ProfessionalVendor-neutralAltered Security· issued from IN

CRTP

Certified Red Team Professional

Hands-on Active Directory attacker — Kerberos abuse, trust attacks, and lateral movement against a real multi-domain forest.

Official page at Altered Security ↔ Compare with another cert

Exam fee

$499

Ongoing

$0/yr AMF

Study time

80–160 hrs

Delivery

Hands-on practical lab

Validity

Lifetime

› Quality score

31.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

Course syllabus is well-structured around AD attack primitives (Kerberoast, DCSync, delegation abuse, trust attacks). No formal weighted blueprint, but the lab maps 1:1 to taught content.

7.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

Pure lab exam with required written report. Considered the de facto starting point for AD red-team practitioners alongside CRTO.

9.0/10

Currency & upkeep

How aggressively content is kept current with the field.

Lab content is refreshed when major Windows / AD attack techniques emerge (e.g., post-Certified Pre-Owned ADCS additions). Cadence is irregular but not stale.

7.0/10

Market recognition

How often this signal actually moves a hiring decision.

Strong recognition in offensive-security / red-team hiring. Frequently listed alongside OSCP and CRTO for AD-heavy roles. [Holders: vendor doesn't publish]

7.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

15,000

as of 2024-12 · source

Vendor doesn't publish exact holder counts; estimate based on community indicators.

› Built for these roles

Red Team OperatorPenetration Tester (AD-focused)Adversary Simulation EngineerInternal Security Assessor

› Exam format

24-hour hands-on lab exam against a multi-domain Windows AD forest, followed by 48 hours to submit a written report. Five flag captures required across enumeration, privilege escalation, and cross-domain compromise.

› Recertification

Credential is permanent — no recertification or AMF.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-001PD-WRL-007

Recognition

GlobalUSEUUK

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A9Penetration Testing & Red Teaming

Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.

A6Identity & Access Management

AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A2Network Security

Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

B4AI in Offensive Security

AI-assisted pentesting, automated recon, AI-generated phishing/social engineering, deepfake attacks.

› Prerequisites

Experience

Comfort with Windows command line, PowerShell, and basic AD concepts. Prior pentesting exposure recommended but not strictly required — the course covers fundamentals.

Knowledge assumed

Active Directory objects, trusts, and Kerberos
PowerShell scripting basics
Windows privilege model and tokens

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (2)

OSCPOffSec CRTOZero-Point Security

CRTP

Altered Security

Required by (0)

No certs require this one.

Recommended next (1)

CRTEAltered Security

› Careers that commonly pursue this cert

Threat Exposure Management / Attack Surface Analyst

External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications