CREST Certified Red Team Manager (CCRTM)

The CREST Certified Red Team Manager (CCRTM) exam is an advanced level examination and is aimed at candidates with relevant knowledge and hands on experience managing threat intelligence-led penetration tests or red team engagements, often known as simulated attacks or adversary simulation.   

Successful candidates will be able to demonstrate knowledge in a number of areas, including: 

• Key Concepts 

Tests fundamental knowledge of red teaming methodologies, assessment types, industry frameworks, and essential terminology for red team managers. Ensures a clear understanding of when and how to apply different testing approaches, regulatory requirements, and attack path modeling techniques. 

• Planning and Scoping 

Focuses on stakeholder coordination, requirement analysis, and defining project parameters to ensure engagements align with business objectives, risk appetite, and regulatory or legal constraints. 

• Project Management, Governance and Oversight 

Covers essential knowledge on effective project management, governance and oversight that are critical for executing structured, intelligence-led red team engagements while maintaining independent integrity and regulatory compliance. This area of the syllabus tests knowledge on the lifecycle of a red team engagement, control group responsibilities, communication strategies, incident management, and stakeholder coordination. 

• Legal, Ethical and Moral Aspects of Attack Management 

Tests if candidates understand and know how to navigate the legal, ethical, and regulatory frameworks governing offensive security operations. Covers compliance with cybercrime laws, data protection regulations, privacy rights, contractual obligations, and ethical considerations in red teaming engagements. 

• Risk Management, Reporting and Communication 

Checks candidate’s ability to implement effective risk management and communication in threat-led engagements to ensure that identified risks are understood, monitored, mitigated, and reported clearly. Candidates are tested on risk assessment methodologies, engagement-specific risks, relevant risk frameworks, and clear risk articulation to stakeholders. 

• Rules of Engagement, Contingencies and Scenario Simulation 

Focuses on establishing structured test plans, defining attack scenarios from defined threat intelligence, planning contingencies, and enforcing rules of engagement to ensure controlled, compliant, and effective red team operations. 

• Threat Intelligence 

Tests a candidate’s ability to understand and comprehend different levels on threat intelligence (TI), ranging from tactical, operational and strategic intelligence. It also tests the candidates ability to understand attack vectors, adversary tactics, and environmental risks. This section covers TI methodologies, data sources, legal considerations, and threat modelling. 

• Attack Methodology, Key Stages and Common Frameworks 

Assesses if candidates have a deep understanding of attack methodologies, frameworks, and key attack techniques is essential for designing and executing realistic and effective red team engagements. The exam is aligned to industry-standard attack models, for example MITRE, techniques for initial access, lateral movement, privilege escalation, persistence, and considerations for cloud and hybrid environments. 

• Dropper/Implant Design, Safety and Secure Coding 

Focuses on the candidate’s ability to ensure a secure, controlled, and ethical deployment of implants, droppers, shellcode and modules in red team engagements. It covers infrastructure security, implant safety, data handling, and cryptographic controls to minimise risks for both clients and cybersecurity providers and the inherent risks of introducing tooling to production environments without the appropriate controls and/or safeguards.  

You can find the full CRTM exam syllabus here.

CREST Certified Red Team Manager (CCRTM) – Notes for Candidates 

The notes for candidates gathers essential information about the CCRTM exam and intends to support CREST candidates on their preparation increasing their chances of success. 

1. Exam overview

The CREST Certified Red Team Manager (CCRTM) examination assesses the expertise needed to lead a simulated attack informed by relevant threat intelligence and real-world scenarios. Candidates will be expected to demonstrate this knowledge by answering tailored questions supplemented by injects and threat intelligence in a similar way that this would be presented in the real-world engagement. 

2. Exam structure

Exam format 

The CCRTM exam has two distinct parts: 

– A written exam which is made of two components: a multiple-choice test and a long form component. 

– A written scenario exam which is made of a red team engagement scenario. 

For the scenario exam, candidates will be given a TI pack containing information around the target of the assessment and scenario background which will include details on the threat actor and goals of the engagement. 

Candidates can take the exams in whichever order they prefer although we suggest candidates to start their exam path with the Multiple Choice & Long Form exam.  

