I hope this question is direct enough for the stackexchange format, my apologies if it is not, please feel free to downvote to close.

I'm interested in pursuing a CREST certification, however it looks to be a chicken-and-egg problem: without certification it seems unlikely I'll be able to land professional experience, and without professional experience it's unlikely I'll be able to be certified.

Is it possible to gain industry experience without certification, and, as the corollary to this, is it possible to become CREST certified without industry experience?

To be more direct, is having industry experience the most direct pathway to CREST certification?

AlexH
  • Sorry Alex, this really doesn't seem like a good question or even one that has room here. Have you tried asking in the DMZ, though? – Stephane Feb 16 '15 at 17:03
  • Reviewing similar questions, it also appears I have confused CREST and CHECK (CHECK being the one requiring security clearance); I've amended the question to reflect this. – AlexH Feb 16 '15 at 17:03
  • @Stephane there are similar questions regarding how to approach certification as well as which certifications are appropriate for particular pathways. I agree it is maybe a bit subjective, however I feel the Q&A format supports asking questions specific to the industry, not just the field. Edit: I do feel that the title is very poor and not a question at all; I will correct this. – AlexH Feb 16 '15 at 17:06
  • Does CREST require professional experience? I'm not seeing evidence of this on their site. – schroeder Feb 16 '15 at 18:32
  • @schroeder the use of the word "unlikely" in my question is there because there is not a requirement explicitly, however it seems very unlikely, as wireghoul and paj28 have expanded on below. – AlexH Feb 17 '15 at 10:28

3 Answers

You can pass the CREST exam on skill and knowledge alone. It is however very unlikely that someone without practical experience will be able to do so in the limited time allocated for the exam.

wireghoul


Wireghoul's answer is spot on. There is no formal requirement for industry experience, but in practice, the only way to get good enough is to do it for a job.

A number of pen testing companies may offer you a junior position without certification. They would typically be looking for an IT background - either a degree, or experience as a developer, sys-admin, or similar role. In addition, they would want to see evidence of a personal interest in security, including that you have taught yourself to do basic pen testing. Most companies have a technical "assault course" - although for a junior role you'd only need to show basic skills. My employer (Pentest) have hired a number of people on this basis, who have gone on to become professional testers.

CREST comes in two levels: registered tester and senior tester. As a rough rule of thumb I'd say you need 1 year of experience to do the registered tester, and 3-4 years to do the senior tester. People learn at different speeds though. The senior exam comes in two flavors (application & infrastructure) and it is pretty difficult; I've known several good testers fail.

paj28
  • Thank you very much for the depth of your answer, that's really given me a lot to consider. Also, I guess my question should also contain "what qualifies as appropriate experience?" – AlexH Feb 17 '15 at 10:26
  • @AlexH - CREST is a pen testing qualification; the only appropriate experience is pen testing. Working in sec ops, policy & governance, or anything else won't help you. If you'd like to talk more about how Pentest select candidates, you can get me at paul.johnston@pentest.co.uk – paj28 Feb 17 '15 at 10:45
I wouldn't say you actually need industry experience, just experience and practice of pen testing itself.

For example, Offensive Security offer the Penetration Testing with Kali Linux course, which gives you access to a simulated company network lab comprising many machines to practise on and hone your skills. If you can root them all and then attempt and pass the exam, this will give you a good grounding.

The Offensive Security course alone won't mean you can pass CREST, but combine this with hacking Metasploitable 2, which includes the Damn Vulnerable Web App to practise web security assessments, and I'd say you were most of the way there. The items on the CREST syllabus you would need to research in order to pass the written section of the entry-level CREST exam; however, a lot of them are general to IT, so if you have a lot of technical knowledge already you should be able to pass it.

I also agree with wireghoul's answer in that the limited time available is the major barrier to passing.

SilverlightFox