SecProve
ExpertVendor-neutralAltered Security· issued from IN

CRTE

Certified Red Team Expert

Multi-forest AD compromise — cross-trust abuse, advanced delegation, and persistence in hardened enterprise environments.

Official page at Altered Security↔ Compare with another cert
Exam fee
$699
Ongoing
$0/yr AMF
Study time
120–200 hrs
Delivery
Hands-on practical lab
Validity
Lifetime

› Quality score

31.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor
How well-defined and rigorous the exam blueprint is.
Builds on CRTP with cross-forest, ADCS, exchange, and SQL-server attacks. Outline is detailed but lacks a formal exam-weight document.
7.5/10
Practical evidence
Hands-on labs / written reports vs pure MCQ.
48-hour lab against a hardened multi-forest network with logging/EDR-style telemetry. One of the more demanding AD-focused lab exams available.
9.5/10
Currency & upkeep
How aggressively content is kept current with the field.
Updated with newer techniques (ADCS ESC1-ESC11, RBCD, shadow credentials) as they hit mainstream.
7.0/10
Market recognition
How often this signal actually moves a hiring decision.
Respected in red-team circles but a tier below OSEP/CRTO in raw hiring weight. Often referenced for senior AD-focused roles. [Holders: vendor doesn't publish]
7.0/10

› Market signals

public, citable inputs to the recognition score
Holders worldwide
4,000
as of 2024-12 · source

Vendor doesn't publish exact counts; conservative estimate from community cohort signals.

› Built for these roles

Senior Red Team OperatorAdversary Simulation LeadPrincipal Penetration Tester

› Exam format

48-hour hands-on lab exam against a multi-forest enterprise environment with EDR-style controls. Report submission within 48 hours of lab close. Multiple flags across forest trusts and tier-0 compromise required.

› Recertification

Credential is permanent — no recertification or AMF.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-001PD-WRL-007
Recognition
GlobalUSEUUK
Exam languages
en

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A9Penetration Testing & Red Teaming

Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.

A6Identity & Access Management

AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A2Network Security

Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

B4AI in Offensive Security

AI-assisted pentesting, automated recon, AI-generated phishing/social engineering, deepfake attacks.

› Prerequisites

Experience

Solid AD-attack fundamentals — CRTP-level knowledge or equivalent operational experience. Familiarity with multiple C2 frameworks helpful.

Knowledge assumed
  • Active Directory trusts, ADCS, and delegation
  • Lateral movement and persistence techniques
  • Bypassing common Windows security controls (AMSI, AppLocker)

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (2)
CRTPAltered SecurityOSCPOffSec
CRTE
Altered Security
Required by (0)

No certs require this one.

Recommended next (0)

No follow-on certs reference this one yet.

› Common exam traps to study

Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.

Browse all 25 cert-exam trapsStart with: BEST vs correct

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain mapBrowse all certifications