The table below summarises key differences between the two exams:
CCT exam (pre 2024) | New CCT exam (2024) |
---|---|
Full exam completed in two sittings and over two different days | Full exam completed in two sittings which can be booked for the same day |
Practical exam delivered in hotels at limited locations | Written and practical exams delivered at selected Pearson VUE test centres globally |
The written exam is a multiple-choice test. Total duration is 3 hours | The written exam includes a multiple-choice test (60 minutes) and a written scenario (120 minutes). The total duration is 3 hours The scenario tests report-writing skills and candidates are given an additional 15 minutes of reading time before the scenario component starts |
The practical exam includes a scenario (150 minutes) and a practical (210 minutes hours) test that tests candidates’ hands-on penetration testing. Total duration is 6 hours Candidates are given an additional 15 minutes reading time in each component Candidates are allowed to use their own laptop and tools in the practical exam | The practical exam (180 minute) tests candidates’ hands-on penetration testing. The total duration is 3 hours Candidates are given an additional 20 minutes of reading time before the practical exam starts The practical exam includes a Virtual Kali box with pre-installed tools |
Written exam – closed book Practical exam – open book | Written exam remains closed book Practical exam – candidates are able to pre-upload files ahead of their practical exam using CRESTDrive. These files will be accessible on the day of the exam. Find out more about CRESTDrive here. Candidates should get familiar with the Virtual Kali box in advance and revise key commands for use in the exam |
Candidates must use a SMB share at the beginning to access papers | Exam questions are integrated to the exam screen |
Assessor required to validate exam environment | Non-technical invigilator present |
Smaller skillset tested | Wider skillset tested |
The syllabus has been updated and restructured adding greater depth to the exam.
The exam duration has been extensively assessed to ensure that the time allocated is appropriate to answer all questions.
The CREST Certified Tester – Application (CCT APP) is an advanced level exam that assesses the candidate’s ability to find known vulnerabilities across common networks, applications, infrastructure and databases as well as containerisation, cloud and macOS. The CCT APP examination also covers a common set of core skills and knowledge.
The CCT APP has two distinct parts:
– A written exam of two components: a multiple-choice test and a written scenario
– A practical exam
The successful completion of this examination will confer CREST Certified Tester – Application status to the individual.
Visit our CCT APP page for more information.
The new CCT APP exam is exclusively available at over 1,000 Pearson VUE Test Centres across the globe. You can book your online exam now via the Pearson VUE website.
You can claim your promo code, available for a limited time, on this page.
Promo code expires on the 30 October 2024. Please make sure you have booked your exam by then. You must sit your exam by 30 December 2024.
Please see the following Pearson VUE link and select the correct region for Pearson VUE’s customer support.
Candidates can access a candidate virtual machine ahead of the exam to familiarise themselves with the tooling available in the practical exam environment. The virtual machine host a version of Kali Linux that can be used to perform all required tasks within the exam.
A version of Windows Server 2022 will be introduced in August 2024 to support candidates with a preference for this machine.
You can also find some helpful resources in the ‘Exam Preparation’ section on our CCT APP page. This includes sample questions and scenarios as well as more information about the exam structure.
All current CCT certifications will be valid until their expiry date.
The CCT exams have been approved by the National Cyber Security Centre (NCSC) for CHECK Team Leader (UK only).
CHECK is a UK Government programme under the NCSC which approves cyber security service providers to carry out authorised penetration tests of public sector and critical national infrastructure (CNI) systems and networks.
Candidates will be expected to find known vulnerabilities across common networks, applications, infrastructure and databases as well as new syllabus areas which include Containerisation, Cloud and macOS. CCT APP validates a practitioner’s ability to conduct vulnerability scans using commonly available tools and to interpret the results.
The CCT APP syllabus provides detailed information on the exam topic areas.
Successful CCT APP candidates will be able to demonstrate that they are qualified for Pen Test roles (indicative of 5-6+ years of experience).
Written exam
The written exam is closed book. Therefore, no books, written notes, internet access or other electronic devices will be allowed. This applies to both components of the written exam: the multiple choice test and the written scenario.
Practical exam
Candidates are able to pre-upload files ahead of their practical exam via CRESTDrive. These files will be accessible on the day of the exam. No internet access will be available during the exam meaning that candidates can only access what has been uploaded to CRESTDrive.
We encourage candidates to familiarise themselves with the exam preparation resources available on CREST website such as the exam syllabus, notes for candidates, candidate machine, top tips among others.
Yes. It remains valid for 3 years from the date you sat the exam.
CREST is constantly working to grow our Training Providers programme which has been relaunched in 2024. To find the latest list of providers and filter them by exam and region please visit our dedicated page.
The new CCT APP exam is exclusively available at over 1,000 Pearson VUE Test Centres across the globe. Book your exam online now via the Pearson VUE website.
