CREST pen testing certifications

JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,253
Does anyone have any experience with the CREST (Council of Registered Ethical Security Testers) pen testing certs? Are they certs specific to courses offered by a training provider, or are they aimed at being vendor-neutral, industry-neutral in scope? I'm looking to discover if CREST is more like the (ISC)2 or the EC-Council in their approach.


  • SephStorm Member Posts: 1,732
    It looks like there are a few threads on Here's one that may help.

    The Ethical Hacker Network - CREST Information

    From that thread:

    "There is indeed no "official" reading or training for the CREST certification. I know a few people who have performed the CCT level certifications and they have confirmed that as long as you know the information on the syllabus and have a few years' experience pen testing you should be ok. It certainly IS NOT an easy certification and is very far from CEH level."
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,253
    It appears to be a UK-based organization and not well-known in the USA.
  • murk Registered Users Posts: 2
    JDMurray wrote:
    It appears to be a UK-based organization and not well-known in the USA.

    Yes, this is exactly the case.
  • z3mms Member Posts: 8
    I've gone through CREST CCT (Infrastructure) and passed it last year. Definitely NOT an easy exam. I even thought I'd failed it when I handed out the exam USB sticks by the end of the day. CREST was born in the UK but it has now expanded to Australia. The founding members of CREST are trying hard to internationalize the program and I won't be surprised if it becomes big in a couple of years' time.

    The exam consists of both theory and hands-on, thus putting it on a different level than CEH, as the CEH exam is purely multiple-choice. It's also not comparable to ISC2 as it is a pentesting qualification more than it is a general infosec one. I would say CREST is more comparable to OSCP, where the practical exam involves cracking multiple platforms of servers, workstations, and routers and switches, based on a set of questions. The main thing about CREST is that certifications expire after 3 years and there is no way to maintain the qualification without having to retake the exam.

    CREST also has different flavours in their certifications. The CCT (CREST Certified Tester) has either 'Infrastructure' or 'Application'. Exam takers can choose which they prefer. Then they also have an entry-level certification called the CRT (CREST Registered Tester), which also has both theory and hands-on requirements, except that it's probably not as hard as the CCT and all are multiple-choice, including the hands-on element of the exam.
  • Chivalry1 Member Posts: 569
    Interesting....I have never heard of this certification organization CREST until yesterday. Seems to be popular in the UK.
    "The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915)
  • retrokind Member Posts: 15
    Anyone planning on any exams with CREST or taken any?
  • chopsticks Member Posts: 389
    I also have not heard of it before, but thanks for sharing.