CREST Information

Viewing 32 reply threads
    • #5524
      Don Donzal
      Keymaster

      As many of you may know, CREST is a UK non-profit offering credentials in ethical security testing. They are making attempts to move out of just providing credentials in the UK and are moving into the US market and eventually go global.

      I’d like to talk to any EH-Net reader about their thoughts and experiences with CREST. Please PM me with your thoughts on the org and their offerings.

      For those who don’t know, here is the about section:

      CREST is a not for profit organisation and is governed by a formal Memorandum of Association (MOA) as a company limited by guarantee. Under this MOA, companies are invited to join a trade association as members, subject to certifying that they meet the minimum standards of ethics, methodologies, and technical capability.

      In contracting a CREST member organisation to perform a security test, a client can feel secure in the knowledge that the work will be carried out to rigorous standards by qualified, knowledgeable individuals.

      Penetration testing is a widely accepted method of assuring information security and has become an integral part of many organisations’ operational and technology risk management programs. Yet despite the widespread use of penetration testing, there has historically been a definite lack of agreed standards and practices.

      CREST (Council of Registered Ethical Security Testers) was created in response to the need for regulated and professional security testers to serve the global information security marketplace. CREST’s main aim is to represent the information security testing industry and offer a demonstrable level of assurance as to the competency of organisations and individuals within those approved companies.

      CREST is a standards-based organisation for penetration test suppliers incorporating a best practice technical certification programme for individual consultants. Additionally, CREST provides its members with a framework of guidance including standards, methodologies and recommendations aimed at ensuring the very highest standards of leading-edge security testing.

      For more info:
      http://www.crest-approved.org/

      Don

    • #34865
      charliemong
      Participant

      Hi Don,

      I would be interested in what you find about these guys as a company. The 7Safe guys have mentioned that they do 2 courses that get you CREST qualified. Would just be out of interest now though.

    • #34866
      T_Bone
      Participant

      Yes, I have also heard the same thing from Ian Glover at a conference here in the UK recently. I am hoping we get some answers to this one as the CREST CCT Infrastructure exam also gives you CHECK Team Leader status, which is pretty much the certification Pen Testers in the UK want to have. They have also released an intermediate level CRT which is next on my list!

    • #34867
      tturner
      Participant

      NBISE is now accepting registration for beta CREST exams

      http://nbise.org/certifications.php

    • #34868
      impelse
      Participant

      I always see that certification. It looks interesting and pricy too.

    • #34869
      JrGong
      Participant

      I am scheduled on Oct. 18th to take the CRT in Orlando. I currently hold a CCNA, CWNA, OSCP, Security+. I have been looking around for study material for the CREST exams and it seems to be non-existent. If anyone else is taking it and is interested in studying please feel free to drop me a PM.

      Also for a little background, to be able to touch .gov systems in the UK you have to be CHECK certified by CESG (guessing it’s similar to the NSA here). CREST certs are a requirement to become CHECK certified, so from what I understand CESG helped define the objectives, etc.

      http://www.gchq.gov.uk/about_us/cesg.html  <– Info about CESG
      http://www.cesg.gov.uk/products_services/iacs/check/index.shtml  <– Info about CHECK

      *Disclaimer* This is just from what I have read and gathered from talking to people in the UK.

    • #34870
      tturner
      Participant

      I’m also scheduled for the CRT in Orlando. I’m still debating this week whether I’m actually willing to pony up 600.00 for an exam I don’t know much about or if I’d be better off paying for that GCIH challenge I keep meaning to take (Am a class alumni but never took exam and will need for GSE). If anyone has more info I’d appreciate it. The following link may help in preparation.

      http://www.crest-approved.org/crest-notes-for-candidates-CRT-v1.1.pdf

      Feel free to hit me up if you want to coordinate study. For pentesting certs I have GPEN and GAWN only (in addition to CISSP, CISA and some other GIAC and other industry certs).

