Red Team Ops II: A Course and Exam Review
For anyone who wants to expand their skills on red teaming with advanced OPSEC tactics and defense bypass techniques, Red Team Ops II (RTO II) is a great course among the many different exams and certifications a cybersecurity professional might invest in to advance their knowledge—and their careers.
At Schellman, every member of our penetration test team is provided time to dedicate to personal development, and I recently used some of mine to complete the RTO II course and exam.
To help any other cybersecurity professional or pen tester that may be considering this course, I’ll detail my journey and experience going through RTO II in this article. After I detail what the course is, my thoughts on the curriculum, and what to expect from the lab/exam, you should have a better idea of whether this avenue is right for you and your career.
What Do You Get with the Red Team Ops II Course?
As released by Zero-Point Security in August of 2022, RTO II is a continuation of Red Team Ops (RTO) that focuses on advanced OPSEC tactics and defense bypass strategies. I decided to take this next offered challenge in the RTO II and purchased it in September of 2022.
When I bought the course, I got access to the course material, 40 hours of lab access, and an exam voucher. However, after checking Zero-Point Security's website more recently, lab access is no longer included with the course anymore—it’s now a subscription service that needs to be purchased separately. The course costs 399 GBP, and the lab subscription (40 hours per month) costs 15 GBP per month.
RTO II Course Breakdown
Before we get into the actual material, there are some things you should probably do before purchasing and diving in:
Recommended Prerequisites for RTO II
- Complete RTO (you’ll need an understanding of the topics covered in RTO when you take the RTO II exam)
- Be somewhat comfortable reading and writing C++ and C#.
- I didn’t have any experience with writing code in either language, so I spent about two weeks learning the basics of these two languages using the following courses:
- For C++: codecademy’s free courses,
- For C#: I went through Zero-Point Security’s C# for n00bs course
- I didn’t have any experience with writing code in either language, so I spent about two weeks learning the basics of these two languages using the following courses:
A particular thing I enjoy about Zero-Point Security's courses is that you have lifetime access to the material, and it’s constantly updated—since I purchased RTO II in September of 2022, it had already been updated a few times. For example, the Protected Processes module was added recently, and where a lot of code samples had been written in C# in the original material, the updates added these code samples written in C++.
Once you reach a similar point of preparation with both of those languages, you’ll likely be more comfortable progressing to the RTO II course, which is much shorter than RTO, but that’s expected since it’s meant to complement RTO with its guidance on the aforementioned advanced OPSEC and defense bypass techniques.
A breakdown of the different RTO II curriculum elements is below:
Red Team Ops II Course Curriculum
- Getting Started
- C2 Infrastructure
- Windows APIs
- Process Injection
- Defense Evasion
- Attack Surface Reduction
- Windows Application Defender Control
- Protected Processes
- EDR Evasion
I found these sections to be well-structured and succinct, despite the very technical topics covered—don’t panic if you don’t get the concept right away. It took me a while to somewhat understand and go through certain modules. For example, the EDR Evasion module went deeper into a few areas that were new to me.
Another thing to note is that, unlike the RTO course, RTO II does not provide any walkthrough videos—no matter the module. I assume that’s because this course is meant for more seasoned red teamers and penetration testers, but it still would’ve been nice to have them for modules such as Attack Surface Reduction and Windows Defender Application Control.
RTO II Lab Review and Tips
When you get to the lab, the environment is hosted on Cyber Ranges and is not connected to the Internet—the only way to connect to the machines is through Apache Guacamole. The lab environment is a bit slow, and I ended up using my development machine in my home lab to replicate most of the Windows APIs and Process Injection modules as opening and compiling code with Visual Studio on the attacker machine took too long.
Still—as I mentioned before—while the course doesn’t come with lab access, I do recommend you consider purchasing the subscription and go through every module and replicate them, as I found it helped me in the exam.
RTO II Exam Review and Tips
Speaking of the exam, you’re given 72 hours over 5 days to collect 4 out of 4 flags—that’s unlike RTO, which requires you to collect 6 out of 8 flags. The exam doesn’t require a report.
After you start, the exam can be paused and resumed whenever you want, but during my own, I had my exam environment randomly shut down, as it turned out that Cyber Ranges did so automatically due to inactivity on the dashboard. To avoid this, refresh the page every 30 minutes or so.
Having followed the course material and replicated them in the lab, I found the exam straight to the point and you should too if you do the same. Things like malleable C2 profiles and C++/C# code you've written in the lab can be used in the exam, but here are some other tips:
- Remember that this course is a continuation of RTO. Be comfortable with Active Directory enumeration and exploitation.
- All the tools you need are already on the exam machine, and the existence of certain tools can give you a hint about what you need to do.
- Again, you must be comfortable writing and reading C# code.
I started the exam at 9 AM and obtained my final flag at around 1:30 PM the next day. The first flag took me a while (around 7 hours), but after that, I was able to collect the rest of the flags relatively quickly. 5 days after completing the exam, I received my Certified Red Team Lead (CRTL) badge via e-mail.
Moving Forward with RTO II
Overall, I really enjoyed the RTO II course and the exam, and I do feel it’s a great move for someone looking to strengthen their red team skills using advanced OPSEC tactics and defense bypass techniques. And of course, the lifetime access to the course material that allows you to revisit it upon any update is a nice bonus and not something that a lot of companies offer.
Now that you know a bit more about the course and what to expect from the exam, you may be closer to making your purchase of RTO II. But if not, or if you’re thinking this may not be the right step for your desired career progression, feel free to check out our other course reviews and guides that may be more appropriate:
About Joseph Choi
Joseph Choi is a Senior Penetration Tester with Schellman. Based in St. Louis, MO, he has six years of experience within the information security field. Prior to joining Schellman, Joseph worked as a Penetration Tester for an auditing firm and performed various types of penetration tests for financial institutions. He is now primarily focused on performing internal network and web application security assessments.