Certified Red Team Professional (CRTP)

Written by Christian on
Certified Red Team Professional (CRTP)

Certified Red Team Professional (CRTP)

Difficulty: Medium

Link: https://www.alteredsecurity.com/adlab

Pricing: $249 - $499

Course Content

This course is heavily focused on abusing and attacking Active Directory in various ways. This is super beneficial for Assume breach and internal network penetration testing, as this is often the scope for the test. The labs are beginner friendly and come with a lot of help in terms of walkthroughs and lab manuals. Throughout the course, you will also learn about how to create detections for various attacks used in the lab, and how to harden the environment. The course is taught by Nikhil Mittal who is a very experienced and proficient teacher. He has done several talks at BlackHat and Defcon. There are several purchase options for the course, and the difference is on how long you want your lab period. I went for 60 days, which was plenty enough for working full-time.


  • Good understanding of the attack lifecycle
  • Natural to do CRTP after OSCP/eCPPTv2
  • Networking understanding
  • Basic understanding of Active Directory
  • Basic understanding of Windows and SQL


  • Practice various attacks in a fully patched realistic Windows environment with Server 2022 and SQL Server 2017 machines.
  • Multiple domains and forests to understand and practice cross-trust attacks.
  • Learn and understand concepts of well-known Windows and Active Directory attacks.
  • Learn to use Windows as an attack platform and use trusted features of the OS like PowerShell and others for attacks.
  • Try scripts, tools, and new attacks in a fully functional AD environment.

There is a huge list of topics that you will be guided through, like:

  • Active Directory Enumeration
  • Local Privilege Escalation
  • Domain Privilege Escalation
  • Domain Persistence and Dominance
  • Cross Trust Attacks
  • Forest Persistence and Dominance
  • Defenses - Monitoring
  • Defenses and bypass
  • Deception
  • Powershell


The Exam is a 48-hour non-proctored exam, where you have 24 hours to do the labs and 24 hours to write a comprehensive and detailed report of your findings. I really like the way that the exam is structured, as this is very similar to doing a customer engagement.

On the exam, you get access to a student-vm, like in an assume breach assignment, and then you have to compromise the rest of the forest by moving laterally from that machine. I was stuck on one of the first steps for several hours but managed to land on the next host after banging my head against the wall enough.

The exam lab worked great, and I didn’t experience any issues going through it. If you have done all the labs prior to the exam, you will be fine, and you will not need to learn anything beyond what you have learned in the course.

Overall Conclusion

I have nothing but praise for this course. I strongly urge anyone interested in gaining a comprehensive understanding of the various attack methods involved in an Assumed Breach assessment to enroll in it. Moreover, this course proves beneficial for consultants specializing in detection engineering, as it covers a wide range of taught artifacts.

Nikhil is very good at explaining the concepts in the exam, and the labs are great. I did have some minor issues with the labs prior to the exam, but support was quick to help me out.

In my opinion, this exam stands out as the most authentic and closely resembling a real-world assessment experience for offensive consultants, among the certifications I have personally undertaken or been aware of.



Christian bidrager til sporet omkring samfundspåvirkning. Han er også hovedansvarlig for kontakt med samarbejdspartnere og støttemedlemmer.