If you’re building an offensive security career focused on Windows and Active Directory, two certifications from Altered Security (formerly Pentester Academy) keep surfacing: CRTP (Certified Red Team Professional) and CRTE (Certified Red Team Expert). They look similar on paper — both pure AD, both practical, both budget-friendly compared to OSCP or OSEP — but they target very different skill levels and career stages.
In this guide we break down both certifications the way a hiring manager in India would evaluate your CV: what each proves, what each costs in 2026, who should pick which, and how to sequence them alongside OSCP or CRTO for maximum ROI.
Quick Comparison: CRTP vs CRTE at a Glance
| Factor | CRTP | CRTE |
|---|---|---|
| Full name | Certified Red Team Professional | Certified Red Team Expert |
| Vendor | Altered Security | Altered Security |
| Difficulty | Intermediate (entry AD) | Advanced (multi-forest AD) |
| Exam format | 24-hour hands-on lab | 48-hour hands-on lab |
| Exam environment | Single forest, 5 machines | Multi-forest, 7+ machines |
| Lab time included | 30 days | 60 days |
| Passing criteria | Compromise all 5 machines | Compromise all 7+ machines + submit hashes |
| Cost (2026) | ₹20,500 (~US$249) | ₹36,900 (~US$449) |
| Cost in INR (with Macksofy) | ₹22,000–₹28,000 (with mentoring) | ₹40,000–₹50,000 (with mentoring) |
| Prereq knowledge | Basic Windows + networking | CRTP-level AD fluency |
| Validity | Lifetime (no renewal) | Lifetime (no renewal) |
| Report required? | No (screenshots only) | No (screenshots + hashes) |
| Pass rate (industry est.) | ~70-80% | ~50-60% |
What CRTP Teaches and Certifies
CRTP is built around Altered Security’s Attacking and Defending Active Directory course. The syllabus walks you through the full kill chain against a modern Windows enterprise: enumeration, lateral movement, privilege escalation, persistence, and cross-domain attacks — all using native Windows tooling (PowerShell, WMI, BloodHound, Mimikatz, Rubeus).
CRTP syllabus (condensed)
- Enumeration: PowerView, ADExplorer, BloodHound for user/group/ACL discovery
- Local privilege escalation: unquoted service paths, DLL hijacking, token theft
- Lateral movement: PsExec, WMI, PowerShell Remoting, WinRM, Pass-the-Hash, Over-Pass-the-Hash
- Domain privilege escalation: Kerberoasting, ASREPRoasting, DCSync, constrained/unconstrained delegation
- Persistence: Golden Ticket, Silver Ticket, DSRM, Skeleton Key, Custom SSP
- Defense evasion: AMSI bypass, PowerShell constrained language mode, ETW bypass
- Forest and cross-forest attacks: trust abuse basics
The 24-hour exam gives you access to a lab with five machines. Your goal is to compromise all five, documenting each step with screenshots. No formal report is required — you submit a screenshot pack, and results typically land within a week.
What CRTE Teaches and Certifies
CRTE is the next rung on Altered Security’s ladder. It’s built on the Windows Red Team Lab course and focuses on enterprise-scale Active Directory environments with multiple forests and complex trust relationships — the kind of setup you’d find at a Fortune 500 company or a multi-subsidiary Indian conglomerate.
CRTE syllabus (condensed)
- Advanced enumeration: Custom Cypher queries in BloodHound, ACL abuse mapping at scale
- Multi-forest attacks: bidirectional trust abuse, SID filtering bypass, foreign security principals
- Advanced Kerberos: Resource-based constrained delegation (RBCD), S4U2Self/S4U2Proxy chains, PrinterBug + Unconstrained Delegation combos
- Advanced persistence: AdminSDHolder, SIDHistory injection, DCShadow, ACL-based backdoors
- Evasion: In-memory execution, reflective PE loading, AMSI + ETW full bypass, custom EDR evasion
- MSSQL attacks: Linked-server hopping for lateral movement
- ADCS abuse: ESC1 through ESC8 certificate-template misconfigurations
The 48-hour CRTE exam is a multi-forest environment with seven or more machines across trust boundaries. You have to compromise every machine AND submit the NTLM/AES hash of specific administrative accounts. The difficulty jump from CRTP is significant — expect to spend most of your prep time understanding delegation chains and cross-forest trust abuse, not re-practicing Kerberoasting.
