Seeing Red
Penetration testing and red teaming are critical components of modern cybersecurity, bridging the gap between theoretical vulnerabilities and real-world adversarial tactics. As companies continue to prioritize strong defenses against increasingly sophisticated threats, professionals in these fields are often faced with a dizzying array of certification pathways. Each certification route brings its own blend of specialized expertise, practical simulations, and rigorous examinations designed to validate skillsets in areas such as vulnerability assessment, exploit development, and comprehensive attack strategy. Understanding the distinctions between these credentials—and choosing the one that aligns with both your career goals and your preferred learning style—can accelerate your professional growth in an industry that thrives on continuous evolution.
What this blog ISN'T, is a list of all the fundamentals. We assume you already have those, as the topics covered within these courses will be more in depth. We're also not going to actually cover the actual coursework here, because we're ethical after all. The reviews of each will also be subjective, but not only limited to positive experiences. What this also is not, is endorsed in any way. All of the opinions expressed within are from personal experiences, community feedback, and industry trends. Let's get sucked in.
Step 1 : OSCP - Offensive Security Certified Professional
OffSec Team
Offensive Security’s OSCP (Offensive Security Certified Professional) has long been regarded as a foundational certification for aspiring penetration testers. It is built around a “try harder” philosophy that emphasizes hands-on learning and self-reliance. The course package, historically known as “Penetration Testing with Kali Linux” (PWK), provides a combination of training videos, written material, and lab access. Many in the industry view OSCP as a rite of passage because of its thorough coverage of fundamental hacking techniques and its rigorous exam challenge.
The OSCP curriculum teaches the core concepts of penetration testing against a variety of targets, including Linux and Windows servers and workstations. Students learn to conduct reconnaissance, exploit vulnerabilities, and escalate privileges in a lab environment designed to mimic real-world networks. The course covers topics such as service enumeration, web application testing, password attacks, buffer overflows, and post-exploitation techniques. Much of the learning happens through trial and error: the structured course material gives students an initial roadmap, but the real depth comes from navigating the labs independently and discovering how to pivot between machines, find hidden vulnerabilities, and develop custom exploit strategies.
The labs immerse students in a network filled with multiple targets of varying difficulty, each with unique configurations, vulnerabilities, and obstacles. This lab structure is intended to encourage persistence. Students often find themselves stuck, but the process of researching solutions, experimenting with different approaches, and finally breaking into a host instills the crucial “try harder” mentality. Because the tasks are so hands-on, graduates typically walk away with an ability to apply fundamental hacking techniques in real scenarios. Even if many vulnerabilities in the labs may feel dated, they effectively reinforce core principles.
The OSCP exam has evolved over time but remains known for its practical and demanding nature. Students typically have 24 hours to compromise a set of machines, each assigned a point value based on difficulty. After that hands-on period, there is additional time (often another 24 hours) dedicated to producing a thorough report. The exam forces candidates to demonstrate a range of skills: carefully enumerating each machine, identifying the right exploits, and efficiently documenting steps taken. Success in the exam requires not just technical prowess but also meticulous note-taking and time management. Passing awards the OSCP certification, which enjoys considerable recognition among employers in the cybersecurity industry.
The Good
A major strength of the OSCP is how it challenges students to think independently. The labs and exam are designed to push learners to dig into manuals, read source code, and truly understand exploitation methodologies rather than simply memorize steps. Employers and peers often respect the OSCP because it proves a baseline of practical pentesting competence and determination. The course also covers a broad range of techniques that form the bedrock of penetration testing, and for many, it serves as a strong introduction to ethical hacking as a career path.
The Bad(s)
Criticism that arises is that the OSCP can sometimes feel dated or narrow in its scope. Certain machines in the labs use older vulnerabilities that might not reflect the latest threats. Additionally, the “try harder” or charmingly know in the community as the "Pay Harder" model, while beneficial for resilience, can be frustrating for learners who prefer more guided instruction. Some participants feel the course material does not always prepare them for the trickiest lab or exam targets, which may force heavy reliance on external resources and self-study. Another point of contention is that the single-minded focus on a specific lab environment may not delve deeply into modern enterprise settings, which could include advanced Active Directory defenses, modern EDR solutions, or complex cloud infrastructures.
Step 2 : CRTO - Certified Red Team Operator
https://training.zeropointsecurity.co.uk/courses/red-team-ops
The Certified Red Team Operator (CRTO) course from Zero-Point Security focuses on adversary simulation and red teaming within a Windows-centric environment. Unlike broader penetration testing certifications, it zeroes in on techniques that replicate real-world intrusion campaigns, guiding students through initial footholds, lateral movement, privilege escalation, and defense evasion. By dedicating the curriculum to modern Windows environments and bypassing enterprise-level security controls, CRTO meets the demand for specialized red team skills in today’s threat landscape.
The course material is presented in a concise, step-by-step format. Students learn practical attack methods rather than spending excessive time on theory. Modules cover topics like initial phishing-based compromises, credential harvesting, pass-the-hash or pass-the-ticket tactics, Kerberoasting, and various Active Directory exploitation methods. Defense evasion is a major focus, so the content also addresses ways to circumvent antivirus and EDR solutions, including using living-off-the-land binaries and obfuscated payloads. Rather than overwhelming students with academic detail, CRTO aims to equip them with offensive techniques that mirror the workflow of genuine adversaries.
A dedicated lab environment simulates a Windows domain with multiple hosts and user privilege levels, creating a controlled but realistic playground. Learners have access to these machines to replicate the attacks outlined in the course material. This immersion offers a hands-on experience that helps students cement their understanding of how different Windows components can be leveraged, misused, or bypassed. The lab challenges often require investigative problem-solving; although the course notes guide learners, there is a strong emphasis on experimentation and adaptation, underscoring skills that carry over into real corporate networks.
The CRTO exam typically grants a fixed time window (often 48 hours) to compromise a Windows environment resembling the lab scenario. Candidates must enumerate systems, infiltrate various hosts, escalate privileges, and maintain persistence, all while circumventing detection. After these hacking activities, students must compile a written report outlining the vulnerabilities discovered and the techniques employed. Success in this practical assessment earns the Certified Red Team Operator title, which is recognized by many in the security community looking for proven Windows red team capabilities.
The Good
One advantage of CRTO is its core focus on Windows-based adversary simulation, an area that remains central for real-world threat actors. The course’s hands-on teaching style ensures that learners leave with immediately applicable skills. The lab environment feels realistic and includes contemporary Windows security measures, so the techniques taught are relevant to modern networks. The structured yet streamlined documentation means participants do not waste time on extraneous theory, allowing them to devote more attention to practical scenarios.
The Bad(s)
On the flip side, the course’s tight scope might not be suitable for individuals seeking a broader overview of penetration testing or those unfamiliar with Windows internals. The material assumes some preexisting background in Windows security, Active Directory, and basic network penetration testing concepts. Another potential drawback is that the default lab access duration can feel rushed, especially if someone cannot commit consistent hours to practice. Additionally, while CRTO excels in demonstrating how to bypass endpoint defenses, it does not deeply explore other potential layers of modern enterprise security, such as advanced SIEM correlation or complex cloud integrations.
Step 3 : White Knight Labs ODPL - Offensive Development Practitioner Certification
White Knight Labs’ ODPC (Offensive Development Practitioner Certification) is a specialized training program designed for security professionals looking to enhance their skill set in offensive security and penetration testing. It places a strong emphasis on building custom tooling, developing payloads, and conducting red team operations that parallel what advanced attackers might do in real-world scenarios. Unlike many generalized penetration testing courses, ODPC dives into the nuances of tool creation and operational tradecraft, aiming to equip students with the ability to adapt in environments that employ modern defenses and security controls.
The ODPC curriculum is rooted in hands-on exercises and labs rather than passive lectures. Students are introduced to core principles of offensive tooling, including shellcode development, payload obfuscation, and C2 (command-and-control) setup. As the name suggests, the course simulates a complete pipeline: from the initial stages of planning and building an offensive toolkit, to delivering those tools in a contested environment, to refining techniques based on detection or defensive controls encountered. It covers aspects of Windows and Linux exploitation, with a focus on how advanced threat actors evolve their methods when faced with modern endpoint security. Participants learn how to write and customize code in languages like C++, C#, or Python, practice advanced payload creation, and explore ways to bypass defenses such as EDR solutions and Windows Defender.
Practical application is the crux of ODPC. White Knight Labs provides a lab environment with a variety of hosts, each running different security controls or configurations intended to challenge the new offensive techniques being taught. Rather than merely walking through static exercises, participants often have to iteratively refine their payloads, test them against active defenses, and pivot within a simulated network. This cycle of continuous adaptation aims to mirror real red team engagements. The labs are designed so students can witness how seemingly minor changes in code or execution flow can have a substantial impact on detection rates, privilege escalation paths, and lateral movement opportunities.
