
CREST Registered Penetration Tester (CRT) Certification: The Ultimate 2026 Guide

If you’re serious about penetration testing, the CREST Registered Penetration Tester (CRT) certification is a powerful way to prove you can deliver real, professional‑grade testing. This ultimate guide breaks down everything you need to know about the CRT certification—from prerequisites and exam structure to fees, a 90‑day study plan, and exam‑day strategy. It’s written for students and early‑career testers who want clear steps, credible resources, and motivational guidance.

Along the way, we’ll link you to the latest official pages so you’re working with current information, including how CRT ties into the UK government’s CHECK scheme and what changed with Pearson VUE delivery.

Let’s get you ready to pass.

What Is the CREST CRT and Why It Matters

The CREST Registered Penetration Tester (CRT) is CREST’s intermediate, hands‑on certification for penetration testers. It validates your ability to assess both infrastructure and web applications in a time‑boxed, realistic environment. The exam is delivered in selected Pearson VUE test centres and runs on a provided, locked‑down Kali Linux virtual machine with professional tools. You can learn more on the official CRT page (syllabus, tools, pass criteria, and FAQs) on CREST’s site:

Why employers value it:

  • It’s mapped to real delivery work—rapid enumeration, vulnerability triage, straightforward exploitation, core web app testing, and evidence capture—under exam constraints that simulate client engagements.

  • It’s recognized internationally and supports public‑sector routes in the UK via NCSC’s CHECK scheme. See: crest-approved.org/membership/ncsc-check/

Actionable takeaway: Bookmark the official CRT page and FAQs now. All your exam‑specific details—policies, tools, pass marks, retakes, and updates—live there and should guide your preparation.

How CRT Fits Into the CREST Pathway

CREST’s penetration testing track typically follows a progression:

  • Practitioner level (foundations)

  • Registered level (intermediate) → CRT

  • Certified level (advanced) → CCT INF/APP

You can see CREST’s pathway and certification descriptions here: crest-approved.org/skills-certifications-careers/crest-certifications/

For UK public‑sector work, the NCSC CHECK scheme aligns CRT to Team Member routes when you also hold the appropriate UK Cyber Security Council (UK CSC) professional title. Team Leads typically require CCT. Details: crest-approved.org/membership/ncsc-check/

Actionable takeaway: Map your career goals to the right certification tier. If you’re targeting CHECK Team Member roles, CRT is the practical milestone to aim for.

Eligibility and Prerequisites

The essential prerequisite for CRT is a valid CPSA (CREST Practitioner Security Analyst) certification. CPSA itself has no strict prerequisites, but it covers foundational knowledge that CRT builds on. CPSA page: crest-approved.org/skills-certifications-careers/crest-practitioner-security-analyst/

Experience guidance: CREST positions CRT for hands‑on practitioners—roughly 3+ years of relevant testing experience is a sensible benchmark to feel comfortable with the exam’s pace and depth (not a hard rule, but a helpful guideline noted by CREST on the CRT page).

Equivalency route (OSCP to CRT): CREST operates an equivalency program that lets candidates with a valid OSCP/OSCP+ plus CPSA apply for CRT by equivalency (with an admin fee). However, the equivalency route is not accepted for UK CHECK Team Member or UK CSC Security Testing professional titles—you must sit and pass the CRT exam itself for those. See: crest-approved.org/skills-certifications-careers/certification-equivalency-recognition-programmes/

Actionable takeaway: If CHECK CTM or UK CSC titles are part of your plan, take the full CRT exam (don’t rely on equivalency). If they aren’t, and you already hold OSCP + CPSA, the equivalency route can save time.

Exam Format, Environment, and Scoring

Here’s what to expect—straight from CREST’s current guidance.

  • Delivery: Selected Pearson VUE test centres, using a locked‑down Kali VM provided at the centre (no internet, no personal devices). See: crest-approved.org/skills-certifications-careers/penetration-testing-examinations/

  • Duration: 2.5 hours + 15 minutes reading time. See: CRT official page.

  • Structure: A mix of “flags,” short answers, and some multiple‑choice. It’s practical and evidence‑driven; copy/paste into the answer sheet is disabled, so you must transcribe carefully. See: CRT official page and CRT FAQs.

  • Tooling: Burp Suite Professional and Nessus Professional are licensed within the exam environment. The practice VM image available publicly has unlicensed tools, so expect some differences in features. See: CRT official page and CRT FAQs.

  • Scoring: 160 marks total split across two sections—Infrastructure (100) and Web Applications (60). You must score at least 60% in each section to pass. See: CRT official page.

  • Results and retakes: Expect results in about 5 working days; you must wait 8 weeks before retaking if you don’t pass. See: CRT official page and CRT FAQs.

Actionable takeaway: Practice with a local/offline setup and simulate “no internet, no copy/paste” conditions. This one tweak improves accuracy and pacing dramatically.

Syllabus Deep‑Dive: What You’ll Be Tested On

CREST publishes a syllabus and “Top Tips” for candidates on the CRT page—read these in full and use them to build your plan. Below is a concise breakdown that aligns with how marks are allocated.

Infrastructure (100 marks)

  • Desktop lockdown and host enumeration

  • Network discovery, service identification, and versioning

  • Vulnerability triage with and without scanners (Nessus is available in the exam)

  • Simple exploitation and privilege basics (Windows/Linux)

  • Routing manipulation/pivoting to reach segmented services

  • Evidence capture and clear, concise reporting of findings

Exam‑day reality: You won’t need novel 0‑days; think “consultancy‑grade” effectiveness—prioritize exploitable findings and clear documentation under time pressure.

Actionable practice: Timebox discovery and triage. For example, give yourself 25 minutes to enumerate a subnet, shortlist likely wins, and queue a targeted scan while manually validating one high‑value service.

Web Applications (60 marks)

  • Core OWASP‑style issues: auth/session management, input validation, injection (SQLi, command injection), file upload and traversal, insecure direct object references, and logic flaws

  • Practical Burp Suite usage under exam constraints

  • Capturing proof of vulnerability and explaining exploit paths succinctly

Actionable practice: Work through targeted modules in PortSwigger’s Web Security Academy with a “no Google” rule for 60–90 minutes at a time. Focus on writing a two‑sentence exploit explanation for each finding—this speeds up answer entry in the exam.

Tip: The CRT page references the web syllabus scope (Appendix G). Use that as your checklist.

Fees, Discounts, and Booking (2025)

  • Fee level: Registered‑level certifications (which include CRT) are listed at £600 per exam on CREST’s pricing page. Certified level is £800; Practitioner (e.g., CPIA) is £275. Check the live table before you pay. See: crest-approved.org/skills-certifications-careers/certifications-pricing-booking/

  • Promotions: CREST periodically runs member promotions (for example, around 30% in past promos). Offers vary—verify current discounts here: crest-approved.org/promotions/

  • Booking: You’ll schedule through CREST to a Pearson VUE test centre; confirm ID requirements and any local policies (arrive early; store electronics). See: Penetration Testing Examinations page.

Actionable takeaway: Check the promotions page before you book—you might reduce your out‑of‑pocket cost significantly.

A 90‑Day Study Plan You Can Stick To

This plan assumes you already hold CPSA (required) and can dedicate 8–12 hours per week. Adjust up or down based on your experience.

Weeks 1–2: Get oriented

  • Read the entire CRT page (syllabus, Top Tips, FAQs). Note pass criteria and retake rules.

  • Build your offline lab: local Kali VM, common services (Windows/Linux targets), web apps to test. Also download CREST’s exam practice Kali image for familiarity (note: unlicensed tools on the public image).

  • Set up one “no internet” practice session to feel the constraint.

Weeks 3–5: Infrastructure focus

  • Drills: nmap/naabu + service fingerprinting; null sessions; SMB, RDP, SSH basics; quick Windows/Linux post‑exploitation enumeration; credential reuse; simple password attacks; and pivoting/routing manipulation.

  • Add tool‑assisted triage: schedule a minimal Nessus scan while manually validating two prioritized services. Practice rapid hypothesis → validate → document.

  • Two 90‑minute mocks per week: one discovery‑heavy, one exploitation‑heavy. Track how long each step actually takes.

Weeks 6–7: Web application focus

  • Burp Suite: master Proxy interception, Repeater workflows, and Intruder strategies you can run without external cheat sheets.

  • Vulnerability reps: SQLi, auth bypass, session fixation, file upload filters, path traversal, SSRF basics. Use appendix items as your checklist.

  • One 120‑minute mock per week: aim to find at least three distinct issues and write concise “what/why/how to fix” notes.

Week 8: Full timed simulations

  • Run two full CRT‑style mocks (2.5 hours each). Enforce: offline only, no copy/paste into your notes, write “answer‑style” entries for flags and short answers. Identify top three friction points.

Week 9: Close gaps

  • Fix the friction: if flag transcription accuracy is a problem, create a simple template for answers; if Burp workflows are clunky, script your shortcuts; if routing is slow, pre‑write iptables/route commands.

  • Revisit CRT “Top Tips” and sample questions on the official page.

Weeks 10–12: Book and polish

  • Book your Pearson VUE slot; confirm ID and travel plans; check promotions before paying.

  • Alternate “Infra‑lean” and “Web‑lean” short mocks to keep both sections fresh.

  • Final week: one light review session (don’t cram), with a focus on accuracy and neat notes.

Actionable takeaway: Keep a “mistake log.” If you mistype flags or forget a step in a pivot, record it and write a tiny checklist item to prevent it happening again.

Tools and Techniques to Master

You’ll use professional tools in the exam environment; practicing their core workflows pays off.

  • Burp Suite Professional: Intercept → map → probe → exploit flows; payload crafting; quick macros; decoder; and exporting clear evidence.

  • Nessus Professional: Targeted scans that support manual validation; avoid “scan and hope”—pair findings with manual checks.

  • Kali core: nmap, ffuf/dirb/dirsearch, gobuster, sqlmap (where appropriate), responder, impacket basics, chisel/sshuttle or similar for pivoting, and familiar Linux utilities (grep, awk, sed, tmux).

Actionable takeaway: Build a minimal “offline help” notes file with command snippets and common parameter combinations. Rehearse using only this file, man pages, and tool help.

Building a Practical Lab Without Breaking the Bank

  • Local VMs: One Kali VM, one Windows Server or Windows client VM, and one Linux server VM are enough to simulate most CRT tasks.

  • Web apps: Deliberately vulnerable apps (DVWA, OWASP Juice Shop), plus custom minimal apps to practice file uploads, auth flows, and traversal.

  • Network segments: Use VirtualBox/VMware host‑only networks to create a pivot scenario (e.g., Kali can reach A; A can route to B; you must pivot to reach B).

  • Third‑party training: HTB Academy’s CPSA/CRT path maps to the syllabus and can accelerate your practice (academy.hackthebox.com/path/preview/crest-cpsacrt-preparation).

Actionable takeaway: Script your lab reset (snapshots or cloud-init). Fast resets mean more reps, which means better exam pacing.
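One way to build the pivot lab described above and script its reset, as an added example that is not part of the original article: it assumes VirtualBox with two existing host‑only interfaces (vboxnet0 and vboxnet1, created with `VBoxManage hostonlyif create`), and the VM names, snapshot name and subnet addresses are placeholders you can override through environment variables. Set DRY_RUN=1 to print the VBoxManage commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the article): three-VM pivot lab on VirtualBox
# host-only networks plus a one-command baseline reset. Names/addresses below
# are assumptions; vboxnet0/vboxnet1 are assumed to exist already.
set -eu

KALI="${KALI:-kali}"        # attacker VM: on NET_A only
HOST_A="${HOST_A:-hostA}"   # dual-homed pivot host: on NET_A and NET_B
HOST_B="${HOST_B:-hostB}"   # segmented target: on NET_B only
NET_A="${NET_A:-vboxnet0}"  # 192.168.56.0/24
NET_B="${NET_B:-vboxnet1}"  # 192.168.57.0/24
SNAP="${SNAP:-crt-baseline}"

vbox() {   # run a VBoxManage command, or just print it when DRY_RUN=1
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "VBoxManage $*"; else VBoxManage "$@"; fi
}

# Host-side addresses for the two segments (the guest addresses live in the VMs).
lab_networks() {
  vbox hostonlyif ipconfig "$NET_A" --ip 192.168.56.1 --netmask 255.255.255.0
  vbox hostonlyif ipconfig "$NET_B" --ip 192.168.57.1 --netmask 255.255.255.0
}

# NIC layout: only hostA gets a NIC on both segments, so Kali can reach A,
# A can route to B, and B is unreachable from Kali without a pivot.
lab_wire() {
  vbox modifyvm "$KALI"   --nic1 hostonly --hostonlyadapter1 "$NET_A"
  vbox modifyvm "$HOST_A" --nic1 hostonly --hostonlyadapter1 "$NET_A" \
                          --nic2 hostonly --hostonlyadapter2 "$NET_B"
  vbox modifyvm "$HOST_B" --nic1 hostonly --hostonlyadapter1 "$NET_B"
}

# Snapshot every VM once it is configured; this is the state a reset returns to.
lab_baseline() {
  for vm in "$KALI" "$HOST_A" "$HOST_B"; do
    vbox snapshot "$vm" take "$SNAP"
  done
}

# Reset: power off, restore the baseline snapshot, start headless.
lab_reset() {
  for vm in "$KALI" "$HOST_A" "$HOST_B"; do
    vbox controlvm "$vm" poweroff || true   # tolerate VMs that are already off
    vbox snapshot "$vm" restore "$SNAP"
    vbox startvm "$vm" --type headless
  done
}

# Number of VBoxManage commands a reset issues (dry-run self-check helper).
lab_reset_count() { ( DRY_RUN=1; lab_reset ) | grep -c '^VBoxManage'; }

case "${1:-}" in
  setup) lab_networks; lab_wire; lab_baseline ;;
  reset) lab_reset ;;
esac
```

Run `./lab.sh setup` once after installing the guests, then `./lab.sh reset` between mocks.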

Exam‑Day Strategy: How to Maximize Marks

  • Use reading time wisely: Scan the tasks and mark anything “quick win.” Plan to collect those first to build a safety buffer.

  • Score‑per‑minute thinking: If a step stalls, set a five‑minute timer and switch tracks rather than sink time. Return later with fresh eyes.

  • Capture evidence early: When you validate a vuln or pop a low‑impact shell, grab proof immediately. Don’t rely on memory under time pressure.

  • Transcribe slowly to type quickly: Since there’s no copy/paste into the answer sheet, slow down for 30 seconds per flag to avoid typos. It’s faster than rechecking everything in a rush.

Actionable takeaway: Create a 4‑line “answer snippet” you reuse for every finding: Issue, Evidence, Impact, Next Step. It speeds up clear, consistent answer entries.

After the Exam: Results, Retakes, and Revalidation

  • Results: Expect them within about five working days (you’ll be notified via CREST). See: CRT official page / FAQs.

  • If you didn’t pass: Reflect with your mistake log and wait 8 weeks before a retake. Keep your muscle memory fresh with one short mock per week. See: CRT official page.

  • Validity and revalidation: CRT is valid for 3 years. If you entered via OSCP + CPSA equivalency, you can revalidate via CPSA + OSCP/OSCP+ again or by re‑taking CRT. If you earned CRT through the exam, re‑take the exam or follow CREST’s current revalidation policy when your expiry approaches. See: CRT FAQs and Equivalency programme.

Actionable takeaway: Set a calendar reminder for 30 months after you pass; plan revalidation early so you can align it with work cycles and budget windows.

Career Outcomes and CHECK Alignment

  • CHECK Team Member: CRT supports CHECK CTM routes when combined with the appropriate UK Cyber Security Council Security Testing professional title at Practitioner level (the UK CSC title and “Competence A” certificate—such as CRT—run together). See: crest-approved.org/membership/ncsc-check/

  • CHECK Team Leader: Typically requires CCT INF/APP and the relevant UK CSC title at higher level (see the same CHECK guidance page).

  • Consultancy and regulated sectors: Even outside CHECK work, CRT signals practical, client‑ready skills—often used as a hiring benchmark for penetration testers, red teamers (junior/intermediate), and security consultants.

Actionable takeaway: If your organization delivers or plans to deliver CHECK testing, position CRT in your professional development plan now—and discuss UK CSC titles with your manager to map your route.

Common Mistakes to Avoid

  • Over‑reliance on internet search: The exam is offline—practice that way.

  • Tool‑only triage: Combine scanner results with manual validation for faster, more accurate marks.

  • Ignoring routing: Pivoting and route manipulation turn “invisible” services into reachable targets—don’t leave these marks on the table.

  • Rushing answer entry: Typos in flags cost easy points; slow is smooth, smooth is fast.

Actionable takeaway: In your mocks, reserve the last 10 minutes for answer review only. Many candidates pick up 5–10% just by catching transcription errors.

Budgeting and Administrative Tips

  • Fees and promotions: Confirm the registered‑level price (listed as £600) and check the live promotions page before paying—member discounts can be substantial. See: crest-approved.org/skills-certifications-careers/certifications-pricing-booking/ and crest-approved.org/promotions/

  • Location and ID: Pearson VUE test centres vary by region; book early if your area fills up. Double‑check acceptable ID documents the week before your exam. See: Penetration Testing Examinations page.

  • Accessibility and accommodations: If you require accommodations, contact CREST and the test centre ahead of time to arrange support in line with policy. See: details via the CRT page and booking process.

Actionable takeaway: Print (or save offline) your booking confirmation and ID requirements. Test centres can be strict—avoid last‑minute surprises.


FAQs

Q1: Is the CRT exam remote or online?

A1: No. CRT is delivered only in selected Pearson VUE test centres on a locked‑down Kali VM provided by the centre. See CREST’s Penetration Testing Examinations page.

Q2: Is the exam open book?

A2: It’s closed book: no internet access and no personal devices. You must work within the provided Kali VM. See the CRT official page and FAQs.

Q3: How long until I get results?

A3: Typically within 5 working days after your exam. See the CRT official page / FAQs.

Q4: How long is the certification valid?

A4: 3 years from the date of passing. See the CRT FAQs.

Q5: Can OSCP replace CRT?

A5: You can earn CRT by equivalency if you hold OSCP/OSCP+ plus CPSA, but that route is not accepted for UK CHECK CTM or UK CSC Security Testing titles. For those, you must pass the CRT exam. See the Equivalency programme page.


Conclusion: You don’t need exotic exploits or months of grinding to pass CRT. You need a focused plan built around the syllabus, realistic offline practice, and sharp time management. Start with the official CRT page and FAQs, build an offline lab that mirrors the exam environment, and follow the 90‑day study plan to develop reliable habits. Whether you’re targeting CHECK Team Member roles or leveling up as a consultant, CRT is a practical, respected milestone that opens doors.