The quality and credibility of CREST exams depends on maintaining their integrity and security. We use various methods and tools to regularly scan the web for sites that claim to offer our exam materials and as a member of the CREST community, you play a vital role in helping us protect our exam content, their value, and in turn, your certifications.
If you have any doubts about the legitimacy of a resource, or have any information about fraudulent behaviour or misconduct, please report in confidence using our exam security reporting form. Alternatively, you can email us at [email protected].
Written exam
The written exam duration is 3 hours in total, split as follows:
– Multiple-choice test (1 hour)
– Written scenario (2 hours)
Candidates will be given an additional 15 minutes for reading time prior to the start of written scenario component.
Candidates must start with the multiple-choice test followed by the written scenario component. The questions can be answered in any order within each component.
Practical exam
The practical exam duration is 3 hours and candidates will be given an additional 20 minutes for reading time prior to the start of the exam.
The new CCT APP exam is made of two parts as follows:
– A written exam which is made of two components: a multiple-choice test and a written scenario
– A practical exam
The multiple choice component tests a candidates’ knowledge of the subject and the scenario assesses a candidates’ ability to assess risk and report writing skills.
Candidates will be expected to find known vulnerabilities across common networks, applications, infrastructure and databases as well as containerisation, cloud and macOS. The CCT APP examination also covers a common set of core skills and knowledge. Candidates will not be able to use their own laptops and therefore will not able to access their own tooling. A version of Kali Linux will be available within the practical exam environment to address the practical assessment.
Previously, candidates had to take and pass the written exam before being able to take the practical exam. In the new exam, candidates may take the exams in any order.
Written exam
Candidates will receive their multiple choice test results at the end of the exam with a breakdown on the areas and on how they have performed.
The results for the written scenario component and overall result of their written exam will be provided within 20 days from when the exam has been taken.
Practical exam
Candidates will receive an email from Pearson VUE once exam results are available in their Pearson VUE account. Results will usually be available within 24 hours but might take up to 48 hours in some cases due to additional verification checks. Candidates will receive their score in each section.
If you have not received your results after 48 hours and/or if you have any queries, please contact us via [email protected].
No. In the new CCT APP exam, candidates can book their written and practical exams in whichever order they prefer.
Candidates must contact the CREST support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner in the particular condition. Candidates should register an account with Pearson VUE but not book an exam date until the accommodation request has been processed. For more information, please contact [email protected]
You will be required to sign both when booking the CCT APP exam at Pearson VUE.
Electronic items such as mobile phones, smart watches, ear buds etc will not be permitted to be taken into the exam. You will be required to surrender all electronic items and potentially other personal items. Lockers will be provided. Pearson VUE Comfort Aid List
For more information about exam notes please review our ‘Notes for Candidates’ section on the CCT APP page.
Yes. You can only book the CREST CCT APP exam through a Pearson VUE account. Please follow the link to set up an account if you have not already done so: Pearson VUE.
If you do run out of time, or forget to save, then your exam will be auto submitted.
You will be provided with a 5-minute warning notification.
You need to bring two forms of government issued IDs one of which must have a picture. Most candidates bring their passport and the driver’s licence. No photocopies will be accepted. Please see the following link for more detailed information: English (pearsonvue.com)
Pearson VUE provides relevant information for candidates via their resource hub: helpful resources for test-takers
You will need to arrive at least 15 minutes before your exam starts to allow time to complete the sign in process.
Don’t forget to bring your two forms of government issued IDs.
Access to the Kali virtual machine desktop will be provided via the Pearson VUE secure browser.
You need to use the provided virtual machines to perform the required testing. All required tooling is pre-installed into the virtual machines.
The virtual machines have no access to the internet; therefore, you won’t be able to update, download any tools or notes outside those stored in CRESTDrive, search blogs etc.
It might take a few moments to load the virtual machines into the Peason VUE secure browser and this is perfectly normal. Your exam time during this period will be paused until the virtual machines are fully loaded.
You won’t be able to copy and paste between the candidate virtual machine and the examination answer window.
The hotel-based CCT practical exams have had their last cohort taking place in July 2024. Unsuccessful candidates can retake their exams in Pearson VUE and candidates with a valid written exam are exempt from the multiple-choice component when taking the written exam.
CRESTDrive allows candidates to upload files ahead of the exam to then access these files when taking their exam. No internet access will be available during the exam meaning that candidates can only access what has been uploaded to CRESTDrive. We encourage candidates to familiarise themselves with the exam preparation resources available on CREST website such as exam syllabus, notes for candidates, candidate machine, among others.
This is possible, but as these tools and scripts cannot be tested, CREST has no way to ensure that they will work. Candidates can upload files up to a combined 100MB in size. Candidates utilising CRESTDrive are also subject to its terms and conditions.
Please find all detailed information including guidelines on how to use it, retention periods and other relevant information on the dedicated CRESTDrive page.
After the exam, files uploaded will be archived and candidates will no longer have access to them. Exam candidates’ files will be archived for three months and then securely deleted. More details available on the dedicated CRESTDrive page.