Note: This review is regarding the version of the Red Team Ops course from early 2022. There have been some larger changes to both the course content and the exam since then. As such, this review does not fully reflect the current state of the course.
About the Course
Red Team Ops (RTO) by Zero-Point Security is a Red Team course that introduces some technical basics necessary for Red Team operations, such as setting up infrastructure and using Command & Control (C2) tooling to move around in the network. The website describes the course as follows:
Red Team Ops is an online, self-study course that teaches the basic principles, tools and techniques synonymous with red teaming.
Students will first cover the core concepts of adversary simulation, command & control, engagement planning and reporting.
They will then go through each stage of the attack lifecycle – from initial compromise to full domain takeover, data hunting and exfiltration. Students will learn how common “OPSEC failures” can lead to detection by defenders, and how to carry out those attacks in a stealthier way.
Finally, they will learn how to bypass defences such as Windows Defender, AMSI and AppLocker.
Zero-Point Security – Red Team Ops
The Course Material
The course is laid out in multiple segments, ranging from setting up a Cobalt Strike team server and using the associated beacons to make your way through the lab network, to exploiting MSSQL and Active Directory, to finally bypassing basic defenses such as Windows Defender and AppLocker.
The course material is primarily presented in text with some screenshots along the way and a few videos. The reason why videos aren’t available for all the material is that when you buy the course, you get lifetime updates. And the updates are quite frequent. As such, updating the videos every time a change is made would take a bit too much time.
The version of the labs when I did them went hand-in-hand with the written course material, and it was more of a “follow along” type scenario. The lab environment is private, so you don’t have to worry about other students crashing the boxes you are working on. It also includes a copy of Cobalt Strike inside the lab environment for use throughout the course. The downside, however, is that copying any text out of the environment is disabled; this restriction is a condition of providing Cobalt Strike in the labs.
I would have liked to see a black box lab that you can use as practice for the exam, but that would most likely bring up the price quite a bit, due to the work involved in doing so.
The Exam
The exam is split over 4 days, with a total of 48 hours of runtime. As such, you can stop the exam environment whenever you want and continue with it later. This is extremely generous, especially compared to the OSCP by OffSec, as it allows you to sleep and take care of everyday duties. There are eight (8) flags to obtain, and you need at least six (6) to get a passing score.
There is no need to write a report after you have gotten the necessary points. So once you have your 6 flags done, it’s up to you if you want to continue working on the exam for style points and personal satisfaction. Or you can do what I did and give it a few more hours and then just sit back and relax, knowing you have passed.
The Verdict
I loved this course, as well as the follow-up course (Red Team Ops II). From start to finish, the entirety of the course took me roughly three (3) weeks to complete. I recommend it to anyone who wants to play around with Cobalt Strike, learn some new tools to navigate around Active Directory, or for those who are curious about red teaming. For what you get for the course, and the quality of the materials and the labs, I am honestly surprised that it isn’t more expensive than it is.