Exam duration 

Multiple Choice & Long Form exam 

The exam duration is 3 hours in total, split as follows: 

– Multiple-choice test (1 hour) 

– Long from component (2 hours) 

Candidates will be given an additional 15 minutes for reading time prior to the start of the long form component. 

Candidates must start with the multiple-choice test followed by the long form component. The questions can be answered in any order within each component. 

Scenario exam 

The written scenario exam duration is 3 hours and candidates will be given an additional 15 minutes for reading time prior to the start of the exam. 

Candidates should note that the breakdown of marks approximates to one mark per minute throughout each exam and respective components. If a candidate spends significantly more time than suggested by the marks for any one section or question, they are potentially missing out on marks that could have been obtained more quickly later in the exam. Where candidates are struggling with a particular question or section they are strongly advised to move on and return later in the session if remaining time permits 

Pre-requisites 

There are no pre-requisites to the CCRTM exam. 

Exam notes 

Multiple Choice & Long Form exam 

The Multiple Choice & Long From exam is closed book. Therefore, no books, written notes, internet access or other electronic devices will be allowed. This applies to both components of the written exam: the multiple-choice test and the written scenario.  

Scenario exam 

The Scenario exam is closed book. Therefore, no books, written notes, internet access or other electronic devices will be allowed. Relevant information to the exam questions will be provided in the exam environment. 

3. Exam grading

Multiple Choice & Long Form exam 

– Multiple choice test (60 marks) 

– Long form component (120 marks) 

Scenario exam 

– Scenario component (180 marks)  

Pass mark 

Multiple Choice & Long Form exam 

– Multiple choice test: candidates must achieve at least two thirds or 40 marks in this section. 

– Long form component: candidates must achieve at least two thirds or 80 marks in this section. 

Passing one of the sections but failing the other one will result in a failure overall.  

Scenario exam 

– Scenario component: candidates must achieve at least two thirds or 120 marks in this exam. 

Feedback 

Multiple Choice & Long Form exam 

Results of the multiple-choice test will be available for candidates at the end of the exam via their Pearson VUE account and will provide a breakdown of the areas and how they have performed.  

The results for the long form component and overall result of their Multiple Choice & Long Form exam will be provided by CREST within 20 days from when the exam has been taken.  

Scenario exam 

The results for the Scenario exam will be provided by CREST within 20 days from when the exam has been taken. Candidates will receive their score in each section.  

If you have not received your results after 20 days and/or if you have any queries, please contact us via [email protected]  

Here you can find some useful resources to support your exam preparation. 

Multiple Choice & Long Form exam 

The multiple choice component is made of 60 questions where each question has one correct answer out of 5 options. No marks are deducted for incorrect answers.  

The long form component is made of 4 long form questions where each is worth of 30 marks. These marks might be broken down into smaller questions. 

Scenario exam

This section is structured around scenario questions that test the candidates knowledge of different stages of an engagement and on the role of the Red Team Manager.  

Candidates are also provided with a TI pack with relevant information and contextualisation to help them with the Scoping and Risk Management section.  

The CCRTM exam is exclusively available in selected Pearson VUE Test Centres across the globe. You can book your exam now via CREST :: Pearson VUE.

CREST Pearson VUE vouchers

Pearson VUE vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice. For more information please contact [email protected].

Invigilation 

A test centre administrator/invigilator will be present throughout the examination to answer any procedural questions that candidates may have and assist in troubleshooting. The invigilator will not provide any support or advice related to the exam content. 

If an issue does occur, a case will be filed. Every effort will be made to accommodate the continuation of your exam and all cases will be investigated and resolved within 3-5 business days. Pearson VUE should provide you with a case ID number. Please ensure you retain this information as this may be required at a later date.  

Special accommodations

Candidates must contact the CREST Support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam until the accommodation request has been processed. For more information, please contact [email protected]

How to cancel, postpone or reschedule

This is done through your own Pearson VUE registration and exam booking page and must be done at least 24hrs before your exam date.

Looking for more info on our CCRTM exam? Check out our handy CCRTM FAQs.