A Career as a Penetration Tester: To CREST or Not to CREST

CREST, the Council of Registered Ethical Security Testers, is a globally respected accreditation body dedicated to setting and maintaining the highest standards in technical cybersecurity practices. It plays a pivotal role in defining professional benchmarks, both for cybersecurity consultancies and for individual penetration testers. For anyone considering a career in ethical hacking or red teaming, CREST certification offers a rigorous, credible, and internationally recognised pathway to validating your skills.

At its core, CREST provides a structured progression of certifications that align with increasing levels of skill, experience, and responsibility in penetration testing and offensive security.

1. CREST Practitioner Security Analyst (CPSA)

This is the entry-level certification that evaluates foundational knowledge in cybersecurity and penetration testing. It is designed for individuals who are just beginning their careers, typically after some initial exposure through academic study, internships, or junior roles in IT security.

The CPSA focuses on core topics such as:

• Network and web application architectures

• Common vulnerabilities (e.g., SQL injection, XSS)

• Security controls and risk assessment basics

• Legal and ethical considerations of testing

For example, a junior analyst at Cybergen Security preparing for the CPSA might study Nmap scanning techniques, understand how HTTP protocols function, and learn the OWASP Top 10 vulnerabilities. It’s often the first formal step for graduates or career changers into the penetration testing profession.

2. CREST Registered Penetration Tester (CRT)

The CRT sits at an intermediate level and is perhaps the most recognised CREST certification in the UK and beyond. It is often used by organisations—including government departments and major security consultancies—as a baseline requirement for penetration testers working on client engagements.

This certification assesses a candidate’s ability to conduct full end-to-end penetration tests, including:

• Identifying and exploiting real-world vulnerabilities

• Using manual and automated tools in tandem

• Writing professional-grade reports

• Demonstrating strong time management during assessments

The CRT exam itself is known for being particularly challenging—it simulates a live environment and involves exploiting targets within a limited time. For instance, a test might include pivoting through a compromised web application to enumerate internal network services or uncover credentials.

At Cybergen Security, a CRT-certified tester might lead engagements against enterprise clients' external networks, looking for real-world attack vectors, and reporting on their findings in a professional and actionable manner.

3. CREST Certified Tester (CCT)

The highest level of certification, CCT is aimed at experienced professionals who have several years of hands-on experience in penetration testing and have already passed the CRT. There are two specialisations within CCT:

• Infrastructure

• Web Applications

These exams are incredibly detailed and test not only technical skills but also strategic thinking and advanced exploitation techniques. Candidates are expected to display expert-level capabilities in evading detection, simulating adversarial behaviour, and understanding complex enterprise environments.

A Cybergen Security consultant with a CCT in Infrastructure might be tasked with conducting red team exercises against large financial institutions, attempting to mimic the tactics of real-world threat actors including lateral movement, privilege escalation, and custom payload development.

Why CREST Matters

CREST certifications are recognised and respected globally. In the UK, they are often required for conducting CHECK engagements (government-authorised penetration testing). In other regions, such as Australia and Singapore, CREST is embedded in regulatory frameworks and cyber resilience strategies.

More importantly, these certifications provide assurance to clients and employers that the holder operates with a high level of technical competency and ethical responsibility. Unlike some certifications that rely heavily on multiple-choice exams, CREST emphasises practical, hands-on testing, reflecting real-world complexity and attack scenarios.

In the cybersecurity recruitment space, CREST certifications can differentiate a candidate in a competitive market, often acting as a gatekeeper for roles with high levels of trust and responsibility.

1. Industry Recognition

One of the most immediate and tangible benefits of obtaining a CREST certification is the universal industry recognition it commands. Across the UK and internationally, employers, consultancies, and clients look to CREST as a mark of technical credibility and ethical trust.

For example, at Cybergen Security, hiring managers often use CREST CRT as a baseline qualification when recruiting penetration testers for commercial or government contracts. In particular, public sector organisations working under the NCSC’s CHECK scheme require penetration testers to hold CREST-approved credentials in order to legally perform certain types of security assessments.

This kind of recognition isn’t limited to the UK. Countries such as Australia, Singapore, and Malaysia have embedded CREST standards into their national frameworks, meaning the certification can open global employment opportunities. Being CREST-certified shows you’ve not only passed a test, but that you operate to professional, repeatable, and ethical standards in your work.

2. Enhanced Career Opportunities

With increased recognition comes enhanced career mobility. Penetration testers who hold CREST certifications often command higher salaries, gain quicker access to senior roles, and are entrusted with more complex and sensitive client work.

