CREST Registered Tester (CRT) Exam Review

Recently I sat the CREST Registered Tester exam and passed.

I had a look on Google and couldn’t actually find anyone who had written a review of this exam. The only ones I could find said they were a review, but then gave a one-liner about how they paid for CRT/OSCP equivalency and didn’t actually take the exam.

This is a review of the exam. The exam consists of two parts: infrastructure (worth 100 marks) and web applications (worth 60 marks). You need at least 60% in each area to pass.

tl;dr

The exam is low quality; don’t take it unless you need it for CHECK purposes in the UK.

Criticisms

There are three main criticisms I have of the exam:
1) Time constraints
2) No internet connectivity
3) Bad questions

Critique 1: Time constraints

The 2 hours 45 minutes is not enough time to do the exam, especially considering there is no internet connectivity, you’re not using your own VM and the lab is slow. I needed time to think of commands and exploits that I couldn’t easily Google in 2 seconds, and some of my tools were not available on the Kali distro either (I did realise after the fact that you can upload your tools to CRESTDrive, but that would still take time, and what if a tool has dependencies? If you miss one dependency, you’re screwed because there’s no internet access!). I am usually fairly quick at exams; I often have at least 20 minutes at the end to check over my answers again. So I was surprised that I actually ran out of time in this exam and couldn’t finish all the questions. I imagine if you’re slower at exams, this will be a serious issue for you.

Critique 2: No internet connectivity

A pentesting exam without internet connectivity is absolutely ridiculous.

Critique 3: Bad questions

Some of the questions were really easy, to the point where you wonder why they are even on the exam. Some of the questions were a bit vague, and I was left confused as to what exactly they wanted. Some of the questions were about things that you wouldn’t even find in the real world anymore; these were the ones that annoyed me the most. There were also a couple of grammatical errors and inconsistencies in the questions, which makes me wonder who did the QA for this exam. To be fair, though, there were challenging questions too, and I couldn’t answer them all.

CRT Study Guide

Similar to OSCP here: just do HackTheBox. Your experience will determine how many machines you should do, but stick to easy and medium machines. There is also a CREST track on HackTheBox which you can work through. I did about 4 machines from the CREST pathway before taking the exam, but I already had a few certs and experience. You should also go through the CREST syllabus and make sure you understand all of the concepts for each item, and the relevant commands.

Exam Tips

Uploading Your Notes to CRESTDrive

CREST recently introduced a secure note-taking share so that you can bring notes into the exam, because there’s no internet connection. It’s not a bad system and it’s easy to use. I just exported all my notes from Gitbook in PDF format and uploaded them to CRESTDrive. You have 100MB to use and I only used 9MB, and I think my notes are quite comprehensive. In hindsight, I would also upload notes from across the internet for the different sections of the syllabus.

Time Management

I would recommend spending 1 minute per mark, so if a question is worth 5 marks, spend 5 minutes on it. If you can’t do it within that timeframe, skip it and come back to it at the end. I think I spent too long on some of the 1 or 2 mark questions. Remember you need 60% in each area of the exam, so don’t spend too long on the infrastructure section and neglect the web application section, or vice versa.

Should I take OSCP or CRT?

OSCP is way better than CRT. In the UK, CRT is useful for CHECK accreditation. If you don’t need CHECK accreditation, then don’t do CRT. It is a much worse exam than OSCP.

Final Thoughts

I do not rate CREST at all and I will not be renewing any CREST certs unless I am forced to by my employer. Maybe their more advanced certs are better? I hope so, but if CPSA and CRT are indicative then it’s not looking good.