CREST Certification benefits, cost, OSCP equivalent and other details

Cyber security certifications equip individuals with the knowledge and skills to safeguard networks, systems, and data from cyber threats and attacks. These certifications allow technical information security providers to validate their relevant and frequent experience and demonstrate their expertise and commitment to the field. In this article, we will discuss the different types of certifications offered by CREST, their exam formats, their importance for a recognised career path and why you should choose CREST as your certification-providing body.

What are CREST certifications?

CREST certifications are globally recognised technical security benchmarks of an individual’s skills and competence. The professional services sector recognises this, and buyers are willing to pay for various security services.

What is a CREST exam?

CREST exams benchmark a candidate’s skillset at various levels, i.e. analyst, registered tester, certified tester and attack specialist. 

CREST stands for the Council of Registered Ethical Security Testers. It is a non-profit, UK-based organisation. It was created in response to unregulated penetration and vulnerability testing to provide world-class certifications and accreditations to organisations and individuals in the cyber security field.

What are the benefits of having a CREST certification?

Technical information security providers and experts develop CREST exams and paths. Below are some key benefits of why CREST certification is a popular choice for security professionals to have a recognised career path.

Industry Recognition

CREST certifications are globally respected in the cyber security industry. These certifications are designed to test the certification-taker’s skills and knowledge in a real-world scenario and are valued equally by employers and clients. Achieving a CREST certification is an aspiration, and by getting one, an individual becomes a part of a recognised community of security professionals.

Rigorous testing

CREST exams test an individual in challenging real-life scenarios and situations within a limited time frame. The exams guarantee that individuals who earn a CREST certification are well-prepared to tackle cybersecurity challenges in the real world.

Up-to-date knowledge

CREST certifications are regularly updated to reflect the latest developments in the cybersecurity industry and thus ensure that the individual is equipped with the most up-to-date knowledge and skills to undergo testing projects.

Flexible training options

CREST offers a range of training options to suit different learning styles and schedules. This includes self-study options as well as in-person and online training courses.

Competitive advantage

Employers often view CREST certification as a sign of an individual’s commitment to their profession and willingness to invest in their career development.

What are the prerequisites for CREST certification?

CREST certifications expect the following hours of relevant and frequent experience.

  • Entry-level CREST Practitioner level certifications require a minimum of two years or 2500 hours of professional experience.
  • Intermediate-level CREST Registered certifications require three years or 6000 hours of professional experience.
  • Senior professionals aiming for CREST Certified level certifications should have 5-6 years or 10000 hours of professional experience.

CREST exams

Each CREST certification exam is valid for three years, after which the candidate has to retake the exam. The three CREST certification levels are:

CREST practitioner level

This CREST certification is an entry-level, professional standards examination aimed at beginners in the cyber field. At the practitioner level, an information security tester should be able to conduct routine assignments under supervision.

CREST registered level

After getting to the practitioner level, CREST-registered level certifications and examinations are the next steps. These certifications and exams target individuals with intermediate expertise and experience in the growth phase.

CREST-certified level

The next step in the CREST certifications and examinations series is the CREST-certified level, which is meant for seasoned and experienced professionals working in the industry. The CREST certification sets a benchmark for experienced tester-level cybersecurity professionals.

CREST Certifications Cost

CREST certification costs vary from region to region. However, the cost structure in the UK region is given below:

  • CREST practitioner level exam costs 275 GBP.
  • CREST registered level exam costs 395 GBP.
  • CREST certified level exam costs 1600 GBP.
    • For CREST-certified level exams with both written and practical components, the fee structure is 275 GBP for the written part and 1350 GBP for the practical portion.

CREST qualifications and exam levels

Each of these levels covers three domains of cyber security, i.e. penetration testing, threat intelligence, and cyber incident response.

