CREST (Council of Registered Ethical Security Testers)-
- According to the official website, "CREST is the not-for-profit certification body representing the technical information security industry. CREST provides internationally recognized accreditation for organizations and individuals providing penetration testing, cyber-incident response, and threat intelligence services."
- Working as a security consultant, I have observed that organizations, mainly from the UK, Australia, and Singapore, prefer assessments conducted by a CREST-accredited provider because, they say, such providers are highly professional and technical and meet the requirements to become CREST certified. Without CREST accreditation, these organizations would not let you audit anything.
CREST for Consulting Firms-
As clients increasingly want to be audited only by CREST-accredited organizations, a consulting firm without the accreditation risks being excluded from tenders. On top of that, accreditation gives you international credibility and customer confidence, because it demonstrates an externally verified level of assurance.
If you want your company to be CREST accredited, at least two of your consultants need to hold a CREST certification. After that, you can apply for CREST membership and get listed on the CREST Service Selection Platform, which is where clients look for accredited providers.
CREST for Individual Security Consultant-
If you are a security consultant applying for a job in the UK, Australia, or Singapore, you will frequently see CREST listed as a mandatory requirement. Once a project is complete, the report must be signed off by a CREST-certified consultant, and that consultant's certification number must be provided in the report. If you freelance, CREST is likewise beneficial in winning projects.
Now, how do you get the certification?
- If you or your organization perform penetration tests, the most widely used certification is CREST Registered Penetration Tester (CRT). To earn it, you must pass both the multiple-choice theory test and the practical hands-on exam.
- The CREST Registered Penetration Tester examination costs £395 + VAT.
My Tips & Tricks to get certified-
- If you have passed OSCP or EC-Council ECSA within the last three years, CREST's equivalence program exempts you from the practical exam. In this case, you only need to pass the CPSA exam to receive your CRT certification.
- Under the same equivalence program, you can also receive the certification before sitting the CPSA: from the date you apply and pay the certification fee, you are issued a certificate that expires after three months. If you pass the CPSA within those three months, CREST renews it as a full certification.
How to Prepare for the Exam?
- There is no official course, so you have to self-study against the published syllabus: https://www.crest-approved.org/wp-content/uploads/crest-crt-cpsa-technical-syllabus-2.3.pdf.
- The exam contains many questions that ask you to expand acronyms and recall well-known port numbers, so you must memorize them. A useful trick is to go through the flash cards at https://quizlet.com/gb/393672211/crest-cpsa-flash-cards/ and test yourself repeatedly.
- Read the book "Network Security Assessment", 3rd edition, cover to cover; I found it very helpful while preparing for the exam.