Zero-Point Security Exams: The Ultimate 2026 Guide
If you’re exploring a career in offensive security, you’ve probably heard a lot about Zero-Point Security exams. They’re known for practical, hands-on assessments that mirror real red team work—without the fluff. In this ultimate guide for students and early-career learners, we’ll break down the two flagship certifications—Red Team Ops (RTO, often called CRTO) and Red Team Ops II (RTO II, sometimes CRTO II)—and show you exactly how to prepare, how the exams work, what they cost, and why they’re valued by practitioners and hiring managers alike.
By the end, you’ll have a step-by-step plan to pick the right exam, build the right skills, and pass on your terms.
What Are Zero-Point Security Exams?
Zero-Point Security (ZPS) runs two highly regarded, skills-first certifications:
Red Team Ops (RTO, commonly “CRTO”): Validates that you can operate as a red team operator in Windows/Active Directory (AD) environments using Cobalt Strike and realistic adversary tradecraft.
Red Team Ops II (RTO II, often “CRTO II” or “Red Team Lead”): Validates detection-aware red teaming: hardened C2, EDR-aware execution, evasive tradecraft, and the leadership mindset to plan and run advanced operations.
What sets ZPS apart:
Emphasis on practical operations instead of multiple-choice questions.
Lifetime course access and no-expiry labs on the new platform.
Free, on-demand exam retakes from within the course.
Official Cobalt Strike partnership for the introductory CS training, and recognition as a CREST-approved training provider.
Actionable takeaway: If you want a cert that proves you can actually operate in a Windows enterprise like a real operator—not just memorize facts—ZPS is designed for you.
What Changed Recently (2025–2026): Read This First
ZPS modernized how learning and exams work. Here’s the quick summary of updates you should know before planning:
Exams are now launched from inside the course (not purchased separately on the new site).
Grading is moving from “collect these flags” to outcome/performance-based assessment.
Retakes are free, and scheduling is on-demand from the course.
Pricing uses local purchasing power (PPP), so amounts can vary by region.
Legacy exams ran on older infrastructure; those attempts had a hard cutover deadline in late 2025. Most students now use the new platform and its policies.
Actionable takeaway: When exam day comes, always read the in-course exam brief first. That brief is the source of truth for timing, scoring, and rules on the version of the platform you’re using.
RTO vs. RTO II: Which Exam Should You Take?
Here’s how to decide which Zero-Point Security exam fits your current level:
Choose RTO (CRTO) if:
You’re comfortable with Windows/AD basics and want to become a strong Cobalt Strike operator.
You’ve done some pentesting/home lab work, but want to validate you can run a full internal operation: recon → privesc → lateral movement → DA.
You want a practical cert that opens doors for junior to mid-level red team roles.
Choose RTO II (CRTO II / Red Team Lead) if:
You already have RTO (or equivalent experience) and want EDR-aware depth.
You’re ready to build or modify custom loaders/injectors, tune OPSEC, and operate around modern controls like AMSI, ETW, ASR, and WDAC.
You’re targeting roles where you’ll plan and lead detection-aware engagements.
Rough prerequisite guidance:
RTO: Windows/AD familiarity is recommended; scripting or programming knowledge (PowerShell/C#/C++) helps but isn’t strictly required.
RTO II: Recommended to complete RTO first—or have equivalent production experience with Cobalt Strike, Windows internals, and AD operations.
Actionable takeaway: If you’re unsure, start with RTO. It’s a strong foundation and the fastest way to identify gaps before tackling RTO II’s evasion-heavy content.
How the Exams Work: Formats, Timing, and What’s Tested
Zero-Point Security exams are practical and task-focused. You’ll be placed in an enterprise-like environment and expected to achieve outcomes that reflect real offensive operations.
Important platform note: ZPS is transitioning exams from “flag-only” scoring to outcome/performance-based grading delivered directly inside the course. Legacy pages still show flag-based CTF details—use them as a baseline for difficulty and flow—but the in-course exam brief is authoritative for your attempt.
The RTO (CRTO) Exam: Operator-Level Tradecraft
Goal: Demonstrate that you can use Cobalt Strike and Windows/AD techniques to move in an enterprise environment, escalate privileges, and meet the objective defined by the threat profile.