CREST penetration testing certifications

CREST penetration testing certifications are further classified as follows:

  • CREST Practitioner Security Analyst (CPSA)
  • CREST Registered Penetration Tester (CRT)
  • CREST Certified Infrastructure Tester (CCT INF)
  • CREST Certified Web Applications Tester (CCT APP)
  • CREST Certified Simulated Attack Specialist (CCSAS)
  • CREST Certified Simulated Attack Manager (CCSAM)

CREST threat intelligence certifications

CREST threat intelligence certifications are further categorised as follows:

  • CREST Practitioner Threat Intelligence Analyst (CPTIA)
  • CREST Registered Threat Intelligence Analyst (CRTIA)
  • CREST Certified Threat Intelligence Manager (CCTIM)

CREST cyber incident response certifications

CREST cyber incident response certifications are further classified as follows:

  • CREST Practitioner Intrusion Analyst (CPIA)
  • CREST Registered Intrusion Analyst (CRIA)
  • CREST Certified Network Intrusion Analyst (CCNIA)
  • CREST Certified Host Intrusion Analyst (CCHIA)
  • CREST Certified Incident Manager (CCIM)

CREST exams format and success criteria

CREST Penetration Testing Certifications

CREST offers six penetration testing certifications, each designed to assess the skills and knowledge of cybersecurity professionals with relevant and frequent experience. Below is a high-level overview of the different CREST penetration testing certifications:

CREST practitioner security analyst (CPSA)

CPSA is an entry-level exam that tests an individual’s knowledge of operating systems, networks, and network services, web application penetration testing, and the methodology to identify vulnerabilities in web applications.

  • Prerequisites: There are no prerequisites to the exam.
  • Exam format: The exam is a multiple-choice written assessment with 120 questions, which has to be completed in 2 hours.
  • Success Criteria: The candidate should achieve a minimum of 60% to pass the examination.

CREST registered tester (CRT)

The CRT is an intermediate-level certification that tests an individual’s theoretical and practical knowledge in operating systems and operating system vulnerabilities, networks and network vulnerabilities, web application vulnerabilities, and web application penetration testing methodologies.

  • Prerequisites: The candidate must have the CPSA to take the CRT.
  • Exam format: The exam consists of a multiple-choice written assessment and a practical assessment, which must be completed in 2.5 hours.
  • Success Criteria: The candidate should achieve a minimum of 60% in each component to pass the examination.

CREST-certified infrastructure tester (CCT-INF)

The CCT-INF exam tests the candidate on their knowledge and skillset in infrastructure penetration testing, operating system, and network vulnerabilities and how to exploit them.

CREST-certified web application tester (CCT-APP)

The CCT-APP exam tests the pen testers on their knowledge and skillset in web and testing subjects, application penetration testing methodology, web application penetration testing vulnerabilities, and how to exploit them.

CCT-INF and CCT-APP have the same exam format, as discussed below.

  • Exam format: The exam consists of a multiple-choice written assessment and a practical assessment. The breakdown is as follows:
    • MCQ written assessment: 150 questions to be completed in 2.5 hours.
    • Practical assessment: The practical component is further divided into two sections:
      • Scenario question: 1 scenario question with 15 minutes to read the question paper and 2.5 hours to complete the practical part.
      • Assault questions: 1 assault question with 15 minutes to read the question paper and 3.5 hours to complete the practical assessment.

Success Criteria: The candidate must submit a report on each section and achieve a minimum of 67% in each component to pass the examination successfully.

CREST-certified simulated attack specialist (CCSAS)

The CCSAS certification is an experienced senior tester level certification that tests candidates’ knowledge of planning and delivering a simulated red team attack. This includes trojans and trojanised files, phishing campaigns, implant development, defence evasion techniques, lateral movement, etc.

