
Certified Red Teamer - eXpert (CRTeamerX)
The Certified Red Teamer – eXpert (CRTeamerX) is an expert-level red teaming exam, built to assess a candidate’s ability to conduct stealthy and sophisticated operations within a modern Windows enterprise environment. The exam simulates a highly realistic, detection-aware infrastructure where the candidate starts with low-privileged access and is required to perform advanced lateral and vertical movement, evasion of security controls, abuse of Active Directory features, and full compromise of critical systems, all while maintaining operational stealth and evading defense mechanisms.
Note: The exam details will be sent to you on/before 10th July 2025.
- Practical
- 7 Hours
- Online
- On-demand
- Real world red teaming scenarios
£400
Equivalent Industry Certifications*
*Note: We are not affiliated with any of the certifications mentioned here. These are respected industry certifications, and they are referenced here to show how the syllabus and difficulty of our Certified Red Teamer – eXpert (CRTeamerX) exam overlap with these exams.
If you already hold any of these, you’re likely well-prepared to test your knowledge with our exam. If you’re preparing for one, our exam is a great way to test your progress.
Who should take this exam?
The CRTeamerX exam is intended for experienced red teamers, adversary simulation professionals, senior pentesters, detection engineering experts, SOC and blue team leads looking to better understand advanced attacker tradecraft, and seasoned security professionals who want to demonstrate mastery in covert post-exploitation, advanced privilege escalation, and stealthy lateral movement in Windows enterprise environments.
What is the format of the exam?
CRTeamerX is a challenging 7-hour practical exam that demands deep technical understanding, precision, and strategic thinking. Candidates must solve a series of real-world-style challenges involving complex vulnerabilities, multi-forest Active Directory abuse, and advanced evasion. The exam is delivered online, available on-demand, and can be taken from anywhere. Candidates will need to connect to the exam VPN server to access the hardened enterprise infrastructure.
What is the pass criteria for the exam?
The pass criteria are as follows:
- Candidates scoring over 60% will be deemed to have successfully passed the exam.
- Candidates scoring over 75% will be deemed to have passed with merit.
What is the experience needed to take the exam?
This is an expert-level exam. Candidates should have solid, hands-on experience with Windows red teaming, offensive operations, and enterprise post-exploitation. They are expected to understand advanced topics such as custom C2 operations, Kerberos abuse, lateral movement using living-off-the-land techniques, and stealthy evasion of modern security solutions. Candidates should be able to demonstrate proficiency in executing a full attack chain in mature, monitored environments.
Note: As this is an expert-level exam, a minimum of five years of professional pentesting, red teaming, Active Directory exploitation, and post-exploitation tradecraft experience is recommended.
What will the candidates get?
On completing the exam, each candidate will receive:
- A certificate with their pass/fail and merit status.
- A certificate number, printed on the certificate, which anyone can use to validate it.
What is the exam retake policy?
Candidates who fail the exam are allowed one free retake, included in the exam fee.
What are the benefits of this exam?
This exam will allow candidates to prove their capability in real-world red teaming including stealth, evasion, post-exploitation, and critical asset compromise within an enterprise environment. It adds significant credibility for senior roles in offensive and defensive security teams, consulting positions, and adversary emulation efforts. CRTeamerX helps professionals stand out in the cybersecurity field with an expert-level credential.
How long is the certificate valid for?
The certificate does not have an expiration date. However, it will include the exam version and issue date. As the exam is periodically updated, candidates are encouraged to retake newer versions to stay current with modern red team methodologies.
Will you provide any training that can be taken before the exam?
As an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Candidates are expected to have acquired relevant skills through real-world experience, independent study, and practical labs. They should thoroughly review the exam syllabus and ensure they have a strong grasp of the tools, techniques, and procedures used in expert-level red team operations. External resources, advanced labs, and adversary simulation frameworks can aid in preparation.
Exam Syllabus
Red Team Infrastructure & OPSEC
- Setting up redirectors, staging servers, and C2 profiles
- Managing infrastructure with secure transport and domain fronting
- Practicing operational security during all engagement phases
Payload Development & Execution
- Crafting evasive payloads using native tooling and custom binaries
- In-memory execution, unmanaged PowerShell, and script-based delivery
- Obfuscation techniques to evade Windows Defender
Initial Access Techniques
- Common initial foothold vectors in assumed breach scenarios
- Abuse of misconfigured services, scheduled tasks, and login portals
- Using weaponized documents, shortcut files, and signed binaries
Local Enumeration & Reconnaissance
- Gathering host-level information: users, groups, privileges, sessions
- Identifying exploitable misconfigurations and binaries
- Mapping relationships between users, services, and access levels
Windows Privilege Escalation
- Exploiting misconfigurations (e.g., service permissions, UAC bypasses)
- DLL hijacking, unquoted paths, insecure registry/configuration settings
- Escalation via token impersonation, SID abuse, and named pipe manipulation
Credential Access & Replay
- Extracting credentials from memory, vaults, and secure stores
- Bypassing process protection to dump secrets, including tokens, tickets, and LSASS memory, using safe and stealthy techniques
- Reusing credentials with hash/token/ticket-based authentication
Lateral Movement
- Using built-in tools for lateral movement (WMI, WinRM, SMB, etc.)
