Coming Soon The sequel to ROPS-RT1

Ready to become a SENIOR Red Team Operator?

RT1 taught you to operate. RT2 teaches you to develop and run the op. Build your own C2, select advanced TTPs, and lead a full engagement from planning to impact.

Positioning

From operator to team lead.

ROPS-RT1 gave you the tools and the plan. You learned to get in, persist, mine AD, and hit the objective.

ROPS-RT2 flips it. You're the senior operator building and leading the op. Plan engagements with a two-tier attack path (Plan A, Plan B), select TTPs that minimize operational risk, and make the calls: DC or workstation, which leads to chase, where the team spends its time.

You're also done borrowing tooling. RT2 leans hard into AI-assisted tradecraft: build your own "vibe-coded" C2 that bypasses EDR, write custom BOFs and plugins, set up exotic transports, and chain advanced tunnels. All of it, from scratch.

6Modules, 0 through 5. a full engagement lifecycle

42Hands-on labs in a live enterprise range

24/7Browser access. nothing to install

27+Enterprise VMs in your private range

Advanced CourseRT2 assumes RT1-level experience. we recommend completing ROPS-RT1 or equivalent hands-on Red Team experience before enrolling.

The Platform

Same platform you love. All-new enterprise lab.

RT2 runs on our same cutting-edge range platform, but the lab scenario was built from scratch. A larger, more complex enterprise network with new attack surfaces at every layer.

40+ Machine Enterprise Range

A full corporate network with domain controllers, workstations, servers, and segmented subnets.

Elastic Defend EDR

Real endpoint detection on target machines. Every payload and technique must survive live defenses.

Browser Cookie Theft Opportunities

Multiple browser-based credential and session harvesting targets across the network.

Private Lab Instances

Your own isolated range. No shared state, no noisy neighbors, no cleanup after someone else.

24/7 Browser Access

Everything runs in the browser. Nothing to install, nothing to break on your host.

Signature Tradecraft

Ready to lead a Red Team operation? Make sure your toolkit is built and ready.

A sample of what you'll develop, weaponize, and deploy across the 42 labs. Most of it, you'll build yourself.

Custom C2 Development
Disposable Mythic Agents
AI-Assisted Obfuscation
Custom BOFs & Plugins
Exotic C2 Transports (ICMP, Chat)
EvilNoVNC Phishing
Supply Chain (Poisoned PIP)
HTML Smuggling
Credential Clone Pages
Simulated Vishing
AppDomainManager Injection
InvisibilityCloak
Metatwin Metadata Manipulation
CDN-Fronted C2
COM Object Hijacking
RegisterApplicationRestart
ADCS Exploitation (ESC1/ESC4)
DCOM Lateral Movement
Kerberos PTT via Proxifier
Browser Cookie Theft
Writable AD DACLs
NTLM Harvesting (Farmer)
Neo-reGeorg SOCKS
Chisel Tunneling
Redsocks
WebDAV Payload Delivery
Proxy-Aware C2
Nemesis Data Enrichment
TruffleHog Secret Scanning
BloodHound AD Mapping
Elastic Fleet API Recon
Rubeus
Certipy
SharpHound
Responder
hashcat
Nmap
Obsidian Op Logging
User Workstation Hunting
DCSync
Pass-the-Hash
Scheduled Task Hijacking
PowerShell Profile Injection
Kerberoasting
WAR File Webshell Deployment
XOR Payload Encryption
Curriculum

The full course schedule.

Six modules, 42 labs, one continuous engagement. from planning to impact.

Hands-on lab
Lecture / concept

00Module 0 · The mindset shiftWhat is a Red Team Team Lead?Foundations

Building an Operation Plan (Plan A, Plan B)
Researching Advanced RT TTPs
AI/LLMs + Supercharged Research and POC
On-going Custom C2 Project

01Module 1 · Scoping the engagementPlanning & Infrastructure2 Labs

Lab Scenario Overview
Sifting Customer Expectations/Objectives & Planning
Tool/TTP Selection to Minimize Operational Risk
Lab 1 Brainstorm/Set TTPs Beginning to End
Introduction to Tools in this Class
Lab 2 Research Actual TTPs