Environment: You connect through a web interface to a contained network. Internet/VPN access from the exam network is restricted by design.
Time management: Historically, the CRTO exam allowed substantial runtime (e.g., 48 hours of active time inside a multi-day window) with pause/resume. On the new platform, timing and submission mechanics are presented inside the course.
Deliverables: Traditionally no long, formal report. Expect the new platform to focus on demonstrable outcomes and performance.
What’s being tested:
Windows/AD recon and exploitation: password attacks, Kerberos abuse, ADCS misconfigurations, lateral movement, domain dominance.
Cobalt Strike operator skills: beacon management, OPSEC tuning, aggressor scripting basics, stabilizing access.
Actionable exam tip: If you get stuck, pivot your approach rather than forcing one technique. RTO rewards breadth—try an alternate Kerberos path, a different lateral movement method, or a quieter CS OPSEC profile.
The RTO II (CRTO II) Exam: Detection-Aware Red Teaming
Goal: Show you can operate under pressure from modern defenses. Expect to plan, build, and use custom tooling and hardened C2 while maintaining OPSEC.
Environment: Similar browser-based access to an isolated enterprise network, with modern endpoint and OS hardening.
Time management: Historically allowed generous runtime (e.g., 96 hours inside an 8‑day window). The new platform surfaces exact timing in the in-course exam panel.
Deliverables: Outcome/performance-based rather than report-heavy; focus on what you achieved and how effectively you operated.
What’s being tested:
EDR-aware execution: evading userland hooks and callbacks, AMSI/ETW bypasses, memory-safety/stealth considerations.
Hardened C2: redirectors, staging decisions, egress strategies, OPSEC tuning.
Custom loaders/injectors: process/PPID spoofing, indirect syscalls, stack spoofing, memory allocation strategies that avoid common detections.
Navigating Microsoft Defender, ASR, and WDAC with careful technique selection.
Actionable exam tip: Treat every step like it’s being watched. Build “safe defaults” into your workflow: calm beaconing, minimal tooling on disk, and planned egress paths. Pre‑bake multiple loader variants.
What You’ll Learn: Syllabus Highlights
Red Team Ops (RTO)
Active Directory essentials for operators: domains, trusts, GPOs, SPNs, delegation, certificates.
Kerberos abuse: AS‑REP roasting, Kerberoasting, S4U, unconstrained/constrained delegation, Golden/Diamond tickets.
ADCS (Active Directory Certificate Services) abuse: misconfiguration paths to stealthy persistence and privilege escalation.
Lateral movement and privesc: service abuses, token tricks, remote execution patterns.
Cobalt Strike operator workflow: beacon profiles, artifacts, aggressor scripting basics, tasking under OPSEC constraints.
Operational hygiene: logging awareness, evidence minimization, cleanup and deconfliction.
Actionable learning task: After each module, write a 5–10 step “micro‑playbook” (commands + rationale) you can execute under time pressure. You’ll thank yourself during the exam.
Red Team Ops II (RTO II)
EDR and Defender internals (operator perspective): how hooks and callbacks work in practice, telemetry paths, and common blind spots.
AMSI/ETW evasion: patching risks, alternative designs, and ways to reduce obvious indicators.
Process/injection techniques: APCs, thread hijacking, module stomping, PPID spoofing, stack spoofing, indirect syscalls—plus when (and when not) to use each.
Hardened C2: multi‑layer redirectors, OPSEC‑aware malleable profiles, staging vs. stageless payload tradeoffs.
Operating with ASR/WDAC rules: living within guardrails and finding procedural cracks without tripping policies.
Tooling and builds: compiling cleanly, minimizing suspicious imports, and testing against Defender/EDR in your own lab before “production.”
Actionable learning task: Build a “tool variant matrix”—three loader variants and two injection methods—then run each against the same baseline Defender/EDR to document which combinations pass and why.
Preparation Plans That Work (Step-by-Step)
Below are two proven study plans. Choose the one for your target exam and adjust for your schedule.
RTO (CRTO): 6–8 Week Plan
Weeks 1–2: Fundamentals and lab foundations
Watch each core module and immediately replicate the technique in lab.
