What is CREST Certification? | Cobalt

Written by Cobalt | Feb 18, 2026 4:05:06 PM

The Council of Registered Ethical Security Testers (CREST), an international nonprofit organization representing the global cybersecurity industry, offers certification for security professionals.

CREST certification requires candidates to meet stringent requirements, making it an industry-leading gold standard for cybersecurity professionals and companies providing or seeking security services. This framework is widely adopted for government and financial security engagements across the UK, Australia, and the Asia-Pacific region.

  • CISSP: US DoD 8570/8140 (IAM/IAT Level III), many federal contractor roles
  • CREST CRT/CCT: UK CHECK scheme (government pentesting), UK CBEST (Bank of England), Singapore MAS requirements
  • OSCP: None - industry preference only

Here’s a brief guide to CREST requirements, the differences between individual and company certification, the benefits of membership for cybersecurity professionals, and the benefits for brands seeking penetration testing (pentesting) services.

CREST Requirements

| ASPECT | CRT | OSCP | CISSP |
|---|---|---|---|
| Format | Written + some practical | Fully hands-on practical | Multiple choice only |
| Focus | Broad security knowledge | Exploitation skills | Security management |
| Domains | Infrastructure + Web (theory-heavy) | Network pentesting (exploit machines) | 8 security domains |
| Pass Criteria | ~60% on written questions | 70 points from exploiting machines | 700/1000 scaled score |
| Duration | ~4 hours | 24 hours | 3-6 hours |
| Proctoring | In-person (Pearson VUE) | Remote | In-person (Pearson VUE) |

CREST offers certification in several major security specializations, including pentesting, threat intelligence, and incident response, with a variety of certificates available in each category. The CRT exam is approximately 4 hours and combines written questions with practical tasks, covering both infrastructure and web application security. For instance, available pentesting certifications include:

  • CREST Practitioner Security Analyst (CPSA)
  • CREST Registered Penetration Tester (CRT)
  • CREST Certified Tester - Infrastructure (CCT INF)
  • CREST Certified Tester - Application (CCT APP)
  • CREST Certified Red Team Specialist (CCRTS) (formerly CCSAS)
  • CREST Certified Red Team Manager (CCRTM) (formerly CCSAM)

Exact requirements vary for each certification and differ by skill level. Three skill levels are available, with differing experience recommended for each, though not required:

  • CREST Practitioner is an entry-level certification, geared toward candidates with the equivalent of at least 2,500 hours (two years) of experience.
  • CREST Registered is a mid-tier certification for committed information security testers with at least 6,000 hours (three years) of experience.
  • CREST Certified is the highest level of certification, intended as a benchmark for senior security professionals with at least 10,000 hours (five to six years) of experience.

Passing a higher-level exam, such as CPSA certification, is required to take the CRT. Other pentesting certifications do not have prerequisites.

The CRT exam combines written assessment (multiple choice and short answer) with practical demonstration, totaling approximately 4 hours. The CCT exams are primarily practical, requiring candidates to exploit real target systems over approximately 6 hours.

Each certification covers distinct content. For example, the CPSA includes 120 total marks covering:

  • Soft Skills and Assessment Management
  • Core Technical Skills
  • Background Information Gathering and Open Source
  • Networking Equipment
  • Microsoft Windows Security Assessment
  • Unix Security Assessment
  • Web Testing Methodologies
  • Web Testing Techniques
  • Databases

In contrast, the CRT includes 100 marks covering infrastructure topics, such as desktop lockdown and networks, and 60 marks covering web applications.

The minimum passing score for pentesting exams ranges from 60% to 66%. Exams last from two hours for the CPSA exam to six hours for the CCRTS exam. Tests must be taken on-site at selected Pearson VUE Test Centres.

CREST provides a variety of resources to help candidates prepare for tests. These include:

  • Syllabi specific to each test, breaking down the content to be covered
  • Sample questions
  • Test-specific training tips
  • A Kali Virtual Machine to familiarize candidates with the testing environment and tools
  • Training and lab practice opportunities delivered through a network of partners

Some tests allow candidates to upload files via the CRESTDrive uploading platform. Others are closed-book.

