CREST Registered Penetration Tester (CRT)

If you have booked the hotel-based CRT exam, only available until 30 November 2023, please refer to the appropriate syllabus on this page. 

The CREST Registered Penetration Tester (CRT) exam syllabus defines the areas that are assessed within the CRT exam. 

Candidates will be expected to find known vulnerabilities across common networks, applications, infrastructure and databases. CRT validates a practitioner’s ability to conduct vulnerability scans using commonly available tools and to interpret the results.  

Successful CRT candidates will be able to demonstrate that they are qualified for hands on Pen Test Roles (indicative of 3+ years of experience) with respect to: 

Core Technical Skills 

The candidate will demonstrate the use of prescribed tools to interpret output and be able to conduct fingerprinting. 

Internet Information Gathering and Reconnaissance 

The candidate will have a good understanding of DNS, including SOA, NS, MX, A, AAAA, CNAME, PTR, TXT, HINFO, SVT, as well as DNS queries, passive DNS monitoring and dangling DNS entries and their vulnerabilities. 

Networks 

The candidate will demonstrate a good understanding of network connections, VLAN Tagging, IPv4, network mapping, devices and filtering, traffic analysis (intercept and monitor (PCAP)), TCP, UDP, Service Identification and Host Discovery. 

Network Services 

The candidate will have a good understanding of the concepts of Unencrypted Services (Telnet, FTP, SNMP, HTTP), TLS/SSL, Name Resolution Services (DNS, NetBIOS/WINS, LLMNR, mDNS),  Management Services, (Telnet, Cisco Reverse Talent), SSH, HTTP, Remote Powershell, WMI, WinRM, RDP, VNC, X), Desktop Access, IPsec, FTP, TFTP. SNMP. SSH, NFS and its security attributes, SMB including Win File shares and Samba, LDAP, Berkely R* Services and trust relationships, Finger, RPC Services, NTP and SMTP and Mail Servers. 

Microsoft Windows Security 

The candidate will demonstrate a good understanding of Windows reconnaissance, network and active directory enumeration, Windows passwords, processes and file permissions, registry, Windows remote and local exploitation, post exploitation, patch management, Windows desktop lockdown and common Windows applications. 

Linux/UNIX Security Assessment 

The candidate will have a good understanding of Linux/Unix reconnaissance, Linux/Unix network enumeration, Linux/Unix passwords, Linux/Unix file permissions and Linux/Unix processes. 

Web Technologies 

The candidate will have a good understanding of web servers, web app frameworks (including .NET, J2EE, Coldfusion, Ruby on Rails, NodeJS, Django, Flask), common web applications, web protocols, mark up languages, web app reconnaissance, information gathering, web authentication and authorisation, input validation, XSS, SQL, mail and OS command injection, sessions, cookies, session hijacking, XS request forgery, web cryptography, parameter manipulation, directory traversal, file uploads and web app logic flaws.    

Databases 

The candidate will have a good understanding of SQL relational databases, MS SQL servers, Oracle RDBMS, MySQL and PostgreSQL, understand user enumeration of usernames, Unix vulnerabilities, FTP, SMTP, NFS, R* Services, X11, RPC services and SSH.

The full syllabus is available here.

CREST Registered Penetration Tester (CRT) – Notes for Candidates

The notes for candidates gathers essential information about the CRT exam and intends to support CREST candidates on their preparation increasing their chances of success. It is split into 6 sections:

1. Exam overview: explains the new CRT exam and its general scope

2. Exam structure: information on format, duration, materials allowed

3. Exam preparation: list of resources to help you prepare and practice ahead of your exam

4. Exam content: details the content structure of the exam and what to expect

5. Exam grading: information on marking structure and pass mark

5. Exam booking and logistics: information on exam policies and logistics

1. Exam overview

CREST Registered Penetration Tester (CRT) exam

The CRT exam is an intermediate level examination that tests a candidate’s knowledge in assessing operating systems and common network services. It includes web app security testing and methods to identify common web app and infrastructure security vulnerabilities.

IMPORTANT: new CRT exam

This new CRT exam has been introduced in November 2023 including a revised syllabus. Please ensure you refer to the appropriate syllabus available on CREST website when preparing for the exam.

The new CRT exam will be exclusively available at selected Pearson VUE Test Centres globally.

The hotel-based CRT exam, only available in the UK, Australia and Singapore, will continue to run until 30 November 2023. From 1 December 2023, the CRT exam will be exclusively delivered via Pearson VUE Centres.