    • #34871
      JrGong
      Participant

      Thought I would just also add that the pilot exam is the EXACT same exam as the one in the UK.  So if you take it you will be ‘officially’ CREST certified, regardless of what becomes of NBISE.

    • #34872
      T_Bone
      Participant

      @ JrGong – There is indeed no “official” reading or training for the CREST certification. I know a few people who have performed the CCT level certifications and they have confirmed that as long as you know the information on the syllabus and have a few years’ experience pen testing you should be OK. It certainly IS NOT an easy certification and is very far from CEH level. I am intending to do the CRT (intermediate level) here in the UK at the end of the year 🙂

      http://www.crest-approved.org/crest-technical-syllabus-v1.3.pdf

    • #34873
      JrGong
      Participant

      Thanks for the info T_Bone. I think I have most of the knowledge that is on the syllabus but I do not have any experience doing pentesting so I’m brushing up on methodologies etc.

    • #34874
      trighger
      Participant

      Having researched a lot of options I decided to take the CAST course because I wanted to prep for the CREST application tester exam and it is a hands on course aligned with CREST.

      Having gained the CSTA and CSTP certs with 7Safe previously (I am in the UK), I found the CAST exam to be a major step up in terms of the learning level. It is designed to make you think, and our instructor was an experienced pen tester. The exam was a series of challenges – and in the end about 30% of us managed a pass.

      I understand this is being offered in the US as well, what with CREST becoming an international standard.

      http://www.7safe.com/application_security_training_course.htm

    • #34875
      T_Bone
      Participant

      @ trighger

      Wow that course does sound pretty difficult if only 30% passed. Sounds like it would be good prep for the CREST CCT level if this is the case 🙂

    • #34876
      Amidamaru
      Participant

      Hi guys,

      Any thoughts about what kind of study requirements are needed for the CREST Registered Tester Certification Examination, CREST’s entry level certification?

      Today I was informed that I must aim for it if I want to make an extra buck for my family.

      Also, if I don’t ask for too much, which might be the study papers that should be used to “acquire the target”?

      I mean I’m trying to get “intel” about how difficult it will be, based on the “know your enemy” before anything else concept 🙂

      Thanks much,

      -Johnny

    • #34877
      MaXe
      Participant

      They have indeed and somewhat unfortunately come to Australia as well.

      This is the reaction from most information security professionals down under:
      http://securityreactions.tumblr.com/post/32935107872/crest

      What are the extremely fair examination fees? (GST means “tax”.)
      – CREST Registered Tester – $1,000 + GST (GST = ~100$)
      – CREST Certified Tester (Certified Web Application Tester) – $3,000 + GST (GST = ~300$)
      – CREST Certified Tester (Certified Infrastructure Tester) – $3,000 + GST (GST = ~300$)

      These fees only include the certification (and examination process), for this non-profit company.

      As they have a hand in the government, CREST may become mandatory in Australia.

      Syllabus
      CRT – Registered Tester:
      http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-crt-v1.0.pdf
      http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf

      CCT – Certified Web Application Tester:
      http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdf
      http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf

      CCT – Certified Infrastructure Tester:
      http://www.crestaustralia.org/docs/crest-australia-notes-for-candidates-cct-v1.0.pdf
      http://www.crestaustralia.org/docs/crest-australia-technical-syllabus-v1.0.pdf

