The CREST Registered Penetration Tester (CRT) exam is recognised by Governments and regulators around the globe and is recognised by the UK National Cyber Security Centre (NCSC) for its CHECK scheme.
The CREST Registered Penetration Tester (CRT) exam syllabus defines the areas that are assessed within the CRT exam.
Candidates will be expected to find known vulnerabilities across common networks, applications, infrastructure and databases. CRT validates a practitioner’s ability to conduct vulnerability scans using commonly available tools and to interpret the results.
Successful CRT candidates will be able to demonstrate that they are qualified for hands on Pen Test Roles (indicative of 3+ years of experience) with respect to:
Core Technical Skills
The candidate will demonstrate the use of prescribed tools to interpret output and be able to conduct fingerprinting.
Internet Information Gathering and Reconnaissance
The candidate will have a good understanding of DNS, including SOA, NS, MX, A, AAAA, CNAME, PTR, TXT, HINFO, SVT, as well as DNS queries, passive DNS monitoring and dangling DNS entries and their vulnerabilities.
Networks
The candidate will demonstrate a good understanding of network connections, VLAN Tagging, IPv4, network mapping, devices and filtering, traffic analysis (intercept and monitor (PCAP)), TCP, UDP, Service Identification and Host Discovery.
Network Services
The candidate will have a good understanding of the concepts of Unencrypted Services (Telnet, FTP, SNMP, HTTP), TLS/SSL, Name Resolution Services (DNS, NetBIOS/WINS, LLMNR, mDNS), Management Services, (Telnet, Cisco Reverse Talent), SSH, HTTP, Remote Powershell, WMI, WinRM, RDP, VNC, X), Desktop Access, IPsec, FTP, TFTP. SNMP. SSH, NFS and its security attributes, SMB including Win File shares and Samba, LDAP, Berkely R* Services and trust relationships, Finger, RPC Services, NTP and SMTP and Mail Servers.
Microsoft Windows Security
The candidate will demonstrate a good understanding of Windows reconnaissance, network and active directory enumeration, Windows passwords, processes and file permissions, registry, Windows remote and local exploitation, post exploitation, patch management, Windows desktop lockdown and common Windows applications.
Linux/UNIX Security Assessment
The candidate will have a good understanding of Linux/Unix reconnaissance, Linux/Unix network enumeration, Linux/Unix passwords, Linux/Unix file permissions and Linux/Unix processes.
Web Technologies
The candidate will have a good understanding of web servers, web app frameworks (including .NET, J2EE, Coldfusion, Ruby on Rails, NodeJS, Django, Flask), common web applications, web protocols, mark up languages, web app reconnaissance, information gathering, web authentication and authorisation, input validation, XSS, SQL, mail and OS command injection, sessions, cookies, session hijacking, XS request forgery, web cryptography, parameter manipulation, directory traversal, file uploads and web app logic flaws.
Databases
The candidate will have a good understanding of SQL relational databases, MS SQL servers, Oracle RDBMS, MySQL and PostgreSQL, understand user enumeration of usernames, Unix vulnerabilities, FTP, SMTP, NFS, R* Services, X11, RPC services and SSH.
The full syllabus is available here.
CREST Registered Penetration Tester (CRT) – Notes for Candidates
The notes for candidates gathers essential information about the CRT exam and intends to support CREST candidates on their preparation increasing their chances of success. It is split into 6 sections:
1. Exam overview: explains the CRT exam and its general scope
2. Exam structure: information on format, duration, materials allowed
3. Exam preparation: list of resources to help you prepare and practice ahead of your exam
4. Exam content: details the content structure of the exam and what to expect
5. Exam grading: information on marking structure and pass mark
5. Exam booking and logistics: information on exam policies and logistics
1. Exam overview
CREST Registered Penetration Tester (CRT) exam
The CRT exam is an intermediate level examination that tests a candidate’s knowledge in assessing operating systems and common network services. It includes web app security testing and methods to identify common web app and infrastructure security vulnerabilities.
Please ensure you refer to the syllabus available on CREST website when preparing for the exam.
The CRT exam is exclusively available at selected Pearson VUE Test Centres globally.
