If your career goal is “I want to be the person who reaches Domain Admin during a red-team engagement”, you’ll eventually land on three certifications that cover Active Directory attack methodology in different depths: CRTP (Altered Security’s Certified Red Team Professional), CRTE (Altered Security’s Certified Red Team Expert), and OSEP (Offensive Security Experienced Penetration Tester). Which one you take first — and whether you need all three — depends on what stage of the AD attack chain you’re already comfortable with and whether your end goal is consulting, internal red-team work, or a senior offensive-security role.
This guide breaks down what each cert actually covers, the realistic Indian career signal, the cost and time investment, and the decision framework for sequencing them.
TL;DR — the AD-cert ladder
| Cert | Vendor | Difficulty | Focus | Exam length | Approx. cost |
|---|---|---|---|---|---|
| CRTP | Altered Security (formerly Pentester Academy) | Intermediate | AD attack fundamentals — single-forest, classic techniques | 24 hours hands-on | $249-339 USD (with 30 days lab) |
| CRTE | Altered Security | Advanced | Multi-forest AD attack — trusts, cross-forest pivoting, advanced evasion | 48 hours hands-on | $429-489 USD (with 60 days lab) |
| OSEP | Offensive Security | Expert | Evasive techniques — AV/EDR bypass, custom payloads, AD with hardened defences | 48 hours hands-on + 24h report window | $1,599+ USD (PEN-300 bundle) |
If you’ve never popped Domain Admin on a lab, start with CRTP. If you can take down a single-forest AD environment from a foothold but haven’t crossed a trust boundary, do CRTE. If you can do both but get blocked by Defender / EDR / CrowdStrike in real engagements, OSEP is the upgrade.
CRTP — the on-ramp
Certified Red Team Professional is the most popular AD-focused certification in 2026 because it does one thing well: it teaches the AD attack lifecycle from a foothold to Domain Admin in a single forest, with classic techniques you’ll use in 80% of real engagements. The lab includes one parent domain and one child domain, with intentional misconfigurations that map to real-world cases (Kerberoasting weak service accounts, ASREProasting users with pre-auth disabled, constrained delegation abuse, DCSync rights misassigned to standard users, ADCS template ESC1 / ESC8 vulnerabilities).
The exam is 24 hours, with five flags inside the lab environment. Pass mark is 4 of 5 flags submitted with a professional-quality report. Most candidates clear in 12-15 hours of actual exam-window work; the remaining time is buffer for the report.
What CRTP teaches well: BloodHound enumeration, PowerView, AD module queries, Kerberos abuse (Kerberoasting, ASREProasting, unconstrained / constrained / resource-based constrained delegation), DCSync, Pass the Hash, Golden Ticket, Silver Ticket, Diamond Ticket, Domain Persistence (DSRM, AdminSDHolder, Skeleton Key). All of it within a controlled lab where AV is permissive.
What CRTP doesn’t teach: EDR evasion, multi-forest pivoting, hardened AD environments where service-account passwords are randomized, ADCS environments that have been audited, or modern detections that catch the classic techniques. CRTP gives you the textbook playbook — production AD environments often need more.
Indian career signal: CRTP is well-known at consulting firms (Deloitte, KPMG, PwC, EY cybersecurity practices), BFSI red teams, and most boutique offensive-security shops. It’s a strong differentiator from OSCP+ for AD-specific roles. Salary impact for an L2 pentester: roughly ₹2-4 lakh CTC bump in the Indian market.
CRTE — the multi-forest upgrade
Certified Red Team Expert is the natural follow-on. The lab is the same kind of mentor-led, technique-focused environment as CRTP, but with three forests connected by trusts of different types (parent-child, external one-way, external two-way), and the AD environment is hardened — randomized service-account passwords, AppLocker policies, signed PowerShell only, certificate templates audited.
The exam is 48 hours, eight flags, pass mark is 7 of 8. You’ll need to cross forest boundaries, abuse cross-forest trusts, and persist across the multi-forest environment. The techniques required include foreign-domain trust abuse, SID history manipulation, golden / silver tickets crossing trust boundaries, MSSQL link-server chaining for lateral movement, and constrained-delegation chains spanning forests.
