My CRTP Certification Journey
Intro
I signed up for the CRTP course during the Diwali sale, which cost me $199 — including lifetime access to course materials, 30 days of lab access, and one exam attempt.
Course & Lab
As I already have a background in pwning Active Directory infrastructures in my day-to-day job, I decided 30 days of lab would be enough. The course material is packed with video content, slides, and a lab manual. The key point is you can activate the lab anytime within 90 days of purchase. So I made a plan to finish watching the videos first and then dive into the lab environment.
The course is taught based on the assume breach methodology, starting with access to a user machine as an initial foothold. It covers:
- Active Directory enumeration
- Local privilege escalation
- Domain privilege escalation
- Domain persistence and dominance
- Cross-trust attacks
- Forest persistence and dominance
- Defenses & deception
The course heavily relies on PowerShell tools for enumeration. For exploitation and persistence, tools like Mimikatz (and its various implementations) and Rubeus are used. The instructor (Nikhil Mittal) explains each concept, script, and tool in a very understandable manner.
The course also provides a Covenant C2 framework lab manual and covers red teaming concepts such as OPSEC, MDI detection & bypass, and recently introduced beta EDR bypass content.
I enjoyed the course a lot since I could relate the content to my day-to-day work. I recommend taking notes of everything learned during the course and lab — it will help during the exam and real assessments. I used Notion for note-taking.
During lab time, you might get stuck sometimes. Refer to the lab manual and understand what’s wrong with your approach. Don’t blindly run tools — knowing the tools and context is necessary.
Having a full-time day job, I managed to spend 4–5 hours daily during preparation. I planned to dive into the Covenant C2 lab manual too, but I ended up procrastinating until I lost lab access. I recommend that anyone interested in red teaming spend time with it — there’s no other course at this price range providing a C2 in an AD lab environment.
Exam
After the lab access ended, I attempted the CRTP exam. The exam consists of 5 machines (excluding the initial foothold/jump server). To pass, you must compromise all 5 machines within 24 hours and provide a detailed report.
In the early morning of Jan 27, I started the exam around 6:30 NPT with all necessary tools and notes prepared. Since the provided machine doesn’t contain any tools, you need to transfer them to the exam VM.
Both lab and exam can be accessed via VPN or Guacamole. I used Guacamole throughout.
The exam was straightforward for anyone who follows the course methodology. I struggled mostly with tool troubleshooting and occasional environment disconnects. You can contact the lab support team via Discord or email if you face any issues.
After ~11 hours, I completed the exam and started writing the report using my Notion notes. I submitted the report to the lab support team, and on Jan 29 I received confirmation that I had passed the exam.
Final Thoughts
Is the CRTP certification worth the time and money?
It completely depends on your background and goals. In my context, Active Directory exploitation is an invaluable skillset since I face AD environments most of the time during internal network assessments. At this price range, there is no other training providing such good content and a lab environment.
Even though the course is well-structured, I also explored other resources that helped during preparation. Check them below.


