OSCP vs CRTO: A Comparison and Study Plan

I now have both OSCP and CRTO, and I wanted to write a bit of a comparison between the two. I think they are close enough in terms of skill to make it a fair comparison. There are a lot of articles online about OSCP and CRTO, but I can’t find a direct comparison. I’ll also add a study guide for both of the exams that I think will guarantee a pass.

tl;dr

OSCP is a CTF exam with no particular focus. You get 6 boxes, a mix of Windows and Linux. 3 of the boxes are domain joined Windows machines. OSCP teaches you a strong foundation of hacking Linux and Windows. The course material is terrible.

CRTO is a CTF exam focused on Windows and Active Directory using Cobalt Strike. There’s multiple domains and 8 boxes in total. CRTO teaches you how to use a popular C2 framework and compromise an Active Directory environment. You will learn AD attacks in depth, to a greater extent than what you would find in OSCP. The course material is excellent.

OSCP vs CRTO

Who should take the OSCP exam?

If you want to pursue a career in the offensive security space, OSCP should be your first offensive security certification. It is solid, challenging and gives you a strong foundation. It will teach you how to hack Windows and Linux machines, and you will learn in detail how these operating systems work and their strengths and weaknesses. If you’re at 0 when it comes to hacking skills and even Linux/Windows knowledge, the amount you will learn over the course of time studying and passing OSCP will be immeasurable.

If you are an incident responder or SOC analyst but you want to be above average, I would also recommend taking OSCP because it is important to understand what hacking actually looks like. When you read logs or see a detection, you need to be able to contextualise what is happening. If you have never hacked a box before, you won’t know what’s going on apart from the really obvious stuff like downloading a piece of malware.

What is the OSCP exam like?

OSCP is a 24 hour exam. You get 24 hours to score as many points as possible, and you get points for capturing the user and root flags (10 points each). You need 70/100 to pass. After the 24 hours, you get another 24 hours to submit a findings report to OffSec. That’s all, it’s quite straight forward.

Who should take the CRTO exam?

CRTO is a specialised certification for red teaming, hence the name. You should take CRTO if you want to pursue a career in red teaming. The course material is really good, and you get to play with Cobalt Strike which is pretty inaccessible unless you’re on the job already. I suppose you can use something free like Havoc or Sliver, but Cobalt Strike is the most popular, so it’s good to be familiar with it. CRTO is focused exclusively on Windows and Active Directory. For Windows attacks, it goes into the same amount of detail as OSCP and covers the same stuff. For AD attacks on the other hand, CRTO goes much deeper. If you’ve already done OSCP before CRTO, then you’ll be familiar with most of the AD attacks, but they are just explored further.

Unlike OSCP, I don’t think CRTO is necessary if you want to be a good incident responder or SOC analyst.

What is the CRTO exam like?

CRTO is a 48 hour exam across 4 days. The exam ends when you use the full 48 hours or the 4 days expires. There are several boxes with multiple domains. You need 6 out of 8 flags to pass, each machine has a flag. Everything in the exam is technically in the course material, but there are twists, so not everything is obvious. I had to use external resources during the exam. Fortunately, there’s no report writing, you just submit the flags and you’re done.

Study Plans

Below is my study plan for OSCP and CRTO. I strongly believe you will pass both of the exams if you follow this plan. Remember to be sensible, if you feel weak in a certain area, then study that area more until you are confident in it. We all have our strengths and weaknesses, I am not a genius, so I need a lot of study to pass exams, and some areas I go over again if I feel I need to.

Note: This plan assumes you have zero hacking experience. Adjust accordingly based on your own skillset. I would also recommend taking OSCP before CRTO.

Also, build your own notes! This is just general advice. I use Gitbook and it has been invaluable. I always refer back to it and I have it for life, a big brain dump of everything I learn. I see people releasing their own notes online for people to use, but don’t use them, this is a terrible idea! Build up your own notes from scratch and use them, you will thank yourself later.

OSCP Study Plan

HackTheBox Academy

Complete the following modules:

HackTheBox Labs

Follow the TJNull list for PEN200. Start with V3, then go back to V2 if needed. Make sure to do an approximately equal number of Windows and Linux boxes.

Also, complete the Active Directory 101 track.