What CRTE teaches well: Trust enumeration (one-way vs two-way vs forest vs external), cross-trust lateral movement, AppLocker / Constrained Language Mode bypass for PowerShell, advanced Kerberos delegation (unconstrained on a domain controller, RBCD with computer-account creation), and how to operate inside a real-enterprise AD topology rather than a lab toy.
What CRTE doesn’t teach: Modern EDR bypass at depth, custom-payload development, or how to evade an actually-tuned blue team. The lab assumes the defender hasn’t seen you yet — production engagements with managed XDR products often won’t let your classic AD attack chain fire at all.
Indian career signal: CRTE is rarer than CRTP, which is exactly what makes it useful. It signals you’ve operated above the “OSCP + CRTP” baseline and have multi-forest experience. For Indian banking-sector red teams (which almost always have multi-forest AD because of acquisitions), CRTE is a strong asset.
OSEP — the EDR / evasion upgrade
OSEP, from OffSec’s PEN-300 course, is structurally different from CRTP and CRTE. Where Altered Security’s labs focus on AD-attack mechanics in a permissive environment, PEN-300 focuses on bypassing defences — antivirus, application whitelisting (AppLocker, WDAC), endpoint detection (Defender for Endpoint, CrowdStrike Falcon, SentinelOne), and PowerShell logging.
The exam is 48 hours, with one to two flags depending on the scenario. Pass mark is variable, scored on full compromise of the target environment under detection conditions. You’ll need to write custom payloads, evade in-memory scanning, evade AMSI, evade ETW, hide from PowerShell Constrained Language Mode, and execute the classic AD attack chain through all those filters.
What OSEP teaches well: Custom shellcode loaders in C#, .NET reflective loading, AMSI bypass at depth, AppLocker / WDAC bypass through living-off-the-land binaries, ETW manipulation, EDR detection-pattern awareness, and process-injection techniques (early-bird, NtMapViewOfSection, callbacks). PEN-300 also has AD content but treats the classic AD attack chain as something you should already know — you’ll Kerberoast inside a hardened lab where the attack must succeed against detection.
What OSEP doesn’t teach: Multi-forest cross-trust attacks (less depth than CRTE), or AD-specific techniques like ADCS abuse (lighter than CRTP). OSEP assumes AD as a given backdrop and focuses entirely on the evasive layer.
Indian career signal: OSEP is one of the most-respected technical credentials in the Indian offensive-security market. It’s specifically called out by senior red-team JDs at BFSI captives, GCC red teams, and consulting firms. Salary impact: roughly ₹4-8 lakh CTC bump over OSCP+ alone; opens up offensive-security-lead-and-above bands.
Sequencing — which to take when?
The pragmatic order for an Indian candidate building an AD red-team career:
- OSCP+ first (broad penetration testing, classic AD set in the exam — covered in our CRTO vs OSCP guide). Without OSCP+, the deeper AD certs feel disconnected.
- CRTP next (intermediate AD specialism). Best three-month investment in pure-skill terms — you’ll use what you learn on every AD engagement.
- CRTE if your work involves multi-forest environments (BFSI, large GCCs, holding companies). Skip if you only work with single-forest SMB clients.
- OSEP for the evasion layer (any engagement where the customer has an EDR product, which is most of them in 2026). OSEP applies to every engagement, not just AD-heavy ones.
Most senior Indian red-team practitioners hold OSCP+ + CRTP + OSEP, with CRTE added if their day-to-day involves multi-forest topology. The full quartet costs ₹3-3.5 lakh and takes 18-24 months to complete with a day job.
What to drill if you’re prepping for any of the three
Across all three certs, the same foundational drills pay off:
- BloodHound mastery. Not just “run SharpHound, open the GUI” — write your own Cypher queries, understand session-flow analysis, build collection profiles tuned to opsec needs.
- Kerberos at the protocol level. What’s a TGT vs TGS, how does pre-authentication work, what does the AS-REP look like, why does Kerberoasting work, what’s the difference between Pass-the-Ticket and Pass-the-Key.
- Living-off-the-land tooling. Memorise the AD-attack-relevant LOLBAS / GTFOBins entries — certutil, bitsadmin, mshta, regsvr32, wmic, schtasks, conhost. For OSEP especially, this is the bypass surface.