If you have any queries related to the hotel-based CRT exam and syllabus, please contact CREST on [email protected]

2. Exam structure

Exam format

The CRT exam remains a practical assessment consisting of multiple choice, flags and short form answers. The main difference is that candidates will not be able to use their own laptops and therefore will not able to access their own tooling. A version of Kali Linux will be available within the exam environment to address the practical assessment.

Exam duration

The exam duration is 2.5 hours and candidates will be given an additional 15 minutes for reading time prior to the start of the exam. The questions can be answered in any order.

Pre-requisites

A valid CREST Practitioner Security Analyst (CPSA) certification is required before you can book and sit the CRT exam.

Exam notes

The CRT is a closed book exam. Therefore, no books, written notes, internet access or other electronic devices will be allowed.

Although this might not be ideal for some candidates, CREST has set up a link where candidates can access the Kali Virtual Machine and familiarise themselves with the tools that will be available during the exam. We also recommend candidates to read the Exam Top Tips which provides guided suggestions on areas to focus when preparing for the CRT exam. 

The investigation phase has been completed and we are now working on the development of the notes/files functionality which will be incorporated to the CRT exam in the future. The next update on this matter will be provided in May and will include details on the timeframes.

3. Exam preparation and practice

In order to allow candidates to familiarise themselves with the tooling available in the exam environment, a virtual machine is available here. The virtual machine will host a version of Kali Linux that can be used to perform all required tasks within the exam. This machine has a large number of tools installed, including licensed versions of Nessus Professional and BurpSuite Professional.

The CRT Amazon image is the exact copy of the exam machine but Burp Suite and Nessus do not have licenses. These are fully licensed in the exam environment in Pearson VUE.

Image of exam layout

Please note that:

• It is not possible to copy and paste information from Kali to the answer sheet so care must be taken when typing answers.
• You will be provided with full instructions on how to access Kali.
• During the exam, the NEXT button will end the exam, but a warning message will appear.

Additional resources to help with your preparation: 

Sample questions 

Examples of questions that help candidates to understand what to expect from the examination environment. You’ll find our sample questions here.

Top tips 

This document offers some useful tips to help prepare for the exam. 

4. Exam content

New areas being covered in the CRT exam are Routing Manipulation and Networks.

This practical exam contains infrastructure that would typically be found in a real-world test of a medium to large-size organisation. Candidates will be expected to demonstrate their capabilities and competence in:

• Assessing network devices such as switches and routers
• Assessing hosts running Windows operating systems
• Assessing hosts running Unix and Linux (both commercial and open source) operating systems
• Assessing locked-down desktop environments.

Assessing IP networks

Candidates will need to demonstrate a good understanding of the technologies in use and their implications, as well as simply being able to run tools and scripts.

For further information on the skills being assessed, consult the exam Syllabus.

The subsections covered in the infrastructure stage are as follows:

Network awareness

Candidates will be required to identify hosts and services on an IP network, to enumerate basic information, and to interact with basic services.

Vulnerability assessment

Candidates will be required to find vulnerabilities that might typically be identified by vulnerability scanners and exploit them to extract related information.

Simple exploitation

Candidates will be required to exploit systems and services in order to obtain key pieces of data, such as emails, passwords, or data from a database.

Desktop lockdown

Candidates will be given access to a restricted desktop environment. They will be required to bypass the restrictions in order to collect specific data.

Routing manipulation

Candidates will be required to understand and interact with IP networks in order to access systems and services that would otherwise be inaccessible.

Web application assessment details

The application assessment consists of multiple simple web applications. The web applications will be based on common web application technologies hosted on Windows and Unix platforms.

Pages have been designed to provide the candidate with a series of generic vulnerabilities to find, assess and exploit.

5. Exam grading

Mark allocation

The exam breakdown consists of 160 marks split between Infrastructure (100 marks) and Applications (60 marks). The detailed breakdown is available on the following table:

Pass mark

Candidates must achieve at least 60% in both Infrastructure and Web Application to achieve a pass. Passing one of the sections but failing the other one will result in a failure overall.

Feedback

Unsuccessful candidates will be informed about their scores in the Infrastructure and Web Application components where they achieved a lower mark than 60%. The scores will not be disclosed for components where they were successful and have achieved 60% or more.

6. Exam booking and logistics

Exam location

The new CRT exam is delivered at a wide number of Pearson VUE centres that meet the technical requirements for this examination. Please visit the Pearson VUE website and follow the on-screen instructions to schedule your examination.