If you have any queries related to the CRT exam and syllabus, please contact CREST at [email protected]
2. Exam structure
Exam format
The CRT exam remains a practical assessment consisting of multiple choice, flags and short form answers. The main difference is that candidates will not be able to use their own laptops and therefore will not able to access their own tooling. A version of Kali Linux will be available within the exam environment to address the practical assessment.
Exam duration
The exam duration is 2.5 hours and candidates will be given an additional 15 minutes for reading time prior to the start of the exam. The questions can be answered in any order.
Pre-requisites
A valid CREST Practitioner Security Analyst (CPSA) certification is required before you can book and sit the CRT exam.
Exam notes
Candidates are able to pre-upload files ahead of their practical exam via CRESTDrive. These files will be accessible on the day of the exam.
CREST has set up a link where candidates can access the Kali Virtual Machine and familiarise themselves with the tools that will be available during the exam. We also recommend candidates to read the Exam Top Tips which provides guided suggestions on areas to focus when preparing for the CRT exam.
3. Exam preparation and practice
In order to allow candidates to familiarise themselves with the tooling available in the exam environment, a virtual machine is available. The virtual machine will host a version of Kali Linux that can be used to perform all required tasks within the exam. This machine has a large number of tools installed, including licensed versions of Nessus Professional and BurpSuite Professional.
Please access the Kali Virtual Machine here.
The CRT Amazon image is the exact copy of the exam machine but Burp Suite and Nessus do not have licenses. These are fully licensed in the exam environment in Pearson VUE.
Image of exam layout
Please note that:
Additional resources to help with your preparation:
Sample questions
Examples of questions that help candidates to understand what to expect from the examination environment. You’ll find our sample questions here.
Top tips
This document offers some useful tips to help prepare for the exam.
4. Exam content
New areas being covered in the CRT exam are Routing Manipulation and Networks.
This practical exam contains infrastructure that would typically be found in a real-world test of a medium to large-size organisation. Candidates will be expected to demonstrate their capabilities and competence in:
Assessing IP networks
Candidates will need to demonstrate a good understanding of the technologies in use and their implications, as well as simply being able to run tools and scripts.
For further information on the skills being assessed, consult the exam Syllabus.
The subsections covered in the infrastructure stage are as follows:
Network awareness
Candidates will be required to identify hosts and services on an IP network, to enumerate basic information, and to interact with basic services.
Vulnerability assessment
Candidates will be required to find vulnerabilities that might typically be identified by vulnerability scanners and exploit them to extract related information.
Simple exploitation
Candidates will be required to exploit systems and services in order to obtain key pieces of data, such as emails, passwords, or data from a database.
Desktop lockdown
Candidates will be given access to a restricted desktop environment. They will be required to bypass the restrictions in order to collect specific data.
Routing manipulation
Candidates will be required to understand and interact with IP networks in order to access systems and services that would otherwise be inaccessible.
Web application assessment details
The application assessment consists of multiple simple web applications. The web applications will be based on common web application technologies hosted on Windows and Unix platforms.
Pages have been designed to provide the candidate with a series of generic vulnerabilities to find, assess and exploit.
5. Exam grading
Mark allocation
The exam breakdown consists of 160 marks split between Infrastructure (100 marks) and Applications (60 marks). The detailed breakdown is available on the following table:
Components | Total Marks |
---|---|
Infrastructure | 100 20 20 20 20 20 |
Web Application | 60 60 |
Pass mark
Candidates must achieve at least 60% in both Infrastructure and Web Application to achieve a pass. Passing one of the sections but failing the other one will result in a failure overall.
Feedback
Unsuccessful candidates will be informed about their scores in the Infrastructure and Web Application components where they achieved a lower mark than 60%. The scores will not be disclosed for components where they were successful and have achieved 60% or more.
6. Exam booking and logistics
Exam location
The CRT exam is delivered at a wide number of Pearson VUE centres that meet the technical requirements for this examination. Please visit the Pearson VUE website and follow the on-screen instructions to schedule your examination.
Retake policy
Unsuccessful candidates may retake the CRT exam 8 weeks after the original exam date.
Invigilation
A test centre administrator/invigilator will be present throughout the examination to answer any procedural questions that candidates may have and assist in troubleshooting. The invigilator will not provide any support or advice related to the exam content.
If an issue does occur, a case will be filed. Every effort will be made to accommodate the continuation of your exam and all cases will be investigated and resolved within 3-5 business days. Pearson VUE should provide you with a case ID number. Please ensure you retain this information as this may be required at a later date.
