What It Is
The CRTP (Certified Red Team Professional) from Altered Security is a hands-on Active Directory red team certification. The training covers AD enumeration, offensive PowerShell and .NET tradecraft, local and domain privilege escalation, persistence, cross-trust attacks, ADCS abuse, and — importantly — detection and bypass methods for Microsoft Defender and MDI. The exam is 24 hours of exploitation plus 48 hours to submit the report.
Exam objective: achieve OS command execution on every machine in a fully-patched multi-domain/multi-forest Active Directory environment.
Why I Went for It
Same context as the CPTS — I was an apprentice on a red team. The team had its own tooling and methods, and I wanted to expand beyond that, learn different approaches, and build a more solid technical foundation in AD attacks. The CRTP covered the gaps: structured methodology, evasion techniques, and a lab where I could actually practice without constraints.
The Windows-First Approach
Most pentest training defaults to Kali and Linux tools. CRTP doesn’t — everything is done from a Windows machine. That’s the right call. In real-world post-exploitation, you’re operating from a compromised Windows endpoint, not a Kali box. The course covers PowerShell, LOLBins, .NET offensive tooling, and native Windows commands. You also get a Sliver C2 lab manual as an alternative to the default tooling, which is genuinely useful.
This approach translates more directly to real engagements than most certifications at this level.
The Training Lab
The lab contains multiple Windows machines, multiple domains, and multiple forests — a complete enterprise AD environment. Windows Defender is enabled on all machines. Microsoft XDR is integrated throughout: every action you take generates telemetry you can review. That combination is what makes the lab valuable — you’re not just practicing exploitation, you’re seeing exactly what you leave behind.
Practical tips for the lab:
- Run through the course material and the lab in parallel. Don’t batch all the reading first.
- When something doesn’t stick, redo the exercise hands-on in the lab. Repetition works better than re-reading.
- Use the XDR actively. Test your techniques, check what triggered, and figure out how to do it quieter.
- Use every day of your lab access before starting the exam. Unused time is wasted once you launch it.
One issue worth mentioning: I ran into a machine that was legitimately broken during my lab time. If you’re stuck and something feels genuinely off, open a support ticket. They asked for screenshots, confirmed the issue was on their end, reset the machine, and it worked fine after. Support was responsive.
Note-Taking
The course is dense. Don’t copy-paste the content into notes — synthesize it. What I found useful: a general section per attack type covering the concept, why it exists, how to detect it, and how to patch it, then a separate technical section with commands and required context. These two types of notes serve different purposes during the exam, and mixing them is how you end up scrolling for five minutes looking for a command.
Obsidian worked well for me — linked notes and fast search made it easy to navigate under pressure.
The Exam
24 hours to compromise the environment, 48 hours to submit the report. The objective is OS command execution on all machines; you don’t need to become Domain Admin on everything, but you do need to prove you got there (or got as far as possible with a demonstrated methodology).
The report isn’t just a list of commands. You’re expected to explain your thought process — why you chose each approach, what you expected to find, what you concluded. Understanding over output.
Tips:
- Get proper sleep before starting. 24 hours goes faster than you think.
- When you’re stuck, step back. Fresh eyes after a short break have saved me more than any tool.
- Keep notes organized throughout the exam, not just during lab prep.
- Follow a methodology. The environment has multiple paths — don’t thrash randomly.
What I Got Out of It
The lab + XDR combination is the main thing. Seeing what detection actually looks like on the other side of your actions changes how you think about evasion. It’s not just “run the command” anymore — it’s “run the command and understand why it triggered or didn’t.”
The Discord community is genuinely active and useful. Lifetime access to course materials is a plus you don’t always get with other providers.
The one thing it doesn’t fully address: advanced tool development or custom bypass techniques. That’s by design — this is a junior-level certification. CRTE and CRTM go further into offensive tooling and bypassing more mature defenses.
Where It Fits
CRTP is the closest equivalent to RTO 1 (ZeroPointSecurity) in difficulty and target audience. The key difference: CRTP focuses on open-source tooling and manual exploitation, with Sliver as the C2 option. RTO 1 is built around Cobalt Strike. Both are legitimate — the choice depends on whether you want generalist AD red team foundations or early specialization in CS operator work.
For AD coverage at a deeper level: CRTE is the natural follow-up. For dedicated Cobalt Strike training: RTO. For a broader pentest foundation first: CPTS or OSCP.
Verdict
Bought this during Black Friday for around €200 — money very well spent. Dense course material, high-quality lab, XDR access, and a methodology that actually translates to real engagements. It’s a junior certification but it’s a serious one.
If you’re getting into red teaming, this is a strong first step. If you’re in blue team or SOC, there’s real value here too — understanding what attacks look like from the attacker side makes detection work significantly better.