Retake policy

Unsuccessful candidates may retake the CRT exam 8 weeks after the original exam date.

Invigilation 

A test centre administrator/invigilator will be present throughout the examination to answer any procedural questions that candidates may have and assist in troubleshooting. The invigilator will not provide any support or advice related to the exam content.

If an issue does occur, a case will be filed. Every effort will be made to accommodate the continuation of your exam and all cases will be investigated and resolved within 3-5 business days. Pearson VUE should provide you with a case ID number. Please ensure you retain this information as this may be required at a later date.

Communication of results

Examination results will be emailed to the candidate within 5 working days of the examination. Digitally signed certificates, where appropriate, will be emailed to candidates

Special accommodations

Candidates must contact the CREST support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam date until the accommodation request has been processed. Please check CREST Special Accommodations policy for more information

In order to allow candidates to familiarise themselves with the tooling available in the exam environment, a virtual machine is available here. The virtual machine will host a version of Kali Linux that can be used to perform all required tasks within the exam. This machine has a large number of tools installed, including licensed versions of Nessus Professional and BurpSuite Professional.  

The CRT Amazon image is the exact copy of the exam machine but Burp Suite and Nessus do not have licenses. These are fully licensed in the exam environment in Pearson VUE.

Image above shows exam layout.

Additional resources to help with your preparation: 

Sample questions 

Examples of questions that help candidates to understand what to expect from the examination environment.

Available training 

There are a number of CREST Training Providers offering CRT training. Lab Based training is also available. Following the launch of our new CRT exam, CREST Training Providers are in the process of updating their course material.

Top tips 

This document offers some useful tips to help prepare for the exam. 

Below are some official sample questions and answers that will help familiarise you with the exam structure and wording as well as some of the key terms and definitions. 

Example Network Awareness   

• Question (2 Marks)   

Find the box named jaguar and identify what domain it resides in. Provide the NetBIOS domain name.   

• Answer   

The correct answer is “bigcats”.   

Example Vulnerability Assessment   

• Question (2 Marks)  

Identify a valid user on the host named monkey that is also in the /home/kali/Desktop/Candidate/wordlist.txt file.  

• Answer   

The correct answer is “janet”.   

Example Simple Exploitation   

• Question (5 Marks)   

Exploit 10.0.1.27 and provide the trophy value from a file with ‘trophy’ or ‘secret’ in its name.  

• Answer   

The correct answer is “trophy-12345”.   

Example Desktop Lockdown   

• Question (10 Marks)   

Find the ‘zenicarna’ file and provide the trophy value.   

• Answer   

The correct answer is “trophy-54321”.   

Example Routing   

• Question (10 Marks)   

Attempt to access the telnet server on 172.20.31.10 via 172.17.89.254 and obtain the value in the service banner.  

• Answer   

The correct answer is “trophy-98765”.   

Example Web Application   

• Question (10 Marks)   

Zenicarna has deployed a new authentication mechanism to replace the previously unsecured portal. Host: 10.0.1.180 Port: 8080   

Attempt to gain access and provide the trophy value presented upon successful authentication.   

• Answer   

The correct answer is “trophy-11122”.  

Download the sample questions here.

The new CRT exam is available in selected Pearson VUE Test Centres across the globe. You can book your CRT exam now via the Pearson VUE website.

Candidates must hold a valid CREST Practitioner Security Analyst (CPSA) certification to be able to book the CREST Registered Penetration Tester (CRT) exam.

CREST Pearson VUE vouchers

Pearson VUE exam vouchers are available from CREST for companies and individuals who either have an account with CREST or need an alternative payment method. These vouchers will be sent on receipt of a paid invoice. For more information please contact [email protected]

Special accommodations 

Candidates must contact the CREST support team at least 2 weeks before the potential exam date with a formal medical report from a qualified medical practitioner specialising in the particular condition. Candidates should register an account with Pearson VUE but not book an exam date until the accommodation request has been processed. For more information please contact [email protected]

How to cancel, postpone or reschedule 

This is done through your own Pearson VUE registration and exam booking page and must be done at least 24hrs before your exam date. 

The table below summarises key differences between the two exams:

The new syllabus has been updated and restructured adding greater depth to the exam.

The exam duration has been extensively assessed to ensure that the time allocated is appropriate to answer all questions.

Looking for more info on our CRT exam? Check out our handy CRT FAQs page.