Certified Red Teamer

The Certified Red Teamer (CRTeamer) is an intermediate-level exam, designed to evaluate a candidate’s knowledge and applied expertise in Windows-based Red Team operations. The exam simulates a realistic enterprise scenario where the candidate begins with low-privileged domain user credentials and is required to perform both vertical and lateral movement to escalate access and compromise critical systems within the environment.

£250

Our Candidates Say it Best

Viktor Bajraktar

CRTeamer

I’m happy to share that I’ve obtained a new certification, with merit: Certified Red Teamer (CRTeamer) from The SecOps Group (Creators of PentestingExams.com)!
The exam format was something that I had not expected before taking it, but I was pleasantly surprised in the end. The exam is 5 hours 15 minutes long, where you start the exam with an out-of-the-box Kali machine, with no custom tools or C2 server installed and configured. This leaves you with the decision on which C2 you wish to use and setting it up in the given time, which does feel short if you have come unprepared (no ready-to-use setup or custom tooling to bypass detections). With all that said, the exam isn't difficult if you know what you're doing, and once you have everything configured; although I would argue that it's the most difficult part of the exam, considering the time pressure.

Henrik Parkkinen

CRTeamer

CRTeamer (Certified Red Teamer) completed!
And big creds to Sumit Siddharth and the entire team at The SecOps Group (Creators of PentestingExams.com) for the amazing work you’re doing in the cybersecurity learning space. Keep it up!
CRTeamer is played out in a very realistic scenario. Things start out from a low-level user account at a hardened client from where the objective is to reach a full domain compromise. 100% practical, fun, challenging, well balanced, and highly recommended for those interested in offensive security.

Marcus de Almeida

CRTeamer

Certified Red Teamer (CRTeamer) ⚔️
I share that I passed The SecOps Group (Creators of PentestingExams.com)'s Certified Red Teaming exam.
The certification is classified as an intermediate level, being more suitable for those who already have practical experience and mastery of concepts such as:
✔️ Exploration and post-exploration in Windows environments
✔️ Lateral movement and privilege escalation
✔️ Abuse of insecure configurations and use of C2 frameworks
✔️ Understanding of Windows Internals and basic evasion techniques
✔️ Red Team operations in corporate networks (Active Directory, Kerberos, remote sessions, etc.)
During the exam, the skills assessed involve:
✔️ Mapping and enumeration of exposed assets and services
✔️ Identification and abuse of vulnerable services to achieve code execution
✔️ Evasion techniques and the use of C2
✔️ Privilege escalation on compromised hosts
✔️ Post-exploitation (hashes, tickets, tokens)

Who should take this exam?

The CRTeamer exam is intended for pentesters; red team operators; adversary simulation specialists; SOC and Blue Team members looking to understand attacker tradecraft; security consultants and researchers focused on post-exploitation and evasion; and security professionals who want to demonstrate expertise in stealthy post-exploitation and red team methodologies, particularly in Windows domains.

What is the format of the exam?

CRTeamer is an intense, 5-hour practical exam. It requires candidates to solve a number of challenges, identify and exploit various vulnerabilities, and obtain flags. The exam can be taken online, on demand, at any time and from anywhere. Candidates will need to connect to the exam VPN server to access the vulnerable infrastructure.

Note: While all our professional exams are 4-hour exams, with CRTeamer we have allowed an extra hour.

What are the pass criteria for the exam?

The pass criteria are as follows:

  • Candidates scoring over 60% marks will be deemed to have successfully passed the exam.
  • Candidates scoring over 75% marks will be deemed to have passed with merit.

What is the experience needed to take the exam?

This is an intermediate-level exam. Candidates should have prior knowledge and experience of Windows exploitation, post-exploitation and red teaming techniques. They should have an understanding of C2 frameworks, Windows internals, and common AV bypass methods. They should be able to demonstrate their practical knowledge of Windows-based Red Team operations for completing a series of tasks on identifying and exploiting vulnerabilities that have been created in the exam environment to mimic real-world scenarios.

Note: As this is an intermediate-level exam, a minimum of two years of professional red teaming experience is recommended.

What will the candidates get?

