Get ARTOC Certified
Advanced Red Team Operations Certification – Live Instructor Led Training
- Level > Advanced
- Full spectrum red team operations executed live
Operate like a real adversary with live guidance from experienced red team operators. The live ARTOC training teaches students how to plan, build, and execute full red team engagements using modern infrastructure, realistic attack paths, and professional tradecraft. Students learn to deploy resilient command and control infrastructure, exploit Active Directory and cloud environments, evade modern defensive controls, and adapt tooling when detections occur while following along with instructors in real time.
Prefer to train at your own pace
View the On-Demand Advanced Red Team Operations Certification:
Certification Outcomes
- Become an officially certified Advanced Red Team Operator, recognized by organizations performing mature red team engagements, adversary simulation, and advanced offensive security assessments.
- All training, labs, and certification workflows are delivered through the White Knight Labs student portal. Live training students deploy, manage, reset, and destroy lab environments directly through the portal, with instructors walking through real engagement workflows during each training day.
Used by consultants, operators, and security teams conducting advanced adversary simulation.
Student Portal and Lab Experience
Live training students use the same student portal as on-demand students.
The portal provides:
- Centralized access to all course content
- Guided lab deployment and teardown
- Build, reset, and destroy lab controls
- Environment visibility and tracking
- Private isolated lab environments
- Full control over testing workflows
Students operate inside environments designed to reflect real enterprise targets.
Cobalt Strike Server Setup with Redirectors and CDNs
The opening phase of the live ARTOC training focuses on building professional grade attack infrastructure before engaging target environments.
Students build and operate:
- Cobalt Strike and Havoc C2 servers
- Multi layer redirector chains
- Traditional HTTP(S) redirectors
- AWS Lambda and Azure Functions
- Azure CDN, AWS CloudFront, and GCP CDN
This layered infrastructure is used throughout the course to attack the target environments and demonstrates how real red teams protect and sustain C2 operations during engagements.
Lab Environment Overview
ARTOC labs simulate mature enterprise environments with realistic defensive maturity.
Includes:
- Multi domain Active Directory environments
- Trust boundaries and forest relationships
- Hybrid on prem and cloud attack paths
- Hardened endpoints and servers
- Realistic privilege escalation and lateral movement
Students execute full engagement style attack chains rather than isolated demonstrations.
Real World Defensive Targets
The live ARTOC course includes defensive controls encountered during real red team operations.
- Next generation AV and EDR platforms
- Logging and telemetry pipelines
- Application control and Windows defenses
- Detection driven response scenarios
Instructors explain how these controls detect activity and how attackers adapt.
Immediate Access After Purchase
Students who purchase the live training receive immediate access to the full ARTOC course content and student portal.
- Begin reviewing content and preparing tooling right away
- Deploy and explore lab environments before the live training begins
- Arrive prepared with context and questions
- Use live sessions to refine execution and tradecraft
Live training students receive the same content and labs as on-demand students, with the added benefit of live instruction.
To view the full self paced version of this course, see the on-demand ARTOC certification:
Why Live ARTOC Exists
The on-demand course teaches advanced techniques.
The live training teaches how experienced operators think, adapt, and recover when things fail.
Live ARTOC exists for students who want:
- Real time explanations when payloads and infrastructure fail
- Instructor insight into tradecraft decisions and OPSEC tradeoffs
- Accountability to stay on pace with advanced material
- Exposure to how professional red teams troubleshoot detections
This mirrors how real red team operations are executed during enterprise engagements.
Live Training Format
The live ARTOC training is intentionally demanding.
- Four consecutive training days
- Six hours of live instruction per day
- One hour break per day
- Delivered live over Zoom
- Fast paced and execution focused
This format reflects real red team and adversary simulation timelines.
What Makes the Live Training Different
Live training students receive everything included in the on-demand course, plus:
- Four days of live instructor led training
- Step by step walkthroughs of complex attack chains
- Real time explanations of infrastructure and tradecraft decisions
- Live troubleshooting when payloads or C2 fail
- A private Discord channel for the live cohort
- Direct access to instructors during and after sessions
- Recorded live sessions provided after training
Students learn not just what works, but why certain approaches fail.
Private Discord Access
Live training students receive access to a private Discord channel limited to the training cohort.
- Ask questions during and between sessions
- Share blockers and receive instructor guidance
- Learn from peers executing the same attack paths
- Continue discussions after live sessions end
This access is exclusive to live training students.
Here’s a Sneak Peek of Your Training Experience
A sample video is available to provide a sneak peek into the certification course structure and execution style.
Table of Contents Preview Download
All course material is delivered through the student portal. For transparency, students may download the Table of Contents to review the scope of topics covered prior to enrollment.
What You Will Be Able To Do After Live ARTOC
By the end of the live training, students will be able to:
- Design and deploy resilient command and control infrastructure
- Execute full Active Directory compromise paths
- Defeat modern endpoint defenses
- Perform lateral movement and persistence
- Adapt tooling and tradecraft when detections occur
- Lead advanced red team engagements with confidence
Live Training Schedule
Upcoming live ARTOC training sessions are listed on the White Knight Labs events calendar.
View upcoming live training dates:
Not ready for scheduled dates?
The on-demand ARTOC certification is always available:
Certification Exam
Live training includes the same ARTOC certification and exam as the on-demand course.
