Get OADOC Certified
Offensive Active Directory Operations Certification Course
- Level > Beginner to Expert
- 40+ hands-on AD exploitation labs
Learn modern Active Directory attack paths including Kerberos abuse, NTLM and Kerberos relay, AD CS exploitation, delegation attacks, ACL and GPO task abuse, trust boundary compromise across parent and child domains, and endpoint evasion fundamentals inside a private AWS AD forest.
Certification Outcomes
- Become an officially certified Active Directory offensive operator recognized by consultants, red teams, and internal security testing teams.
- Start training in the student portal and deploy your lab using only AWS access keys. Start, stop, rebuild, or destroy your environment whenever you want. Set budgets, track AWS cost, and enforce automatic lab stop rules directly from the portal interface.
Built and maintained by active red team operators.
What This Certification Course Delivers
This certification course teaches how Active Directory is compromised in real organizations, not in isolated or artificial lab environments. Students learn how misconfigurations, trust relationships, permissions, and identity controls are chained together during real enterprise attacks.
By the end of the certification course, students will be able to:
- Perform professional Active Directory enumeration
- Identify and chain multiple AD misconfigurations into viable attack paths
- Abuse Kerberos, NTLM, delegation, ACLs, GPO tasks, service accounts, and trust relationships
- Execute lateral movement across Windows and Linux domain joined systems
- Escalate privileges to full Domain Admin access
- Document exploitation steps and escalation chains in a professional certification report
Student Portal, Lab Deployment, Budget, and Cost Controls
All students are onboarded into the White Knight Labs student portal, where all certification content is delivered in Markdown format.
The student portal provides:
- Automated deployment of a private Active Directory lab environment in AWS
- AWS integration using only an Access Key ID and Secret Access Key
- Automated build, destroy, start, stop, and rebuild of lab systems
- Live AWS compute cost tracking and usage visibility
- Budget configuration and spending thresholds defined by the student
- Automatic lab stop when budget or runtime guardrails are reached
- Full Domain Admin and Local Administrator access to all systems
- A private, isolated lab environment per student
Students are encouraged to explore, modify, break, rebuild, exploit, and harden systems freely. The portal enforces only the budgets and guardrails configured by the student.
Lab Environment Overview
The course walks students through all documented attack paths using a comprehensive lab guide that includes credentials and complete technical details. In addition, the environment contains hidden attack paths that students can independently discover and execute beyond the guided exercises.
By the end of the certification course, students will be able to:
- Parent domain
- Child domain
- External forest with trust relationships
- Domain controllers
- Domain joined Windows workstations
- Linux domain joined hosts
- Enterprise services and service accounts
- Multiple domain exploitation paths
Active Directory Attack Path Diagram
The certification course includes a real attack path diagram demonstrating compromise progression across complex enterprise boundaries.
The diagram highlights:
- Initial access points
- Enumeration flow
- Privilege escalation stages
- Parent to child domain compromise
- External forest trust abuse
- Domain Admin compromise workflow
- Centered Active Directory attack path diagram image
Master real world Active Directory attack paths used by offensive security consultants, red team operators, and internal security teams. OADOC is an on demand certification course built to teach beginners through expert practitioners how enterprise Active Directory environments are compromised using modern attack techniques, realistic misconfigurations, and real operational tradecraft.
Course Preview
A sample video is available to provide a sneak peek into the certification course structure, lab environment, and the depth of attack paths covered.
Table of Contents Preview Download
All course material is delivered through the student portal. For transparency, students may download the Table of Contents to review the scope of topics covered prior to enrollment.
Prerequisites
- No prior experience with Active Directory security or exploitation is required
- Basic familiarity with Windows and Linux operating systems
- Comfortable using the command line on either platform
- Understanding of core networking concepts (IP, DNS, ports, protocols)
- Willingness to progress from foundational topics into advanced attack chains
What You Will Learn
Hands on training is provided across the following areas:
- Active Directory Enumeration
- Kerberos Attacks
- NTLM and Kerberos Relay
- Domain Trust Exploitation
- Delegation Abuse
- GMSA Abuse
- Service Account Compromise
- Scheduled Task and GPO Task Abuse
- ACL and Object Permission Attacks
- Credential Replay and Lateral Movement
- Active Directory Certificate Services exploitation
- EDR bypass fundamentals
- Enterprise persistence techniques
- Cross platform domain joined host abuse
Each module requires live execution inside the student lab environment and professional documentation.
Certification Exam Requirements
The OADOC certification exam is performance based and completed inside the student deployed AWS Active Directory environment managed through the student portal.
Students must:
- Enumerate the Active Directory environment
- Identify misconfigurations and attack paths
- Execute privilege escalation chains
- Achieve Domain Admin access
- Capture required technical flags
- Submit a professional certification report documenting the compromise chain
There are no multiple choice questions. Certification is issued only upon successful practical completion.
Enterprise Relevance and Compliance Alignment
OADOC prepares students to assess and test enterprise Active Directory environments used in organizations operating under regulatory and compliance frameworks including:
HIPAA
PCI DSS
ISO 27001
SOC 2
GDPR
Identity and access security requirements
Compute Costs and Student Responsibility
The student portal includes AWS cost visibility, budget enforcement, and automatic lab stop controls to ensure responsible and auditable lab usage.
Students are responsible for AWS compute costs associated with running their lab environment.
The student portal provides:
- Live cost tracking
- Usage visibility
- Projected spend reporting
- Budget thresholds
- Automatic lab stop when limits are reached
Students may start, stop, destroy, and rebuild labs at any time. White Knight Labs does not impose external lab access time limits.