Let’s take a practical example. A tester with only basic qualifications may be assigned small-scale assessments such as internal vulnerability scans. However, a CREST CRT holder at Cybergen Security might be deployed to conduct external infrastructure testing for critical infrastructure clients, or support red team simulations involving lateral movement and domain compromise—areas where trust and skill are paramount.

This enhanced responsibility and technical scope typically lead to accelerated career growth. Within consultancy environments, CREST-certified testers are often first in line for team lead roles, technical architect positions, or client-facing delivery leadership.

3. Access to a Professional Network

Beyond certifications and exams, CREST opens the door to a thriving professional ecosystem. Certified individuals gain access to forums, working groups, and special interest sessions with some of the most experienced cyber professionals in the world.

This network is particularly valuable for collaboration, mentorship, and ongoing education. For instance, testers at Cybergen Security routinely engage with CREST community events, sharing threat intelligence, testing techniques, and updates on regulatory changes. These peer-led learning opportunities can often be more valuable than textbooks or formal courses, providing direct insights from practitioners in the field.

This sense of community also encourages ethical accountability. CREST members operate under a formal Code of Conduct, which ensures professionalism and integrity across all engagements a key differentiator in an industry plagued by grey-market operators and inconsistent standards.

4. Alignment with Regulatory Standards

Finally, CREST certification is a strategic asset for regulatory alignment. As governments and regulators tighten cybersecurity rules particularly in sectors such as finance, health, and telecoms there is increasing demand for proof that penetration tests and security assessments are conducted by qualified professionals.

For example, in the UK, the Cyber Essentials Plus certification requires penetration testing by certified testers. Similarly, the Financial Conduct Authority (FCA) may expect regulated firms to demonstrate that security testing is aligned with best practices often validated by CREST membership.

At Cybergen Security, our clients regularly request assurance that our consultants hold CREST credentials, especially when testing involves sensitive data, cross-border infrastructure, or compliance audits. By holding CREST qualifications, our testers help reduce client risk and facilitate faster regulatory sign-off.

While the advantages of CREST certification are clear and compelling, it’s important to approach the decision with realistic expectations. Gaining a CREST credential is a serious professional undertaking and should be treated as such. Prospective candidates must weigh a number of practical considerations academic, financial, and strategic before committing to the process.

At Cybergen Security, we often advise junior and mid-level professionals to reflect honestly on their readiness, both technically and personally. The certification opens many doors, but it also requires sustained effort and investment.

First and foremost, the level of preparation required for CREST certifications particularly CRT and CCT is not to be underestimated. These are not entry-level multiple-choice exams.

The assessments are hands-on, performance-based, and designed to simulate real-world penetration testing engagements.

Candidates will be expected to:

Demonstrate knowledge of complex network infrastructure
Identify and exploit both common and obscure vulnerabilities
Work under time constraints with minimal guidance
Produce professional reports that communicate findings clearly

For example, a candidate preparing for the CREST Registered Tester (CRT) exam may need to master tools such as Burp Suite, Nmap, Metasploit, and custom scripting in Python or Bash. They must also be able to pivot through compromised machines, bypass firewalls, and maintain stealth where necessary skills that take months, if not years, to develop with confidence.

Many candidates underestimate the mental stamina required during the exam itself. A typical CRT practical assessment lasts several hours and can be mentally exhausting. At Cybergen Security, we encourage aspiring CRT testers to simulate real assessments regularly in lab environments to build both skill and resilience.

Pursuing a CREST certification also comes with significant financial implications. Candidates should factor in more than just the cost of the exam itself. The full journey may include:

Professional study guides and CREST-authorised materials
Online courses or instructor-led bootcamps
Subscription to practical testing platforms such as Hack The Box or TryHackMe
Retake fees (in the event of an unsuccessful attempt)
Travel costs for in-person exams at approved centres

As of 2025, the CREST CRT exam costs over £500, with additional expenses depending on your preferred learning style. For early-career professionals or self-funded learners, these costs can be a barrier.

It’s worth noting, however, that many employers including Cybergen Security will sponsor CREST certification for their employees, recognising the long-term value it brings to both parties. If you’re in employment, explore whether your company offers learning and development budgets or certification reimbursement.

While CREST is highly respected, it is not the only route into a successful career in penetration testing. Depending on your specific interests, geography, or job role, alternative certifications may offer a more accessible or aligned starting point.

