CREST pen testing certifications

Does anyone have any experience with the CREST (Council of Registered Ethical Security Testers) pen testing certs? Are they certs specific to courses offered by a training provider, or are they aimed at being vendor-neutral, industry-neutral in scope? I'm looking to discover if CREST is more like the (ISC)2 or the EC-Council in their approach.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

SephStorm

It looks like there are a few threads on EH.net. Heres one that may help.

The Ethical Hacker Network - CREST Information

From that thread:

"There is indeed no "official" reading or training for the CREST certification. I know a few people whom have performed the CCT level certifications and they have confirmed that as long as you know the information on the syllabus and have a few years experience pen testng you should be ok. It certainly IS NOT an easy certification and is very far from CEH level."

JDMurray

It appears to be a UK-based organization and not well-known in the USA.

murk

JDMurray wrote: »

It appears to be a UK-based organization and not well-known in the USA.

Yes, this is exactly the case.

z3mms

I've gone through CREST CCT (Infrastructure) and passed it last year. Definitely NOT an easy exam. I even thought I've failed it when I handed out the exam USB sticks by the end of the day. CREST is born in the UK but now it has expanded to Australia. The founding members of CREST are trying hard to internationalize the program and I won't be surprised if it becomes big in a couple of years time.

The exam consists of both theory and hands-on, thus putting it on a different level than CEH, as CEH exam is purely multiple-choice. It's also not comparable to ISC2 as it is a pentesting qualification more than it is a general infosec one. I would say CREST is more comparable to OSCP, where the practical exam involves cracking multiple platforms of servers, workstations, and routers and switches, based on a set of questions. The main thing about CREST is that certifications expire after 3 years and there is no way to maintain the qualification without having to retake the exam.

CREST also has different flavours in their certifications. The CCT (CREST Certified Tester) has either 'Infrastructure' or 'Application'. Exam takers can choose which they prefer. Then they also have an entry-level certification called the CRT (CREST Registered Tester), also have both theory and hands-on requirement, except that it's probably not as hard as the CCT and all are multiple-choice, including the hands-on element of the exam.

Chivalry1

Interesting....I have never heard of this certification organization CREST until yesterday. Seems to be popular in the UK.

retrokind

Anyone planning on any exams with crest or taken any?

chopsticks

I also have not heard of it before, but thanks for sharing.