pleasedonthack.me

CREST CPSA Exam

September 23, 2018 | 6 Minute Read

This post aims to give a rough guide on how OSCP holders can attain CPSA status.

What is CPSA?

CREST is a not-for-profit organization that provides accreditation and certification related to information security. If you’re a pentester, chances are you’ve come across a role that asks for CREST certifications. The most notable are CRT and CPSA.

CREST Registered Penetration Tester (CRT) is the closest analogue to OSCP, as it assesses an individual’s hands-on technical skills. CREST Practitioner Security Analyst (CPSA) is its counterpart and tests knowledge. Holding both CRT and CPSA grants you Full CREST Equivalency. You can check out their website for more info.

Why get Full CREST Equivalency?


This is a good cert to go after as it is widely known, and it’s actually cheaper for OSCP holders: taken the normal way, CRT (£395) and CPSA (£250) together cost around £645 without VAT, whereas the equivalency route costs a £350 administration fee. You can also check out why to get certified on this page.

How do you get Full Equivalency?

If you hold OSCP and do not yet possess any CREST certifications, you can apply for CRT equivalency and then sit the CPSA exam to obtain Full Equivalency.

Process

  1. Send an email to CREST at exambookings@crest-approved.org requesting Full CREST equivalency. Include the following:
    • Updated CV
    • Proof of your OSCP attainment: Include your OSID and a scan of your certificate.
    • A signed copy of the CREST Code of Conduct. (You may need to get an updated copy from them first.)
  2. Send your billing details. These will be used to post the CRT certificate* and to invoice you for the CPSA exam. (It took about two weeks for my certificate to be delivered.)
    • Contact name
    • Email address (kind of redundant but you know)
    • Postal address
  3. Pay the administration fee (£350)**. After payment you will receive instructions to update your profile and submit your application in their portal.
  4. Schedule the exam. You will receive an email containing the voucher code and instructions for setting up your exam schedule.

Note:

*The CRT certificate you receive is only valid for six months, after which it is revoked. By passing the CPSA exam you are granted Full CREST Equivalency, which extends the validity to three years from the date you attained OSCP.

**If you fail the exam, you have to pay again to retake it.

In order to minimize procrastination, I scheduled the exam about a month ahead. This gave me time to prepare comfortably while keeping a reasonable deadline.

Preparation

The topics covered in the exam can be found in the CPSA syllabus. As of this writing there are ten knowledge groups, which can be condensed roughly into:

  • Soft skills
  • Pentesting methodology
  • Network Security
  • Web Security
  • OS & Database Security

The syllabus contains everything you need to pass the exam. I say “pass” because getting the basics of every knowledge group down will probably net you the minimum needed to pass, not much more.

Some important things to note:

  • The exam has 120 multiple-choice items to be answered within 2 hours. The passing mark is 60% (72 items).
  • It is closed book: no notes or references may be used while taking the exam.
  • Additionally, there’s the dreaded NDA to be signed before taking the exam. Breaching it will result in your CREST certification being revoked.

Studying

Prep work can be straightforward, but the difficulty lies in investing the time and effort. As the syllabus is the only yardstick you have, it’s hard to know how deep to go on each topic in each knowledge group. It’s tempting to think that over-preparing is the safe approach, but it is far better to focus on getting the gist of each topic rather than going deep, especially in areas where you are lacking. Aim for a good spread: the more basics you nail down, the better your chances of passing. I encountered some “Gotcha!” questions in the exam, questions I thought required a certain amount of experience to answer, and some which were somewhat esoteric. But in hindsight, a good foundation was key to helping me pass.

With regard to study materials, there’s no better way than to google for them. Only include materials you have some confidence in: if a resource is too difficult, it probably won’t stick; if it’s too shallow, there are likely better alternatives. Keep your notes concise and organized so they are digestible. For topics that are your weak areas, stick to the basics. For general reference you can rely on OWASP and Wikipedia.

CREST also recommends some books and courses for prep work. If you can spare the money, go for the courses; having options and alternative study methods is always good. Having said that, I can’t make any personal recommendation of the courses as I am always trying to keep my expenses down. For books, I own Red Team Field Manual and Cryptography Engineering; I have partially read both and can recommend them. I also read Attacking Network Protocols by James Forshaw, which covers a lot of the topics related to network and web protocols, cryptography, and related vulnerabilities.

Studying for the exam took about a month, but I wasn’t studying every day. I incorporated spaced repetition due to the amount of material to be absorbed. My approach was to study my notes as intensely as I could for the first week, study again in the week before my exam, and cram on the day before. For the two weeks in between, I would do other things. I found this to be a great approach as it takes advantage of how the brain operates when it has an unfinished task, when it is forgetting and trying to remember things, and so on. It may seem stressful, but overall the experience was actually pleasant.

Exam Day

The exam took me an hour to finish. I used the remaining time to review and tally the items I was confident were correct, which helped me assess my likelihood of passing. The final tally ended up being really close to the score I got in the end. The results were given right after the exam.

Final Thoughts

Taking CPSA was a perplexing experience. Preparing for the exam felt like guesswork even though a syllabus was provided. It feels as if, were I to take it again, I would be facing a different beast. It didn’t really feel like a test of knowledge and experience; rather, it felt like a test of how much trivia I could fit in my head. Perhaps I had some misplaced expectations of the exam. Despite these misgivings, I can still recommend this cert to any aspiring candidates. It’s a good cert that can open doors for professionals who have taken OSCP, especially those who recently passed and are looking for their next challenge and a boost to their profile. Give it a try if you’re interested.

If you have further questions feel free to contact me. Good luck!