Offensive Security Learning Center

What Is CRTO? | Cobalt

Written by Cobalt | Mar 6, 2026 12:02:17 AM

The Certified Red Team Operator (CRTO) cybersecurity certification validates the ability to simulate adversarial attacks in a Windows Active Directory (A/D) environment using Cobalt Strike tools. How does it compare to other popular red teaming certifications? Is it worth your while, and what does it take to pass?

Use our guide to help you decide whether CRTO certification is right for you.

What Is Certified Red Team Operator (CRTO) Certification?

Certified Red Team Operator is a cybersecurity certification that demonstrates the ability to conduct adversary simulation and emulation skills using the Cobalt Strike hacking platform and supporting C# command and utilities. It emphasizes tactics, techniques, and procedures deployed in a Command and Control (C2) framework, such as evasion of endpoint detection and response (EDR) security tools and post-exploitation maneuvers.

CRTO and an optional supporting training course are offered by cybersecurity training provider Zero-Point Security, founded by pentester Daniel Duggan. The test is administered through the company’s online portal.

CRTO is considered an advanced red teaming certification for red teamers with prior experience. The course and exam are self-guided and require taking initiative to understand and apply the material. The course covers the entire red teaming process, from initial access to reporting. The exam allows 48 hours of lab access over a four-day period.

Zero-Point Security also offers a CRTO II certification focused on more advanced offensive security tactics and defense bypass strategies. It is designed to help build more secure and resilient on-premise C2 infrastructure with public cloud redirectors and HTTPS. Zero-Point Security recommends taking the basic CRTO course before attempting CRTO II.

Key Differences Between CRTO and CRTP Certification

CRTO represents a more advanced option than another popular red teaming certification, Certified Red Team Professional (CRTP). CRTP, administered by cybersecurity training company Altered Security, offers a beginner-friendly hands-on certification for aspiring red team specialists. It validates the ability to understand and evaluate security in an Enterprise Active Directory (EAD) environment containing multiple domains and forests, using interactive tools such as PowerShell, Mimikatz, and BloodHound. Applicants have 24 hours to use a foothold machine to gain OS level command execution on five target servers.

CRTP differs from CRTO in its purpose, methods, tools, length, and difficulty:

  • Purpose: CRTP validates Enterprise Active Directory red teaming skill, while CRTO validates AD Command and Control (C2) framework red teaming skill.
  • Tools: CRTP deploys interactive tools such as PowerShell, while CRTO deploys Cobalt Strike and supporting C# command and utilities.
  • Length: CRTP allows 24 hours to complete, while CRTO allows 48 hours over four days.
  • Difficulty: CRTP is designed to be beginner-friendly for applicants with no red teaming experience or minimal experience and takes a guided approach, while CRTO is intended for experienced applicants and requires more initiative.

These differences make CRTP more suitable for novice red teamers who want to master the basics of Active Directory security, while CRTO is better for experienced applicants seeking to validate advanced AD Command and Control and Cobalt Strike skills.

Benefits of CRTO

CRTO training and certification benefit cybersecurity professionals by providing advanced red teaming skills, validating hands-on know-how, and deepening resume credentials. Taking CRTO training and earning the certification lets you:

  • Master the practical use of Active Directory Command and Control red teaming methods
  • Learn advanced red teaming skills such as evading Windows Defender
  • Gain experience using the Cobalt Strike platform
  • Validate practical red teaming experience to employers and clients
  • Prepare for common red teaming questions employers are likely to ask during the interview process
  • Acquire advanced skills and certification at an affordable price
  • Access over 20 labs with no expiry or extensions
  • Take unlimited free exams as many times as you need to pass, with no financial penalty for failing
  • Gain lifetime access to course materials and updates
  • Receive lifetime certification with no expiration

For cybersecurity professionals seeking positions with red teaming qualifications, CRTO provides valuable experience and a resume credential to enhance other popular certifications, such as Offensive Security Certified Professional (OSCP) and CRTP.

Is CRTO Certification Worth It in 2026?

CRTO certification is most valuable for experienced red teamers who want to gain advanced C2 skills and experience using Cobalt Strike. If you’re new to red teaming, you should first pursue more basic certification courses and certifications such as OSCP and CRTP before tackling the CRTO. If you already have these credentials and some experience under your belt, CRTO and CRTO II can help you enhance your red teaming skills, gain hands-on familiarity with Cobalt Strike applications, and bolster your resume.

CRTO certification can also be valuable to other IT professionals. For instance, Active Directory administrators will find the course helpful for understanding attack methods.

CRTO Course Curriculum

The CRTO course teaches foundational red teaming principles, tools, and techniques, with an emphasis on adversary simulation using Cobalt Strike and C# tools. It begins by covering the key concepts of adversary simulation, Command and Control, and engagement planning and reporting.

The course then progresses through the stages of the attack lifecycle from initial compromise to domain takeover, data hunting, and data exfiltration. It explores how operations security failures can trigger defenders’ detection and how attacks can be conducted stealthily.

Finally, the course teaches how to evade defensive tools such as Windows Defender, Windows Antimalware Scan Interface (AMSI), and AppLocker. You learn how to execute adversarial attacks first with these tools turned off and then with them turned on.

The full curriculum includes:

  • Core red teaming concepts
  • Credential theft
  • Pivoting
  • Command and Control using Cobalt Strike
  • Password cracking
  • Active Directory Certificate Services
  • External reconnaissance
  • Domain reconnaissance
  • Group policy
  • Initial compromise
  • User impersonation
  • MS SQL servers
  • Host reconnaissance
  • Lateral movement
  • Microsoft Configuration Manager (ConfigMgr)
  • Host persistence
  • Data protection API
  • Domain dominance
  • Host privilege escalation
  • Keberos
  • Forest and domain trusts
  • Local Administration Password Solution (LAPS)
  • Microsoft Defender Antivirus
  • Application whitelisting
  • Data hunting and exfiltration
  • Extending Cobalt Strike
  • Exam preparation

The full course covers 20 hours of material. It includes lifetime access, non-expiring lab access, and free exam attempts.

CRTO Exam Requirements and Skill Areas

Zero-Point Security recommends that, before taking the CRTO course, you should have a strong working knowledge of Windows and Active Directory environments. Familiarity with C, C#, and PowerShell, and previous pentesting experience are beneficial but not essential.

To pass the exam, you must capture 6 out of 8 flags from target machines in an Active Directory environment within 48 hours of lab time, which can be paused and spread out over up to four days. You access the lab and exam environments via a web browser using SnapLabs. You are provided with access to a Kali Linux machine and a Windows machine to conduct your attacks.

The exam tests your skill to emulate Command and Control attacks using the Cobalt Strike hacking platform and C# tools. You will be evaluated on your ability to:

  • Perform reconnaissance on a Windows A/D environment
  • Escalate privileges on an initial host
  • Execute lateral movement pivots within the network
  • Achieve domain administration and complete designated objectives

You should be able to reproduce all attacks covered in the course.

The CRTO course and exam currently cost £399 (about $540 as of late February 2026). You do not have to take the course to take the exam, but you cannot pay for the exam separately. CRTO certification does not expire.

Read More about Cybersecurity Certifications in the Cobalt Learning Center

CRTO represents one of the growing array of specialized certifications that have become available to cybersecurity professionals in today’s market. Deciding which certification you need and preparing to pass tests can take a significant time investment. We offer guides to today’s leading certifications to help you choose which one is right for your career path and to help you plan for success. Learn more about certification options and requirements by visiting the Cobalt Offensive Security Learning Center.
View full post