- Exploiting shared drives, credential reuse, and session tokens
- Bypassing segmentation with pivoting and SOCKS tunnels
Active Directory Enumeration
- Mapping domain structure: users, groups, ACLs, GPOs, trust relationships (if any)
- Discovering paths to privilege escalation via object permissions
- Tools and techniques for stealthy domain enumeration
Kerberos-Based Attacks
- Abuse of ticket-based authentication mechanisms
- Performing common Kerberos abuses (e.g., ticket forging, delegation flaws)
- Using Kerberos artifacts for persistence and lateral access
Domain Privilege Escalation
- Identifying indirect paths to elevated privileges
- Abusing weak ACLs, group memberships, and misconfigurations
- Gaining control of high-privilege accounts from standard user context
Active Directory Persistence
- Implementing durable access without service disruption
- Host-based persistence: autoruns, registry, WMI, and tasks
- Domain-level persistence via permissions, groups, or object backdoors
Living-off-the-Land & Native Binary Abuse
- Leveraging trusted tools (LOLBAS) for stealthy operations
- Executing payloads with signed binaries and native interpreters
- Avoiding custom tooling to bypass controls
PowerShell & .NET Tradecraft
- Using PowerShell effectively in restricted environments such as JEA and AppLocker
- Bypassing security features: AMSI, transcription, and CLM
- Loading .NET assemblies in-memory for stealthy operations
Offensive .NET & Tool Modification
- Modifying open-source tools to evade detection and bypass controls
- Understanding .NET reflection, loaders, and runtime behavior
- Deploying .NET-based tooling in low-visibility contexts
Privilege Maintenance & Access Expansion
- Identifying machines with delegated or inherited rights
- Maintaining access across reboots and user logins
- Expanding control through harvested access and weak architecture
MSSQL & Database Exploitation
- Enumerating and interacting with exposed MSSQL instances for post-exploitation
- Abusing xp_cmdshell, CLR assemblies, and linked servers for code execution
- Escalating privileges via MSSQL impersonation and trust misconfigurations
Advanced Windows Privilege Escalation
- Leveraging CVEs (e.g., PrintNightmare, HiveNightmare, Juicy Potato variants) in real-world contexts
- Chaining escalation paths using misconfigured services, COM abuse, and DLL side-loading
- Exploring advanced token manipulation and domain privilege boundaries
Advanced Credential Access & Session Hijacking
- Leveraging API hooks and COM interfaces for stealthy credential extraction
- Session hijacking using token stealing, PTH/PTT chaining, and named pipe impersonation
- Persistence through credential artifact planting and logon interception
Domain Trust Abuse & Forest-Level Attacks
- Exploiting trust misconfigurations across domain and forest boundaries
- Attacking inter-domain delegation and SIDHistory abuse
- Enumerating and abusing external trusts, TGT forwarding, and forest-wide groups
Advanced Kerberos Abuse
- Performing golden/silver/diamond ticket attacks and detection evasion
- Abusing constrained delegation, RBCD chaining, and S4U2self/S4U2proxy flows
- Enumerating and exploiting service principal misconfigurations
Advanced C2 Management & OPSEC
- Designing custom C2 channels over uncommon protocols (DNS, SMB, WMI, HTTPS2)
- Implementing resilient multi-stage payload delivery and fallback infrastructure
- OPSEC-aware pivoting, beacon placement, and traffic blending techniques
Evasion through Binary Rewriting & Custom Loaders
- Rebuilding executables with low detection footprint using C++, Nim, and Rust
- Utilizing manual mapping, shellcode loaders, and in-memory execution frameworks
- Integrating C2 stagers into legitimate binaries using section injection and resource abuse
Advanced Pivoting & Network Evasion
- Performing network-aware pivoting through constrained environments
- Chaining multiple tunnel types (SOCKS, named pipes, DNS, SSH) for stealth
- Bypassing segmentation using misconfigured ACLs and service exposure