CREST Certified Tester - Application (CCT APP)

Book your CCT APP exam today

Earn your CCT APP certification

The CREST Certified Tester - Application (CCT APP) exam is a rigorous assessment of the candidate’s ability to assess a network for flaws and vulnerabilities at the network and operating system layer.

The CCT APP is recognised by governments and regulators around the globe and is accepted by the UK National Cyber Security Centre (NCSC) as part of the CHECK scheme.

CCT APP exam guidance

Syllabus

The CCT APP exam syllabus defines the areas that are assessed within the CCT APP exam.

Candidates will be expected to find known vulnerabilities across common networks, applications, infrastructure and databases as well as new syllabus areas which include containerisation, cloud and macOS. CCT APP validates a practitioner’s ability to conduct vulnerability scans using commonly available tools and to interpret the results.

Successful CCT APP candidates will be able to demonstrate that they are qualified for Pen Test roles (indicative of 5-6+ years of experience) with respect to:

[CCT journey graphic] The timescales shown in the graphic are recommended, not mandatory.


  • Soft Skills and Assessment Management

The candidate will have a good understanding of the Engagement Lifecycle, Law and Compliance, Scoping, Managing Risk, Client Communications, Record Keeping, Reporting and Platform Preparation.

  • Core Technical Skills

The candidate will have a deep understanding of the use of prescribed tools to interpret output, Pivoting and Cryptography, and will be able to conduct OS fingerprinting.

The candidate will demonstrate a deep understanding of Hardware Security.

  • Web Technologies

The candidate will have a good understanding of Web Threat Modelling and Attack Vectors, and Server-Side Includes (SSI) Injection.

The candidate will demonstrate a deep understanding of Web Servers, Web App Frameworks, Markup Languages, Web Languages, Web APIs, Web App Reconnaissance, Information Gathering, Web Authentication and Authorisation, Input Validation, Fuzzing, XSS, SQL, NoSQL, ORM, XML and LDAP Injection, Mail and OS Command Injection, Sessions, Cookies, Session Hijacking, Cross-Site Request Forgery, Mass Assignment, Web Cryptography, Directory Traversal, File Uploads, CRLF Attacks, Web App Logic Flaws and Client-Side Vulnerabilities.

  • Databases

The candidate will demonstrate a deep understanding of SQL Relational Databases, MS SQL Server, Oracle RDBMS, MySQL, PostgreSQL and NoSQL.

  • Cloud Security

The candidate will have a good understanding of Pen Testing Authorisation, and Denial of Service and Resource Exhaustion.

The candidate will demonstrate a deep understanding of Virtual Private Clouds, Logging and Monitoring, IDAM, General Cloud Reconnaissance, and Host to Cloud Transition.

  • Internet Information Gathering and Reconnaissance

The candidate will have a good understanding of DNS, Search Engines, Newsgroups and Mailing Lists, and Social Media.

The candidate will demonstrate a deep understanding of Website Analysis, Information Leakage, and Document Metadata.

  • Networks

The candidate will have a good understanding of Network Connections, Ethernet Protocols, VLAN Tagging, IPv4 and IPv6 Packet Manipulation, Network Architecture, Mapping and Devices, TCP, UDP, NAC, Wi-Fi, Service Identification, and Host Discovery.

The candidate will demonstrate a deep understanding of IPv4, IPv6, Network Filtering, Traffic Analysis, Service Identification, and Network Intrusion Protection.

  • Network Services

The candidate will have a good understanding of the concepts of Unencrypted Services (Telnet, FTP, SNMP, HTTP), Network Configuration Protocols, Management Services (Telnet, Cisco Reverse Telnet, SSH, HTTP, Remote PowerShell, WMI, WinRM, RDP, VNC, X), Desktop Access, IPsec, FTP, TFTP, SNMP, SSH, NFS and its security attributes, SMB including Windows file shares and Samba, LDAP, Berkeley R* Services and trust relationships, X, Finger, RPC Services, NTP, IPMI, VoIP, SMTP and Vulnerable Services.

The candidate will demonstrate a deep understanding of TLS/SSL, Name Resolution Services (DNS, NetBIOS/WINS, LLMNR, mDNS), and Network Authentication.