      Random facts and opinions:
      – Does it expire? Yes, I think it’s every 4 years or so. Wouldn’t be much of a non-profit if all their uhm, zero profits isn’t recurring.
      – What’s up with the price? It’s not really a non-profit company when you have to pay that much for a certification.
      – How’s the exam, technology wise? You’re tested in both current AND seriously outdated information, some of it which a penetration tester may never see or need to hear about.
      – How hard is the exam? Almost impossible, at one point you have e.g. 50 practical questions where each often requires a hack of a custom application. (CCT Web App.)
      – These practical questions, what are they? Some of them are related to e.g. Blind SQL Injection, where you have to pretty much dump an entire database, where tools such as sqlmap do not work, so you end up having to do it manually, which costs you too much time, so you fail and will have to take a retest, which is around 1000$ more, plus GST.
      – Is it realistic? Not really. People with 10 years of experience within information, where 5 may be penetration or even the whole 10 years, fail this certification. Despite that, I can personally vouch for their skills. Some people come from extreme hacker backgrounds, with so much knowledge you wonder if they are even human, as they have come up with amazing hacks, unreleased research, etc., yet these people fail too.
      – What’s the best way to prepare for this exam? Check out the syllabus (region wise), and study all topics in depth. You will definitely be tested in topics you most likely don’t need in your job. (i.e. how certain protocols work, oh I forgot, this is more like a computer science exam at some points.)

      What do I think? I think it’s bs; it’s certifications like these that make the infosec industry a joke, especially if it becomes mandatory. CRT and CCT don’t make you a penetration tester or a true hacker. It’s hard, yes, just like CHECK Team Leader, but it does not prove your true skill.

      True skill is proven by what you have specialised in, and what you do with that skill. If you’re able to think outside the box, perform advanced hacks and understand the entire process, then you’ve got the right skills.

      Who are the leaders in courses and certifications?
      – Offensive Security
      – Corelan
      – SANS & GIAC (SOME of their advanced courses, not all of them.)
      – Immunity Inc
      – SensePost (I have heard they’re pretty good, not 100% sure about their courses but their name pops up all the time.)
      – Some BlackHat courses (I know that these are different vendors offering courses here.)
      – And probably a few others I forgot to mention.

      Let’s take a look at the syllabus.

      First I wonder, why aren’t these mentioned:
      – Cross-Site Request Forgery (This doesn’t seem to be mentioned, or is it under the XSS category? If so, major fail, it has nothing to do with XSS even though it can be used with XSS.)
      – Local and Remote File Inclusion (Any web app pentester must know about these. And no they are NOT named code injection in case CREST named them that.)
      – DNS Classes (INternet, CHaos, etc.)
      – Advanced Cross-Site Scripting (As this certification is aimed at “experts” it seems, it should have at least a basic module about what’s possible with XSS, e.g. http://www.exploit-db.com/vbseo-from-xss-to-reverse-php-shell/ )

      Now here comes my “WHY GOD WHY” section:
      – Token ring (When was the last time you pentested this? I know how it works, but seriously, this isn’t a computer science exam.)
      – Generating ICMP packets (LOL? Yes, you can use Scapy, hping3, or for that sake “ping”; all of them can generate ICMP packets for you, some of them can generate one (ping), while some can be used to generate virtually all (hping3, and Scapy). But why? Why do you need to be able to prove this?)
      – rusers (When was the last time you were able to execute this command? 10, 20 years ago?)
      – rwho (When was the last time you were able to execute this command? 10, 20 years ago?)
      – finger (When was the last time you were able to execute this command? 10, 20 years ago?)
      – Berkeley r* services? (When was the last time, or how often have you seen these enabled? I have seen some once or twice over the last year or so, but were they listening on the Internet? No.)
      – CRLF Attacks? (LOL, seriously? Call it header injection ffs.)

      As I haven’t taken the exam yet, but friends have and even right now, some colleagues are taking the certification, the picture I have had drawn out by them doesn’t seem pretty.

    • #34878
      Amidamaru
      Participant

      Woaaa….THANKS so much MaXe for such detailed overview picture.

      Despite the fact that I totally agree with your sayings, especially with the security professionals’ reaction, CREST became in demand in every area under the Queen’s influence.

      NO CREST, no contract, almost no matter what else you eventually have. Soon they will ask for NATO clearance as well.

      However, I like their CRT syllabus. It’s well structured, an awesome learning guide though.

