CREST Examination Changes

A number of strategic changes to the delivery of examinations took place throughout 2016.  The changes have allowed us to scale our examinations capability, providing access to assessment centres throughout the UK and a greater reach to our internationally based company members.  The examinations continue to support talented people in the Cyber Security industry, providing meaningful certifications for people that are starting or developing further in their careers.  This delivery model has allowed us to facilitate sustained investment in new examination content and to continue to deliver the highest quality of examinations to our industry.

CREST is acutely aware that there is a shortage of talented people entering the cyber security industry.  As a consequence, the CREST Practitioner Security Analyst (CPSA) exam has been restructured to encourage new entrants to gain their first step on the pathway to a career in technical cyber security.

The international influence, and therefore the membership, of CREST has grown in recent years and to support this, CREST selected Pearson Vue to be its global partner for delivering written examinations.  By working with Pearson Vue, CREST is now able to deliver written examinations to candidates in more than 6,000 locations across the world.  This allows CREST to deliver examinations in significantly more locations in the UK, mainland Europe, Asia, Africa, Australasia and the Americas.

Working with Pearson Vue, CREST made changes to the examination process.  We separated the written aspect of some key examinations from the practical components.  In this process, the written elements are taken in Pearson Vue approved test centers and the practical elements of these examinations are delivered in regional CREST examination centers.  In the USA, our examination center is in New York City.  Examination centers are currently also in Asia, the UK and Australia.

The separation of practical from written elements will be staged across all examinations.  CREST Practitioner Security Analyst (CPSA), CREST Registered Penetration Tester (CRT), CREST Certified Web Applications Tester (CCT App) and CREST Certified Infrastructure Tester (CCT Inf) are the first examinations to undergo this change.  Once these examinations have been successfully migrated to the new examination delivery platform, we intend to roll this out in a phased process across the wider examination programmes.

Key Points

Changes to CPSA
The CREST Practitioner Security Analyst (CPSA) is an entry level certificate for people starting their career in technical cyber security.  It is designed to test candidates’ ability to identify vulnerabilities in both infrastructure and web application resources.  CREST has migrated this examination to a written only format that will be delivered through the Pearson Vue network.

Changes to CRT
The CREST Registered Tester (CRT) examination has long been regarded as a valuable measurement of capability within the Penetration Testing industry.  Candidates sitting the examination had previously been expected to complete both written and practical multiple choice questions; a failure in either of these elements results in non-award of a CRT certificate.  CREST has separated the written examination from the practical examination:  the new CRT examination delivered in regional test centers (e.g. New York) is a practical only assessment;  this allows CREST companies and new entrants to the industry to benchmark themselves against the CREST qualifications.

CREST will not be dropping the theory based components of this examination.  Instead, the written elements have been migrated into the CPSA examination.  As a consequence, for an individual to be awarded the CREST Registered Tester status, they will be expected to have passed both the new format CPSA multiple choice (written) and the CRT practical examinations.

An individual passing the written but failing the practical element of the CRT exam will be awarded a Practitioner certificate.  This will allow those who are not sure of their current level of competence to take the examinations in a structured way and position themselves within the profession.

All CRT candidates must have a CPSA pass in order to book to sit the CRT practical to enable the award of a CRT qualification.

OSCP/CRT Equivalence

Individuals that are being granted CRT through OSCP equivalency will be required to take the CPSA examination to be awarded CREST Registered Tester status.  This has been previously referred to in literature as the CRT Top-up examination.  Please also note:
  • OSCP Taken First (No existing CREST Certifications):  Provide evidence of OSCP examination pass and pay US$500 fee to CREST.  CREST will then issue the candidate with a voucher that will give the candidate eligibility to sit the CREST CPSA examination at a Pearson Vue Test Centre.  On passing the examination, CREST will issue CRT (Pen) equivalency.
  • Current CREST CPSA taken first (pre 6th June 2016).  OSCP taken second:  Candidates that have old style CPSA exams are not able to use these as part of the OSCP to CRT equivalency programme.  The CPSA exam experienced significant changes in May 2016 and consequently the question bank has experienced significant change.  Candidates that have an old CPSA certification and that are awarded an OSCP certification are encouraged to apply for CRT equivalency under the standard OSCP/CRT equivalency programme.  After paying a US$500 administration fee, candidates will be given a voucher that will entitle them to take the CPSA top up examination at a Pearson Vue Test Center.
  • New CPSA taken alongside OSCP:  Candidates that take CPSA first and then take their OSCP are eligible to be granted CRT (Pen) equivalency.  There is a GBP£100 processing fee for candidates pursuing this approach.  This covers the exam checks that take place between CREST and Offensive Security.  After paying GBP£100 and on receipt of appropriate exam checks from Offensive Security, candidates will be awarded CRT (Pen) certifications.

Changes to CREST Certified level examinations
As a consequence of the changes that will be introduced by separating the written components of the CREST Certified Tester (CCT) from the practical components, CREST made a series of changes to the practical elements of the examinations.

The written and practical components of the CREST Certified level Infrastructure and Web Applications examinations are now separate.  The written component is delivered via Pearson Vue test center;  the practical examinations will remain half day examinations delivered in a regional test center (e.g. New York City).

All CCT candidates must have a pass in the written examination in order to book the CCT practical in that examination to enable the award of a CCT qualification.

Candidates should ensure that they allow sufficient time for the re-certification process to enable them to maintain their qualification.

CCT level certificates will be valid from the date of passing the practical elements of the examination.  Renewals will be based on the certificate issue date.

All Other examinations

The written elements of all CREST examinations will, in due course, be delivered at a Pearson Vue center of choice.  The practical elements of any CREST examinations will be delivered at an Examination Center.  The CREST Examination Centers will be located in a number of regions globally.  In the USA, the center is in New York City;  in the UK, the center is in Slough, Berkshire;  in Singapore, the center is in the Singapore Institute of Technology.  Other centres will be listed on the CREST website in the near future.

NCSC notification
CREST has briefed the NCSC (formerly CESG) about the changes to the CRT examination format.

Our Frequently Asked Questions, updated on 11.04.2016, contain additional information that Candidates may find helpful.

Flowchart of route to CREST Qualification