02Module 2 · Building the arsenalRecon & Dev16 Labs

Understanding Web Proxies & Protocol Behavior
Domain Aging, CDN Selection & Redirector Hardening
Infrastructure Cut Sheets & Stream Separation
Lab 3 CDN Configuration & Testing
Static Sigs, Behavioral Detect & Shellcode Loading
Artifact Awareness & Entropy Concerns
AppDomainInjection & Obfuscation Techniques
Metatwin & Binary Metadata Manipulation
Lab 5 Custom AppDomainInjection + Metatwin
EvilNoVNC Overview
Lab 4 EvilNoVNC Configuration & Setup
Supply Chain Attack Concepts
Lab 6 Supply Chain Attacks (Poisoned PIP)
AI-Assisted Obfuscation & Iterative Testing
Lab 7 Chisel Obfuscation with Claude
Testing Methodology (Lab vs Live)
Lab 8 Test & Evaluate Everything
Invisibility Cloak
Lab 9 Invisibility Cloak
In-House C2 Development with AI
Why Vibe-Coded C2s Make Sense
Models & Tooling Options
Best Practices
Lab 10 In-House C2: Initial Build
Writing BOFs & Custom Plugins
Lab 11 In-House C2: Adding Plugins
File Upload/Download & Long-Running Tasks
Lab 12 In-House C2: File Upload/Download
Exotic C2 Transports
Lab 13 In-House C2: Exotic C2 Transport
IP Source Protection & HTML Smuggling
Where to Host Payloads
Lab 14 HTML Smuggling Through Web Proxies
Custom CredGrab Development & Credential Storage
Lab 15 Deploying Custom Cred Grab to Scenario
Evil Browser & Sandbox Browser Concepts
Lab 16 Deploying EvilNoVNC to Scenario
Malicious Extension Development
Lab 17 Deploying Malicious PIP to Scenario
Brief Scanning & Port Recon
Lab 18 NMAP Scanning

03Module 3 · Getting the footholdInitial Access7 Labs

Vishing Tradecraft & Phone Presence
Redirector Security & Managing Multiple IA Techniques
Lab 19 First Callback (Cred Grab)
Lab 20 Triaging Email Access
Novel User Persistence
Lab 21 Installing User Persistence
Lab 22 Capturing Credentials with EvilNoVNC
Managing Multiple Initial Access Callbacks
Lab 23 Managing Multiple IA
ReGeorge SOCKS Tunneling & Domain Joined *Nix
Lab 24 ReGeorge SOCKS Tunneling
Lab 25 Poisoned PIP Access
Operations Review & Management Briefing Exercise

04Module 4 · Owning the domainEscalate & Fortify11 Labs

Day-of-Ops Team Lead Standup
Evaluating Leads & Dead Ends
Lab 26 LDAP Dump via SOCKS
Redsocks Overview
Lab 27 Redsocks
ADCS Overview (Authenticating with Certificates)
Lab 28 ADCS Discovery & Exploitation
Operational Logging
Lab 29 Red Team Logging (Obsidian)
Data Analysis with Nemesis
Lab 30 Nemesis (Data Analysis)
Why Fortification Matters & Anti-Forensics
Team Lead Moment: Picking a Workstation
Lab 31 Domain Fortification
Lab 32 Domain Fortification + Custom Exotic C2
Corporate Web Proxy Challenges
Lab 33 Making Custom C2 Proxy Aware
Cross-Domain Pivot Strategy
Finding Target User Workstations
Lab 34 Finding User Workstations
Cookie Stealing (AD Auth vs Password-Based Auth)
Lab 35 Hijacking Authentication Cookies
TruffleHog & Git Repo Triage
Lab 36 Triaging Git Repos with TruffleHog

05Module 5 · Objective completeImpact6 Labs

Breaking Down Complex Tunnels
Team Lead: Decomposing Complex Attacks Into Steps
WebDAV Overview
Lab 37 Advanced Tunneling + Pivoting (WebDAV)
Farmer & NTLMv2 Hash Collection
Lab 38 NTLM Hash Harvesting & Cracking (Farmer)
Hunting Writable Active Directory DACLs
Lab 39 Writable Active Directory DACLs
Team Lead Decision: DC or Workstation
Lab 40 Exploring AD for Targets of Interest
Proxifier & Kerberos Ticket Injection
Lab 41 Proxifier + Kerberos PTT
Lab 42 Custom C2: C2 Over Ping
Conclusion & Assessment Completion
Certification

A new take on certification

No multiple choice. No memorization. You prove it by doing it. the way a real engagement plays out. Finished the exam? Prepare your 15 minute brief to existing Senior Red Team Operators and be ready to answer any questions they may have.

ROPS-RT2 Certified

Fully hands-on, proctored exam. Prove your skills live. there is no multiple choice.

End-to-end mock engagement in a fresh environment you've never touched.

Tradecraft & operator-logging review. you're judged on how you work, not just the flag.

15-minute live brief to senior Red Team operators. Present your findings, defend your decisions, and answer hard questions from experienced operators who have been there.

Exam format and duration will be confirmed at launch.
Your Instructor

Taught by someone who's led the op.

Nick Downer
Founder & Lead Instructor · Rogue Labs

Nick has spent 10+ years running Red Team operations across the DoD and commercial sectors. the kind of engagements where planning, restraint, and team leadership matter as much as the exploit.

He co-authored RTFMv2, created the RTFM Video Library, built ROPS-RT1 (the hands-on Red Team course that started it all), and designed the Rogue Arena cyber range platform from the ground up. Over 400+ students have trained on his tradecraft. RT2 is the course he wishes existed when he first had to lead instead of operate.