      I’ll check the rest of the cert providers that you pointed me to and I’ll go to my boss for an additional further talk.

      -Johnny

    • #34879
      MaXe
      Participant

      No problem, if you’re already working in penetration testing, I suggest you aim for CRT (or CCT) as soon as possible, as it is as you say, no CREST, no contract in a lot of places. When I had interviews over the phone for jobs in England, I was often asked for CHECK and/or CREST as if it would be normal for me to have them, despite never having been there before. (And since CREST only existed in the UK at that time afaik, why would anyone else have the cert when there’s no need? Most people I’ve met that didn’t come from England had never heard of CREST.)

      There are some pentest jobs in certain countries that do require a high clearance. Well, they require it at least in Denmark and Australia for doing special types of government work, naturally.

      But it wouldn’t surprise me if a NATO clearance will be required soon, meaning it will be even harder for newbies to get into ethical hacking. I can understand that for certain projects (when you already have the job), e.g. here, you’re getting an extensive background check.

    • #34880
      MaXe
      Participant

      Update:
      After more and more friends have taken the exam, the picture is becoming quite clear about e.g. CRT.

      For the first part, you have a lot of multiple choice questions about theory, you have 30 seconds for each question.

      The next part, which most people fail, is the practical part, where you have 2 minutes for each test (total of 50 right now), in a block with 512 IPs, meaning you don’t have time to scan the entire block if you want to scan all ports.

      Some of these questions are e.g., there is a vulnerability on this IP, find and exploit it. You got 2 minutes.

      The best part is, these questions, both practical and theoretical, are generally not that hard. They are around OSCP level, except the practical questions are a lot easier.

      In fact, multiple persons have said all of the test is noob easy, but the problem is that it’s almost impossible to do in the time allocated. Let me give you a hint, 3 hours in total, and there’s over 170 questions in total, 120 theoretical (1 hour) and 50 questions (2 hours).

      Assume you have everything open, even Metasploit.
      – Read and understand the question: 15-30 seconds
      – Figure out what tool to use: 0-15 seconds
      – Can’t remember the flags? Read the man page: 0-120 seconds. (It’s easy to lose time here.)
      – Run e.g. nmap with a script scan: 30 – 240+ seconds
      – Run nmap again because it failed or you used the wrong switch(es): 30 – 240+ seconds
      – Perform additional work which may be included in the question: 0-240+ seconds.

      Does anyone else see the problem? Even an experienced pentester is not able to do all practical questions in time. It’s simply almost impossible, unless you got some sort of automation and perhaps AI on your side.

      If you can remember everything, you may be able to get everything right, but you have to be fast at typing too, and know everything about everything including exactly how long tools and scripts take to run.

      When you do a real penetration test, does this matter? No, unless a tool is taking way too long to execute, or if you’re doing an internal pentest and you only got 1 day, or an external vulnerability assessment and you have +1024 IPs; you have to plan accordingly what the best ways to scan are, and you may even use a distributed scanning network.

      Can you use multiple laptops during CRT (CREST)? No.

      I hope that they will make the questions harder, as a colleague of mine said anyone could do it, it’s just time you need, and that if they make the questions harder, they either remove some of the questions, or increase the time-limit.

      Another insane thing is that if you fail CRT (1000$), or CCT (3000$), you have to pay 1000$ or 3000$ again! A lot of pentesters have a yearly budget of 5000$. Yeah, a retest for the same price as the original certification is very reasonable, not lol.

      And fyi, CREST is apparently, non-profit. Imagine a guy fails CCT x3? 9’000$, sure, non-profit. I can agree to the extremely unreasonable prices, which ONLY includes certification, there’s no course-ware whatsoever. But a re-test, costing the exact same amount of money, now that’s just grotesque. (i.e. super lame)

      I haven’t even done this exam yet, but many friends have attempted and most have failed, and I am disappointed in that CREST hasn’t been shut out from the industry yet or forced to improve, as there’s a lot of people complaining.

