Update:
After more and more friends have taken the exam, the picture is becoming quite clear about e.g. CRT.

For the first part, you have a lot of multiple choice questions about theory, you have 30 seconds for each question.

The next part, which most people fail, is the practical part, where you have 2 minutes for each test (total of 50 right now), in a block with 512 IP's, meaning you don't have time to scan the entire block if you want to scan all ports.

Some of these questions are e.g., there is a vulnerability on this IP, find and exploit it. You got 2 minutes.

The best part is, these questions both pratical and theoretical, are generally not that hard. They are around OSCP level, except the practical questions are a lot easier.

In fact, multiple persons have said all of the test is noob easy, but the problem is that it's almost impossible to do in the time allocated. Let me give you a hint, 3 hours in total, and there's over 170 questions in total, 120 theoretical (1 hour) and 50 questions (2 hours).

Assume you have everything open, even Metasploit.
- Read and understand the question: 15-30 seconds
- Figure out what tool to use: 0-15 seconds
- Can't remember the flags? Read the man page: 0-120. (It's easy to loose time here.)
- Run e.g. nmap with a script scan: 30 - 240+ seconds
- Run nmap again because it failed or you used the wrong switch(es): 30 - 240+ seconds
- Perform additional work which may be included in the question: 0-240+ seconds.

Does anyone else see the problem? Even an experienced pentester is not able to do all practical questions in time. It's simply almost impossible, unless you got some sort of automation and perhaps AI on your side.

If you can remember everything, you may be able to get everything right, but you have to be fast typing too, and know everything about everything including exactly how long tools and scripts takes to run.

When you do a real penetration test, does this matter? No, unless a tool is taking way too long to execute, or if you're doing an internal pentest and you only got 1 day, or an external vulnerability assessment and you have +1024 IPs, you have to plan, accordingly, what are the best ways to scan, and you may even use a distributed scanning network.

Can you use multiple laptops during CRT (CREST)? No.

I hope that they will make the questions harder, as a colleague of mine said anyone could do it, it's just time you need, and that if they make the questions harder, they either remove some of the questions, or increase the time-limit.


Another insane thing, is that if you fail CRT (1000$), or CCT (3000$), you have to, pay 1000$ or 3000$, again! A lot of pentesters have a yearly budget of 5000$. Yeah, a retest for the same price as the original certification is very reasonable, not lol.

And fyi, CREST is apparently, non-profit. Imagine a guy fails CCT x3? 9'000$, sure, non-profit. I can agree to the extremely unreasonable prices, which ONLY includes certification, there's no course-ware whatsoever. But a re-test, costing the exact same amount of money, now that's just grotesque. (i.e. super lame)


I haven't even done this exam yet, but many friends have attempted and most have failed, and I am disappointed in that CREST hasn't been shut out from the industry yet or forced to improve, as there's a lot of people complaining.

CREST, does not test a real penetration tester's skills. OSCE will test some of a penetration tester's skills, even though I must agree that I have yet to see any of the scenarios in real life, but it does force you to think outside the box and be creative, which is important as a pentester.

If you're a new in the infosec industry, don't even attempt CRT. You need to know theory by heart, and know the most common switches for several tools as well, and be able to solve a lot of problems fast.

Doing PWB first is a good idea, as you learn the tools, and also to use other tools than the default ones, including a bit of scripting, and to think outside the box. 

I haven't taken the exam myself yet, but from what I was told by people who sat for the exam, not a single one described it nearly as extreme as you did. It will certainly take quite a time before I attempt it, if at all, but I'm curious how difficult it will be.

This is a very interesting thread - I've been looking at getting into InfoSec and I was recommended by an experienced professional I met at an event to get a CRT cert and the job offers would come knocking on my LinkedIn profile.

My current work (I'm a developer currently) have provisionally signed off on paying for the CRT exam but now I'm thinking one of Offensive Security's courses might be a more sensible bet?

Background: I've competed in the UK Cyber Security Challenge the last couple of years and last year my prize for getting to the final was a place on 7safe's Certified Application Security Tester (CAST) course, which was great fun and I completed it with full marks. I really can't afford to resit CRT with my own money at the moment and this thread is about the most information I've found out about what kind of level the syllabus is set at. The whole thing just seems very opaque and not very helpful for someone in my position.

Can anyone recommend an alternative to CREST that would increase my employability and maybe have some actual course materials available?

Is Tiger less opaque?

I guess this goes back to the question in the original post then: How do you prepare for the CRT exam?

Winky smiley noted - I wanted the cert so that I COULD join a pentest company!

Maybe I'm over thinking it and it's not that hard to get into pentesting.