White Knight Labs Training Bundle
White Knight Labs Logo
Menu
Menu

Get ARTOC Certified

Advanced Red Team Operations Certification Course

  • Level > Advanced
  • Real world red team operations labs

Run real campaigns, not isolated exercises. Build infrastructure, defeat modern defenses, and deliver reports clients trust. ARTOC teaches how to plan, deploy, and execute full spectrum red team operations using Cobalt Strike and Havoc C2, multi layered redirectors, cloud based traffic redirection, kernel and user mode evasion, Active Directory exploitation, ADCS abuse, and modern AV and EDR bypass inside a private multi cloud lab environment.

Certification Outcomes

  • Become an officially certified Advanced Red Team Operator, recognized by consultants and internal security teams responsible for enterprise breach simulation.
  • Start training in the student portal and deploy your lab using only AWS access keys. Build infrastructure, launch campaigns, rebuild or destroy environments at any time. Track AWS compute cost, set budgets, and enforce automatic lab stop rules directly through the portal interface.
Linkedin-in X-twitter

Used by consultants, operators, and security teams performing real adversary simulation.

Start learning

What This Certification Course Delivers

The Advanced Red Team Operations Certification validates the ability to conduct end to end red team engagements using modern tooling and infrastructure.

By the end of the course, students will be able to:

  • Deploy resilient C2 infrastructure using Cobalt Strike and Havoc
  • Build redirector chains using cloud CDNs and serverless platforms
  • Conduct initial access, persistence, and lateral movement
  • Exploit Active Directory and ADCS misconfigurations
  • Defeat next generation AV and EDR platforms
  • Operate across AWS, Azure, and GCP
  • Perform kernel and user mode evasion
  • Produce a professional red team report

Student Portal, Lab Deployment, Budget, and Cost Controls


All students are onboarded into the White Knight Labs student portal where all certification content is delivered in Markdown format.

The student portal provides:

  • Automated deployment of a private lab in AWS
  • Integration using only AWS Access Keys
  • Build, destroy, start, stop, and rebuild controls
  • Live cost tracking and usage visibility
  • Budget thresholds and auto stop rules
  • Full administrative control of all systems
  • Private isolated environment per student

Students control infrastructure just as during a real engagement. The portal enforces only student defined guardrails.

Cobalt Strike Server Setup with Redirectors and CDNs

The opening phase of ARTOC focuses on building resilient Command and Control infrastructure before any attack against the stigs.corp environment begins. Students construct a multi layered C2 architecture designed to survive real defensive monitoring.

The setup includes:

  • Cobalt Strike and Havoc C2 servers
  • Traditional HTTP and HTTPS redirectors
  • AWS Lambda and Azure Functions
  • Azure CDN, AWS CloudFront, GCP CDN
  • Multi layer traffic obfuscation

Once validated, students use this exact infrastructure to attack the stigs.corp environment, mirroring real workflows.

Lab Environment Overview

The ARTOC lab mirrors real client networks and supports full red team operations using industry standard frameworks.

Includes:

  • Access to Cobalt Strike and Havoc
  • Bring your own C2 supported
  • Cloud based redirectors
  • Windows and Linux targets with EDR
  • Active Directory and ADCS paths
  • Multi domain and multi cloud attacks

Students execute campaigns, not checklists.

Real World Defensive Targets

ARTOC is built around technologies encountered during live assessments.

  • Multiple enterprise EDR platforms
  • Windows built in defenses
  • Application control restrictions
  • Network and cloud telemetry

These targets reflect environments that challenged White Knight Labs operators on real engagements.

Designed to Challenge Professional Operators

ARTOC is intentionally demanding.

Students will experience:

  • Infrastructure failures
  • Detected payloads
  • Telemetry driven adaptation
  • Multi stage research requirements

Completion demonstrates the ability to:

  • Run campaigns independently
  • Defeat modern defenses
  • Build infrastructure at scale
  • Lead engagements with confidence

Why ARTOC Exists

Most red team training teaches individual techniques. Real engagements require infrastructure design, tradecraft decisions, and adaptation when defenses respond. ARTOC teaches operators how to run engagements end to end using the same workflows used by White Knight Labs on client operations.

  • Build infrastructure before touching a target
  • Operate while defenses are actively hunting
  • Adapt when payloads fail and telemetry changes
  • Deliver a report that mirrors real client work

The ARTOC Transformation

Before ARTOC

  • Relies on stock tooling and public playbooks
  • Struggles when EDR blocks execution
  • Limited experience designing infrastructure
  • Unsure how to structure real engagements

After ARTOC

  • Designs resilient C2 infrastructure
  • Adapts tooling when detections occur
  • Runs multi stage campaigns independently
  • Delivers professional engagement reports

Here's a sneak peek of your training experience

A sample video is available to provide a sneak peek into the certification course structure.

Table of Contents Preview Download


All course material is delivered through the student portal. For transparency, students may download the Table of Contents to review the scope of topics covered prior to enrollment.

Download Table of Contents

Red Team Focus Areas

Hands on training across:

  • Cobalt Strike and Havoc operations
  • CDN and serverless redirectors
  • Cloud infrastructure
  • AD and ADCS exploitation
  • Lateral movement and persistence
  • Kernel and user mode evasion
  • SQL and application abuse
  • Engagement reporting and cleanup

Built From Real Engagements

Every major lab was derived from techniques and problems encountered during White Knight Labs operations.

