs), and Aggressor scripts. The exam is 48 hours against a Windows Active Directory environment with active defenses.

Exam objective: compromise the final target — but that alone isn’t enough to pass. The scoring system factors in OPSEC. You need to stay below a detection threshold throughout the exam to accumulate enough points.

Why I Went for It

Coming from an AD background built with CRTP — manual tool-by-tool exploitation, PowerShell tradecraft, open-source C2 — the CRTO was the natural next step. My team used Cobalt Strike operationally, and I wanted to understand it properly: not just how to run commands, but how the tool actually works, what each action does under the hood, and where the detection risk sits.

Read Everything

The course material is well-structured and dense. Tips are scattered throughout — not always in obvious places. If you skim, you’ll miss them. Read every section carefully, including the parts that seem like context rather than instruction. That’s usually where RastaMouse has slipped in something you’ll need later.

The course also recently moved evasion earlier in the curriculum, placing it before the core technical chapters. That’s the right call and it changes how you approach everything that follows.

The Evasion Chapter

This chapter is the highlight of the course. The theory is solid, but the real value is what you do beyond it — and that’s on you. The course sets up the concepts and shows you the mechanisms, but the evasion chapter is where you should stop following and start experimenting.

Customize your payloads. Test different configurations. Try things that aren’t explicitly asked. This is the chapter where you get to understand how payload staging, obfuscation, and sleep behavior actually work — and where small changes produce meaningfully different detection outcomes. Be curious here, more than anywhere else in the course.

The reason the course puts evasion first now is deliberate: by the time you’re running lateral movement, persistence, or credential operations, the OPSEC mindset is already built in. You’re not bolting evasion on at the end — you’re thinking about detection at every step. That reflects how real engagements should work.

C2 Mechanics

The course covers Cobalt Strike properly — not just “here’s how to use the UI.” Understanding how beacons communicate, how to route through relays, and how to chain beacons across network segments is something you don’t get from just running payloads. BOFs and Aggressor scripts round it out: BOFs for in-process execution of custom capabilities, Aggressor for automating and extending Cobalt Strike’s behavior.

This is one of the strongest parts of the training. Knowing the tool’s architecture changes how you operate it.

The Abstraction Trade-Off

Here’s something worth thinking about carefully. Cobalt Strike makes complex operations simple. jump handles lateral movement in one command. steal_token handles impersonation. That convenience is real — it’s why operators use CS in the first place.

But that convenience has a cost: you can run operations without understanding what’s actually happening. Most of Cobalt Strike’s action commands are abstractions over things that, done manually, involve multiple steps, specific API calls, and distinct detection footprints. A single CS command can silently chain service creation, payload drop, execution, and cleanup — or token duplication, thread injection, and handle manipulation — and none of that is visible unless you know to look for it.

If you’ve done CRTP before CRTO, this is where that background pays off. When you’ve manually built the equivalent operations step by step, you understand what Cobalt Strike is abstracting. You know the detection surface because you’ve seen it bare. You know which step in the chain is the noisy one.

If CRTO is your first serious red team training, be aware of this gap. The course covers OPSEC and detection, but it doesn’t make you build everything from scratch. Supplement it — use the evasion chapter’s lab time to dig into what each command actually does, not just whether it works.

The Exam

48 hours. Active defenses. OPSEC scoring.

The final objective is mandatory — you have to reach it. But reaching it isn’t enough. The scoring penalizes detections, so you need to maintain a minimum OPSEC threshold throughout to accumulate enough points to pass. This is well-designed: it eliminates the strategy of “spray everything noisily, reset detections, and compromise the goal.” You have to work cleanly.

Tips:

  • Evasion chapter lab time is exam preparation. Don’t rush it.
  • Know your payloads. Understand what each configuration changes before you’re under time pressure.
  • OPSEC decisions compound — a noisy early action can raise the baseline alerting level for everything that follows.
  • The exam environment reflects the lab. If you’ve worked carefully through the course, the environment shouldn’t surprise you.

Where It Fits

CRTO is the Cobalt Strike-specific path. If you want to operate CS properly and understand it beyond surface usage, this is the right certification. The comparison to CRTP is direct: CRTP teaches you AD exploitation manually; CRTO teaches you to do it through a professional C2.

They complement each other. CRTP gives you the mechanistic understanding; CRTO gives you the operational workflow. Doing both — in that order — produces a significantly stronger operator than either alone.

For deeper evasion and tool development: CRTE/CRTM or more specialized research is the next layer. CRTO is the right step between junior-AD and that level.

Verdict

Strong certification. The OPSEC-first course structure and the detection-weighted exam scoring reflect how red team operations actually work — and that’s rarer than it should be. The evasion chapter alone justifies the cost if you engage with it properly.

Go in curious. Read everything. Experiment past what’s asked. That’s where the real value is.