Learn about the journey to CREST certification directly from our offensive security consultants. CREST certification is an accreditation that establishes professional standards for penetration testing. 
This Q&A between NetSPI EMEA Services Director Sam Kirkman and Senior Security Consultant Tyler Sullivan takes you through the process to achieve the CREST Certified Tester (CCT) qualification and how it enables NetSPI to better serve clients across the globe. 


Tyler, why don’t you start off with a bit of an intro about yourself?

“I first got into cybersecurity while I was at university doing computer science and found it to be really interesting and had a real passion for it. So, I did my dissertation on cybersecurity. And after university, I was lucky enough to land a graduate job as a consultant. And this was sort of where my journey really began. I did a lot of web application testing and a lot of infrastructure testing, but particularly enjoyed web testing […] And so that led me down the route of getting some qualifications in web security. And I went for and have achieved the CREST certification.” 

Why is it important to achieve CREST certification?

In the UK in particular, CREST is a respected and well-known organisation. They accredit a lot of companies and certify a lot of individuals, so it’s a logical path for penetration testers to go down. Traditionally, individuals start out with the CREST Practitioner Security Examination Analyst (CPSA) examination.  

For a security consultant just starting out, it’s useful to have that first goal of passing the CPSA examination. When consultants start learning more about cybersecurity, then they can do the CREST Registered Tester (CRT) exam.

“What really drove me towards those exams initially was that it made sense logically and had a progression. But also, they’re well respected and challenging exams. If it’s difficult to get [these certifications], they’re going to come with a lot of respect and really showcase your web skills.” 

What is the journey like to pass the CPSA exam? Is it challenging right from the start?

When you’re working toward CPSA, it can seem a bit daunting as your first qualification in the industry. At first, there are a lot of simple fundamentals to learn but at the same time, it can be challenging as a new professional in the industry. The timeline between the exams is well laid out, which makes it manageable.  

The CPSA is helpful because it teaches the necessary fundamentals, while the CRT is a little bit of everything and covers a lot more about web infrastructure. When preparing for these exams, you should be at least a mid-level tester.

When you get to the specific specialties, either application testing (CCT App) or infrastructure testing (CCT Inf), that’s when you put your head down and focus. The final section is broken into two additional parts. First, there is a multiple-choice paper, which is similar to the CPSA but much harder and covers a lot more information. Then you come to the practical exam, where you have an assault course and a scenario, which lasts about a day.

“I found the exam really tough, but really rewarding […] By the end of it, your brain is fried, because it’s just a really tough exam. But yeah, I passed in February last year and it’s probably my best achievement in the industry so far.” 

Does being CREST-certified change the way you can have conversations with customers and the way that they look at you as well?

CREST is well known in the UK especially because a lot of companies and clients do look for CREST certification and accreditation. One thing that is useful is that when you’re speaking with a client, you can be introduced as a CREST-certified tester. When clients look it up, they’ll see that it’s one of the best, most comprehensive web exams in the UK and one of the best in the world if you’re looking globally.  

Overall, being CREST-certified makes it easier because clients can see that you’re knowledgeable. If you have this qualification, it shows that not only do you have theory knowledge, but also practical real-world cybersecurity experience and pentesting experience. 

Do the skills developed during CREST exams help in the real world and in your day-to-day job as a penetration tester?

Knowledge from the exam is useful in day-to-day job scenarios. The exam teaches you how to deal with problems and unexpected inputs and scenarios, which is basically what penetration testing is. It’s seeing something you haven’t seen before and knowing how to apply certain theories that you’ve learned in different ways. It’s not always the same formula; it’s very different each time.

The exam also has an element of reporting in there, which is obviously very important. At the end of the day, the report is what the client sees. And if you can’t communicate the results properly, then the client is not able to fix what is shown in the results.  

The CREST certification provides a great base and advanced knowledge and enables you to venture out into very niche parts of cybersecurity. However, it’s important to always continue learning.  

“A lot of my learning happens outside of the qualifications as well. Being on the team here at NetSPI, there are a lot of talented people, not just talented in web security, but we have really good cloud people. It’s hardware hackers; I don’t think I’ve ever been in an environment where there are just so many specialists. And it’s really good, because everything that you learn from even people that are doing hardware hacking, something so different. Being on the NetSPI team is a constant learning experience; I think in cybersecurity and penetration testing it’s impossible to ever stop learning.”

Qualifications provide structure and a sense of achievement. And in the cybersecurity industry, continual learning is always important as the threat landscape continues to evolve. You mentioned that you never stop learning. Have you decided what comes next for you?

“I think at the moment, I’m really enjoying just being able to have the freedom to go investigate something, or potentially go develop something. So, I think as a cyber professional, you do have to be able to do a little bit of everything. So, I’ve done a lot of development work recently and I’ve been enjoying writing some plugins and things that helped me become a better tester and more efficient tester. For the time being, I’ll keep doing this for another two years, then I’ll have to renew my CREST certification.”

Is NetSPI CREST-accredited?

Yes, NetSPI is a CREST member organisation and a CREST-accredited penetration testing service provider. You can find our profile online.

Does NetSPI have CREST-certified consultants?

Yes, NetSPI employs multiple CREST-registered and -certified penetration testers. CREST Registered Tester (CRT) is a mid-level qualification. CREST Certified Tester (CCT) is the higher-level qualification, earned for either application testing (CCT App) or infrastructure testing (CCT Inf).

Partner with NetSPI’s team of expert pentesters

NetSPI’s team of expert pentesters is available to provide always-on security, whether you need to scope a new engagement, parse real-time vulnerability reports, prioritise remediation, or ensure compliance. Learn more about NetSPI’s penetration testing as a service (PTaaS) or schedule a demo to speak with our team directly.