Popular alternatives include:

Offensive Security Certified Professional (OSCP) – Known for its practical, hands-on exam format and global recognition. OSCP is particularly favoured in red teaming and private-sector consulting roles.
eLearnSecurity (eCPPT, eJPT) – More affordable and flexible options, ideal for remote learners or those looking to build foundational skills before attempting CREST.
GIAC Certifications (e.g., GPEN) – These offer structured training and are often used in enterprise or government roles in the US and Europe.

Each certification has its own strengths and limitations, and what suits one person may not suit another. For example, a penetration tester working with North American clients may find the OSCP more directly relevant, while someone working under UK government contracts will likely need to pursue CREST CRT or higher to meet CHECK scheme requirements.

At Cybergen Security, we encourage team members to take a hybrid approach: start with an alternative like OSCP to build core skills, then pursue CREST to demonstrate advanced competency and regulatory alignment.

Pursuing a CREST certification is a commendable goal that requires careful planning, consistent effort, and strategic learning. At Cybergen Security, we support our consultants through each stage of the journey, as we understand how demanding but also how professionally rewarding this process can be. Below is a detailed breakdown of the key steps involved in becoming CREST-certified, especially for those targeting the Practitioner (CPSA), Registered Tester (CRT), or Certified Tester (CCT) levels.

1. Assess Prerequisites

Before enrolling in any CREST certification exam, it’s crucial to evaluate whether you meet the baseline knowledge and experience requirements for your desired certification level. While CPSA is aimed at those beginning their penetration testing careers, CRT and CCT demand substantial hands-on experience and deep technical proficiency.

Ask yourself:

Have I mastered the fundamentals of networking, operating systems, and common vulnerabilities?
Can I effectively use tools like Nmap, Burp Suite, Metasploit, and Wireshark?
Do I understand web app architecture, Active Directory, and secure coding principles?

For example, a candidate aiming for CRT should already be confident in their ability to perform real-world network and web application assessments, with a portfolio of self-directed labs or client-facing engagements to prove it.

2. Structured Learning

Once you’ve confirmed your readiness, the next step is to follow a structured and comprehensive learning path. CREST does not mandate formal training, but it is highly recommended—particularly for those aiming to pass on the first attempt.

Some recommended resources include:

Official CREST syllabuses for CPSA, CRT, and CCT
Cyber security academies and bootcamps, such as Immersive Labs, Offensive Security, or Coding Dojo
Online learning platforms like TryHackMe, Hack The Box, and PortSwigger Web Security Academy
CREST-aligned preparation courses offered by training providers such as 7Safe and QA

Structured study ensures you build proficiency across both theory and practice. Be sure to include report writing and time management as part of your study plan—both are essential in passing CREST practical exams.

3. Hands-On Practice

CREST places a strong emphasis on practical, real-world testing scenarios. To succeed, you need more than textbook knowledge—you must demonstrate operational skill.

Create or join lab environments that simulate target networks, vulnerable applications, and restricted environments. Platforms like Hack The Box and TryHackMe are ideal for sharpening your skills through realistic challenges.

If you’re early in your career, seek internships or junior roles where you can shadow experienced penetration testers. At Cybergen Security, we support early-career professionals with mentorship and sandbox environments to safely experiment and learn.

The goal here is not just competence, but confidence under pressure.

4. Exam Registration

When you’re ready, register your exam through a CREST-authorised testing centre. The registration process includes identity checks, payment, and scheduling your slot—so don’t leave this to the last minute.

Make sure you understand the format of your exam:

CPSA is a multiple-choice theory paper.
CRT and CCT are hands-on practical exams requiring on-the-fly analysis and exploitation under strict time constraints.

Prepare your equipment and documentation in advance. If your exam is in person, ensure you’re familiar with travel logistics and test conditions.

5. Continuous Development

Achieving CREST certification is a major milestone but it’s not the end of the journey. In fact, it marks the beginning of your commitment to lifelong learning in a constantly evolving threat landscape.

Stay active by:

Participating in CTF (Capture the Flag) competitions
Attending CREST conferences, webinars, and community meetups
Reading industry blogs, whitepapers, and vulnerability databases (e.g., CVE, NVD)
Experimenting with new tools and scripting your own payloads

At Cybergen Security, we encourage our team to mentor others, lead internal red team drills, and contribute to open-source tools as a way of maintaining and expanding their skills.

White car's front grill close-up, other car blurred in background, showroom setting, warm light.

Smart Grids and Cybersecurity: Risks and Countermeasures

September 18, 2025

Learn about smart grid cybersecurity risks and practical countermeasures. Cybergen explains threats, vulnerabilities, and steps to strengthen resilience today.

Close-up of a white car's front, with a blurred silver car in the background, inside a brightly lit showroom.