  • Microsoft Windows Security Assessment

The candidate will have a good understanding of Windows Reconnaissance, Network and Active Directory Enumeration, Windows Processes, Registry, Windows Remote and Local Exploitation, Patch Management, Windows Desktop Lockdown, Active Directory Attack Paths, and Common Windows Applications.

The candidate will demonstrate a deep understanding of Windows Passwords, Windows File Permissions, Advanced Local Exploitation, and Windows Post Exploitation.

  • Linux/UNIX Security Assessment

The candidate will have a good understanding of Linux/Unix Reconnaissance, Linux/Unix Network Enumeration, Linux/Unix Processes, Linux Remote Exploitation and Unix Exploitation.

The candidate will demonstrate a deep understanding of Linux/Unix Passwords, Linux/Unix File Permissions, Linux Local Exploitation, and Linux/Unix Post Exploitation.

  • Virtualisation

The candidate will have a good understanding of Virtualisation Platforms (including VMware, MS Hyper-V, Citrix, Oracle VirtualBox and Linux KVM), VM Escape and Snapshots.

  • Containerisation

The candidate will have a good understanding of Kubernetes and LXD.

The candidate will demonstrate a deep understanding of Containers and Docker.

  • Physical Security

The candidate will have a good understanding of Locks, Tamper Seals, Platform Integrity, Boot Sequence, Disk Encryption, Recovery Functionality and Authentication.

  • Secure Development Operations

The candidate will have a good understanding of Secure Code Practices, Security of the Development Lifecycle, Infrastructure as Code and Code Repository Security.

  • Social Engineering

The candidate will have a good understanding of Phishing and its variations, and Vishing.

  • macOS Security Assessment

The candidate will have a good understanding of macOS, Remote, Local and Post Exploitation, Reconnaissance and Passwords, macOS Network Enumeration and macOS File Permissions.

You can find the full CCT APP exam syllabus here.

Notes for Candidates

CREST Certified Tester – Application (CCT APP) – Notes for Candidates

The notes for candidates gather essential information about the CCT APP exam and are intended to support CREST candidates in their preparation, increasing their chances of success. They are split into 4 sections:

1. Exam Overview: explains the CCT APP exam and its general scope

2. Exam Structure: information on format, duration, materials allowed

3. Exam Content: details the content structure of the exam and what to expect

4. Exam Grading: information on marking structure and pass mark

 

1. Exam overview

 

The CCT APP is an advanced level examination that tests a candidate’s ability to find known vulnerabilities across common networks, applications, infrastructure and databases as well as containerisation, cloud and macOS. The CCT APP examination also covers a common set of core skills and knowledge and is exclusively available in over 1,000 Pearson VUE test centres globally.

 

2. Exam structure

 

Exam format

The CCT APP exam has two distinct parts:

– A written exam which is made of two components: a multiple-choice test and a written scenario

– A practical exam

 

The multiple-choice component tests candidates’ knowledge of the subject areas, and the scenario assesses candidates’ risk analysis and report-writing skills.

The practical component tests candidates’ hands-on penetration testing methodology and skills against reference networks, hosts and applications. Candidates will not be able to use their own laptops. A version of Kali Linux will be available within the practical exam environment to address the practical assessment. A version of Windows Server 2022 is being tested and will be introduced later in 2024 to further support candidates.

 

Your lab is a unique instance and is built and verified before being displayed to you. All answers are marked automatically.

 

Candidates can now take the written and practical exams in whichever order they prefer.

 

Exam duration

Written exam

The written exam duration is 3 hours in total, split as follows:

– Multiple-choice test (1 hour)

– Written scenario (2 hours)

 

Candidates will be given an additional 20 minutes of reading time prior to the start of the written scenario component.

 

Candidates must start with the multiple-choice test followed by the written scenario component. The questions can be answered in any order within each component.

 

Practical exam

The practical exam duration is 3 hours and candidates will be given an additional 15 minutes for reading time prior to the start of the exam.

 

Pre-requisites

There are no pre-requisites to the CCT APP exam.

 

Exam notes

Written exam

The written exam is closed book. Therefore, no books, written notes, internet access or other electronic devices will be allowed. This applies to both components of the written exam: the multiple-choice test and the written scenario.