Communication of results
Examination results will be emailed to the candidate within 5 working days of the examination. Digitally signed certificates, where appropriate, will be emailed to candidates
Special accommodations
Candidates must contact the CREST support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam date until the accommodation request has been processed. Please check CREST Special Accommodations policy for more information
In order to allow candidates to familiarise themselves with the tooling available in the exam environment, a virtual machine is available. The virtual machine will host a version of Kali Linux that can be used to perform all required tasks within the exam. This machine has a large number of tools installed, including licensed versions of Nessus Professional and BurpSuite Professional.
Please access the Kali Virtual Machine here.
The CRT Amazon image is the exact copy of the exam machine but Burp Suite and Nessus do not have licenses. These are fully licensed in the exam environment in Pearson VUE.
Image above shows exam layout.
Additional resources to help with your preparation:
Sample questions
Examples of questions that help candidates to understand what to expect from the examination environment.
Available training
There are a number of CREST Training Providers offering CRT training. Lab Based training is also available.
Top tips
This document offers some useful tips to help prepare for the exam.
Below are some official sample questions and answers that will help familiarise you with the exam structure and wording as well as some of the key terms and definitions.
Example Network Awareness
Find the box named jaguar and identify what domain it resides in. Provide the NetBIOS domain name.
The correct answer is “bigcats”.
Example Vulnerability Assessment
Identify a valid user on the host named monkey that is also in the /home/kali/Desktop/Candidate/wordlist.txt file.
The correct answer is “janet”.
Example Simple Exploitation
Exploit 10.0.1.27 and provide the trophy value from a file with ‘trophy’ or ‘secret’ in its name.
The correct answer is “trophy-12345”.
Example Desktop Lockdown
Find the ‘zenicarna’ file and provide the trophy value.
The correct answer is “trophy-54321”.
Example Routing
Attempt to access the telnet server on 172.20.31.10 via 172.17.89.254 and obtain the value in the service banner.
The correct answer is “trophy-98765”.
Example Web Application
Zenicarna has deployed a new authentication mechanism to replace the previously unsecured portal. Host: 10.0.1.180 Port: 8080
Attempt to gain access and provide the trophy value presented upon successful authentication.
The correct answer is “trophy-11122”.
Download the sample questions here.
The CRT exam is available in selected Pearson VUE Test Centres across the globe. You can book your CRT exam now via the Pearson VUE website.
Candidates must hold a valid CREST Practitioner Security Analyst (CPSA) certification to be able to book the CREST Registered Penetration Tester (CRT) exam.
CREST Pearson VUE vouchers
Pearson VUE exam vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice. For more information please contact [email protected]
Special accommodations
Candidates must contact the CREST support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam date until the accommodation request has been processed. For more information please contact [email protected]
How to cancel, postpone or reschedule
This is done through your own Pearson VUE registration and exam booking page and must be done at least 24hrs before your exam date.
Looking for more info on our CRT exam? Check out our handy CRT FAQs page.
“I really like that CREST moved the CRT exam to the regular testing centers, as it makes the certification more accessible than ever. The exam is straightforward and tests the knowledge in several networking and web application testing categories. Exam tasks are well-defined and easy to follow. Shouldn’t be a problem for people working on penetration testing engagements to pass the exam on the first attempt if they manage the time the right way (read the CRT top tips pdf!). For the beginners in this area, you should learn the processes and tools usage based on the syllabus and you should be able to pass. Careful though, the exam is closed book, as opposed to the previous version, and it is only 2.5 hours in duration, so one must manage time the right way (I would love to have additional 45 minutes on my exam day). Honestly, it was a pure enjoyment to play with the exam infrastructure that was stable, fast, and easy to use.”
Robert Petrunic, Eduron
“The updated CRT certification provides a great way for testers to demonstrate that they possess the necessary practical and technical skills, which is required in conducting both infrastructure as well as web application penetration test engagements. The updated CRT exam is also a breeze to book and intuitive to take. The exam can now be taken at a huge number of regionally based exam centres, is also a very welcome change.”
Guy Liu, Head of Cyber Security, Air IT
Check out these handy resources to help you on your cyber security career pathway
Watch on YouTube