Regions icon
Membership icon
Certification icon

CREST Registered Security Analyst (Penetration Testing)

The CREST Registered Security Analyst (CRSA) examination tests candidates’ knowledge in assessing operating systems and common network services for intermediate level below that of the main CREST Certified level qualifications.

The CRSA examination includes an intermediate level of web application security testing and methods to identify common web application security vulnerabilities and covers a common set of core skills and knowledge.  The candidate must demonstrate that they can perform an infrastructure and web application vulnerability scan using commonly available tools; and interpret the results.

Examination format
All skills will be assessed by a practical assault course.

During the exam candidates will be provided with desktop access to a virtual machine running Kali Linux that can be used to perform the required tasks. This machine has a large number of tools installed including licensed versions of Nessus Professional and BurpSuite Professional.

A version of this virtual machine without the commercial licenses can be downloaded by candidates so they can familiarise themselves with the platform prior to the exam.  This can be downloaded from the following location:

You can download the following documents from the links below:

Syllabus for the Registered tester examination
Notes for Candidates to aid examination preparation

In order to book to take the examination, the candidate must hold a valid CPSA pass.  Success, combined with valid CPSA certification, will confer CREST Registered Security Analyst (CRSA) status to the individual.

Due to the additional technical requirements of the practical exams, only a subset of Pearson Vue centres are able to run them.  While this subset is more restrictive it still includes over 300 locations worldwide.  When booking an exam through the Pearson Vue website, candidates will be presented with a choice of suitable locations nearest to them.

For costs and availability please refer to individual country booking.  The examination is delivered at Pearson Vue test centres.

Recommended Preparation Material
The CREST Assessors panel regularly identifies common themes and consolidates common questions and answers from candidates and from the industry in relation to the CREST certification examinations. Candidates are advised to familiarise themselves with these, although they are free to disregard them if they wish. The latest information can be accessed at

CREST recommends that candidates familiarise themselves with the content on our FAQS page which has been created specifically for those attempting a practical examination.

The following material and media has been cited as helpful preparation for this examination by previous candidates:

Reading Material:
Network Security Assessment (by O’Reilly, 2nd edition)
Hacking Exposed Linux
Red Team Field Manual (RTFM) (by Ben Clarke)
Nmap Network Scanning: The Official Nmap Project (by Gordon Lyon)
Guide to Network Discovery and Security Scanning
Grey Hat Hacking (by Allen Harper, Shon Harris & Jonathan Ness)

6point6 – CREST Approved Training Provider
Cyberskills Training – CREST Approved Training Provider
ICSI Ltd – CREST Approved Training Provider
Immersive Labs – CREST Approved Training Provider
PGI Cyber Academy – CREST Approved Training Provider
QA – CREST Approved Training Provider
Telefonica Cybersecurity & Cloud Tech SL – CREST Approved Training Provider

Offensive Security
Certified Ethical Hacker Passport

Useful Information for Candidates
How to book
Details of the Logistics and Timings of CREST examinations can be found in the Examination Preparation pages for your country of choice
CREST’s Policy for Candidates requiring special arrangements, including additional time to accommodate a medical condition (including examinations delivered at Pearson Vue centres)
Terms and Conditions for CREST Examinations (includes hard disk drive wiping policy)