866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Red Team Ops II: A Course and Exam Review Blog Feature
Joseph Choi

By: Joseph Choi

Print/Save as PDF

Red Team Ops II: A Course and Exam Review

Cybersecurity Assessments

For anyone who wants to expand their skills on red teaming with advanced OPSEC tactics and defense bypass techniques, Red Team Ops II (RTO II) is a great course among the many different exams and certifications a cybersecurity professional might invest in to advance their knowledge—and their careers.

At Schellman, every member of our penetration test team is provided time to dedicate to personal development, and I recently used some of mine to complete the RTO II course and exam.

To help any other cybersecurity professional or pen tester that may be considering this course, I’ll detail my journey and experience going through RTO II in this article. After I detail what the course is, my thoughts on the curriculum, and what to expect from the lab/exam, you should have a better idea of whether this avenue is right for you and your career.

What Do You Get with the Red Team Ops II Course?

As released by Zero-Point Security in August of 2022, RTO II is a continuation of Red Team Ops (RTO) that focuses on advanced OPSEC tactics and defense bypass strategies. I decided to take this next offered challenge in the RTO II and purchased it in September of 2022.

When I bought the course, I got access to the course material, 40 hours of lab access, and an exam voucher. However, after checking Zero-Point Security's website more recently, lab access is no longer included with the course anymore—it’s now a subscription service that needs to be purchased separately. The course costs 399 GBP, and the lab subscription (40 hours per month) costs 15 GBP per month.

RTO II Course Breakdown

Before we get into the actual material, there are some things you should probably do before purchasing and diving in:

Recommended Prerequisites for RTO II

  • Complete RTO (you’ll need an understanding of the topics covered in RTO when you take the RTO II exam)
  • Be somewhat comfortable reading and writing C++ and C#.
    • I didn’t have any experience with writing code in either language, so I spent about two weeks learning the basics of these two languages using the following courses:

A particular thing I enjoy about Zero-Point Security's courses is that you have lifetime access to the material, and it’s constantly updated—since I purchased RTO II in September of 2022, it had already been updated a few times. For example, the Protected Processes module was added recently, and where a lot of code samples had been written in C# in the original material, the updates added these code samples written in C++.

Once you reach a similar point of preparation with both of those languages, you’ll likely be more comfortable progressing to the RTO II course, which is much shorter than RTO, but that’s expected since it’s meant to complement RTO with its guidance on the aforementioned advanced OPSEC and defense bypass techniques.

A breakdown of the different RTO II curriculum elements is below:

Red Team Ops II Course Curriculum

  1. Getting Started
  2. C2 Infrastructure
  3. Windows APIs
  4. Process Injection
  5. Defense Evasion
  6. Attack Surface Reduction
  7. Windows Application Defender Control
  8. Protected Processes
  9. EDR Evasion

I found these sections to be well-structured and succinct, despite the very technical topics covered—don’t panic if you don’t get the concept right away. It took me a while to somewhat understand and go through certain modules. For example, the EDR Evasion module went deeper into a few areas that were new to me.

Another thing to note is that, unlike the RTO course, RTO II does not provide any walkthrough videos—no matter the module. I assume that’s because this course is meant for more seasoned red teamers and penetration testers, but it still would’ve been nice to have them for modules such as Attack Surface Reduction and Windows Defender Application Control.

RTO II Lab Review and Tips

When you get to the lab, the environment is hosted on Cyber Ranges and is not connected to the Internet—the only way to connect to the machines is through Apache Guacamole. The lab environment is a bit slow, and I ended up using my development machine in my home lab to replicate most of the Windows APIs and Process Injection modules as opening and compiling code with Visual Studio on the attacker machine took too long.

Still—as I mentioned before—while the course doesn’t come with lab access, I do recommend you consider purchasing the subscription and go through every module and replicate them, as I found it helped me in the exam.

RTO II Exam Review and Tips

Speaking of the exam, you’re given 72 hours over 5 days to collect 4 out of 4 flags—that’s unlike RTO, which requires you to collect 6 out of 8 flags. The exam doesn’t require a report.

After you start, the exam can be paused and resumed whenever you want, but during my own, I had my exam environment randomly shut down, as it turned out that Cyber Ranges did so automatically due to inactivity on the dashboard. To avoid this, refresh the page every 30 minutes or so.

Having followed the course material and replicated them in the lab, I found the exam straight to the point and you should too if you do the same. Things like malleable C2 profiles and C++/C# code you've written in the lab can be used in the exam, but here are some other tips:

  • Remember that this course is a continuation of RTO. Be comfortable with Active Directory enumeration and exploitation.
  • All the tools you need are already on the exam machine, and the existence of certain tools can give you a hint about what you need to do.
  • Again, you must be comfortable writing and reading C# code.

I started the exam at 9 AM and obtained my final flag at around 1:30 PM the next day. The first flag took me a while (around 7 hours), but after that, I was able to collect the rest of the flags relatively quickly. 5 days after completing the exam, I received my Certified Red Team Lead (CRTL) badge via e-mail.

Picture2-3

Moving Forward with RTO II

Overall, I really enjoyed the RTO II course and the exam, and I do feel it’s a great move for someone looking to strengthen their red team skills using advanced OPSEC tactics and defense bypass techniques. And of course, the lifetime access to the course material that allows you to revisit it upon any update is a nice bonus and not something that a lot of companies offer.

Now that you know a bit more about the course and what to expect from the exam, you may be closer to making your purchase of RTO II. But if not, or if you’re thinking this may not be the right step for your desired career progression, feel free to check out our other course reviews and guides that may be more appropriate:

About Joseph Choi

Joseph Choi is a Senior Penetration Tester with Schellman. Based in St. Louis, MO, he has six years of experience within the information security field. Prior to joining Schellman, Joseph worked as a Penetration Tester for an auditing firm and performed various types of penetration tests for financial institutions. He is now primarily focused on performing internal network and web application security assessments.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.