  • Redirector designs used on live jobs
  • EDR bypass scenarios from enterprise
  • AD paths modeled on clients
  • Reporting based on delivered work

Who This Course Is For

Who This Course Is Not For

  • Cloud security testers
  • Red team operators moving to cloud
  • Consultants assessing GCP
  • Engineers defending GCP environments
  • Zero cloud experience
  • Theory only learners
  • Multiple choice seekers

How ARTOC Is Different

Most training teaches how to use a tool. ARTOC teaches how to run an engagement when tools stop working. Students build infrastructure first, then operate against defenses that actively resist. Success requires adaptation, not memorization.

Certification Exam Requirements

The exam is performance based inside the lab.

Students must:

  • Deploy functional C2
  • Compromise targets
  • Defeat defenses
  • Capture flags
  • Demonstrate stability
  • Submit a professional report
Exam Reference

What You Receive

  • Lifetime course access
  • Ongoing updates
  • Private AWS lab
  • Portal automation
  • Budget controls
  • Discord support
  • One exam voucher
  • Official ARTOC certification

Enrollment Information

On demand certification.

Progress at your pace.

All deployment and cost control handled in the portal.

Enroll in ARTOC Now

Certified for Real World Red Team Operations

  • Validated Red Team Expertise
  • Proves the ability to plan, build, and execute full red team campaigns against modern defenses
  • Certification badge reflects practical compromise and operational tradecraft, not attendance or progress only
  • Demonstrates skill in defeating EDR, Windows defenses, application control, and network monitoring through real engagement workflows
  • Industry Recognition & Trust
  • Built and maintained by active red team operators
  • Used by consultants and security teams performing enterprise adversary simulation
  • Badge signals real world experience in domain compromise, lateral movement, and protocol abuse
  • Independent Operator Mindset
  • Performance based certification completed through hands on campaign labs and flag capture
  • Demonstrates independent decision making when payloads fail and defenses respond
  • All attack paths and operations documented in a professional red team certification report

Frequently Asked Questions (F.A.Q)

  • No. ARTOC is an advanced certification course. Students are expected to already understand penetration testing, basic red team tradecraft, and Windows and Active Directory fundamentals.
  • Students should be familiar with C2 frameworks, Active Directory concepts, basic cloud usage, and common lateral movement techniques before enrolling.
  • Yes. ARTOC includes live EDR and defensive targets commonly found in enterprise environments. These targets behave as they would during real client engagements.
  • The course includes enterprise EDR platforms, Windows built in defenses, application control mechanisms, and cloud and network telemetry controls.
  • Yes. Lab systems are air gapped or specially configured to prevent leakage or unintended interaction outside the environment. The labs are safe, controlled, and isolated.
  • Students access targets using Guacamole and RDP. This provides browser based interaction while maintaining isolation and operational safety.
  • ARTOC provides access to Cobalt Strike and Havoc C2. Students may also bring and operate their own C2 framework.
  • Yes. Students receive controlled access to Cobalt Strike within the lab environment.
  • Yes. Access is intentionally restricted. Students have enough capability to learn, operate, and abuse the framework, but administrative access to the team server is prevented. Students may not bring their own Cobalt Strike license.
  • Yes. Students can experiment with malleable profiles, generate working beacons, and test detection tradeoffs and stability.
  • The course uses current Cobalt Strike releases. New versions are tested before being introduced to ensure stability.
  • Yes. Havoc C2 is fully supported and can be used alongside or instead of Cobalt Strike.
  • Yes. Students may bring and operate their own C2 within the lab environment.
  • Yes. Students must have an AWS account with administrative access to generate Access Key ID and Secret Access Key.
  • Yes. The portal tracks live AWS compute cost and projected spend.
  • Yes. Students can define budgets, runtime limits, and automatic stop rules in the portal.
  • Students can destroy and rebuild the lab at any time through the portal.
  • No. Not all labs include videos at release. All labs include theory and complete Markdown walkthroughs in the portal.
  • This is a self study on demand certification. Students work independently and may ask questions over Discord.
  • Support is provided over Discord by instructors and other students.
  • The course is updated at least two times per year with new labs, defenses, and techniques.
  • Yes. EDR targets and configurations may rotate to remain current with real world conditions.
  • Portal access does not expire at this time and remains available for the life of the course.
  • Yes. ARTOC includes a performance based exam completed inside the lab.
  • The exam is 48 hours long with an additional 48 hours to submit the report.
  • No. One exam voucher is included with no expiration.
  • Students must deploy C2 infrastructure, compromise targets, bypass defenses, capture flags, and submit a professional report.
  • Yes. ARTOC is intentionally challenging. Students will encounter detections, failed payloads, and infrastructure redesign just like real engagements.
  • English is the only supported language at this time. Browser translation may assist but is not officially supported.
Github Linkedin-in X-twitter Discord

Quick Links

Contact

Services & Company Inquiries:

Student Support (Billing, Labs, Content, Vouchers, Tickets):

Copyright © 2026 White Knight Labs – All rights reserved