Start a runbook: commands, beacon profiles, OPSEC settings, and the reasoning behind each choice.
Validate that your AD recon covers both “noisy but fast” and “quiet but slower” options.
Weeks 3–4: End-to-end chains
Build two full attack chains from assumed breach to DA.
Example chain A: Password spray → Local privesc → Kerberoast → Lateral movement → DCSync → Cleanup.
Example chain B: AS‑REP roast → Silver ticket pivot → ADCS abuse → DA → Cleanup.
After each run, shorten your playbook to a compact version you can execute under time pressure.
Weeks 5–6: Reps and resilience
Practice alternative routes for each step (e.g., different lateral movement methods).
Dry‑run a “24‑hour sprint”: emulate exam pacing with checkpoints, screen captures, and notes.
Strengthen your “plan B” and “plan C” for authentication and privesc hurdles.
Weeks 7–8: Exam execution
Review the in‑course exam brief carefully for timing and rules on your platform version.
Launch with a priority map: quick wins first (recon + foothold), then expand.
Keep a “tactics ledger” in your notes: every action you take, why you took it, and the outcome.
Actionable prep habit: After every practice session, ask “What did I do that was noisy? How could I achieve the same result with fewer signals?” Then update your runbook.
RTO II (CRTO II): 6–10 Week Plan
Weeks 1–2: Tooling base and telemetry
Stand up a small lab (client + DC + EDR/Defender simulation).
Rebuild course loaders/injectors and confirm you can compile cleanly.
Verify baseline telemetry and make sure you know how to tell when you’re being detected.
Weeks 3–6: Evasion depth
Implement and test AMSI/ETW bypass variations; record what each bypass changes and any drawbacks.
Experiment with userland hook evasion strategies; compare outcomes across loaders.
Build two redirector topologies and stress‑test them with your beaconing patterns.
Iterate on PPID spoofing, indirect syscalls, stack spoofing. Note side effects and reliability tradeoffs.
Weeks 7–8: Mission profiles
Dry‑run a mission with strict OPSEC: minimal artifacts, careful egress, aggressive cleanup.
Repeat with a different chain (e.g., a different loader + injection combo) to prove reliability.
Weeks 9–10: Exam readiness
Read the in‑course brief for current timing and scoring.
Prepare three “known‑good” loader/injector pairs; if one fails, pivot immediately.
Plan your C2 operational profile: beacon jitter, sleep strategies, and task cadence.
Actionable prep habit: Keep a “detection diary.” Every time a technique triggers detection, write down the “why,” your hypothesis, what you changed, and the result. This builds operator instinct that pays off on exam day.
Costs, Policies, and What to Expect
Pricing varies by region via PPP (purchasing power parity). Expect the final price to be shown at checkout on the new site.
On the legacy portal, course-only prices were in the low hundreds of pounds (e.g., RTO near £365; RTO II near £399), with optional lab bundles at higher amounts. Treat these as snapshots rather than guarantees.
On the new platform, you:
Get lifetime course access and no-expiry labs (a huge advantage for students).
Launch exams on demand from inside the course.
Have free exam retakes—no financial penalty to learn from a failed attempt and try again.
Policies like cancellations/reschedules were part of the old booking system; the current flow happens inside the course, where you’ll see updated terms before starting.
Actionable budgeting tip: If you’re price‑sensitive, check the PPP‑adjusted price on the new site and plan to buy when you can dedicate 6–10 weeks for focused study. The lifetime access means you can revisit content anytime—use that to stay sharp after the exam.
Career Value: How Employers See RTO and RTO II
Why these credentials stand out:
The exams simulate real operator work, so the learning transfers directly to engagement tasks.
ZPS is a CREST‑approved training provider, and the company co‑authored official Cobalt Strike training. That signals quality and relevance.
Community reviews consistently praise the practicality of both RTO and RTO II. Hiring managers who value hands-on ability often treat these as strong indicators of readiness for red team roles.
Where each credential fits:
RTO (CRTO) tells employers you can run a Windows/AD operation with Cobalt Strike and achieve objectives responsibly. It’s an excellent “first real operator” certification.
