CREST Registered Intrusion Analyst (CRIA)

The Intrusion Analysis and Incident Management syllabus defines at a high level the technical skills and knowledge that CREST expects candidates to possess for the Certification examinations in this area. 

The CRIA exam tests a candidate’s knowledge across all three subject areas of network intrusion, host intrusion, and malware reverse engineering. 

Successful CRIA candidates will be able to demonstrate their knowledge with respect to: 

The full syllabus is available here. 

Our ‘Notes for candidates’ section provides essential information about the exam and intends to support CREST candidates on their preparation to increase their chances of success. 

Exam overview

Passing this exam awards the candidate ‘CREST Registered’ status, demonstrating a candidate’s intermediate level of knowledge of incident response, to a high standard and in accordance with legal and ethical guidelines.  

A CREST Registered Intrusion Analyst will be able to carry out operational tasks safely and effectively, with minimal supervision. 

The exam assesses a candidate’s knowledge to competently perform network and host intrusion, and malware analysis. A candidate is expected to be able to demonstrate that they are qualified to lead hands-on incident response engagements, taking management and ownership of investigations.  

Stages and tasks in the exam are designed to assess a candidate’s fundamental intrusion analyst testing skills, including being able to acquire or derive information from files CREST provides.  

Exam structure

This CREST Registered-level practical based exam comprises one multiple-choice assessment, with answers weighted according to difficulty.  

This Registered-level exam/qualification is: 

• An invigilated, multiple-choice assessment 
• Comprised of 150 questions, which all need to be attempted 
• Achieved when an overall pass of 60% or 54 marks is secured 
• Valid for three (3) years 
• Available to book at a Pearson Vue Testing Centre – Book your exam today! 

Exam duration

The exam duration is 2.5 hours.

Pre-requisites

Candidates wishing to sit this Registered examination should ideally have at least 6,000 hours (three years or more) of relevant and frequent experience in incident response, digital forensics, or security operations services and are required to hold the ‘CREST Practitioner’ status by having successfully undertaken and passed the CREST Practitioner Intrusion Analyst exam. 

Exam notes

Candidates cannot use their own laptops and, therefore, are not able to access their own tooling. A version of Kali Linux and Windows will be available within the exam environment to address the practical assessment.  

Please note that: 

• It is not possible to copy and paste information from Kali to the answer sheet so care must be taken when typing answers. 

• You will be provided with full instructions on how to access Kali. 

• During the exam, the NEXT button will end the exam, but a warning message will appear. 

This multiple-choice assessment consists of 150 questions, where each question has one correct answer out of multiple options. No marks are deducted for incorrect answers.  

To support candidates in familiarising themselves with the tooling available in the exam environment, a virtual machine is available. The virtual machine will host a version of Kali Linux that can be used to perform all required tasks within the exam. This machine has a large number of tools installed, including licensed versions of IDA Free License, Wireshark, and a wide variety of IR tools. For a full list, please use the official exam AMIs. 

Please access the Kali Virtual Machine here.

Please access the Windows Virtual Machine here. 

To aid preparation for taking your exam, recommended reading materials are listed below: 

• Hacking Exposed – Scanning and Enumeration 

• The ART of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (by Michael Hale Ligh/Andrew Case/Jamie Levy/Aaron Walters) 

• Malware Forensic Field Guide for Windows Systems (by Syngress) 

• Practical Malware Analysis 

• Network Fundamentals: CCNA Exploration Companion Guide 

• Real Digital Forensics (particularly Chapter 1, Windows Live Response) 

• TCP/IP Illustrated 

• OverAPI.com 

Available training 

We have also partnered with numerous Training Providers to supplement your knowledge of the topic areas detailed in the syllabus. CREST Training Providers or training courses can be found using our dedicated search tool. 

The CREST Registered Intrusion Analyst (CRIA) exam is available in selected Pearson VUE Test Centres across the globe.  You can book your CRIA exam now via the Pearson VUE website. Candidates must hold a valid CREST Practitioner Intrusion Analyst certification to be able to book their CRIA exam.  

CREST Pearson VUE vouchers 

Pearson VUE vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice; check if your company is a CREST member to see if you can benefit from member pricing. For more information, please contact [email protected]. 

Special accommodations 

Candidates must contact the CREST Support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam until the accommodation request has been processed. For more information, please contact [email protected]. 

How to cancel, postpone or reschedule  

Please use your own Pearson VUE registration and exam booking page, and must be notified at least 24 hours before your exam date.