Earning my CREST CPSA in 30 Days (Not Really)

Katy Vonk
4 min read · Apr 6, 2024

As of 2024, I have worked as a business consultant and hacker for five years. A contract stipulation for one of my recent clients mandated that I earn my CREST Registered Penetration Tester (CRT) certification. Thankfully, CREST offers an equivalency program for folks who’ve passed their Offensive Security Certified Professional (OSCP) certification within the past three years.

The caveat: you must have a CREST Practitioner Security Analyst (CPSA) certification to apply for the CRT Equivalency. Thus began my 30-day CPSA bender!

[Image: "Not the Toothpaste". Photo by Diana Polekhina on Unsplash]

Some Basic Info About CPSA

Your first and best resource for everything CPSA is CREST’s own website and the CPSA Syllabus. Honestly, the syllabus is the only training document CREST provides (as of yet), so treat it as the authoritative list of what you can be asked. The version current as of this post is 2.5.

The exam is 120 multiple-choice questions and you have 2 hours to take it. That works out to about 1 minute per question, so keep a time budget in mind. Depending on your testing center, you will either be given a sheet of note paper for use during the exam, or be able to attach comments to questions for your own review before submission. You can also flag questions for review. To pass, you must answer 72 of the 120 questions correctly, a 60% score.

If you fail the exam, you have a 7-day cool-down before you can retake. Depending on your industry experience and job history, you might expect to have to take this exam twice.

Multiple Choice Exam Strategy and General Exam Strategy

I’ll break down my strategy for the exam. With only 1 minute to budget for each of the 120 questions, my initial strategy was to work steadily but quickly through the exam, answering as many as I could, flagging any question I was unsure of, and flagging any question where I had no idea. This initial pass took me an entire hour.

With multiple-choice questions it is important to read the question carefully and in full. Pay attention to words like “not” or “always”, as they significantly change the meaning of the question. Once you have read it, try to think of the correct answer before reading the available options. Next, read the options carefully, one by one. Are any of them obviously right or wrong?

Use the process of elimination to rule out the clearly wrong options. Sometimes the options themselves rule each other out. Sometimes the answer to one question appears in the wording of another question later in the exam. On your first pass, take your best guess, flag the question, make a note, and keep going.

I spent the next 45 minutes of my exam time carefully reviewing all my answers, flagged or unflagged, entering my best guess on any I was still unsure of, and correcting answers I had figured out from other questions.

I found this guide to multiple-choice exams a good strategy refresher.

My Study Resources

Hard truth that I feel I must disclose: I earned my CompTIA Security+ certification some years back. I genuinely felt that a lot of the study material overlapped, and I could easily have used all my Sec+ flashcards to help me study for CPSA. In my opinion, if you’ve passed Sec+, you can pass CPSA.

My hopes were that between the knowledge I had gained from five years on the job, the knowledge I can memorize for the exam, and the process of elimination, I could get a passing grade. This turned out true for me.

If you haven’t taken Sec+, you’re going to need to study with much greater intensity than I did. In fact, I specifically recommend reading my Sec+ Study Guide and using those materials to supplement your studying. I would also expand my studying timeline by another 15–30 days, and buy a few of the Sec+ study guide books.

Specific to the CPSA, though, these were my top study resources, in ranked order:

  • CPSA Syllabus — Reading front to back, familiarize yourself with every topic, know every acronym, know every protocol, OS, device, etc.
  • The CREST CPSA Website — Lots of reading material, make sure you read it all.
  • Network Security Assessment, 3rd Ed. (Chris McNab) — Don’t know something on the syllabus? Find it here.
  • Usama Azad’s Exam Preparation Tips — This was really where I started my journey and found some of the resources I mention here. Thanks, sir!
  • This Quizlet Flashcard Set — These were helpful in Port and Protocol memorization, and cramming in the days leading up.
  • CREST CPSA UNOFFICIAL Practice Tests on Udemy — I honestly don’t think there were any overlapping questions on the exam, but you’ll get a feel for the depth and complexity of the knowledge you need.
  • My Security+ Flashcards — These were a set of 200+ flashcards I made while studying for Sec+ covering OSI, TCP/IP, Cryptography, Ports, Protocols, and all that good stuff.

CPSA Training

Shortly after I passed the exam, I received an email from CREST stating that they are rolling out approved CPSA training soon. If you have an employer supporting your certification, I highly recommend looking into these upcoming options, as it can no doubt save you time and money.

And don’t forget: Please Do Not Throw Sausage Pizza Away, and GOOD LUCK!


Katy Vonk

Candy addict masquerading as an Offensive Security Certified Professional (OSCP), Information Security Consultant, Red Teamer, and Penetration Tester.