- One scripted lab end-to-end. Pick one home-lab AD environment, automate provisioning with PowerShell / Terraform, and rebuild it weekly. Repetition is the difference between “I know about Kerberoasting” and “I can do it in three minutes under stress”.
For Indian candidates, the resources that consistently produce passing students are: Altered Security’s BCRTP / BCRTE courses (CRTP / CRTE preparation), OffSec PEN-300 self-study + lab time (OSEP), HackTheBox AD-themed pro labs (Reel, Cybernetics, Offshore, Rasta Labs), and the free Active Directory exploitation chapter of TCM Security’s PEH course as a primer.
How Macksofy Trainings helps
Macksofy Trainings runs an AD-red-team specialism track that prepares candidates for CRTP, CRTE, and OSEP exams. Each cohort is mentor-led and includes our own multi-forest AD lab range (mirroring the kind of topology CRTE candidates will face), weekly mock-attack-chain drills, and structured detection-evasion coaching for the OSEP path.
We are an independent training provider — we are not an Altered Security partner and not an Offensive Security Authorized Training Partner. Our cohorts are exam-prep bootcamps with mentor support, designed to compress the 18-24 month AD-cert ladder into a sequenced study program for working professionals.
For the broader AD attack methodology (the techniques that underlie all three certs), see our cornerstone Active Directory Pentest Guide India 2026 — the 7-phase attack kill chain covered there is the same backbone CRTP and CRTE exams test. For our trainer’s view on CRTO vs OSCP+ before you start the AD specialism, read the CRTO vs OSCP honest comparison.
Program details:
- OSEP (PEN-300) exam-prep bootcamp
- OffSec offensive-security track — Mumbai
- Talk to a trainer about your AD-cert sequencing
Frequently asked questions
Should I do CRTP before OSCP+?
No — OSCP+ first. OSCP+ teaches the broader penetration-testing foundation (Linux enumeration, web app basics, classic Windows privilege escalation, the AD set) that makes CRTP material click. CRTP without OSCP+ feels disconnected because you’ll be drilling AD techniques without the larger attacker mental model.
Is CRTP recognised by Indian enterprises?
Yes, increasingly so. Consulting firms (Deloitte, KPMG, PwC, EY cybersecurity), BFSI red teams, and boutique offensive-security shops in Mumbai / Bangalore / Hyderabad recognise CRTP as a real AD-skill signal. Government PSU and audit-firm roles weight OSCP and CISA more heavily; CRTP is more relevant in private-sector red-team hiring.
How long should I study for CRTP?
Eight to twelve weeks of lab time at 6-8 hours per week, assuming OSCP+-level baseline. The 30-day lab Altered Security includes is generally enough if you study daily; candidates with day-job constraints often add a second 30-day extension.
Is OSEP harder than OSCP+?
Conceptually yes, but in a different dimension. OSCP+ tests breadth — Linux, Windows, web apps, classic AD — under time pressure. OSEP tests depth in evasion against EDR / AppLocker / AMSI. Most candidates find OSEP harder if they’ve never written custom shellcode loaders before; those with .NET / C++ backgrounds find it more accessible.
Can I skip CRTP and CRTE and go straight to OSEP?
Possible but rarely advised. OSEP assumes you can already perform the classic AD attack chain — Kerberoast, abuse delegation, DCSync, Golden Ticket — and adds evasion on top. If those techniques aren’t muscle-memory yet, you’ll spend OSEP’s lab time relearning AD basics under evasion constraints instead of focusing on the evasion craft.
What Indian salary band does the full OSCP+ / CRTP / CRTE / OSEP stack support?
Mid-to-senior offensive-security engineers with this stack and three-to-five years experience sit at ₹22-38 lakh CTC in BFSI / GCC / consulting. Red-team leads with the same stack plus seven+ years cross ₹45 lakh. Boutique-firm partners with this stack plus a public conference / research track can exceed ₹60 lakh including profit share.
References
- Altered Security — Certified Red Team Professional (CRTP) lab
- Altered Security — Certified Red Team Expert (CRTE) lab
- Offensive Security — PEN-300 (OSEP) course page
- BloodHound documentation — SpecterOps
- The Hacker Recipes — AD attack reference
- MITRE ATT&CK Enterprise — adversary techniques
- LOLBAS Project — living off the land binaries and scripts
