Top Red Team training to boost your Cybersecurity career
Hello ethical hackers. Today, I will go through the red team training courses and certifications I took this year. If you would like to pursue a career in red teaming and don’t know which certifications to take, this is for you.
Why Red team training?
First of all, let me tell you why I chose to pursue a career in red teaming. Until recently, I was doing different kinds of penetration testing assessments. I hacked web applications, internal and wireless networks, mobile applications, APIs… the usual pentest stuff. I have enjoyed finding vulnerabilities, reporting them to my clients, and helping them become more secure. However, I found myself stuck in a limited scope time and time again. I didn’t have the privilege of pivoting through a compromised machine and reaching other targets because they fell out of scope. I also couldn’t breach the perimeter of my clients’ infrastructures through phishing. Those tactics are not usually part of penetration testing.
However, if you look into any threat intelligence report, they are classic among real threat groups. And I really wanted to perform the same for my clients. Therefore, my desire to follow a red team career seemed natural. Unfortunately, due to the nature of these engagements, it is not easy to just spin up a virtual machine or play CTFs. I needed serious training to kickstart my red teaming career.
The best Red team training courses criteria
I didn’t just pick any certification out there; I had several criteria in mind to help me cherry-pick the best red team training courses.
Hands-on lab
The first criterion I’m seeking in any certification is hands-on training. I believe that we learn by practicing, especially in cyber security. I don’t like spending hours reading lengthy courses full of theory. Don’t get me wrong, I love reading books. But I believe that getting certified is not like reading a book. Therefore, the certifications I am willing to tackle should have hands-on training in a practical lab.
Course content
The course content is the next element I’m looking for when choosing a certification. It has to cover the topics I’m looking for. In the case of red teaming, the ideal course would cover the different tactics and techniques used by threat actors.
Some technologies should be covered as well, such as Active Directory. Nowadays, most companies use Active Directory to manage their infrastructure. Therefore, it does not make sense to pay for a course that does not cover that.
Support
The support plays a big role in deciding which red teaming certification I would take. I’m looking for a reasonable response time with actually satisfying answers, to be more precise.
Additionally, I’m also looking for efficient communication channels. For instance, real-time chat would be better than email. If there is a community, that would be even better.
Exam
I really dislike multiple-choice questions in cybersecurity exams. I want to earn my certification by successfully attacking a network using what I’ve learned in the lab. Hence, the exam should be hands-on. It should be challenging, invite the candidate to think outside the box and allow enough time, including break time.
Ideally, the report should be required because it makes a big difference in the professional world.
Delivery
Of course, having all the above is good, but delivering them is also a crucial criterion. It would be a pity to have a great lab full of hacking techniques, only to experience repetitive connection losses or slow machines.
Price
I left this at the end, but the price also plays a role in my choice. I don’t mind if it’s expensive, as long as it matches the previous criteria. However, if one certification offers the same while being cheaper, I would naturally choose it.
Entry-level “Red Team” training: CRTP
The Certified Red Team Professional certification comes from AlteredSecurity.
Its name can be misleading since the course content is focused on Active Directory, not Red teaming. However, it is the best certification for entry-level Active Directory hacking. It touches upon red teaming in some parts of the course, but it’s far from enough.
The course content comes in both PDF and videos. Personally, I was satisfied with their quality. However, the videos could have been edited better.
The lab is stable and available throughout the time package you buy. It is accessible either from your web browser or using RDP, and it is meant to be a companion of the course. In fact, the course and the videos explain the concepts by applying them in that same lab.
The support is based on email, and you receive replies within several hours. The answers are usually satisfactory. There’s also a Discord server which I believe is maintained by the community.
At $249 for the 30-day package, it is an accessible certification. I believe you don’t really need to buy more than that.
The exam is based on a lab of five machines. You have to compromise at least four of them using the techniques you have learned from the course. Besides, a professional report should be written and sent to AlteredSecurity. Once you pass the exam, you receive a verifiable certification to share with your network.
Update: I now have an affiliate program with AlteredSecurity where you can use the coupon code “thehackerish” for a 5% discount when purchasing using Stripe. Valid for all of our current on-demand classes and bootcamps, but not for exam reattempts and lab extensions.
If you’d like to know more about this certification, feel free to watch this video.
Medium-level “Red team” training course: CRTE
Since I’ve enjoyed CRTP, I didn’t hesitate to take this certification. However, I was a bit disappointed.
The Certified Red Team Expert is also from AlteredSecurity. Like CRTP, this “Red team” training certification focuses on Active Directory only. It comes with the same course, the same lab size, the same support, the same exam requirements. Yet, it is more expensive. So what’s the difference?
The only difference is the lab’s difficulty. In fact, firewall rules prevent direct access to most of the servers. There is a hardened jump server that should be compromised first. Other than that, there is no difference.
I was disappointed to pay for an entire certification package and only get to practice in a slightly hardened lab.
If you’d like to know more about this certification, feel free to watch this video.
Advanced Active directory hacking: CRTM
The Certified Red Team Master is another certification from AlteredSecurity. It covers advanced topics in Active Directory hacking. Most of the technologies discussed during the course can be found in enterprise-level environments.
The course content is almost the same as the CRTP course, with a few additional videos covering the new concepts.
Although I was skeptical because of my previous experience with CRTE, I still took this certification thanks to one factor, the huge lab! It comprises seven or eight forests. You can imagine the number of vulnerabilities you will be playing with. It took me 2 months to go through it. The access was stable during the entire time. If I learned one thing from this lab, it would be enumeration. Honestly, I honed my enumeration skills to hop from one Forest to another.
The support here is no different than the other “Red teaming” certifications from AlteredSecurity.
The exam was different, though. In fact, 50% was about compromising 5 servers inside the lab, while the other 50% required patching the vulnerabilities you found. Additionally, you would have to send a detailed report describing your steps to compromise and fix the lab.
This one is the most expensive among the three AlteredSecurity courses, but I think it’s still valuable if we consider the lab size and the patching aspect.
If you’d like to know more about this certification, feel free to watch this video.
A real Red team training certification: CRTO
The Certified Red Team Operator certification comes from Zero-Point Security. It covers the tactics, techniques, and procedures used during a Red Teaming engagement to emulate a real threat actor.
The course content is hosted on an online MOOC platform. It is composed of modules that cover the building blocks of a Red team engagement from start to finish. Overall, the content of each module is rich; some even contain videos. However, other modules, such as reporting, lack details. But what’s good about this certification is its lifetime access to the course content and its future updates.
The lab is an Active Directory environment that contains all sorts of vulnerabilities discussed in the course. It is limited in time, one hour to be precise. If you run out of time, you have to purchase additional hours. You can only access the lab using your web browser to prevent stealing Cobalt Strike.
Currently, there is a Discord server where you can interact with the community and the creator of the certification, Daniel Duggan, also known as @_Rastamouse. If you run into technical issues in the lab, you can drop a message and hope someone answers you.
The exam is an Active Directory environment that resembles the lab. You have to collect the flags you find along the way. You pass when you submit 6 out of 8 flags. No reporting is required. When you succeed, you receive a verifiable badge of accomplishment in the following days.
I particularly enjoyed the exam because I could combine multiple attack vectors to compromise an external forest. It was a rewarding feeling.
If you have experience in penetration testing and Active Directory hacking, you don’t need more than a month to accomplish the lab. Combined with lifetime access to the course content, I think that the price of this certification is reasonable.
If you’d like to know more about this certification, feel free to watch this video.
Conclusion
I hope you found this helpful. Regarding my Red teaming journey, my next move would be to get OSEP certified. Make sure to subscribe to get notified when I give you my feedback.
Don’t hesitate to drop me a comment below if you have additional questions regarding those Red teaming certifications. Also, let me know if you know any other ones that match my criteria; I would be more than happy to see your suggestions.
Until next time, stay curious, keep learning and go find some bugs.