RTO II (CRTO II) says you can operate under detection pressure, make smart OPSEC decisions, and customize tooling—skills that distinguish experienced operators and leads.
Actionable career tip: Add a short “operator portfolio” to your resume—three bullet points describing controlled lab outcomes you achieved (e.g., “Built two redirector topologies and evaded baseline Defender with a custom in-memory loader”). This makes your RTO/RTO II story more concrete.
Real-World Application: Projects to Prove Your Skills
Use these small projects to cement concepts and create evidence of your growth:
Project 1 (RTO level): Build two end‑to‑end chains from assumed breach to DA. Record the fewest steps required, your quietest variant, and the “fallback” you used when plan A failed.
Project 2 (RTO level): Create a “Cobalt Strike OPSEC checklist” with defaults and when to deviate. Keep it under one page so you actually use it.
Project 3 (RTO II level): Implement two loaders and two injectors, document detection outcomes on a baseline Defender image, and record exact changes that improved stealth.
Project 4 (RTO II level): Design a multi‑redirector C2 setup with health checks and failover. Run a 2‑hour exercise where you switch profiles and tasking cadence to simulate pressure.
Actionable portfolio tip: For anything sensitive, redact details and keep it lab-based. Focus on your process, decision-making, and outcomes—not on flashy screenshots.
Exam-Day Playbook and Troubleshooting
Follow this lightweight checklist to reduce surprises:
Read the in-course exam brief fully. Confirm timing, what’s allowed, and how scoring works on your platform version.
Prep your workstation:
IDE/compilers (if you’re doing RTO II), Cobalt Strike materials, scripts, reference notes.
A tidy folder structure for payloads, profiles, and logs.
Confirm access and stability:
Test your browser connection to the environment.
Have a backup browser ready.
Plan your sprints:
RTO: Day 1 = recon + foothold + first movement; Day 2 = privesc + full chain + cleanup.
RTO II: Build → deploy → verify → pivot. Keep a clean chain for each loader/injector combo.
Keep a “Forensics & OPSEC” scratchpad:
Note every artifact you create and how you’ll clean it.
Track noisy moments and how you’ll avoid them next time.
Pivot early when blocked:
Change the lateral movement method, swap loader/injector, or alter your beacon profile. Avoid burning hours on one brittle approach.
End with cleanup:
Remove implants where appropriate, clear temporary artifacts, and close out access paths responsibly.
Actionable troubleshooting tip: If a technique suddenly fails, assume the environment caught on—don’t immediately brute force. Switch to a cleaner variant and reduce your operational footprint.
FAQs
Q1: Do Zero-Point Security courses or labs expire?
A1: On the new platform, courses offer lifetime access and labs are designed with no expiry. That’s ideal for students who need to pace learning.
Q2: How many exam attempts do I get?
A2: Retakes are free on the new platform, and you trigger attempts on demand from inside your course. If you fail, learn, adjust, and try again at no extra cost.
Q3: Are the exams proctored? Do I need to write a report?
A3: Historically, ZPS exams were unproctored and didn’t require a long formal report. With the new platform, focus is on outcome/performance. Always confirm the current rules in the in‑course exam brief before you start.
Q4: How long are the exams?
A4: Legacy exams offered generous runtime within multi-day windows (e.g., 48 or 96 hours of active time). On the new platform, check the exam panel for the exact timing for your attempt.
Q5: Do I need RTO before RTO II?
A5: It’s strongly recommended. RTO II assumes you can already operate in Windows/AD with Cobalt Strike. If you skip RTO, be sure you match that skill level.
Conclusion: Zero-Point Security exams are built for learners who want to prove they can actually operate—plan, adapt, and achieve objectives in realistic Windows/AD environments. If you’re early in your journey, start with RTO to build rock-solid fundamentals and operator confidence. When you’re ready for the next level, RTO II will pressure-test your OPSEC, your tooling, and your ability to thrive under detection.
Your next step is simple: pick a target exam, sketch your 6–10 week plan, and commit. Keep your runbook tight, your OPSEC tighter, and your learning consistent. You’ve got this—one deliberate lab session at a time.