ProfessionalVendor-neutralAltered Security· issued from IN

CRTP

Certified Red Team Professional

Hands-on Active Directory attacker — Kerberos abuse, trust attacks, and lateral movement against a real multi-domain forest.

Official page at Altered Security ↔ Compare with another cert

Exam fee

$499

Ongoing

$0/yr AMF

Study time

80–160 hrs

Delivery

Hands-on practical lab

Validity

Lifetime

› Quality score

31.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

Course syllabus is well-structured around AD attack primitives (Kerberoast, DCSync, delegation abuse, trust attacks). No formal weighted blueprint, but the lab maps 1:1 to taught content.

7.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

Pure lab exam with required written report. Considered the de facto starting point for AD red-team practitioners alongside CRTO.

9.0/10

Currency & upkeep

How aggressively content is kept current with the field.

Lab content is refreshed when major Windows / AD attack techniques emerge (e.g., post-Certified Pre-Owned ADCS additions). Cadence is irregular but not stale.

7.0/10

Market recognition

How often this signal actually moves a hiring decision.

Strong recognition in offensive-security / red-team hiring. Frequently listed alongside OSCP and CRTO for AD-heavy roles. [Holders: vendor doesn't publish]

7.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

15,000

as of 2024-12 · source

Vendor doesn't publish exact holder counts; estimate based on community indicators.

› Built for these roles

Red Team OperatorPenetration Tester (AD-focused)Adversary Simulation EngineerInternal Security Assessor

› Exam format

24-hour hands-on lab exam against a multi-domain Windows AD forest, followed by 48 hours to submit a written report. Five flag captures required across enumeration, privilege escalation, and cross-domain compromise.

› Recertification

Credential is permanent — no recertification or AMF.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-001PD-WRL-007

Recognition

GlobalUSEUUK

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A9Penetration Testing & Red Teaming

Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.

A6Identity & Access Management

AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.

› Also touched

Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.

A2Network Security

Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.

A11Detection Engineering & Threat Hunting

SIGMA/YARA/Suricata rule writing, hypothesis-driven hunting, log deep-dives, detection gap analysis.

B4AI in Offensive Security

AI-assisted pentesting, automated recon, AI-generated phishing/social engineering, deepfake attacks.

› Prerequisites

Experience

Comfort with Windows command line, PowerShell, and basic AD concepts. Prior pentesting exposure recommended but not strictly required — the course covers fundamentals.

Knowledge assumed

Active Directory objects, trusts, and Kerberos
PowerShell scripting basics
Windows privilege model and tokens

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (2)

OSCPOffSec CRTOZero-Point Security

CRTP

Altered Security

Required by (0)

No certs require this one.

Recommended next (1)

CRTEAltered Security

› Careers that commonly pursue this cert

Threat Exposure Management / Attack Surface Analyst

External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.

› Common exam traps to study

Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.

Browse all 25 cert-exam traps Start with: BEST vs correct

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications