GRTP

Coming soon: this course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.

GRTP equips experienced penetration testers with advanced red-team planning, adversary emulation, command-and-control design, initial access, and persistence techniques, aligning practice with the MITRE ATT&CK framework.

  • Exam length: 180 minutes
  • Questions: 82
  • Passing score: 76/100
  • Exam cost: $979

Who Should Take This

The ideal candidate is a security professional with three to five years of offensive security experience who holds SANS SEC560, GPEN, or an equivalent certification and regularly uses MITRE ATT&CK. Such candidates want to move from penetration testing to full-scale red-team operations, mastering planning, emulation, and persistence in order to simulate sophisticated adversaries for their organizations.

What's Covered

  • Domain 1: Red Team Planning and Operations
  • Domain 2: Adversary Emulation and MITRE ATT&CK
  • Domain 3: Command and Control Infrastructure
  • Domain 4: Initial Access Techniques
  • Domain 5: Persistence and Privilege Escalation
  • Domain 6: Lateral Movement and Data Exfiltration
  • Domain 7: Reporting and Purple Team Integration

What's Included in AccelaStudy® AI

  • Adaptive Knowledge Graph
  • Practice Questions
  • Lesson Modules
  • Console Simulator Labs
  • Exam Tips & Strategy
  • 20 Activity Formats

Course Outline

60 learning goals

Domain 1: Red Team Planning and Operations (2 topics)

Engagement planning and threat profiling

  • Describe red team engagement types including full adversary simulation, assumed breach, purple team exercises, and tabletop exercises with their objectives, scope requirements, and deliverables
  • Identify red team rules of engagement components including authorized targets, prohibited actions, communication protocols, deconfliction procedures, and emergency stop conditions for safe operations
  • Describe red team maturity models and program development stages from initial assessments through continuous adversary simulation with metrics for measuring program effectiveness over time
  • Implement red team operation plans including threat profile selection, attack scenario development, objective trees, success criteria, and timeline milestones aligned with organizational risk priorities
  • Apply threat intelligence to red team planning by mapping adversary TTPs from threat reports to executable attack scenarios using structured threat profiles and capability gap assessments

Operational security for red teams

  • Describe OPSEC principles for red team operations including infrastructure separation, attribution avoidance, communication security, and evidence management throughout the engagement lifecycle
  • Implement OPSEC countermeasures including timestomping, log evasion, traffic blending, and tool obfuscation to maintain operational security during prolonged red team engagements
  • Execute secure communications setup for red team operations including encrypted channels, out-of-band coordination, and compartmentalized information sharing among team members
  • Analyze red team OPSEC failures from published case studies to identify detection opportunities, evaluate the impact of operational security lapses, and improve tradecraft procedures
  • Evaluate red team operational security posture by assessing infrastructure isolation, communication channel security, artifact cleanup procedures, and attribution risk across the engagement

Domain 2: Adversary Emulation and MITRE ATT&CK (1 topic)

ATT&CK-based adversary emulation

  • Describe the MITRE ATT&CK framework structure including tactics, techniques, sub-techniques, procedures, data sources, and detection mappings across enterprise, mobile, and ICS matrices
  • Identify adversary emulation plan components including threat group selection criteria, technique prioritization based on detection gaps, and evaluation methodology for measuring detection improvement
  • Describe MITRE CTID adversary emulation library plans including FIN6, APT29, Carbanak, and Sandworm with their respective TTP sequences and detection evaluation approaches
  • Implement adversary emulation plans using MITRE ATT&CK Navigator to map threat group TTPs, prioritize techniques by detection coverage gaps, and create structured execution checklists
  • Execute adversary emulation using Atomic Red Team to perform unit-test-style TTP validation, assess individual detection rule coverage, and identify gaps in endpoint telemetry collection
  • Execute automated adversary emulation using MITRE Caldera to deploy agents, chain techniques into operations, and measure defensive response times across the kill chain
  • Evaluate adversary emulation fidelity by comparing executed TTPs against threat intelligence reports to assess how accurately the red team replicated real-world adversary tradecraft
  • Assess detection coverage improvements by comparing pre-engagement and post-engagement ATT&CK technique detection rates using structured coverage scoring methodologies

Domain 3: Command and Control Infrastructure (1 topic)