The ODPC exam usually consists of a multi-day challenge in which candidates must develop or deploy custom tooling to infiltrate and pivot through a lab network. A significant portion of the exam is spent iterating on payloads, bypassing evolving defenses, and documenting every step. After the practical portion, students submit a report detailing their methodologies, findings, and any lessons gleaned from the engagement. Passing this rigorous test earns them the ODPC certification, which signals proficiency in building offensive capabilities and demonstrates a capacity to handle advanced defensive measures within target environments.
The Good
One key strength of ODPC is its emphasis on offensive tool development. Many penetration testing courses limit themselves to off-the-shelf frameworks, but ODPC compels learners to create or adapt their own solutions. This fosters a deeper understanding of exploit mechanics and detection evasion techniques. Another advantage is the hands-on nature of the labs, which simulate a responsive environment that forces students to refine their craft. The focus on contemporary Windows and Linux security measures ensures relevance to modern enterprise environments.
The Bad(s)
For those without any programming background, the learning curve can feel quite steep. The course assumes familiarity with coding concepts and a willingness to work extensively in languages like C# or C++. Some might find the emphasis on development overshadowing broader pentesting fundamentals; those hoping for an all-purpose introduction to penetration testing may need to look elsewhere. Another consideration is that ODPC is a relatively new offering compared to long-established courses, so it may not carry the same name recognition among hiring managers or the broader infosec community.
Step 4: CRTO 2 - Certified Red Team Operator II
Certified Red Team Operator II (CRTO 2) is Zero-Point Security’s advanced follow-up to their well-regarded CRTO course. While CRTO establishes a foundation of Windows red teaming tactics—covering initial access, lateral movement, and common EDR bypass methods—CRTO 2 pushes deeper into complex adversary simulation techniques. It’s designed for security professionals who already possess a solid grasp of Windows internals, Active Directory attacks, and red team workflows, and who want to hone more sophisticated, stealth-oriented, and up-to-date methodologies for evading mature defenses.
CRTO 2 builds on the practical approach introduced in CRTO but shifts to more advanced topics in Windows privilege escalation, network pivoting, defense evasion, and credential abuse. This includes deeper explorations of custom payload development, in-memory injection strategies, advanced obfuscation, and leveraging lesser-known “living-off-the-land” binaries for stealth operations. The course also delves into modern EDR-bypass techniques, encouraging students to adapt their TTPs (tactics, techniques, and procedures) when confronted with well-configured, enterprise-grade security controls. Rather than simply rehashing CRTO’s syllabus, CRTO 2 pushes participants to innovate and refine their offensive toolkit, often requiring the creation or customization of code snippets in languages such as PowerShell, C#, or C++.
Zero-Point Security continues its emphasis on hands-on labs, providing a more challenging Windows domain setup than what students encountered in CRTO. Advanced defenses are in place—ranging from stricter Group Policy enforcement to modern EDR products—that simulate the types of security controls found in large-scale corporate environments. The lab environment typically contains multiple hosts or segments requiring stealthy navigation, and it encourages more complex lateral movement scenarios than a straightforward domain compromise. Students learn to escalate privileges carefully while evading real-time detection, fine-tuning their payloads as they encounter newly triggered alerts or blocked execution attempts.
Similar to CRTO, the CRTO 2 exam involves a time-limited practical test (often 48 hours) in an environment reflective of the advanced labs. Candidates must demonstrate not only a methodical approach to compromise but also the capacity to adapt quickly when faced with unexpected defenses or blocked payloads. Thorough documentation of all steps taken is mandatory, culminating in a report that details the vulnerabilities exploited, the stealth techniques used, and recommended remediation steps. Earning the CRTO 2 certification signals that the student has proven an ability to replicate sophisticated, real-world attacks in a manner that mimics today’s top-tier adversaries.
The Good
One major strength of CRTO 2 is its focus on emerging red team tactics and bypasses, offering participants current and relevant skills to tackle well-defended Windows infrastructures. The inclusion of advanced EDR evasion ensures that learners are not limited to theoretical knowledge but develop actionable approaches to modern detection challenges. The lab-based format allows for immediate application of new techniques, reinforcing problem-solving and creativity. By building on CRTO’s fundamentals, CRTO 2 provides a logical progression for students who want to push their Windows red teaming abilities to a more professional, sophisticated level.
The Bad(s)
Because CRTO 2 assumes familiarity with the material from CRTO (and, ideally, some real-world red team experience), the barrier to entry can be high for those who are still new to Windows offensive security. The advanced lab and time constraints can be stressful if students are unprepared for a steep learning curve. While many appreciate the lean, focused style of Zero-Point Security’s training, some learners might feel the material moves quickly and offers less in-depth theoretical explanation compared to courses that pause for extensive background lessons. Additionally, those seeking coverage of other operating systems or broad pentesting principles may find CRTO 2’s narrow Windows focus too restrictive.
