In May 2022, I took the CREST Practitioner Security Analyst exam. This is a multiple choice theory test, which is a prerequisite to become a CREST Registered Penetration Tester (CRT); the basic idea is to do a theory test and a practical test, similar to getting a driving licence.
There are various organisations offering training courses. However, I used self-study, and this was a tricky exam to prepare for. With most vocational exams, there are study guides and/or Udemy courses available, but that’s not the case here. CREST publish a general reading list, but those books don’t cover everything you need and some of the content is beyond the scope of the exam. This seems to be deliberate, based on the examination FAQs:
“Unlike some areas of academia, CREST exams are usually vocational; they are not designed to be achievable by a candidate whose sole focus is passing them through isolated study. They are designed to measure an individual’s capability to operate within the industry and identify those who can demonstrate the skills required.”
I’m bound by the NDA (like all exams I take), but I’ll try to offer some advice here to help people prepare and judge when they’re ready to take the exam. Each exam attempt costs £275 (+VAT), so it would be a shame to waste your first attempt just to get an idea of what’s involved.
In brief, it took me about 2 weeks to prepare for this exam (in the evenings after work), but that was building on various other exams, training courses, and work experience. It’s described as “entry level”, but I’d say that this is a bit more difficult than PenTest+ (which in turn was more difficult than Security+). Conversely, I found this a lot easier than the OSCP.
The CPSA web page has links to 2 documents:
- Technical syllabus
- Notes for candidates
They both get updated every so often (and then renamed with the new version number), so I’m not linking to them directly here. When I prepared for my exam, the syllabus was on version 2.4 (released in Oct 2021). However, the only change from version 2.3 (released in Oct 2020) was that they fixed a typo; basically, everything in the CPSA exam is “MC” (multiple choice) while everything in the CRT exam is either “P” (practical) or “N/A”.
Make sure that you read the syllabus carefully, because this is the most accurate guide about what you need to know for the exam.
A few weeks before my exam, CREST announced a partnership with Hack The Box:
HTB News | Hack The Box Teams Up with CREST for Cybersecurity Skills Development
“The labs will have content similar to that assessed in CREST exams but not the same and will be provided in HTB’s unrivaled gamified and fully intuitive platform. This means that using Hack The Box will help indicate if someone is at the right level to take and pass the exam but will not assess everything in the exam.”
I think that’s an excellent idea, but it wasn’t available when I was preparing for my exam. In Jan 2023, both organisations issued an update:
Practice labs for CREST exam candidates – CREST (crest-approved.org)
HTB News | Crest and Hack The Box launch Crest certification-aligned penetration testing training labs
Basically, HackTheBox Academy now has a skill path for CREST CPSA/CRT Preparation. This path contains 39 modules, and 35 of them overlap with the Bug Bounty Hunter and/or Penetration Tester job role paths. I’m currently working through all 3 of those paths in parallel.
The CREST skill path costs 2480 cubes, with a reward of 600 cubes. (You earn cubes by completing modules.) That’s a net cost of 1880 cubes.
Adding up the unique modules for all 3 paths, the total cost is 2750 cubes, with a reward of 670 cubes. That’s a net cost of 2080 cubes.
There are different ways to get cubes: basically, you either buy them directly (similar to transferring money from one currency to another), or you can take a monthly/annual subscription. I think the most cost-effective method is to do a Platinum monthly subscription for a couple of months: that costs £53 (+VAT) per month, and gives you 1000 cubes each month.
NB If you’re a student, you can pay £6/month to get access to all the modules in tiers 0-2 (which includes everything in these paths). That’s a really good deal for anyone who’s eligible!
The CREST website lists 5 companies (CREST approved training providers) who run courses for this exam:
- Cyberskills Training Ltd (5 days, price on application)
- ICSI Ltd (40 hours of material, £750 for 1 year of access, not including the exam voucher)
- PGI Cyber Academy (4 days, price on application)
- QA (5 days, from £3560+VAT, including the exam voucher)
- Telefónica Cybersecurity & Cloud Tech SL (nothing on their own website)
The CREST website also shows which areas of the syllabus are approved for each course, and it’s interesting to note that none of the training companies cover the entire syllabus.
| Syllabus areas | Provider 1 | Provider 2 | Provider 3 | Provider 4 | Provider 5 |
|---|---|---|---|---|---|
| B1, B2, B4, B5 | Y | Y | N | Y | Y |
| B12, B13, B14 | Y | N | N | Y | Y |
| D1, D2, D3 | Y | Y | Y | Y | Y |
| D4, D5, D6, D7 | Y | N | Y | Y | Y |
| E1, E2, E3, E4, E5 | Y | Y | Y | Y | Y |
| E6, E7, E8, E9 | Y | N | Y | Y | Y |
| F1, F2, F3, F4, F5 | Y | Y | Y | Y | Y |
| F6, F7, F8 | Y | Y | N | Y | Y |
| G6, G7, G8, G9 | N | N | N | N | N |
| H11, H12, H13 | Y | N | Y | Y | Y |
| I1, I2, I3, I6 | N | N | N | N | N |
| J1, J2, J3 | Y | Y | Y | Y | Y |
NB The syllabus has some gaps in the number sequence: B3, B7, H7, I4, and I5 don’t exist, so that’s why they’re not listed in the table above. By contrast, A3 does exist but none of the courses cover it.
More generally, these areas aren’t covered by any of the courses:
- A3 (Scoping)
- G6 (Web Programming Languages)
- G7 (Web Application Servers)
- G8 (Web APIs)
- G9 (Web Sub-Components)
- H1 (Web Application Reconnaissance)
- H2 (Threat Modelling and Attack Vectors)
- I1 (Web Site Structure Discovery)
- I2 (Cross Site Scripting Attacks)
- I3 (SQL Injection)
- I6 (Parameter Manipulation)
(As a side note, the Cyberskills and ICSI websites claim that they cover additional areas, but my table is based on the CREST website, which should be the more authoritative source.)
That’s probably why the QA website says:
“The CPSA examination also includes an intermediate level of web application security testing and methods to identify common web application security vulnerabilities.”
I.e. you need to get to that intermediate level on your own, separately from this course. I recommend TryHackMe (£8/month) and HackTheBox Academy (see above) as a good place to start, especially if you’re on a tight budget. I’ve also been doing the PEN-100 and PEN-200 training via OffSec.
I noticed that the QA website recommended CISMP as a prerequisite. So, I took that exam a couple of months earlier, but I don’t think it was particularly relevant.
Looking at the Cyberskills website, it says “97.7% Certification Success in First Attempt”. I don’t know what the pass rate is like for the other courses.
The CPSA web page currently has this list:
- Network Security Assessment (by O’Reilly, 2nd edition)
- Hacking Exposed Linux
- Red Team Field Manual (RTFM) (by Ben Clarke)
- Nmap Network Scanning: The Official Nmap Project (by Gordon Lyon)
- Guide to Network Discovery and Security Scanning
- Grey Hat Hacking (by Allen Harper, Shon Harris & Jonathan Ness)
(The same reading list also applies to the CRT exam.)
NB I initially interpreted that as 6 books, but it’s actually 5; the full title of the Nmap book is “Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning”. Also, the correct title for the final book is “Gray Hat Hacking” (i.e. “Gray” with an “a” rather than “Grey” with an “e”).
Prior to the exam, I read the first 7 chapters of “Network Security Assessment” (3rd edition rather than 2nd edition) and the first 2 chapters of “Gray Hat Hacking” (6th edition). I also skimmed through the RTFM book, but I view that as more of a reference guide; it would be useful in an open book exam, but I’m not going to memorise all of it for a closed book exam.
For Nmap, I’ve read most of the documentation on the website (roughly half of the book), but I haven’t read the book itself. I haven’t looked at the “Hacking Exposed Linux” book at all, but the Amazon reviews suggest that the 2nd edition (from 2002) is more relevant than the 3rd edition (from 2008).
The key point here is that none of these books were specifically written with the CREST syllabus in mind. The CREST website simply says that they have been “cited as helpful preparation for this examination by previous candidates”. So, you need to compare these against the syllabus. Also, bear in mind that the CPSA was originally an open book exam, so that might be why some people recommended the RTFM book.
For instance, chapter 2 of “Gray Hat Hacking” and chapter 3 of “Network Security Assessment” both go into detail about assembly language, including the contents of registers. However, the CPSA syllabus doesn’t mention this at all. This information will be useful if you’re coding a buffer overflow attack (e.g. for the OSED), but you don’t need to know it for this exam, so you could skip those chapters and come back to them later.
Conversely, chapter 5 of “Network Security Assessment” says that 802.11 WiFi is “beyond the scope of this book”. However, this is included in the CPSA syllabus (areas B2, B12, and D6), so you need to learn about it. In my case, the OSWP course gave me more than enough preparation to cover those areas.
Similarly, none of the books listed above cover appendix A of the syllabus. In particular, area A2 is “Law & Compliance”, which mentions the following UK legislation:
- Computer Misuse Act 1990
- Human Rights Act 1998
- Data Protection Act 1998
- Police and Justice Act 2006
So, you’ll need to read up on them separately. I’m not a lawyer, and I’m emphatically not qualified to offer legal advice. However, I found that these 2 blog posts gave a useful summary:
- Elusive Thoughts: Pentesting Laws In UK (securityhorror.blogspot.com)
- rewt dance: Relevant Penetration Testing Legislation in the UK
In particular, the Police and Justice Act 2006 made some changes to the Computer Misuse Act 1990.
Area A2 of the syllabus also mentions “Awareness of sector-specific regulatory issues”, so I recommend reading up on PCI-DSS, in case you ever do a penetration test for a company that stores payment card data.
When I arrived at the test centre, I had to store my personal belongings in a locker (except for my ID) and show that I didn’t have anything in my pockets etc. That’s all fairly standard. They also needed to take a photo of my face; pre-pandemic, that wouldn’t have been an issue, but it meant that I had to remove my mask for a few seconds (and show them the inside of the mask to prove that there was nothing hidden inside).
NB There was no requirement to wear a mask at all, and most people didn’t.
I’m aware that some people have strong feelings for and against masks, and I don’t want to debate that here. I’m just mentioning this topic so that people can make an informed choice. (This wouldn’t be an issue if I did the exam via online proctoring, but the CPSA has to be done at a test centre.)
I mentioned the NDA above, and you have to agree to this before you can start the exam. The invigilators told me that I’d have 10 minutes to do this, which seemed like plenty of time. However, you also have to agree to the code of conduct, which is quite long. I didn’t see a timer on the screen for this, but I was worried that I’d run out of time.
NB This is similar to the codes of conduct on the CREST website, but not identical. One interesting point is that I agreed not to publish any article that is defamatory towards CREST; if I break that rule, I could lose all existing CREST certifications and be banned from re-taking their exams for 5 years.
The exam lasts for 120 minutes and it has 120 questions, i.e. that’s an average of 1 minute per question. In my case, it took me 60 minutes for my first pass and another 20 minutes to review my answers, so I still had 40 minutes left over.
Broadly, there are 3 types of questions in the exam:
- Memory tests, where you hopefully know the answer without the multiple choices. (E.g. “Which city is the capital of England?”)
- Evaluation, where you need to compare all the choices. (E.g. “Which of these cities is in England?”)
  - NB These questions might have options like “All of them” or “None of them”, so it’s not quite as simple as eliminating possibilities.
- Analysis, where you need to look very carefully at the question and the choices. (E.g. “If a train leaves London at 1pm, travelling at 40 miles per hour, what time will it arrive in Penzance?”)
  - NB You might need to write on the scratch pad to help you work out the answer. You will need to know extra information which isn’t stated explicitly in the question (e.g. the distance from London to Penzance). Also, make sure you double-check the units (e.g. “miles per hour” vs “meters per second”).
Just to state the obvious, I’ve substituted geography questions for the real exam content; this should give you an idea of the style without breaking confidentiality.
The first type (memory test) was straightforward, so I whizzed through them pretty quickly. Basically, you either know the answer or you don’t. There are 3 key areas to know about:
- HTTP response codes (as per area G4 in the technical syllabus). These are all listed in RFC7231.
- Port numbers.
- Acronyms.
For acronyms, think of physical windows (not the operating system). The frames are typically made out of either timber or uPVC. uPVC is short for “unplasticised polyvinyl chloride”; you don’t really need to know that in order to tell them apart, but you’d probably pick it up if you were working in the industry.
For port numbers, you need to know about specific applications, not just common protocols. For instance, HTTPS normally uses port 443, but if you connect to Dell OpenManage Server Administrator (OMSA) then it uses port 1311 by default. I’ve chosen that example because it wasn’t in my exam, but it demonstrates how you’d benefit from practical experience.
Looking at the evaluation questions, you need to know the inherent strengths/weaknesses of different protocols. For instance, compare Telnet and SSH. Which is more secure, and why? You should also be comfortable with subnetting and the 7 layer OSI model; if you’ve passed Network+ then you’ll be fine with this.
The analysis questions are intended to reflect real-world scenarios, and they could refer to anything in the syllabus. This raises the question of how much detail you need to go into during your studying. For instance, area B11 (Cryptography) mentions the RSA encryption algorithm. Quoting from chapter 7 of “Network Security Assessment” (p170), it says:
An RSA public key consists of two integers: an exponent e, and modulus n. The modulus is the product of two chosen prime numbers (p and q). The private key is the decryption exponent d, as follows:
d = e⁻¹ mod (p − 1)(q − 1)
That’s interesting from an academic point of view, but I don’t think you’d ever use this formula during a penetration test. During my MSc, one of my textbooks was Applied Cryptography (by Bruce Schneier), which goes into even more detail, describing Euclid’s algorithm and the Chinese Remainder Theorem; again, it’s interesting, but more than you need for the CPSA.
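As an added worked example (my own code, not taken from the book or from CREST material), here is the formula quoted above carried through with deliberately tiny constructed primes; `mod_inverse` uses Euclid’s extended algorithm, which is the part Schneier spends pages on:

```python
# Added example, not from the original post: the RSA private exponent
# d = e^-1 mod (p-1)(q-1) computed with the extended Euclidean algorithm.
# The primes below are constructed toy values so every step is checkable
# by hand; real keys use primes of 1024 bits or more.

def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = extended_gcd(b, a % b)
    # Back-substitute: gcd(b, a mod b) = b*x1 + (a mod b)*y1,
    # and a mod b = a - (a // b) * b.
    return g, y1, x1 - (a // b) * y1

def mod_inverse(e, phi):
    """Return d with (e * d) % phi == 1, or raise if e and phi share a factor."""
    g, x, _ = extended_gcd(e, phi)
    if g != 1:
        raise ValueError(f"e={e} is not invertible mod {phi}; choose another e")
    return x % phi          # same value as Python 3.8+ pow(e, -1, phi)

def rsa_keypair(p, q, e):
    """Build a toy RSA key pair: public (e, n) and private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)     # the (p - 1)(q - 1) term from the quoted formula
    d = mod_inverse(e, phi)     # d = e^-1 mod (p - 1)(q - 1)
    return (e, n), d

def rsa_apply(exponent, n, m):
    """m^exponent mod n; the same operation encrypts with e and decrypts with d."""
    return pow(m, exponent, n)

if __name__ == "__main__":
    public, d = rsa_keypair(p=61, q=53, e=17)   # constructed toy parameters
    e, n = public
    message = 65
    ciphertext = rsa_apply(e, n, message)
    recovered = rsa_apply(d, n, ciphertext)
    print(f"n={n} e={e} d={d} ciphertext={ciphertext} recovered={recovered}")
```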
On the other hand, if I was doing a penetration test and I found a list of password hashes, the first thing I’d do is look at the length of each hash to figure out which algorithm was used to generate it. So, it’s useful to know that SHA-256 produces a 256 bit hash value, etc. I think that the PEN-100 course (from OffSec) goes into about the right amount of detail for this.
As per the CREST FAQs:
“Candidates will be expected to be aware of technologies and operating systems which are in use in the industry, regardless of age.”
In practical terms, that means that you’ll have an advantage if you’ve been working in IT for a while. As an analogy, suppose that the exam asked “In what year did the Spice Girls release their first single?” If you remember listening to that song during your A levels, this will help you to pin down the answer. Similarly, if you remember that you dealt with vulnerability X while you were working for employer Y, this might help you to figure out which software versions were in use at the time.
After the main exam was over, I did a short survey. In other exams, this has been anonymous, asking questions like “How long did it take you to prepare for this?” or “Who paid for this exam, you or your employer?” In this case, I had to submit my name, email address, and the date/title of the exam, then they asked for my opinion on the exam experience.
NB Although I had plenty of time for the main exam, I finished the survey with 30 seconds left on the timer! The survey is free text rather than multiple choice, so it takes longer to answer each question.
I didn’t see my results displayed on screen, but a member of staff gave me a print-out when I returned my locker key. This included my overall score, and my score in 10 different subject areas (corresponding to the 10 appendices in the syllabus). I then received an email from CREST the following week (3 working days later), which included pdf versions of my certificate and a covering letter. As far as I can tell, CREST don’t issue digital badges (e.g. via Credly), but the pdf contains a digital signature.
Here are a few blog posts etc. that I found useful while I was preparing for the exam, in no particular order:
- CREST CPSA Exam : AskNetsec (reddit.com)
- CREST Practitioner Security Analyst (CPSA) Exam – Study Guide | LinkedIn
- Taking the CPSA (Crest Practitioner Security Analyst) Exam (rothe.uk)
- Studying for and taking the CREST CPSA Exam – Necurity
- CREST CPSA Review (limbenjamin.com)
- How to get CREST certification | by Nitesh Shilpkar | Medium
- Review: CREST Practitioner Security Analyst (CPSA) & CREST Registered Tester (CRT) – Amin Bohio
- Thoughts on the CREST CPSA | Alex Lomas