How Automotive Companies Are Securing Connected Vehicles

September 15, 2025

Learn how automotive companies are protecting connected vehicles against cyber threats. Explore risks, strategies, regulations, and expert advice from Cybergen.

When Cyberattack Meets Industry: The JLR Case and What It Means for UK’s Auto Sector

September 15, 2025

When Jaguar Land Rover (JLR) was hit by a cyberattack, the ripple effects were immediate—not only shutting down its own production, but dragging much of its supply chain into uncertainty and putting thousands of jobs at risk. The story has raised important questions about how the UK protects key industries, supports workers, and builds resilience to digital threats. What Happened JLR had to halt production because its vital systems were compromised by the cyberattack. Sky News reports the shutdown has already lasted 12 days. The disruption isn’t confined to its own factories; many smaller suppliers (in JLR’s upstream and downstream networks) are also severely affected. Some suppliers have temporarily laid off around 6,000 staff . Workers at JLR itself (around 34,000 in the UK) remain off-work while the company restores systems. Key unions and the Business & Trade Committee (a group of MPs) are pushing for government intervention, calling for COVID-style financial support to help the supply chain and prevent loss of jobs. Why This Matters Supply Chain Fragility The incident underscores how tightly interwoven modern manufacturing is. Even when only one big firm is attacked, the effect cascades across dozens of smaller suppliers. Cashflow disruption in these smaller firms can lead to layoffs, insolvency, and loss of skills. Digital Risk Is Industrial Risk Cyberattacks aren’t just an IT problem. When companies rely on digital systems for production scheduling, hardware control, robotics, cross-site networks or cloud services, any breakdown can stop physical manufacturing altogether. Workers at the Brink Employees in smaller firms, often with fewer resources and less buffer capital, are particularly vulnerable. With no production and no income, many are under immediate financial stress. Policy & Government Role The calls from MPs for emergency schemes are reminiscent of measures used during COVID-19, meant to protect workers and businesses through unprecedented disruption. Such interventions are costly and complex, but may be essential to preserve industrial capacity in critical sectors. Reputation, Trust & Resilience Disruption of this kind damages not just immediate output, but also long-term trust with suppliers, investors, and customers. How fast a firm recovers—and how transparently it handles the attack—matters. What’s Being Proposed The Business & Trade Committee has asked Chancellor Rachel Reeves what kind of support is being offered to JLR’s suppliers to “mitigate the risk of significant long-term commercial damage.” Trade union Unite has suggested introducing a temporary furlough-style scheme specifically for workers in the supply chain. The idea is to preserve jobs while production is down. What Questions Remain How extensive is the damage to JLR’s systems, and how long will recovery take? The longer downtime goes on, the greater the economic risk. Which suppliers are most exposed, and how many might not survive prolonged cashflow disruption? What legal/regulatory obligations does JLR have to its suppliers versus its employees during such an attack? What kind of support package will the government realistically offer—will it be reactive, or will it structure something that gives industry confidence there’s a safety net? How will this event change how other companies plan for cyber resilience and business continuity? Lessons & Takeaways for Industry Prepare for Worst-Case Downtime : Firms need robust continuity plans. Not just backup of data, but plans for restoring production safely, fallback procurement options, etc. Ensure Adequate Cyber Defences : This includes not only perimeter protection but also rapid detection, segmentation (so problems in one system don’t immediately spread), and patching. Supply Chain Visibility : Know your suppliers well: their vulnerabilities, financial health, and contingency plans. If many small suppliers go under, the big OEMs feel the pain. Insurance & Risk Sharing : Evaluate whether cyber risk insurance can cover parts of the losses; maybe explore contractual risk sharing in the supply chain. Advocacy & Policy Engagement : Businesses need to work with government to design support mechanisms that can be deployed in these kinds of emergencies—both to protect industry and the workforce. What This Means Going Forward The JLR incident is likely to be a wake-up call. It shines a light on how modern industrial strength depends heavily on digital stability and resilient supply chains. For workers and smaller suppliers, the stakes are very high. The government’s response will test how well policy keeps up with the new kinds of risk in a tech-infused manufacturing age. For Jaguar Land Rover and its partners, this could bring into sharper focus investment in cyber resiliency, revisiting insurance, revising contracts with suppliers, and being proactive with contingency planning. Summary Jaguar Land Rover’s cyberattack is more than a headline; it’s a case study in how digital vulnerabilities can threaten real-world operations, jobs, and economic stability. As the UK grapples with how best to support its industrial base, it must weigh up not just the immediate financial aid, but the wider architecture of resilience: legal, technological, and economic.