 

Note: the written scenario component does not include a practical element as it did in previous iterations. 

 

Practical exam

Candidates are able to pre-upload files ahead of their practical exam via CRESTDrive. These files will be accessible on the day of the exam. 

 

3. Exam content

 

The CCT APP syllabus has been revised and updated to include and expand on relevant areas and skills. Areas such as macOS security and social engineering are now part of the exam. There is also more focus on cloud services and security where six new skills have been introduced. Network intrusion protection, Unix exploitation and NoSQL injection are also amongst the areas with new skills. The new exam also builds on the existing soft skills and assessment management section introducing global and regional law and compliance components and report quality assurance.

 

4. Exam grading

 

Written exam (180 marks)

– Multiple choice test (60 marks)

– Written scenario (120 marks)

 

Practical exam

– Four 30-mark sections

– One 60-mark section

 

Pass mark

Written exam

Candidates must achieve at least two thirds or 66% in each component (multiple-choice test and written scenario) to achieve a pass. Passing one component but failing the other results in an overall fail.

 

Practical exam

Candidates must achieve at least two thirds or 66% in the practical exam to achieve a pass.

 

Feedback

Written exam

Candidates will receive their multiple-choice test results at the end of the exam with a breakdown of the areas and how they have performed.

 

The results for the written scenario component and overall result of their written exam will be provided within 20 days from when the exam has been taken.

 

Practical exam

Candidates will receive an email from Pearson VUE once exam results are available in their Pearson VUE account. Results will usually be available within 24 hours but might take up to 48 hours in some cases due to additional verification checks. Candidates will receive their score in each section. 

 

If you have not received your results after 48 hours and/or if you have any queries, please contact us via [email protected]. 

Preparing for your exam

Here you can find some useful resources to support your exam preparation.

 

Written exam

Sample questions

Examples of questions that help candidates to understand what to expect from the examination environment. You will find our sample questions here.

 

Sample scenario

Please visit the ‘Sample scenario’ drop-down section below.

 

Practical exam

In order to allow candidates to familiarise themselves with the tooling available in the exam environment, a virtual machine is available. The virtual machine hosts a version of Kali Linux, which is the machine available to use during the CCT APP Practical exam. 

 

This virtual machine is an exact copy of the one that candidates will use in the CCT APP Practical exam. The machine has a large number of tools installed, including versions of Nessus and BurpSuite.

 

The Amazon Machine Image (AMI) provided below is an exact copy of the exam machine, but BurpSuite and Nessus do not have licenses. These are fully licensed in the exam environment at Pearson VUE. 

 

Note: a version of the Windows Server 2022 machine is being tested and will be introduced in August 2024. 

 

Sample questions

Here you can find some official sample questions and answers that will help you familiarise yourself with the exam structure and wording as well as some of the key terms and definitions. 

 

Question 1

An XML injection attack against a web services application might involve: 

A. Introducing SOAP packets

B. Modifying the SQL syntax to inject queries

C. The use of a * character in a form field

D. Abusing XPATH queries to retrieve data illegally

E. Adding a new entry to the WSDL

 

Answer

D. Abusing XPATH queries to retrieve data illegally

 

Question 2

When performing blind SQL injection, what will a successful injection attack result in? 

A. The page redirecting to a standard internal server error page, showing a generic error

B. The system crashes

C. The page showing that an error has occurred and the detailed error description

D. No SQL error being displayed, but different behaviour observed when using different injection strings

E. All of these

 

Answer

D. No SQL error being displayed, but different behaviour observed when using different injection strings

 

Question 3 

Which of the following is a symmetric encryption algorithm?

A. RSA

B. PGP

C. ElGamal

D. Elliptic Curve

E. RC5

 

Answer

E. RC5

 

You can download a PDF version here.

Sample scenario

The written scenario component is part of the written CCT APP exam which also includes a multiple-choice test.

 

The scenario essentially assesses the candidate’s knowledge and ability to write reports. There are also elements related to scoping engagements, assessing the risks inherent in their findings and composing an issue write-up for a report. Candidates could also be expected to demonstrate an understanding of relevant legislation affecting penetration testing in their operating jurisdiction.

 

Format

The written component starts after candidates have submitted their answers to the multiple-choice component within their written exam. They will be given 15 minutes before the scenario examination starts to read through the requirements and no examination activities are permitted during this time.