CREST pentesting certifications are valid for three years after their test date. In the case of the CCRTS exam, each part is valid for 12 months. After the expiry date, to maintain certification, candidates must retake the test or an equivalent exam and must put in the required professional experience hours.

CREST certificate holders must sign and adhere to a code of conduct. The code stipulates requirements such as adherence to good practices, professional representation of the CREST brand, proper handling of CREST assignments, and compliance with applicable regulations. Failure to abide by the code of conduct can result in revocation of CREST certification, banning of future exam eligibility, notification of third parties, and legal action.

Certification fees currently range from 275 GBP (about $368 USD in January 2026) for the Practitioner level to 800 GBP (about $1,072 USD) for the Certified level.

CREST Accredited Company: Individual Certification vs. Company Accreditation

CREST offers both certification for individuals and accreditation for companies. To receive CREST accreditation, companies must have staff with CREST certification and meet additional requirements.

CREST offers a three-step pathway to accreditation. Each stage has its own requirements:

  • Stage One: Pathway: Serves as a baseline for organizations in the early stages of cybersecurity maturity and provides initial entry into CREST’s register of providers with Pathway status, representing an agreement to work toward meeting CREST accreditation standards. Pathway organizations must advance to Stage Two within two years.
  • Stage Two: Pathway+: Builds on the Pathway stage by undergoing a self-assessment against CREST standards and at least one other cybersecurity standard. CREST assists Pathway+ organizations by providing a development tool for self-assessment and a mechanism to prepare for Stage Three.
  • Stage Three: CREST Member: Completes the accreditation pathway by meeting independent reviews of company processes, service methodologies, and data security practices. Members must subscribe to at least one of the global regions CREST designates.

CREST offers accreditation for the following cybersecurity services:

  • Penetration Testing
  • Vulnerability Assessment
  • Intelligence Led Penetration Testing (Security Trust Assurance and Risk STAR framework)
  • Threat Intelligence for Simulated Attack (STAR)
  • Incident Response
  • Security Operations Centers

The first two stages require an annual fee, while Stage Three requires fees for application and joining, as well as annual membership subscription fees. Application fees are 1,200 GBP ($1,500 USD) for most certifications. Joining fees vary by organizational size, from 1,500 GBP ($1,850 USD) for organizations with annual revenue under a million GBP to 25,000 GBP ($30,500 USD) for those earning 50 million GBP and up. Annual fees range from 7,500 GBP ($9,250 USD) for regional fees to 26,500 GBP ($32,250 USD) for global fees. Some specific accreditations require additional annual fees.

Benefits of CREST Membership

CREST membership offers benefits for both individuals and organizations. For individuals, CREST certification provides:

  • Promotion of a career pathway through structured training and partnership with cybersecurity providers
  • Industry-leading certification recognized by businesses, regulators, and governments
  • Cybersecurity industry networking and employment opportunities

For organizations, CREST accreditation offers:

  • Ability to demonstrate independent quality assurance to customers
  • Support for business growth through listing in the CREST database
  • Development resources such as guides, self-assessment tools, and mentoring
  • Access to the CREST community
  • Input into CREST global standards
  • Discount opportunities

For accredited businesses with CREST-certified workers, both the organization and individuals enjoy membership benefits.

Why Choose a CREST-accredited Penetration Testing Provider?

CREST accreditation also benefits organizations seeking cybersecurity services. Working with a CREST-accredited security consultant or provider offers organizations:

  • Quality assurance backed by rigorous testing
  • Demonstrated expertise in security procedures, compliance, and professional practices
  • Buying confidence based on transparent standards
  • Access to the CREST network of specialized cybersecurity experts with proven skills matching organizational needs

These benefits help account for the growing importance of CREST as a standard for cybersecurity customers, providers, and specialists.

Read More about Cybersecurity Certifications in the Cobalt Learning Center

CREST represents one of a growing number of cybersecurity certifications and accreditations that play an increasingly important role in today’s security landscape. Some offer more specialized testing than CREST, while CREST provides opportunities to test advanced technical knowledge as well as hands-on skills for certain certifications. Which certification or accreditation is appropriate for you or your organization depends on your needs. Learn more about other security certifications and their requirements, benefits, and other security topics by visiting the Cobalt Offensive Security Learning Center.