- Performance based certification exam
- Conducted in a protected lab environment
- 48 hours for hands on exploitation
- 48 hours to submit a professional certification report
- One exam voucher included
- Exam voucher does not expire
Certification standards are identical regardless of training format.
Enrollment Information
Live instructor led certification training.
Four days of structured, hands on execution.
Immediate access to all course content through the student portal.
All labs deployed, managed, and reset through the portal just like the on-demand course.
Certified for Real World Red Team Operations
- Validated Red Team Expertise
- Proves the ability to plan and execute full red team operations during guided, live execution
- Certification badge reflects hands on compromise and tradecraft, not attendance
- Demonstrates mastery of infrastructure, identity abuse, and lateral movement
- Industry Recognition & Trust
- Built and delivered by active red team operators
- Used by consultants and security teams performing adversary simulation
- Badge signals real world red team operational capability
- Independent Operator Mindset
- Performance based labs completed during and after live instruction
- Builds confidence troubleshooting failures with instructor guidance
- All attack paths and outcomes documented in a professional certification report
Frequently Asked Questions (F.A.Q)
Is ARTOC beginner friendly
- No. ARTOC is an advanced red team certification. Students should already be comfortable with offensive security fundamentals, Active Directory, and basic tradecraft before enrolling.
What prior experience is recommended
- Prior experience with penetration testing or red team operations is strongly recommended. Students should be comfortable using command line tooling, understanding Windows internals, and operating within Active Directory environments. Familiarity with Cobalt Strike or similar C2 frameworks is helpful.
Is this course instructor led or self study
- ARTOC live training is instructor led over scheduled training days. Students also receive full access to all course content through the student portal and may continue working through labs independently before and after the live sessions.
How is the live training delivered
- Live training is delivered remotely over Zoom with instructors walking through attack paths, infrastructure, and labs in real time. Students are expected to follow along and actively participate.
When will Zoom invites be sent
- Zoom invitations and session details are sent one to two weeks before the scheduled training start date.
Can live training dates change
- Yes. In rare cases, scheduled live training dates may change due to instructor availability, illness, or unforeseen issues. Students will be notified as early as possible if changes occur.
Does this course use real EDR targets
- Yes. ARTOC includes live EDR targets based on real defensive technologies encountered during professional red team engagements.
What defensive technologies are included
- The course includes modern endpoint defenses such as EDR, Windows security controls, application control, logging, and telemetry pipelines commonly found in enterprise environments.
Are the lab systems isolated
- Yes. All lab environments are fully isolated and designed specifically for training and certification use.
How do students access the lab systems
- Students access lab systems through the White Knight Labs student portal using controlled methods such as browser based access, Guacamole, and RDP depending on the lab.
What Command and Control frameworks are used
- ARTOC uses Cobalt Strike and Havoc C2 as primary command and control frameworks.
Do students receive access to Cobalt Strike
- Yes. Students receive controlled access to Cobalt Strike as part of the course.
Is Cobalt Strike locked down
- Yes. Cobalt Strike access is intentionally restricted. Students are given sufficient access to learn, operate, and gain experience without administrative control over the team server.
Can students modify profiles and create beacons
- Yes. Students can modify profiles, generate payloads, and establish working beacons during the course.
Which version of Cobalt Strike is used
- ARTOC uses recent stable versions of Cobalt Strike. New versions are tested internally before being introduced into the course.
Is Havoc C2 supported
- Yes. Havoc C2 is fully supported and used throughout the course.
Can I bring my own Command and Control framework
- Yes. Students may bring and use their own C2 frameworks, provided they comply with lab rules and do not interfere with shared infrastructure.
Do I need my own AWS account
- Yes. Students must have their own AWS account with sufficient permissions to deploy lab infrastructure.
Does the portal track AWS cost
- The student portal provides visibility into lab usage, but students are responsible for monitoring costs within their own AWS account.
Can I set budgets and auto stop rules
- Yes. Students can configure AWS budgets and automatic stop rules to help control spending.
What happens if I break the environment
- Students can destroy and rebuild their lab environment at any time through the student portal.
Are all labs supported by video walkthroughs
- No. Not all labs include video walkthroughs. Some labs receive videos later as content is expanded. All labs include detailed written guidance and explanations in the student portal.
Where is support provided
- Support is provided through a private Discord channel for live training students, where instructors and peers can assist.
How often is ARTOC updated
- ARTOC is updated regularly to reflect changes in tooling, defensive technologies, and real world red team techniques.
Will defensive targets change
- Yes. Defensive targets evolve over time. EDR platforms and defensive configurations are rotated and updated to maintain realism.
How long do I have access
- Course content and portal access do not expire at this time and remain available for the life of the certification.
Is there a certification exam
- Yes. ARTOC includes a performance based certification exam.
How long is the exam
- Students have 48 hours to complete the exam, followed by an additional 48 hours to submit a professional red team report.
Does the exam voucher expire
- No. One exam voucher is included with the course and does not expire.
What is required to pass
- Students must successfully compromise required targets, demonstrate effective offensive tradecraft, capture flags, and submit a professional certification report.
Is this course designed to be difficult
- Yes. ARTOC is intentionally challenging and mirrors the complexity and friction of real red team operations.
What language is supported
- English is the only supported language at this time. Browser based translation tools may assist but are not officially supported.