C2 framework deployment and management

  • Describe C2 framework architectures including Cobalt Strike, Mythic, Sliver, and Havoc with their listener types, agent capabilities, and operational security features for red team operations
  • Identify C2 communication channels including HTTP/S, DNS, SMB named pipes, DoH, and cloud service-based channels with their detection characteristics and operational tradeoffs
  • Implement C2 infrastructure using redirectors, domain fronting, CDN-based communication, and cloud function relays to establish resilient and attribution-resistant command channels
  • Configure Cobalt Strike Malleable C2 profiles to customize beacon traffic patterns, HTTP headers, and network indicators that mimic legitimate application traffic for network detection evasion
  • Implement C2 infrastructure monitoring and resilience including fallback channels, automated infrastructure rotation, and dead-drop resolvers for maintaining persistent command access
  • Execute peer-to-peer C2 communication using SMB and TCP pivot listeners to maintain command channels through segmented network environments without direct internet access
  • Analyze C2 traffic patterns to assess detectability by network monitoring tools, evaluate traffic blending effectiveness, and compare framework-specific signatures across NIDS and proxy solutions
  • Compare C2 framework capabilities across Cobalt Strike, Mythic, Sliver, and open-source alternatives to evaluate agent flexibility, OPSEC features, and suitability for different engagement types

Domain 4: Initial Access Techniques (1 topic)

Initial access vectors and payload delivery

  • Describe initial access vectors including spearphishing attachments, spearphishing links, drive-by compromise, supply chain compromise, and trusted relationship abuse per MITRE ATT&CK tactics
  • Identify email security gateway bypass techniques including attachment format manipulation, macro obfuscation, HTML smuggling, and reputation-based filter evasion for payload delivery
  • Implement spearphishing campaigns using GoPhish with custom email infrastructure including SPF/DKIM/DMARC configuration, lookalike domain registration, and click-through tracking
  • Execute payload development for initial access including Office macro weaponization, ISO/LNK packaging, HTML smuggling, and DLL sideloading that bypass email gateway and endpoint filtering
  • Implement external attack surface exploitation including VPN gateway vulnerabilities, exposed RDP, web application exploitation, and password spraying against cloud identity providers
  • Execute social engineering techniques including pretexting, vishing, and physical USB drop campaigns for initial access in red team engagements with appropriate authorization and documentation
  • Implement endpoint detection evasion for initial access payloads including AMSI bypass, ETW patching, process injection, and reflective loading techniques to avoid EDR detection
  • Analyze initial access technique effectiveness by evaluating payload delivery rates, detection evasion performance, and comparing techniques against the target organization security stack

Domain 5: Persistence and Privilege Escalation (1 topic)

Post-exploitation persistence and escalation

  • Identify Windows persistence mechanisms including registry run keys, scheduled tasks, WMI event subscriptions, DLL hijacking, COM object hijacking, and service creation with detection indicators
  • Identify Linux persistence techniques including cron jobs, systemd services, SSH authorized keys, LD_PRELOAD injection, and PAM module backdoors with their respective detection methods
  • Describe Active Directory persistence techniques including golden tickets, diamond tickets, skeleton key, AdminSDHolder modification, and DSRM password backdoors with their detection characteristics
  • Implement Windows privilege escalation using token impersonation, unquoted service paths, DLL hijacking, UAC bypass, and named pipe impersonation in authorized test environments
  • Execute Active Directory privilege escalation including DACL abuse, Group Policy modification, AD CS certificate template exploitation (ESC1-ESC8), and RBCD attacks for domain compromise
  • Implement persistence mechanisms on compromised hosts using registry modifications, scheduled tasks, WMI subscriptions, and golden certificate techniques for long-term access maintenance
  • Execute cloud persistence techniques including backdoor application registrations, federated identity provider manipulation, and service principal credential addition in Azure AD and AWS
  • Analyze persistence and privilege escalation detection coverage to identify gaps in endpoint telemetry, evaluate EDR detection capabilities, and recommend monitoring improvements
  • Assess organizational exposure to privilege escalation paths by analyzing Active Directory configuration weaknesses, group membership chains, and certificate services misconfigurations

Domain 6: Lateral Movement and Data Exfiltration (1 topic)