 

Once the written scenario starts, candidates will need to answer long form questions and will be given 120 minutes to do so. There is no requirement to complete each question in the order that they are presented meaning that candidates are free to complete them as they wish, provided that they do so within the allotted time.

 

Reminder: candidates must achieve the minimum pass mark in both the multiple-choice and written scenario parts to pass their written exam.

 

Marking

The written scenario is manually marked by CREST Assessors. This section is worth a total of 120 marks.

 

Sample scenario

You can read our sample scenario document online, which contains useful and sample information related to the CREST Certified Tester (CCT) examination scenario component.

Booking your exam

The CCT APP written exam is exclusively available in over 1,000 Pearson VUE Test Centres across the globe. You can book your exam now via CREST :: Pearson VUE.

 

Invigilation

A test centre administrator/invigilator will be present throughout the examination to answer any procedural questions that candidates may have and assist in troubleshooting. The invigilator will not provide any support or advice related to the exam content.

 

If an issue does occur, a case will be filed. Every effort will be made to accommodate the continuation of your exam and all cases will be investigated and resolved within 3-5 business days. Pearson VUE should provide you with a case ID number. Please ensure you retain this information as this may be required at a later date. 

 

Communication of results

Written exam

Examination results will be emailed to the candidate within 20 working days of the examination.

 

Practical exam

Candidates will receive an email from Pearson VUE once exam results are available in their Pearson VUE account. Results will usually be available within 24 hours but might take up to 48 hours in some cases due to additional verification checks. Candidates will receive their score in each section. 

 

If you have not received your results after 48 hours and/or if you have any queries, please contact us via [email protected]. 

 

Promo codes (for candidates) 

Claim your promo code and unlock up to 75%* discount on the CCT exam. Click here to claim your promo code.

 

CREST Pearson VUE vouchers

Pearson VUE vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice. For more information please contact [email protected].

 

Special accommodations

Candidates must contact the CREST Support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam until the accommodation request has been processed. For more information, please contact [email protected].

 

How to cancel, postpone or reschedule

This is done through your own Pearson VUE registration and exam booking page and must be done at least 24 hours before your exam date.

What has changed in the new CCT exams?

The table below summarises key differences between the two exams:

 

| CCT exam (pre 2024) | New CCT exam (2024) |
|---|---|
| Full exam completed in two sittings and over two different days | Full exam completed in two sittings which can be booked for the same day |
| Practical exam delivered in hotels at limited locations | Written and practical exams delivered at selected Pearson VUE test centres globally |
| The written exam is a multiple-choice test. Total duration is 3 hours | The written exam includes a multiple-choice test (60 minutes) and a written scenario (120 minutes). The total duration is 3 hours. The scenario tests report-writing skills and candidates are given an additional 15 minutes of reading time before the scenario component starts |
| The practical exam includes a scenario (150 minutes) and a practical (210 minutes) test of candidates’ hands-on penetration testing. Total duration is 6 hours. Candidates are given an additional 15 minutes of reading time in each component. Candidates are allowed to use their own laptop and tools in the practical exam | The practical exam (180 minutes) tests candidates’ hands-on penetration testing. The total duration is 3 hours. Candidates are given an additional 20 minutes of reading time before the practical exam starts. The practical exam includes a virtual Kali box with pre-installed tools |
| Written exam – closed book. Practical exam – open book | Written exam remains closed book. Practical exam – candidates are able to pre-upload files ahead of their practical exam using CRESTDrive. These files will be accessible on the day of the exam. Find out more about CRESTDrive here. Candidates should get familiar with the virtual Kali box in advance and revise key commands for use in the exam |
| Candidates must use an SMB share at the beginning to access papers | Exam questions are integrated into the exam screen |
| Assessor required to validate exam environment | Non-technical invigilator present |
| Smaller skillset tested | Wider skillset tested |

 

The syllabus has been updated and restructured adding greater depth to the exam. 

 

The exam duration has been extensively assessed to ensure that the time allocated is appropriate to answer all questions.  

FAQs

Looking for more info on our CCT APP exam? Check out our handy CCT APP FAQs.

Ready to book your CCT APP exam?