      CREST does not test a real penetration tester’s skills. OSCE will test some of a penetration tester’s skills, even though I must agree that I have yet to see any of the scenarios in real life, but it does force you to think outside the box and be creative, which is important as a pentester.

    • #34881
      Amidamaru
      Participant

      Nice hints mate and again, very interesting details into the big picture. I really appreciate your help in this matter. THANKS!

      I’ve spoken with my boss and I’ve let him know that in this CREST job failure ain’t an option so I need some preparation.

      I’ve succeeded in obtaining a slight delay in pursuing CRT with an intermediate goal though, Penetration Testing with BackTrack (PWB) as a start.

      Unfortunately, the company won’t cover the exam expenses so I’ll need to cover it with my earnings; maybe some online poker nights will help me out. But, as Bill Gates said, life is a bitch and the military taught me this aspect very well 🙂

      -j

    • #34882
      MaXe
      Participant

      If you’re new to the infosec industry, don’t even attempt CRT. You need to know theory by heart, and know the most common switches for several tools as well, and be able to solve a lot of problems fast.

      Doing PWB first is a good idea, as you learn the tools, and also to use other tools than the default ones, including a bit of scripting, and to think outside the box.  ;D

    • #34883
      Amidamaru
      Participant

      I won’t say I’m new to InfoSec after 9+ years but yes, a little more than new to the Pentest field.

      I’ve already played and won with ECSA and CEH but these are just appetizer starters into the field. I wanna move up step by step to the “Premier league”.

      Scripting, yes, so far I love Python.

      However, I still have a drawback about PWB training due to their newly announced release of BT, KALI. Then some course changes will take place and so on.

      ’Till then I’ve decided to practice on the free platforms such as hack.me and hackademia.us

      Thanks,

      -J

    • #34884
      UNIX
      Participant

      @MaXe wrote:

      – How hard is the exam? Almost impossible, at one point you have e.g. 50 practical questions where each often requires a hack of a custom application. (CCT Web App.)
      […]
      – Is it realistic? Not really. People with 10 years of experience within information, where 5 may be penetration or even the whole 10 years, fail this certification. Despite that I can personally vouch for their skills. Some people come from extreme hacker backgrounds, with so much knowledge you wonder if they are even human, as they have come up with amazing hacks, unreleased research, etc, yet, these people fail too.

      I haven’t taken the exam myself yet, but from what I was told by people who sat for the exam, not a single one described it nearly as extreme as you did. It will certainly take quite a time before I attempt it, if at all, but I’m curious how difficult it will be.

    • #34885
      MaXe
      Participant

      The thing is, they aren’t hard questions from what I heard. It’s simply the time being allocated that’s extreme, and these are facts just a couple of days old. The time being allocated may vary between Australia and the UK. Also, despite that a friend thought he failed recently, he actually passed. (He didn’t complete everything.)

    • #34886
      Strawp
      Participant

      This is a very interesting thread – I’ve been looking at getting into InfoSec and I was recommended by an experienced professional I met at an event to get a CRT cert and the job offers would come knocking on my LinkedIn profile.

      My current work (I’m a developer currently) have provisionally signed off on paying for the CRT exam but now I’m thinking one of Offensive Security’s courses might be a more sensible bet?

      Background: I’ve competed in the UK Cyber Security Challenge the last couple of years and last year my prize for getting to the final was a place on 7safe’s Certified Application Security Tester (CAST) course, which was great fun and I completed it with full marks. I really can’t afford to resit CRT with my own money at the moment and this thread is about the most information I’ve found out about what kind of level the syllabus is set at. The whole thing just seems very opaque and not very helpful for someone in my position.

      Can anyone recommend an alternative to CREST that would increase my employability and maybe have some actual course materials available?