Network propagation and data theft

  • Describe lateral movement techniques including PsExec, WMI, WinRM, RDP, SSH, DCOM, and SMB-based execution with their network signatures and authentication requirements
  • Identify data exfiltration channels and techniques including HTTPS uploads, DNS tunneling, cloud storage APIs, email-based exfiltration, and steganography with their detection profiles
  • Implement credential harvesting using Mimikatz, Rubeus, and SharpDPAPI to extract NTLM hashes, Kerberos tickets, DPAPI secrets, and cached credentials from compromised Windows systems
  • Execute lateral movement across Windows domains using Pass-the-Hash, Pass-the-Ticket, and overpass-the-hash techniques with CrackMapExec and Impacket for network propagation
  • Implement internal network reconnaissance using BloodHound for AD mapping, internal port scanning, share enumeration, and service discovery to identify high-value targets and attack paths
  • Execute data discovery and staging techniques including sensitive file identification, SharePoint and OneDrive enumeration, database extraction, and data compression for exfiltration preparation
  • Implement data exfiltration through multiple channels including HTTPS uploads, DNS tunneling, cloud storage APIs, and encrypted archives to demonstrate DLP bypass capabilities
  • Analyze lateral movement paths and credential theft chains to identify network segmentation weaknesses, evaluate monitoring blind spots, and assess credential hygiene practices
  • Evaluate data loss prevention effectiveness by testing exfiltration channels against DLP controls, assessing classification policy coverage, and identifying bypass opportunities

Domain 7: Reporting and Purple Team Integration (1 topic)

Red team reporting and detection improvement

  • Describe red team report components including executive summary, attack narrative, technique-by-technique findings, detection evaluation matrix, and prioritized remediation recommendations
  • Identify purple team exercise formats including detection validation workshops, tabletop replays, live replay sessions, and continuous purple team programs with their respective objectives
  • Implement red team engagement documentation including attack chain diagrams, evidence screenshots, command logs, and timeline reconstruction for comprehensive finding presentation
  • Apply purple team methodology by collaborating with blue team to replay techniques, validate detection rules, tune SIEM alerts, and develop new analytics from red team findings
  • Implement MITRE ATT&CK detection coverage matrices that quantify before-and-after capabilities across tactics and techniques resulting from red team engagement improvements
  • Execute detection engineering workshops with SOC teams to translate red team attack procedures into specific Sigma, YARA, and Splunk SPL detection rules for automated alerting
  • Evaluate red team program effectiveness by analyzing engagement metrics including detection improvement trends, mean-time-to-detect changes, and overall security posture advancement
  • Assess organizational defensive maturity by comparing red team findings across multiple engagements to identify persistent weaknesses, measure remediation effectiveness, and guide security investment

Scope

Included Topics

  • All domains covered by the GIAC GRTP certification aligned with SANS SEC565: Red Team Operations and Adversary Emulation, including engagement planning, OPSEC, MITRE ATT&CK adversary emulation, C2 infrastructure, initial access, persistence, privilege escalation, lateral movement, exfiltration, and purple team integration.
  • Red team operational tradecraft including infrastructure separation, attribution avoidance, traffic blending, tool obfuscation, and long-duration adversary simulation against enterprise environments with full kill chain coverage.
  • Red team toolchain including Cobalt Strike, Mythic, Sliver, BloodHound, Mimikatz, Rubeus, CrackMapExec, Impacket, GoPhish, Atomic Red Team, and MITRE Caldera for adversary emulation and detection validation.
  • Purple team collaboration methodologies for translating red team findings into detection improvements, SIEM rule development, Sigma rule creation, and measurable security posture advancement.

Not Covered

  • Advanced binary exploitation, shellcode development, and memory corruption techniques covered by GIAC GXPN at the exploit research level.
  • Cloud-specific penetration testing methodologies covered by GIAC GCPN including cloud service exploitation and container security testing beyond basic cloud persistence.
  • Malware development and reverse engineering at the depth covered by GIAC GREM.
  • Defensive security operations, SOC workflows, and incident response procedures covered by GIAC GCIH beyond what is needed for purple team collaboration.
  • Physical security assessment beyond digital social engineering techniques for initial access.

Official Exam Page

Learn more at GIAC Certifications

Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.