
How I (almost) passed the CRTP certification


The CRTP certification from Altered Security is a hands-on program designed to teach red team professionals Active Directory penetration testing techniques. The course combines practical labs, guided modules, and interactive exercises, allowing participants to understand AD enumeration, privilege escalation, lateral movement, and persistence in realistic enterprise environments.

We will analyze the course itself, and I won’t dwell too much on details such as purchasing or environment setup, as those are clearly explained on their official website. Instead, I will focus on how the course is structured and, of course, share my personal experience. So, without further ado, let’s get started!

Overview of the CRTP Course

Altered Security offers an official preparatory course designed to guide candidates step by step through the techniques and tools used in the CRTP lab. This course is structured in theory-practice modules that cover all the fundamental areas of red teaming on Active Directory, such as:

  • Windows and Active Directory fundamentals, with detailed explanations of how the directory works, authentication protocols (such as Kerberos), and the main vulnerabilities.
  • Advanced enumeration techniques, to understand how to gather useful information on objects and relationships within a domain.
  • Privilege escalation and access persistence, with real examples and step-by-step simulations.
  • Analysis of real attacks, providing practical exercises that replicate scenarios similar to those encountered in the CRTP exam.

The course also includes interactive labs, supporting materials, and access to a Discord community where students can interact with instructors and peers. The videos are presented by Nikhil Mittal (founder of Altered Security) in a very clear manner, sometimes using a bit of humor to make the lessons lighter and more engaging. I imagine he would be a very personable person in real life.

A brief note about the Discord community: in my personal opinion, it is clearly useful in cases where commands don’t work due to virtual machine configurations or environment issues (and sometimes tips are shared regarding executing certain commands not shown in the course). However, because the number of participants is large, you have to ask your questions carefully, since moderators cannot always answer everyone immediately.

Overall, the course’s goal is to ensure that the candidate does not merely “follow the solutions”, but truly understands why each technique works and is able to apply it independently in the exam. This is clearly a positive aspect, as relying solely on memorization is not recommended — you need to understand the parameters for each command, why they are used, and how they affect the environment.

Hands‑on Practical Lab

One of the key strengths of the CRTP course is undoubtedly the virtual lab provided to students. It is a complete Windows Active Directory environment, configured to simulate realistic enterprise scenarios with multiple domains, forests, users, groups, and complex policies.

Within the lab, participants can practice all the techniques covered in the course and required for the exam: AD enumeration, privilege escalation, lateral movement, persistence, and much more. The environment is isolated and secure, allowing the testing of real exploits and tools without any risk to external systems. Moreover, the labs often include guided objectives, bonus challenges, and “open-ended” scenarios to stimulate problem-solving and creativity, making the experience very close to that of real-world red teaming.

Personal opinion: having such a comprehensive lab is crucial because it allows students to apply security skills in practice, without having to configure complex environments from scratch. This drastically reduces the learning curve and better prepares the student for both the CRTP exam and real-world professional applications. It is also worth noting the quality of the virtual environment, which never caused me any issues with access or usage.

This is arguably the most valuable part of the certification (one could even say that it is what you are really paying for, more than the certification itself). The fact that it is practical and realistic means it is not just about “memorizing facts”, but about demonstrating real operational skills — something highly appreciated by recruiters in the security field. However, it can be very challenging for those without direct experience with AD in an enterprise environment.

The final exam

The Certified Red Team Professional (CRTP) exam is entirely hands-on and based on a virtual lab, designed to test candidates’ real-world skills in an enterprise Active Directory environment. During the exam, the candidate is provided with initial limited access to a Windows domain. The main goal is to compromise the environment and obtain domain administrator privileges, then identify weaknesses in other machines connected to the compromised one that allow lateral movement and subsequent privilege escalation.

The main activities required include:

  • Enumeration and Reconnaissance: gathering information about users, groups, policies, trust relationships between domains, and security configurations.
  • Initial Access: gaining an initial foothold by exploiting real vulnerabilities or misconfigurations, without using trivial exploits.
  • Privilege Escalation: escalating privileges to gain full administrative access on one or more domains. This may include techniques such as Kerberoasting, abusing Kerberos delegations, manipulating tokens, and targeting protected objects.
  • Lateral Movement and Persistence: extending control to other systems and establishing persistent access, simulating typical red team behavior.
  • Final Documentation: compiling a detailed report describing the steps taken, techniques used, and results obtained. This report is evaluated alongside the technical success in the lab.

The exam has a limited duration (approximately 24 hours) and requires successful completion of all the main activities to obtain the certification. It is an intense test that evaluates both technical skills and the ability to think independently and systematically when facing complex problems.

It should be noted that, to complete the exam, it is necessary to gain access to all five virtual machines (not necessarily with administrator privileges). Failing to gain access affects the ability to earn the certification. Another important point is that there are no alternative paths to move from one machine to another. Therefore, if a candidate cannot progress to the next machine, it becomes impossible to access the remaining machines. This means that failing to identify even a single vulnerability among those available can prevent further progress, as was my case: I reached the penultimate machine but could not obtain the necessary privileges to continue.

Final Conclusion

The CRTP certification from Altered Security stands out for its highly practical and realistic approach, placing candidates in scenarios similar to those faced by a real red team in an enterprise environment. In particular, the course’s virtual lab is an exceptional value: it allows participants to practice on Active Directory, escalate privileges, explore trust relationships between domains, and experiment with advanced techniques in a safe and controlled environment, making learning much more hands-on compared to a purely theoretical course.

At the same time, the final exam faithfully reflects real-world challenges: if a candidate fails to compromise a machine along the attack path, the process gets blocked, preventing further progression. While this can be demanding, it is also what makes the certification so respected: it clearly demonstrates not only knowledge of the techniques but also the ability to successfully apply them in complex, interconnected scenarios.

In summary, CRTP is a highly recommended certification for anyone seeking concrete operational skills in red teaming and Active Directory security, offering an intense learning experience that is directly applicable in a professional setting.