CREST Examinations - Changes to Format

Background
A number of strategic changes to the delivery of examinations took place throughout 2016.  The changes have allowed us to scale our examinations capability, providing access to assessment centres throughout the UK and a greater reach to our internationally based company members.  The examinations continue to support talented people in the Cyber Security industry, providing meaningful certifications for people that are starting or developing further in their careers.  This delivery model has allowed us to facilitate sustained investment in new examination content and to continue to deliver the highest quality of examinations to our industry.

CREST is acutely aware that there is a shortage of talented people entering the cyber security industry.  As a consequence,  the CREST Practitioner Security Analyst (CPSA) exam has been restructured to encourage new entrants to gain their first step on the pathway to a career in technical cyber security.

The international influence, and therefore the membership, of CREST has grown in recent years and to support this, CREST selected Pearson Vue to be its global partner for delivering written examinations.  By working with Pearson Vue, CREST is now able to deliver written examinations to candidates in more than 6,000 locations across the world.  This allows CREST to deliver examinations in significantly more locations in the UK, mainland Europe, Asia, Africa, Australasia and the Americas.

Working with Pearson Vue, CREST have made changes to the examination process.  We have separated the written aspect of some key examinations from the practical components.  In this process, the written elements are taken in Pearson Vue approved test centres and the practical elements of these examinations are delivered in regional CREST examination centres.  In the UK, this will continue to be Slough.  Additional examination centres are being created in Asia and work has started to work toward a centre in the Americas.

The separation of practical from written elements will be staged across all examinations.  CREST Practitioner Security Analyst (CPSA), CREST Registered Penetration Tester (CRT), CREST Certified Web Applications Tester (CCT App),  CREST Certified Infrastructure Tester (CCT Inf) and CREST Certified Simulated Attack Specialist (CC SAS) have all undergone this change.  Further phased migrations across the wider examination programmes will continue to take place.

Key Points

Changes to CPSA
The CREST Practitioner Security Analyst (CPSA) is an entry level certificate for people starting their career in technical cyber security.  It is designed to test candidates’ ability to identify vulnerabilities in both infrastructure and web application resources.  CREST has migrated this examination to a written only format that will be delivered through the Pearson Vue network.  In addition to this, CREST has reduced the price of this examination from £350 to £250 to further stimulate the market.

Changes to CRT
The CREST Registered Tester (CRT) examination has long been regarded as a valuable measurement of capability within the Penetration Testing industry.  Candidates sitting the examination have previously been expected to complete both written and practical multiple choice questions, a failure in either of these elements results in non-award of a CRT certificate.

CREST has separated the written examination from the practical examination:  the new CRT examination delivered in regional test centres (eg. Slough) is a practical only assessment;  this allows CREST companies and new entrants to the industry to benchmark themselves against the CREST qualifications.

CREST will not be dropping the theory based components of this examination.  Instead, the written elements have been migrated into the CPSA examination.  As a consequence, for an individual to be awarded the CREST Registered Tester status, they will be expected to have passed both the new format CPSA multiple choice (written) and the CRT practical examinations. An individual passing the written but failing the practical element of the CRT exam will be awarded a Practitioner certificate.  This will allow those who are not sure of their current level of competence to take the examinations in a structured way and position themselves within the profession.

All CRT candidates must have a CPSA pass in order to book to sit the CRT practical to enable the award of a CRT qualification.

OSCP/CRT Equivalence
Individuals that are being granted CRT through OSCP equivalency will be required to take the CPSA examination to be awarded CREST Registered Tester status.  This has been previously referred to in literature as the CRT Top-up examination.

Please also note:
  • OSCP Taken First (No existing CREST Certifications):     Provide evidence of OSCP examination pass and pay £350 fee to CREST.  CREST will then issue candidate with a voucher that will give the candidate eligibility to sit the CREST CPSA examination at a Pearson Vue Test Centre.  On passing the examination, CREST will issue CRT (PEN) equivalency.
  • Current CREST CPSA taken first (pre 6th June 2016).  OSCP taken second:   Candidates that have old style CPSA exams are not able to use these as part of the OSCP to CRT equivalency programme.  The CPSA exam experienced significant changes in May 2016, and consequently the question bank has experienced significant change.  Candidates that have an old CPSA certification and that are awarded an OSCP certification are encouraged to apply for CRT equivalency under the standard OSCP/CRT equivalency programme.  After paying a £350 administration fee, candidates will be given a voucher that will entitle them to take the CPSA top up examination at a Pearson Vue Test Centre.
  • New CPSA taken alongside OSCP:   Candidates that take CPSA first and then take their OSCP are eligible to be granted CRT (Pen) equivalency.  There is a £100 processing fee for candidates pursuing this approach.  This covers the exam checks that take place between CREST and Offensive security.  After paying £100 and on receipt of appropriate exam checks from Offensive Security, candidates will be awarded CRT (Pen) certifications.
For candidates operating in the UK that wish to achieve CHECK Team leader status, it is not possible to take the OSCP equivalency route to achieving CRT (Pen) status.  Candidates wishing to achieve CHECK Team member status are required to sit CREST CPSA and CREST CRT examinations directly with CREST.
Changes to CREST Certified level examinations
As a consequence of the changes that will be introduced by separating the written components of the CREST Certified Tester from the practical components, CREST has made a series of changes to the practical elements of the examinations.The written and practical components of the CREST Certified level Infrastructure, Web Applications and Simulated Attack Specialist examinations are now separate.  The written component is delivered via Pearson Vue test centre;  the practical examinations will remain half day examinations delivered in a regional test centre (eg. Slough).  All CCT level candidates must have a pass in the written examination in order to book to sit the CCT practical in that examination to enable the award of a CCT qualification.  Candidates should ensure that they allow sufficient time for the re-certification process to enable them to maintain their qualification.  CCT level certificates will be valid from the date of passing the practical elements of the examination.  Renewals will be based on the certificate issue date.
All Other examinations

Further phased migrations across the wider examination programmes will continue to take place whereby the written elements of CREST examinations will be delivered at a Pearson Vue centre of choice and the practical elements at an Examination Centre.

The CREST Examination Centers will be located in a number of regions globally.  In the USA, the center is in New York City;  in the UK, the center is in Slough, Berkshire;  in Singapore, the center is in the Singapore Institute of Technology.  Other centres will be listed on the CREST website in the near future.

NCSC notification: CREST has advised the NCSC of the changes to the CRT examination format.

Our Frequently Asked Questions, updated on 11.04.2016, contain additional information that Candidates may find helpful.

Flowchart of route to CREST Qualification


Route to Qualification_withoutSAS-SAM v0.2