  • Prerequisites: The information security tester must have the CCT-INF to take the CCSAS.
  • Exam format: The exam consists of three components: a multiple-choice written assessment, a long and descriptive written assessment, and a practical assessment. The breakdown is as follows:
    • Written assessment: The written assessment should be completed in 2.5 hours.
      • MCQ written assessment: 90 questions.
      • Descriptive assessment: 4 descriptive questions, out of which three must be answered successfully.
    • Practical assessment: The practical assessment should be completed in 3.5 hours and is intended to simulate several real-world attack situations. For example, performing client-side exploitation attacks, pivoting and lateral movement, workstation and browser enumeration, server exploitation, and application-level exploitation.

Success Criteria: The candidate should achieve a minimum of 67% in each component to pass the examination.

CREST-certified simulated attack manager (CCSAM)

The CCSAM certification evaluates the knowledge and expertise of security professionals in leading a specialised team that conducts simulated red team attacks. This examination measures the candidate’s ability to carry out realistic, legal, and safe simulated attacks while ensuring thorough documentation and collection of evidence. The ultimate goal is to provide actionable intelligence on organisational risks and vulnerabilities while minimising potential harm to the customer’s staff, data, and systems.

  • Exam format: The exam consists of a multiple-choice assessment and a long and descriptive written assessment. The breakdown is as follows:
  • MCQ written assessment: 150 multiple-choice questions and one compulsory descriptive question to be completed in 2.5 hours.
  • Descriptive assessment: 3 descriptive questions, 2, and 1 scenario-based question, are to be answered.
  • Success Criteria: The candidate should achieve a minimum of 70% in each component to pass the examination.

CREST certification vs OSCP

OffSec’s OSCP is another well-recognised penetration testing certification in the industry, equivalent to the CREST CRT. The OSCP is a rigorous certification exam requiring candidates to compromise a set of Windows and Linux machines in a 24-hour period. The findings and outcomes of the penetration test are to be documented and submitted to OffSec in the form of a professional penetration testing report. OSCP is a practical certification exam, unlike the CRT, which also has an MCQ-based component.

How do you get CREST after OSCP?

Candidates wishing to get a CREST certification after having the OSCP must pass the CPSA first and then submit their equivalency appeal to CREST for the CRT. This is only valid for the first three years after achieving the OSCP. After three years, to get the CRT through the equivalency, the candidate has to attempt the OSCP again.

Parting thoughts – why are cyber security certifications necessary?

Cyber threats are evolving exponentially, and it is essential to have qualified cybersecurity professionals who can prevent the compromise and breach of sensitive information and secure networks from potential attacks. By earning these certifications, professionals demonstrate their commitment to the field, make advancements, increase their career opportunities and earning potential, and contribute to digital systems and data safety and security.

Frequently Asked Questions (FAQs)

Can I reschedule my examination?

Yes, you can reschedule your examination with a written notice to CREST within 21 days of registering for the exam.

What is the Hard Disk Drive Wiping Policy?

Candidates must remove their hard disks and submit them to the Assessor at the end of the examination. The Assessor will begin the wiping process of the hard disk and return the wiped and clean disk to the candidate within 42 days. For more information, please visit CREST’s official guide.

Can I extend the time allowed for an examination?

No, completing the tasks within the allotted time is a part of the examination. All the exam tasks are achievable within the permitted time provided the candidate is competent, confident, and knows what they are doing.

What proof does CREST require to extend my allowed time because of a medical condition?

In case of a medical condition or emergency that qualifies for a time extension, CREST requires a letter from the doctor or the medical consultant to back your request.

Can I listen to music during the examination?

Yes, you can listen to music during the exam, provided that it does not disturb the other candidates taking the exam. You will have to bring your headphones/earphones to use.

When will I receive my exam results?

CREST delivers exam results within 30 days of the candidate taking the examination.

How long do I have to wait before I can retake the exam?

CREST has different retake periods for written and practical exams. Generally, for the written portion, the retake period is seven days; for the practical portion, it is eight weeks (2 months). You must refer to official sources for accurate information. For more information, please visit CREST’s official exam retake timetable.