Who This Certification Course Is For
This certification course is designed for:
- Absolute beginners seeking a serious technical challenge
- Entry level penetration testers
- Red team operators
- Blue team engineers transitioning into offensive security
- Security engineers responsible for Active Directory environments
- Students preparing for advanced red team roles
This is a beginner to expert level certification course. Students progress at their own pace based on experience and learning goals.
What You Receive Upon Enrollment
- Lifetime access to the OADOC on demand certification course
- Certification updates for the life of the course
- Private AWS based Active Directory lab environment
- Full lab automation through the student portal
- Budget and cost controls configured by the student
- Student support access through Discord
- Certification exam eligibility
- Official White Knight Labs OADOC certification upon passing
Students do not watch demos. Every technique is executed by the student inside a live Active Directory environment that they control through the White Knight Labs student portal.
Enrollment Information
This is an on demand certification course.
Students may enroll at any time and begin immediately.
All lab deployment, control, cost tracking, and budget enforcement are handled through the student portal.
Certified for Real World AD Exploitation
- Validated Offensive AD Expertise
- Proves ability to enumerate and exploit real Active Directory forests
- Certification badge reflects practical attack execution, not attendance or progress only
- Demonstrates skill in chaining misconfigurations into full domain compromise paths
- Industry Recognition & Trust
- Built and maintained by active red team operators
- Used by consultants and security teams that test enterprise AD environments
- Badge signals real world Domain Admin escalation, lateral movement, and protocol abuse proficiency
- Independent Operator Mindset
- Performance based certification completed through hands on labs and flag capture
- Shows structured problem solving and domain attack path mastery without supervision
- All exploitation documented in a professional certification report
Frequently Asked Questions (F.A.Q)
Is this beginner friendly
- Yes. This is a beginner to expert level, on demand certification course built to scale with the student.
Is anything off limits in the lab
- No. Students have full Domain Admin and Local Administrator access to all lab systems.
What happens if I break the environment
- You can destroy and rebuild the lab at any time through the student portal.
Will the student portal stop me from overspending in AWS
- Yes. The portal tracks live AWS compute costs and lets you set budgets and automatic lab stop rules.
Do I need my own AWS account
- Yes. Students must have their own AWS account with administrative access to generate AWS Access Key ID and Secret Access Key.
Do I share AWS access with White Knight Labs or other students
- No. AWS access keys are entered only into the student portal to deploy your private environment. No shared access is required.
Does the exam voucher expire
- No. One exam voucher is included with the certification course and has no expiration.
How long is the certification exam
- The exam is 48 hours long and performance based inside your private AWS Active Directory lab.
How long do I have to submit my certification report
- After the 48 hour exam, students receive 48 additional hours to submit the professional certification report.
Can I start and stop labs whenever I want
- Yes. Labs can be started and stopped at any time through the student portal.
Can I set budgets and guardrails for lab runtime and AWS cost
- Yes. Budgets, cost thresholds, and runtime guardrails are defined by the student and enforced by the portal.
Are video walkthroughs recorded for every lab
- No. Not all labs include recorded videos at release. New content may be added before a video exists. Every lab includes theory and a complete Markdown walkthrough in the student portal.
Are written steps provided if a video does not exist
- Yes. All labs include written attack steps in Markdown inside the portal.
What does the student portal include
- The portal delivers all labs, theory, exploitation steps, videos, AWS cost tracking, budgets, and course content. Portal access does not expire at this time.
Is live instruction required for this certification course
- No. This is a self study, independent certification course. Students can ask instructors and other students questions over Discord.
Is the lab guide provided as a PDF
- No. All certification course content is delivered through the student portal in Markdown format. The Table of Contents is available for download temporarily for transparency.
Where is support provided
- Support is provided over Discord with guidance from instructors and other students who purchased the certification course.
Is translation officially supported
- No. English is the only supported language at this time. Students may use browser based translation tools, but White Knight Labs does not validate translation accuracy.
How much time is provided for exam retakes
- One retake voucher gives 48 hours of lab runtime plus 48 hours for report submission.
Is the exam retake priced for profit
- No. Exam retakes are priced between $50 and $100 only to cover 48 hours of lab runtime and report submission costs.
Does student portal access expire
- No. Portal access does not expire at this time.
Can I modify domain controllers, services, permissions, and security controls in the lab
- Yes. The environment is intentionally open for testing, modification, exploitation, resets, hardening, and experimentation.
Will I receive access to new certification content and updates
- Yes. Students receive lifetime access to updates as long as the certification course remains active.
What cloud provider is required for labs
- AWS is required for all lab deployments. AWS access keys are used only inside the student portal to deploy a private Active Directory environment.
Are AD attack paths handed out
- Yes. Students are provided with documented attack paths and supporting details, and are guided through executing the full exploitation chains within their AWS deployed environment managed through the student portal. In addition to the guided material, multiple hidden attack paths exist and can be independently discovered and executed by students who wish to go beyond the standard exercises.
Do students control AWS budgets and runtime protections
- Yes. Students define budgets, cost thresholds, runtime guardrails, and automatic stop protections through the portal.
Is this certification course timeboxed
- No. This is on demand. Students take as long as needed to complete the course material and can run labs on their schedule through the portal.
Are flags and a professional report required for certification
- Yes. Certification is issued only after successful attack chain execution, flag capture, and submission of a professional certification report documenting the full compromise chain and flags captured.
Used by consultants, operators, and security teams that test real Active Directory environments.
