Certified Active Directory Pentesting eXpert
(C-ADPenX)

Certified Active Directory Penetration eXpert (C-ADPenX) is an expert-level exam designed to test a candidate’s expertise in identifying and exploiting vulnerabilities within Microsoft Active Directory (AD) environments. Candidates must demonstrate a deep understanding of AD concepts (both on-prem and Azure AD), attacks, and defenses to pass this challenging exam.

  • Practical
  • 7 Hours
  • Online
  • On-demand
  • Real world pentesting scenarios
£400

Our Candidates Say it Best

Joas A Santos

Red Team | Author of Books | Speaker and Teacher | APT Hunting | Adversary Simulation | C-ADPenX

This certification is a Gray Box PenTest focused on an Active Directory environment with multiple Domain Forests, where you need to escalate privileges to DA/DC in each environment. You’ll have access to a Kali Linux machine already connected to the environment, but no direct access to a Windows Domain-joined machine. This means you must secure your initial access before starting privilege escalation and lateral movement.
🔍 Complete enumeration is crucial! Don’t expect to simply use Metasploit to gain a shell via MS17-010 or BlueKeep. Instead, the environment is designed around common AD misconfigurations found in corporate networks.
💡 Exam Highlights:
✔️ You’ll test countless possibilities and sometimes feel lost.
✔️ Start with the basics before diving into complex techniques.
✔️ I wasted a lot of time overcomplicating things—developing PowerShell scripts, troubleshooting BloodHound—when a simple command would have given me the same information.
✔️ Do not ignore the network architecture diagram from the first question.

Astik R

Senior Security Consultant | OSCE³ | 14x CVE | C-ADPenX

I initially thought it would be a mix of AD + Network + WebApp test, but it turned out to be a purely Active Directory-focused exam—no distractions, just AD pentesting! 😅 💀 My first attempt? Failed. Why? Because BloodHound wasn't working (ifykyk). ⚡ Second attempt? Passed! After troubleshooting (and realizing it was a well-known issue ._.), I finally made it through. It was a fun but challenging 7.5-hour exam. You’re provided with a Kali VM via SSH, connected to a network segment, and expected to test pure AD security—and since it’s labeled “eXpert,” you know it’s going to push your limits!

Who should take this exam?

C-ADPenX is intended to be taken by penetration testers, red team members, blue team members, security engineers, and AD administrators who want to validate their expertise in Active Directory security. It is also ideal for anyone seeking to elevate their skills in securing or attacking AD infrastructures.

What is the format of the exam?

C-ADPenX is a rigorous 7-hour practical exam that challenges candidates to identify and exploit real-world vulnerabilities within a simulated AD environment. Candidates will need to:

  • Perform reconnaissance to map and understand the AD infrastructure.
  • Obtain an initial foothold within different AD forests.
  • Exploit misconfigurations to escalate privileges and gain control over multi-domain environments.
  • Demonstrate techniques for persistence, lateral movement, and advanced AD compromises.

The exam can be taken online, anytime (on-demand), and from anywhere. Candidates will need to connect to a dedicated exam VPN server to access the pre-configured AD infrastructure.

What is the pass criteria for the exam?

The pass criteria are as follows:

  • Candidates scoring over 60% will be deemed to have passed the exam.
  • Candidates scoring over 75% will be deemed to have passed with merit.

What is the experience needed to take the exam?

This is an expert-level exam, and candidates should possess extensive hands-on experience with Active Directory pentesting. Prior knowledge of AD exploitation techniques, Windows security, and privilege escalation is required.

Note: As this is an expert-level exam, a minimum of five years of professional pentesting or red teaming experience is recommended.

What will the candidates get?

Upon successful completion of the exam, candidates will receive:

  • A certificate indicating their pass/fail and merit status.
  • A unique certificate code/QR link for validation purposes.

What is the exam retake policy?

Candidates who fail the exam are allowed one free retake, which is included in the exam fee.

What are the benefits of this exam?

The exam will allow candidates to demonstrate their understanding of securing and attacking Active Directory environments. This will help them to advance in their career.

How long is the certificate valid?

The certificate does not have an expiration date. However, it will include the exam version and the date it was taken. Candidates are encouraged to retake updated versions of the exam as it evolves to reflect new attack methods and defenses.

Will you provide any training that can be taken before the exam?

Being an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience, and practical knowledge of these topics. Further, the following independent resources can be utilized to prepare for the exams.

Learning Resources

  • MITRE ATT&CK (Free/Paid: free; Type: Training)
  • AD Security (Free/Paid: free; Type: Training)
  • Ired Team (Free/Paid: free; Type: Training)
  • Dirk-Janm (Free/Paid: free; Type: Training)
  • Internal All The Things (Free/Paid: free; Type: Training)
  • Awesome Red Teaming (Free/Paid: free; Type: Training)
  • RedTeam-Tools (Free/Paid: free; Type: Training)
  • Red Teaming Toolkit (Free/Paid: free; Type: Training)
  • GOAD (Free/Paid: free; Type: Training)
  • Vulnerable-AD (Free/Paid: free; Type: Training)

Exam Syllabus

Active Directory Reconnaissance

  • Mapping domain environments, forests, and trusts.
  • Enumerating users, groups, and system details through various techniques.

Credential Harvesting and Attacks

  • Capturing and cracking password hashes.
  • Exploiting authentication mechanisms using Kerberoasting, AS-REP Roasting, and password spraying.
  • Identifying and attacking weak authentication configurations.

Privilege Escalation

  • Identifying and exploiting misconfigured AD objects.
  • Leveraging vulnerabilities in Group Policy Objects (GPOs) and Active Directory Certificate Services (ADCS).
  • Abusing tokens, user privileges, and nested group memberships.

Persistence Techniques

  • Implementing advanced persistence mechanisms in Active Directory environments.
  • Exploiting service accounts, delegated permissions, and other long-term footholds.

Lateral Movement

  • Moving between systems using techniques like Pass-the-Ticket and Pass-the-Hash.
  • Exploiting trust relationships across multi-domain environments.

Domain and Forest Compromise

  • Gaining control over domain controllers (DCs) and achieving domain dominance.
  • Extracting and analyzing NTDS databases offline.
  • Manipulating AD configurations to achieve full forest compromise.

Azure Active Directory Exploitation

  • Attacking hybrid environments with Azure AD Connect.
  • Exploiting vulnerabilities in synchronization processes and privileged accounts.

Advanced Techniques for Defense Evasion

  • Bypassing modern security controls, including antivirus and endpoint detection and response (EDR).
  • Using obfuscation techniques to maintain stealth during operations.

Data Extraction and Exfiltration

  • Identifying and extracting sensitive data from compromised environments.
  • Safely handling and securing critical information post-compromise.

Automated Vulnerability Scanning and CVE Exploitation

  • Utilizing automated tools to identify and assess vulnerabilities in AD environments.
  • Exploiting known Common Vulnerabilities and Exposures (CVEs) to escalate privileges and gain unauthorized access.
  • Understanding patch management and mitigation strategies from an attacker's perspective.

Bypassing Security Controls and Advanced Persistence

  • Evading security monitoring tools such as SIEM, EDR, and intrusion detection systems.
  • Leveraging golden ticket, silver ticket, and skeleton key attacks for long-term persistence.
  • Modifying AD security policies to maintain hidden access and persistence.