Last week, I took the CRTO exam offered by Zero-Point Security.
Journey
I began the course with three months of lab access in October 2024 and completed the material by December 2024. However, due to other priorities, I paused my studies for a while. In June 2025, I restarted the course from the beginning and registered for an additional two weeks of lab time. During this period, I first practiced in the lab without Windows Defender enabled, and then repeated the exercises with Windows Defender active, which gave me much more confidence.
The exam
The exam provides 4 days (48 hours of lab access) to complete the challenges. To pass, I needed to capture at least 6 out of 8 flags. I was a bit stuck on the third flag, but after taking some breaks I managed to solve it. From there, progress was smoother, and after about 8 hours I successfully captured 6 flags and passed the exam. I decided not to attempt the 7th and 8th flags afterward.
The next day, I received the badge.
What I learned
I really enjoyed the course and gained a lot of practical knowledge. This was my first time using Cobalt Strike, and I learned:
- Cobalt Strike
  - Basic concept and usage
  - Customization techniques
  - Bypassing Windows Defender in some scenarios
- Post-exploitation tools
  - Mimikatz
  - Rubeus
  - PowerShell scripts such as PowerView
The lab also included Elasticsearch and Kibana, which I could leverage to collect and analyze data from an OPSEC perspective.
Next steps
Since Zero-Point Security has launched a new site, I plan to retake the CRTO exam there. I’m also looking forward to attempting CRTL once it becomes available on the new platform.