    • #34887
      UKSecurityGuy
      Participant

      Background – I’m a security engineer working in the UK, who works on government systems performing Pen tests.

      It depends on what you’re looking for Strawp. There are only two examinations that I know of that will allow you to work on government systems in the UK (and obtain CHECK status). One is CREST, and the other is Tiger.

      If you want to do Pen testing in the UK you effectively have to do government work, which means obtaining one of the above certifications (either junior level or senior level).

      If you’re looking at jumping right in at decent money, you need to have CREST/Tiger already. The reason being is that you can’t touch government systems without one of those certs, so the Pen testing companies can’t really get you doing much for them, apart from the odd PCI check and some bank stuff.

      If you don’t mind being on a lower wage for a small amount of time (assuming you can pass the junior exams fairly quickly), any decent Pen testing cert (SEC560, OSCP, etc) will get your foot in the door with a Pen testing company here. From there they’ll push you through the junior CREST/Tiger certs, and then the senior certs, so you can obtain CHECK Team Leader status, and perform government testing on your own (juniors are not allowed to test government systems without a team leader being present).

      Hope that makes sense.

    • #34888
      Strawp
      Participant

      Is Tiger less opaque?

    • #34889
      UKSecurityGuy
      Participant

      From what I hear from the guys that have taken it – the Tiger exams are slightly easier than CREST, but the CREST certifications are more respected.

      Both of which have to be reviewed by CESG (GCHQ) to award the same status (CHECK tester) so I imagine that they’re going to be fairly similar.

    • #34890
      Strawp
      Participant

      I guess this goes back to the question in the original post then: How do you prepare for the CRT exam?

    • #34891
      UKSecurityGuy
      Participant

      Join a Pen Testing company 😉

      I hear that the 7safe course is pretty good http://www.7safe.com/ethical_hacking_course-technical_hands-on.htm for prep work.

      I wanted to jump directly into CHECK Team Lead (Infrastructure) status, but there wasn’t much information around for that, so I went the other route and decided to go down the GPEN path, to be followed up by OSCP at a later date.

    • #34892
      Strawp
      Participant

      @UKSecurityGuy wrote:

      Join a Pen Testing company 😉

      Winky smiley noted – I wanted the cert so that I COULD join a pentest company!

      Maybe I’m over thinking it and it’s not that hard to get into pentesting.

    • #34893
      UKSecurityGuy
      Participant

      Yeah – there is a lot of “join our company and we’ll teach you how to pass an exam” in this industry.

      Like I said previously, if you just want to get into Pen Testing, and you’re not bothered at the level you first join at, then get any decent Pen Testing certification and then apply to one of the ever growing number of Pen Testing companies in the UK.

    • #34894
      Strawp
      Participant

      Thanks.

      What kind of salary ranges do “junior” pentesters command?

    • #34895
      m0wgli
      Participant

      @Strawp wrote:

      I guess this goes back to the question in the original post then: How do you prepare for the CRT exam?

      I’m also from the UK, and am also working towards a career in Penetration testing. I’m currently working on the OSCP, and once I’ve got that I’m going for CRT.

      I’ve been using the crest-technical-syllabus to fill in any gaps in my knowledge.

      @UKSecurityGuy wrote:

      I hear that the 7safe course is pretty good http://www.7safe.com/ethical_hacking_course-technical_hands-on.htm for prep work.

      I took this recently, and was really impressed with the quality of both the materials and the instructors. You’ve already done the CAST so I guess you know that already.

      UKSecurityGuy’s advice is spot on from what I’ve seen so far researching jobs in the UK.

      @Strawp wrote:

      What kind of salary ranges do “junior” pentesters command?

      From what I’ve seen this can vary considerably depending on the company and your experience.

    • #34896
      gotinside
      Participant

      Is there anyone that in the meanwhile took this exam? Either CRT or CCT?
      Any tips/advice to share?

      Thanks

Copyright ©2020 Caendra, Inc.