Achieving CRTO Success: My Journey through the Red Team Operator Exam

Chenny Ren
3 min readOct 26, 2023


Hello, fellow enthusiasts of cybersecurity! I’m thrilled to share the exhilarating story of my successful conquest of the CRTO (Red Team Operator) exam, an achievement distinct from my prior triumphs in OSCP, OSEP, CRTP, and CRTE. This latest endeavor thrust me into a realm closer to the pulse of real-world hacking techniques, and I’m eager to delve into the finer details of my preparation and the exam experience itself.

The CRTO Course — A Dive into Modern Cybersecurity

Zero-Point Security (ZPS) was my guiding light throughout this journey. The course, masterfully curated and delivered by the renowned RastaMouse, or Daniel Duggan, takes us on a thrilling odyssey through the entire attack lifecycle. This encompasses everything from the initial access to persistence, privilege escalation, domain reconnaissance, domain dominance, and exfiltration, among other vital aspects. A standout feature of this course is its comprehensive exploration of different strategies for attacking Active Directory (AD). By the course’s conclusion, students are equipped with the invaluable knowledge of enhancing Operational Security (OPSEC) and mastering fundamental techniques to breach defenses. Cobalt Strike, a commercial tool favored by red teams and APT groups, serves as the crowning jewel in our arsenal.

The CRTO Exam: A Pinnacle of Challenge

To attain the CRTO certification, you must get six out of eight elusive flags, and there’s no need for the daunting task of report writing. The exam stretches over four calendar days, offering a generous 48 hours of invaluable time within the exam lab environment.

Curriculum Highlights

The course underscores Active Directory attacking methodologies, presenting a meticulous breakdown of the attack lifecycle. Each stage, from the initial breach to exfiltration, is dissected with expert precision. Additionally, the course imparts insights into optimizing OPSEC and introduces rudimentary techniques for navigating past impervious defenses. It’s imperative to note that Cobalt Strike, the C2 of choice, plays a pivotal role throughout the course — a tool widely revered among red teams and APT groups.

My CRTO Exam Journey: Navigating the Challenges

Studying the course material diligently smoothed my path to securing the initial foothold flag. However, the real challenge emerged when it came to stabilizing my C2 connection. This phase demanded an in-depth understanding of Cobalt Strike artifacts and the finesse to elude the watchful eyes of antivirus software.

In the realm of Active Directory, I discovered that the CRTO materials made the task significantly more manageable in comparison to the CRTP and CRTE courses. The key lay in executing actions through Cobalt Strike, as opposed to relying on direct PowerShell commands.

I also decided to venture into the exam with a CRTP approach, proving that sometimes, returning to the old-school methods can yield remarkable results. With this strategy, I successfully secured several flags without ever relying on Cobalt Strike. For those who thrive on challenges, this approach is definitely worth considering.

An unexpected revelation during the exam was the generous amount of lab time provided. Completing the entire exam required just 14 hours of my time, spread over two days with a well-deserved break for rest. It’s a reassuring aspect, ensuring the exam doesn’t become an overly taxing endeavor.

In Conclusion: A Rewarding CRTO Journey

My CRTO journey has been nothing short of thrilling. Zero-Point Security’s comprehensive course, fortified with Daniel Duggan’s expertise, prepares candidates for a challenging yet fulfilling experience. The CRTO exam tests your mettle in the world of modern cyber threats, and with dedication and the right approach, success is well within reach.

So, aspiring red team operators, fear not. The CRTO exam is a beast worth conquering, and with the right guidance and determination, you too can emerge victorious. My experience has not only enriched my knowledge but has also opened doors to new opportunities in the realm of ethical hacking and cybersecurity. Cheers to the exhilarating journey of becoming a CRTO!

Disclaimer: Please remember to always abide by ethical and legal standards when practicing and employing your cybersecurity skills.



Chenny Ren

OSCP | OSWP | OSEP | CRTP |CRTE | CRTO | Red Team Professional | SOC engineer