I passed the CREST CPSA

I am happy to share that I recently passed the CREST CPSA exam! As I already have the OffSec Certified Professional (OSCP) certification, I was able to use CREST’s Certification Equivalency Recognition Programme to simultaneously obtain the Registered Penetration Tester (CRT) certifictation.


The Exam Link to heading

According to CREST’s website:

The CREST Practitioner Security Analyst (CPSA) is an entry level exam that tests a candidate’s knowledge in assessing operating systems and common network services.

Topics Link to heading

The examination covers a common set of core skills and knowledge. The candidate must demonstrate that they have the knowledge to perform basic infrastructure and web application vulnerability scans using commonly available tools and to interpret the results to locate security vulnerabilities.

Successful CPSA candidates will be able to demonstrate that they are qualified for hands on Pen Test Roles (indicative of 2 years experience) with respect to:

– Soft Skills and Assessment Management – Core Technical Skills – Background Information Gathering and Open Source – Networking Equipment – Microsoft Windows Security Assessment – Unix Security Assessment – Web Testing Methodologies – Web Testing Techniques – Databases

Practical Information Link to heading

The CREST Practitioner Security Analyst exam is a 120-mark, 2 hour long exam that can be taken globally in Pearson VUE centres.

My Experience Link to heading

Preparation Link to heading

The exam syllabus spans a significant number of topics, as seen in the list above. Unfortunately, there is no official, monolithic resource for exam preparation. The CREST website recommends the following books:

  • Network Security Assessment (by O’Reilly, 3rd edition)
  • Hacking Exposed Linux
  • Red Team Field Manual (RTFM) (by Ben Clarke)
  • Nmap Network Scanning: The Official Nmap Project (by Gordon Lyon)
  • Grey Hat Hacking (by Allen Harper, Shon Harris & Jonathan Ness)

There is an additional mention of “supplementary” preparation resources available through third-party providers. Among them is (Hack The Box’s Academy Path for CPSA/CRT Preparation)[https://academy.hackthebox.com/path/preview/crest-cpsacrt-preparation]. While I did not personally pursue this path as such (though I have incedentally completed many of the consistuent modules), my overwhelmingly positive experience with other Hack The Box Academy content leads me to recommend this resource.

In addition to the resources mentioned above, I purchased several unofficial practice tests on Udemy. Despite being incredibly outdated (and fairly low effort/quality), these were moderately helpful in preparation for the exam, as being able to answer the questions (which are similarly difficult to those encountered on the real test) was generally indicative of having sufficient subject-area knowledge to be successful. The format of the questions, as well, mimics some of those that you encounter on exam day. Thus, I maintain that resources are helpful - but you should certainly be prepared to expand your knowledge beyond them.

Exam Impressions Link to heading

As mentioned in the exam details, the only method for sitting this examination is to do so at designated Pearson VUE facilities. Despite living in a major metropolitan area, I was only able to book my exam late on a Friday afternoon at a location approximately an hour away. Needless to say, having to navigate the stress of traffic and attempt to perform at my best in an uncomfortable testing facility made for a fairly unpleasant experience.

Luckily, I didn’t have to endure the experience for too long, as I was able to successfully complete the exam in fairly short order (approximately half of the allotted time). I am grateful that I decided to prepare sufficiently and won’t need an additional attempt at this one.

Unlike my previous cybersecurity exam experiences, this exam was a theoretical knowledge test without a practical component. I was never terribly excited about the idea of taking this exam, but my employer requested that I do so. While I can’t say that I learned anything that has been practically useful (in the immediate sense) within the scope of my professional activites as a penetration tester, the depth of knowledge required by the exam pushed me to expand my knowledge of a variety of fundamental cybersecurity topics.