On completing the exam, each candidate will receive:

  • A certificate with their pass/fail and merit status.
  • The certificate will contain a certificate number, which can be used by anyone to validate the certificate.

What is the exam retake policy?

Candidates who fail the exam are allowed 1 free exam retake, included in the exam fee.

What are the benefits of this exam?

The exam will allow candidates to demonstrate advanced proficiency in adversarial tradecraft, the ability to operate covertly in live enterprise networks and credibility in both offensive and defensive roles within security teams. This will help them to advance in their career.

How long is the certificate valid for?

The certificate does not have an expiration date. However, the passing certificate will mention the details of the exam such as the exam version and the date. As the exam is updated over time, candidates should retake the newer version as per their convenience.

Will you provide any training that can be taken before the exam?

Being an independent certifying authority, we do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience and practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exams.

Learning Resources

Exam Syllabus

Red Team Infrastructure & OPSEC

  • Setting up redirectors, staging servers, and C2 profiles
  • Managing infrastructure with secure transport and domain fronting

Payload Development & Execution

  • Crafting evasive payloads using native tooling and custom binaries
  • In-memory execution, unmanaged PowerShell, and script-based delivery
  • Obfuscation techniques to evade Windows Defender

Initial Access Techniques

  • Common initial foothold vectors in assumed breach scenarios
  • Abuse of misconfigured services, scheduled tasks, and login portals
  • Using weaponized documents, shortcut files, and signed binaries

Local Enumeration & Reconnaissance

  • Gathering host-level information: users, groups, privileges, sessions
  • Identifying exploitable misconfigurations and binaries
  • Mapping relationships between users, services, and access levels

Windows Privilege Escalation

  • Exploiting misconfigurations (e.g., service permissions, UAC bypasses)
  • DLL hijacking, unquoted paths, insecure registry/configuration settings
  • Escalation via token impersonation, SID abuse, and named pipe manipulation

Credential Access & Replay

  • Extracting credentials from memory, vaults, and secure stores
  • Bypassing Process Protection to dump secrets
  • Reusing credentials with hash/token/ticket-based authentication

Lateral Movement

  • Using built-in tools for lateral movement (WMI, WinRM, SMB, etc.)
  • Exploiting shared drives, credential reuse, and session tokens
  • Bypassing segmentation with pivoting and SOCKS tunnels

Active Directory Enumeration

  • Mapping domain structure: users, groups, ACLs, GPOs, trust relationships (if any)
  • Discovering paths to privilege escalation via object permissions
  • Tools and techniques for stealthy domain enumeration

Kerberos-Based Attacks

  • Abuse of ticket-based authentication mechanisms
  • Performing common Kerberos abuses (e.g., ticket forging, delegation flaws)
  • Using Kerberos artifacts for persistence and lateral access

Domain Privilege Escalation

  • Identifying indirect paths to elevated privileges
  • Abusing weak ACLs, group memberships, and misconfigurations
  • Gaining control of high-privilege accounts from standard user context

Active Directory Persistence

  • Implementing durable access without service disruption
  • Host-based persistence: autoruns, registry, WMI, and tasks
  • Domain-level persistence via permissions, groups, or object backdoors

Living-off-the-Land & Native Binary Abuse

  • Leveraging trusted tools (LOLBAS) for stealthy operations
  • Executing payloads with signed binaries and native interpreters
  • Avoiding custom tooling to bypass controls

PowerShell & .NET Tradecraft

  • Using PowerShell effectively in restricted environments such as JEA, AppLocker, etc.
  • Bypassing security features: AMSI, transcription, and CLM
  • Loading .NET assemblies in-memory for stealthy operations

Offensive .NET & Tool Modification

  • Modifying open-source tools to evade detection and bypass controls
  • Understanding .NET reflection, loaders, and runtime behavior
  • Deploying .NET-based tooling in low-visibility contexts

Privilege Maintenance & Access Expansion

  • Identifying machines with delegated or inherited rights
  • Maintaining access across reboots and user logins
  • Expanding control through harvested access and weak architecture

Sample Question

Identify a vulnerable service on the machine “WKSTN01”. What is the name of the service?