Step 5 Through ∞ : Supplementary Skills
I strongly recommend that you take the time to strengthen your technical writing skills. At my company, we have an old says that goes "You're only as good as your last report".
Several online courses exist. Some paid, some free. Here are some samples you could consider working through:
Google Technical Writing One, Two, and Accessibility
Write The Docs
Write the Docs
Keeping in mind alongside this, that the world of on-prem is ever diminishing, and the majority of clients these days run either hybrid, or full cloud environments with no on-prem Active Directory, which will mitigate such a large portion of attacks you will be familiar with.
We'll touch on learning some AAD and Entra ID in later blogs, but as a primer for the time being, have a look into the following:
Learning Entra directly from the source is about as good as it gets right now. Understanding the full stack, the authentication flow, and the general environment will go a long way to reinforcing your basics.
wwlpublish
Attacking and Defending Azure/M365 by Xintra
“Attacking and Defending Azure/M365” from Xintra aims to equip security practitioners with the knowledge to both compromise and protect Microsoft’s cloud ecosystem. Given that more organizations are shifting critical workloads to Azure Active Directory (Azure AD) and Microsoft 365 (M365), this course addresses increasingly relevant attack surfaces in identity management, SaaS applications, and the underlying infrastructure. With a focus on realistic scenarios and a mix of offensive and defensive perspectives, the training highlights not just how to exploit misconfigurations and weaknesses in Azure and M365 but also how to detect and mitigate these threats.
The course delves into common attack vectors affecting Azure and M365 tenants, starting with enumeration, reconnaissance, and credential gathering methods suited to cloud environments. Participants learn about password spraying, token manipulation, and privilege escalation paths in Azure AD. Beyond basic identity attacks, the curriculum covers lateral movement across cloud services, app registrations, API permissions, and how attackers pivot once they gain a foothold in a tenant. From a defensive standpoint, the content addresses best practices such as conditional access policies, logging and monitoring with Azure services, MFA configurations, and the use of advanced Microsoft security suites (e.g., Defender for Cloud Apps). The underlying goal is to illustrate how cloud identity and access management (IAM) intricacies can either strengthen or compromise an enterprise security posture.
A standout feature is the inclusion of hands-on labs that mirror a realistic M365/Azure environment. Students typically encounter a live Microsoft 365 tenant or Azure subscription pre-configured with various roles, permissions, and potential misconfigurations. These labs challenge learners to move from theoretical steps to actual exploitation, such as running password attacks or manipulating tokens to escalate privileges in Azure AD. On the defensive side, participants experiment with alerting mechanisms, audit logs, and conditional access rules, learning how to detect malicious activity and tighten security baselines. The interactive exercises encourage a problem-solving mindset, underscoring how attackers adapt when faced with obstacles—and how defenders can stay one step ahead.
While details can vary based on updates to Xintra’s program, the general pattern involves a practical assessment in a cloud-based environment. Candidates need to demonstrate both offensive techniques—like breaching an Azure AD tenant or exfiltrating data from a compromised M365 account—and defensive countermeasures, such as configuring effective conditional access or investigating logs to identify intrusions. Documentation of each step, including evidence of compromise or remediation, is often required in a final report. Success in this rigorous evaluation grants a credential that validates a well-rounded comprehension of Azure/M365 attack-and-defend scenarios.
The Goods
One of the course’s biggest strengths is how it combines red and blue perspectives into a unified syllabus. Rather than focusing solely on hacking or only on defense, it weaves both elements together, reflecting the complexity of modern cloud security. Students can directly see how a misconfiguration exploited during an offensive exercise can later be prevented or quickly detected using Microsoft’s native tools. Another highlight is the real-world lab environment, which gives participants immediate experience with Azure-specific challenges—much more relevant than purely theoretical or on-prem-only simulations. For practitioners aiming to stay at the cutting edge of cloud security, this dual-track approach is extremely beneficial.
The Bad(s)
As a specialized cloud-focused course, the training may feel overwhelming for those new to Azure or lacking foundational Microsoft 365 administration knowledge. Some students could find themselves struggling if they are unaccustomed to Azure Portal navigation, role assignments, or the intricacies of Microsoft licensing. Additionally, because the platform evolves rapidly, course materials can become outdated unless Xintra frequently updates them. There’s also a chance that the hybrid nature of attacking and defending within one curriculum compresses each topic, leaving learners wishing for more extensive deep dives into either the offensive or defensive dimension.
Finally, various community events containing exclusive training which can only be attended in-person. As such, I strongly advise you to get involved in the community, get trained, and give back.
Thanks for reading.