The 5 Key Hands-on Differences
1. Scope of the attack surface
CRTP is a single-forest compromise. You’re working inside one trust boundary — everything is reachable from one initial foothold. CRTE drops you into a multi-forest environment where you have to pivot across SID-filtered trusts, bypass defensive mechanisms that exist specifically to break cross-forest attacks, and combine techniques (e.g., RBCD + unconstrained delegation + PrinterBug) to achieve enterprise admin.
2. Tool sophistication
CRTP teaches you what tools to run (PowerView, Rubeus, Mimikatz). CRTE teaches you when to use which — and more importantly, when to drop standard tooling and write a custom Kerberos abuse or reflective loader because EDR is blocking the usual paths.
3. Defense awareness
Passing CRTP requires an offensive mindset. CRTE assumes you understand Windows defenses (Windows Defender ATP, Microsoft Defender for Identity, behavior-based EDR) well enough to evade them. If CRTE drops you in an environment where default Cobalt Strike payloads get caught, you need in-memory-only workflows and payload obfuscation that weren’t covered in CRTP.
4. Time management
24 hours for CRTP is generous. 48 hours for CRTE is barely enough if you’re not comfortable with the full toolchain. Most candidates who pass CRTE say they spent 30+ hours actively working on the exam, with sleep and short breaks carefully planned.
5. Reporting and proof
Both certifications use screenshot-based proofs (not the OSCP-style 60-page report). CRTE additionally requires you to submit specific hashes as evidence — which means your exploitation chain has to reach particular privileged accounts, not just achieve domain admin by any path.
Who Should Take Which
Take CRTP if you are:
- A SOC analyst or junior pentester looking to transition into red team work
- A recent OSCP passer who wants to specialise in Windows/AD (OSCP only briefly touches AD)
- A Windows sysadmin moving into offensive security
- Budget-constrained — CRTP is the cheapest credible red team cert in the Indian market
- Preparing for interviews at MSSPs like Lucideus/SISA, Secura, or CERT-In empanelled firms where AD knowledge is table stakes
Take CRTE if you are:
- A CRTP holder with 6-12 months of real pentesting experience
- Preparing for mid-to-senior red team roles at banks, PSUs, or global FAANG security teams
- Planning to take CRTO (Zero-Point Security) or OSEP next — CRTE is excellent bridge content
- Looking to move beyond web/mobile pentesting into pure-infrastructure assessments
Skip both if you are:
- Targeting web application pentester roles — go OSWE instead
- A fresher without OSCP or equivalent hands-on foundation — the AD-specific content will feel disconnected without broader pentest context
- Looking for compliance or GRC roles — CRTP/CRTE are purely offensive and won’t help with CISA/CISM paths
Where CRTP and CRTE Fit in the Offensive Cert Stack
If you’re building a 2-3 year offensive security career plan from India, here’s a practical sequence that works for most hiring targets:
- Year 1, Month 0-6: CEH v13 AI, or OSCP directly if you have 1+ year of networking background.
- Year 1, Month 6-12: CRTP. With OSCP already in hand, CRTP is a 2-3 month effort at most, and the AD depth adds enormous interview weight.
- Year 2, Month 12-18: Real projects. Apply CRTP skills on HackTheBox’s AD labs and Pro Labs (Offshore, Cybernetics, Dante). Six months of practical work between CRTP and CRTE is what separates passers from failures.
- Year 2, Month 18-24: CRTE or OSEP. If you want vendor recognition and the EC-Council/Offsec ecosystem, pick OSEP. If you want pure AD depth and a cheaper path, pick CRTE.
- Year 3+: CRTO (Zero-Point Security), specialising in a toolchain (Cobalt Strike, Sliver, or Havoc), or moving to OSED/OSEE if exploit development interests you.
How Indian Hiring Managers Weigh CRTP and CRTE
Based on job descriptions pulled from Naukri, LinkedIn India, and Instahyre for red team roles in Mumbai, Bangalore, Hyderabad, and Gurgaon in Q1 2026:
- CRTP is explicitly listed in ~18% of red team JDs, usually phrased as “CRTP, CRTO or equivalent AD experience required”.
- CRTE is listed in ~5% of JDs but shows up in top-tier listings (Big 4 consulting, banking red teams, CERT-In empanelled firms). Its presence on a CV is a strong differentiator because few candidates have it.
- Both are treated as a demonstration of AD knowledge — interviewers will still ask you to explain Kerberoasting live, walk them through a real chain you executed, or whiteboard an RBCD attack.
- Neither is a replacement for OSCP as the “do-you-have-hands-on-skills” baseline filter. CRTP alone without OSCP often underperforms a CV with just OSCP for generalist roles.
