After more and more friends have taken the exam, the picture is becoming quite clear about e.g. CRT.
For the first part, you have a lot of multiple choice questions about theory, you have 30 seconds for each question.
The next part, which most people fail, is the practical part, where you have 2 minutes for each test (total of 50 right now), in a block with 512 IP's, meaning you don't have time to scan the entire block if you want to scan all ports.
Some of these questions are e.g., there is a vulnerability on this IP, find and exploit it. You got 2 minutes.
The best part is, these questions both pratical and theoretical, are generally not that hard. They are around OSCP level, except the practical questions are a lot easier.
In fact, multiple persons have said all of the test is noob easy, but the problem is that it's almost impossible to do in the time allocated. Let me give you a hint, 3 hours in total, and there's over 170 questions in total, 120 theoretical (1 hour) and 50 questions (2 hours).
Assume you have everything open, even Metasploit.
- Read and understand the question: 15-30 seconds
- Figure out what tool to use: 0-15 seconds
- Can't remember the flags? Read the man page: 0-120. (It's easy to loose time here.)
- Run e.g. nmap with a script scan: 30 - 240+ seconds
- Run nmap again because it failed or you used the wrong switch(es): 30 - 240+ seconds
- Perform additional work which may be included in the question: 0-240+ seconds.
Does anyone else see the problem? Even an experienced pentester is not able to do all practical questions in time. It's simply almost impossible, unless you got some sort of automation and perhaps AI on your side.
If you can remember everything, you may be able to get everything right, but you have to be fast typing too, and know everything about everything including exactly how long tools and scripts takes to run.
When you do a real penetration test, does this matter? No, unless a tool is taking way too long to execute, or if you're doing an internal pentest and you only got 1 day, or an external vulnerability assessment and you have +1024 IPs, you have to plan, accordingly, what are the best ways to scan, and you may even use a distributed scanning network.
Can you use multiple laptops during CRT (CREST)? No.
I hope that they will make the questions harder, as a colleague of mine said anyone could do it, it's just time you need, and that if they make the questions harder, they either remove some of the questions, or increase the time-limit.
Another insane thing, is that if you fail CRT (1000$), or CCT (3000$), you have to, pay 1000$ or 3000$, again! A lot of pentesters have a yearly budget of 5000$. Yeah, a retest for the same price as the original certification is very reasonable, not lol.
And fyi, CREST is apparently, non-profit. Imagine a guy fails CCT x3? 9'000$, sure, non-profit. I can agree to the extremely unreasonable prices, which ONLY includes certification, there's no course-ware whatsoever. But a re-test, costing the exact same amount of money, now that's just grotesque. (i.e. super lame)
I haven't even done this exam yet, but many friends have attempted and most have failed, and I am disappointed in that CREST hasn't been shut out from the industry yet or forced to improve, as there's a lot of people complaining.
CREST, does not test a real penetration tester's skills. OSCE will test some of a penetration tester's skills, even though I must agree that I have yet to see any of the scenarios in real life, but it does force you to think outside the box and be creative, which is important as a pentester.
I'm an InterN0T'er