Proving Grounds

Start with the easy boxes and work your way along all of them. You don’t need to complete all of them. I owned 37 of them in total.

OSCP Course Material

I guess you have to do it, because it’s there… but it’s really not great.

OSCP Labs

Complete all of the OSCP labs. Try to do them shortly before the exam, when you’ve already covered the rest of the plan.

CRTO Study Plan

HackTheBox Academy

Complete the following modules:

HackTheBox Labs

Complete the Active Directory 101 track.

CRTO Course Material

Work through the course material slowly, take notes and understand everything you are reading.

Once completed, turn on Windows Defender and do it all again, but this time amend your notes with preferable attacks that you know will bypass Windows Defender.

My Experience

OSCP

I took OSCP in 2023 and I studied a lot for it. I haven’t studied that much for an exam probably ever. I did at least 100, probably 150ish boxes collectively across HackTheBox, Proving Grounds and the OSCP labs. I can’t remember over how long a period, but I reckon it was between 6-9 months. Prior to that, I had done a few CTF style boxes here and there but it wasn’t anything as intense as when I was preparing for the exam. Without a doubt, the time and effort I put into OSCP study has given me such a strong foundation in hacking that it has prepared me for the rest of my career. The amount of knowledge and skills you gain by doing CTFs is immeasurable. You don’t just learn how to hack a system, you learn how that system works. This is why I’d recommend HackTheBox to anyone who wants to get into cybersecurity, regardless of whether they want to specialise in offensive or defensive security. Plus, if you’re on the defender side, how can you defend against attacks if you don’t even know how they work?

I got enough points to pass the exam in about 7 hours. I finished on 90 points, there was 1 box that I couldn’t get a foothold on. I may have been able to get the final box if I spent longer on it, but I stopped shortly after I knew I had enough to pass. The exam was actually more straight forward than expected, the exploitations were not too complex, and I had certainly done much more difficult boxes on HackTheBox. I was actually left thinking “If I knew what was on the exam, I could have taken it months ago without studying so much”. However that’s the thing with OSCP, you don’t know what you’re going to get on the exam, so you have to learn everything. Maybe I got lucky with some easier boxes. Aside from the exam, I had the documentation to produce. This part is straight forward, provided you documented all of your steps with screenshots during the exam. You can just use the OffSec recommended document template, fill it in with all your steps and screenshots, double check it all, triple check it all, and submit.

CRTO

I took CRTO a week ago, and I didn’t study anywhere near as much as I did for OSCP. I probably spent a month going through the course material twice, once without Windows Defender and once with it enabled, as recommended by Rastamouse. Granted, since I already had OSCP, I had that foundation so it made it a bit easier for me. But even if I didn’t have OSCP, I still think I wouldn’t have had to study as much as I did for OSCP. This because unlike OSCP, everything in the CRTO exam is in the course material. If you study and know the course material inside out, you will pass the exam. The best thing about CRTO is that you learn how to use Cobalt Strike, the world’s most popular C2 framework. I really enjoyed it. Like I said, the course material is excellent. Everything is explained very well and you get lifetime access with updates.

I found the exam significantly harder than OSCP. It took me 18 hours to get 60 points which is a pass. I think the main reason I found CRTO so difficult is that I didn’t give it the respect it deserved. I thought it won’t be too difficult, it’s just the course material repeated (everything is technically in the course material, but it does require thinking outside the box at times, it’s not all literally spelled out for you, I had to use Google). Therefore, my notes were very lacking, and during the exam I did not maintain a good note taking process. I got lost in certain attacks, forgot what I was doing, made stupid mistakes, listened to music and got stressed out as a result. It was a sober reminder to never forget the fundamentals: take your time and take good notes.

Final Thoughts

I prefer CRTO to OSCP. Don’t get me wrong, OSCP is like the gold standard for an offensive security certification, but I just had more enjoyment from doing CRTO. OSCP was a lot more stress and pain. CRTO was only stress and pain during the exam, which was largely self inflicted. I just love using a C2 and spreading around a network like a virus, dropping beacons, dumping credentials, evading anti-viruses, circling around like a shark until I can chomp on a domain controller. But the bottom line is, if you want to specialise in offensive security, I recommend OSCP and then CRTO. However if you want to specialise in defensive security, then I recommend OSCP only.