Preparation Plan: 90-Day Roadmap to CRTP or CRTE
For candidates with OSCP already done:
- Day 1-30: Complete the Altered Security course videos. Work through all flagged scenarios twice — once with guidance, once from memory.
- Day 31-60: Practice in lab. Take 10+ runs at the full attack chain without notes. Write custom PowerShell for each primitive (Kerberoast, DCSync, delegation abuse) so you’re not dependent on public tooling.
- Day 61-75: Spend time on HackTheBox AD boxes like Forest, Sauna, Active, Cascade for variety. These expose patterns Altered Security’s lab doesn’t cover.
- Day 76-90: Mock exam — simulate the 24-hour format on Altered Security’s lab, no notes except your command cheat sheet.
CRTP and CRTE Costs in India (2026)
| Option | CRTP | CRTE |
|---|---|---|
| Direct from Altered Security (course + 30/60d lab + exam) | ₹20,500 (US$249) | ₹36,900 (US$449) |
| Exam-only retake voucher | ₹8,250 | ₹16,500 |
| With mentoring (Macksofy guided cohort) | ₹22,000–₹28,000 | ₹40,000–₹50,000 |
| Extension of lab access (+30 days) | ₹4,100 | ₹8,250 |
These are among the best value-for-money certifications in offensive security when you compare against OSEP (US$1,799) or OSCP (US$1,699) for comparable depth.
Frequently Asked Questions
Is CRTP a replacement for OSCP?
No. OSCP validates broad pentesting skills across Linux, Windows, web, and buffer overflows. CRTP is a deep dive into Active Directory alone. Most Indian hiring managers treat them as complementary — OSCP as the baseline and CRTP as the AD specialization.
Can I take CRTE directly without CRTP?
Technically yes, but practically no. CRTE assumes CRTP-level fluency with Kerberos, delegation, and PowerView. If you skip CRTP you’ll spend the first two weeks of your CRTE prep catching up, effectively paying more money for the same outcome. Exception: OSEP holders can usually jump straight to CRTE.
Do CRTP/CRTE expire?
No. Both are lifetime certifications with no renewal fee or CPE requirement, unlike CEH (which requires annual CPEs).
What pass rate should I expect?
Altered Security doesn’t publish official pass rates. Community estimates put CRTP at ~70-80% (for candidates who completed the course) and CRTE at ~50-60%. The first-time CRTE pass rate drops significantly for candidates who didn’t also do CRTP first.
Is the exam proctored?
No. Both exams are unproctored — you access the lab from home and submit screenshots and hashes at the end. Altered Security relies on the difficulty of the exam itself to prevent cheating.
CRTP or CRTO — which is better for me?
CRTO (Zero-Point Security) teaches the same AD attack surface but through the lens of Cobalt Strike operator workflows — it’s more aligned with actual red team engagements that use commercial tooling. If your target employer uses Cobalt Strike, take CRTO. If your target employer wants you to demonstrate general AD attack knowledge with open-source tooling, take CRTP. Many senior red teamers do both.
Will CRTP/CRTE help for GRC or SOC roles?
Marginally. CRTP does improve a SOC analyst’s ability to detect AD attacks (because you understand what they look like). But for pure SOC or GRC career paths, SOC analyst training or CTIA plus GRC certs like ISO 27001 LA will give better ROI than CRTP.
Does Macksofy offer CRTP or CRTE training?
Yes. Macksofy runs guided CRTP and CRTE bootcamps with live mentoring, weekly lab review sessions, and pre-exam mock attacks. Contact us for the next cohort dates via our training enrolment page.
Which certification do Indian banks and PSUs prefer?
Banks (SBI, HDFC, ICICI) and PSUs (BHEL, ONGC) running their own red team functions typically list CRTP or CRTO in JDs for junior red teamers and CRTE, OSEP, or OSCE3 for senior roles. CERT-In empanelment requirements focus on OSCP/CEH, so for consulting firms doing VAPT for these clients, OSCP + CRTP is the highest-ROI stack.
The Verdict
CRTP is the best first red team certification for Indian offensive security professionals in 2026. It’s affordable, focused, and hiring managers know the brand. Take it within six months of passing OSCP while the hands-on muscle is fresh.
CRTE is a strong second step — take it only after you’ve applied CRTP skills in real engagements. Taking both back-to-back without field experience is a common mistake that leads to CRTE exam failures and wasted budget.
Either way, don’t skip OSCP. In the Indian hiring market in 2026, OSCP remains the non-negotiable baseline for offensive security roles — CRTP and CRTE are specialization layers on top of it, not replacements.