100+ Free CREST CPSA Practice Questions

Pass your CREST Practitioner Security Analyst (CPSA) exam on the first try — instant access, no signup required.


2026 Statistics

Key Facts: CREST CPSA Exam

  • Exam Questions: 120 MCQ (CREST)
  • Passing Score: 60% (72/120) (CREST)
  • Exam Duration: 2 hours (CREST)
  • Test Delivery: Pearson VUE (CREST)
  • Current Syllabus Version: V2.5 (CREST)
  • Pass Rate: Not published (CREST)

The CPSA is a 120-question closed-book MCQ exam delivered at Pearson VUE. Candidates have 2 hours and must score 60% (72/120) to pass. The syllabus covers ten domains from soft skills and UK legal context through to core TCP/IP, cryptography, Nmap, OSINT, Windows/Unix internals, and web/database security basics.

Sample CREST CPSA Practice Questions

Try these sample questions to test your CREST CPSA exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which TCP flag combination is used in a SYN scan performed by Nmap (-sS)?
A. SYN only
B. SYN and ACK
C. SYN and FIN
D. SYN, ACK, and RST
Explanation: A SYN scan (also called a half-open scan) sends a single SYN packet to the target port. An open port responds with SYN-ACK, after which Nmap sends a RST to tear down the connection before it completes. Only the initial SYN is sent by the scanning host, making the scan stealthy because no full TCP connection is established.
2. What is the default port used by the Simple Network Management Protocol (SNMP) for polling requests?
A. UDP 161
B. UDP 123
C. TCP 162
D. UDP 514
Explanation: SNMP uses UDP port 161 for agent polling (queries from the management station to the agent). Port 162 is used for SNMP traps — unsolicited notifications sent from agent to manager. UDP is used because SNMP prioritises low overhead over reliable delivery.
3. The AES encryption algorithm operates on a fixed block size. What is that block size in bits?
A. 128 bits
B. 64 bits
C. 192 bits
D. 256 bits
Explanation: AES (Advanced Encryption Standard) always uses a 128-bit (16-byte) block size, regardless of the key length chosen (128, 192, or 256 bits). The key length determines the number of encryption rounds (10, 12, or 14 respectively), but the block size is always fixed at 128 bits per the Rijndael specification.
4. Which DNS record type is used to map a hostname to an IPv6 address?
A. AAAA
B. A
C. PTR
D. CNAME
Explanation: The AAAA (quad-A) record maps a hostname to a 128-bit IPv6 address. The A record maps a hostname to a 32-bit IPv4 address. PTR records provide reverse DNS lookups (IP to hostname), and CNAME creates an alias from one hostname to another.
5. Under the UK Computer Misuse Act 1990, what offence covers unauthorised access to a computer with intent to commit or facilitate further offences?
A. Section 2 — Unauthorised access with intent to commit further offences
B. Section 1 — Unauthorised access
C. Section 3 — Unauthorised acts with intent to impair
D. Section 3ZA — Unauthorised acts causing serious damage
Explanation: Section 2 of the Computer Misuse Act 1990 creates the offence of unauthorised access with intent to commit or facilitate further offences (such as fraud or theft). Section 1 covers basic unauthorised access, Section 3 covers impairing the operation of computers, and Section 3ZA (added by the Serious Crime Act 2015) covers attacks causing serious damage.
6. Which Nmap flag enables operating system detection?
A. -O
B. -sV
C. -A
D. -p-
Explanation: The -O flag instructs Nmap to perform OS detection using TCP/IP stack fingerprinting. Nmap analyses quirks in how the target responds to specially crafted probes and compares them against its OS database. -sV enables version/service detection. -A enables aggressive scanning (OS + version + scripts + traceroute). -p- scans all 65535 ports.
7. What is the effective key length of Triple DES (3DES) when three independent 56-bit keys are used?
A. 112 bits
B. 128 bits
C. 168 bits
D. 192 bits
Explanation: 3DES with three independent 56-bit DES keys (keying option 1) produces 3 × 56 = 168 bits of key material. However, due to the meet-in-the-middle attack, the effective security is reduced to approximately 112 bits in practice. The nominal key length — the value most commonly cited in CPSA contexts — is 168 bits.
8. An Nmap Xmas scan (-sX) sets which combination of TCP flags?
A. FIN, PSH, URG
B. SYN, ACK, FIN
C. SYN, FIN, RST
D. ACK, PSH, URG
Explanation: An Nmap Xmas scan sets the FIN, PSH, and URG flags simultaneously — sometimes described as 'lighting the packet up like a Christmas tree.' Per RFC 793, a closed port should respond with RST, while an open port drops the packet silently. This makes it useful for firewall evasion on stateless packet filters.
9. Which hashing algorithm produces a 160-bit (20-byte) digest?
A. SHA-1
B. MD5
C. SHA-256
D. RIPEMD-128
Explanation: SHA-1 (Secure Hash Algorithm 1) produces a 160-bit (20-byte) hash digest. MD5 produces a 128-bit digest. SHA-256 produces a 256-bit digest. RIPEMD-128 produces a 128-bit digest. SHA-1 is no longer considered collision-resistant and has been deprecated for certificate signing.
10. What DNS query type requests a complete copy of a zone's records from an authoritative name server?
A. A record query
B. SOA query
C. AXFR (zone transfer)
D. NSEC walk
Explanation: An AXFR (Authoritative Transfer) request asks a DNS server to send the entire contents of a zone — all resource records. Zone transfers are intended for replication between primary and secondary name servers. If a server permits AXFR to arbitrary clients it leaks the full zone, revealing internal hostnames and IP addresses.

About the CREST CPSA Exam

The CREST Practitioner Security Analyst (CPSA) is the entry-level CREST certification for penetration testers. It validates core knowledge of IP protocols, cryptography, network mapping, OS security assessment, and web application vulnerability identification — and is a prerequisite path to the CREST Registered Tester (CRT).

  • Questions: 120 scored questions
  • Time Limit: 2 hours
  • Passing Score: 72/120 (60%)
  • Exam Fee: Varies by region; check crest-approved.org for current pricing (CREST)

CREST CPSA Exam Content Outline

  • Soft Skills and Assessment Management (~10%): Engagement lifecycle, UK Computer Misuse Act, scoping, risk management, and professional reporting standards
  • Core Technical Skills (~20%): IPv4/IPv6 addressing, TCP/UDP/ICMP, network architecture, OS fingerprinting, and file-system permissions
  • Cryptography (~10%): AES, 3DES, RSA, RC4, MD5, SHA-1, HMAC, SSL/TLS, IPsec, SSH, and PGP
  • Background Information Gathering (~8%): WHOIS, DNS record types and zone transfers, Google dorking, OSINT, and mail-header analysis
  • Networking Equipment (~10%): SNMP, DHCP, NTP, ARP, CDP, STP, VTP, HSRP, VRRP, TACACS+, IPsec, SIP/VoIP, and 802.11 wireless
  • Network Mapping and Target Identification (~8%): Nmap scan types and flags, service enumeration, banner grabbing, and network topology analysis
  • Vulnerability Identification (~10%): CVE referencing, patch assessment, CVSS-based prioritisation, and vulnerability confirmation techniques
  • Microsoft Windows Security Assessment (~10%): Domain/user enumeration, Active Directory basics, password attacks, patch management, and Exchange
  • Unix and Linux Security Assessment (~8%): User enumeration, FTP, Sendmail/SMTP, NFS, R-services, X11, RPC, and SSH assessment
  • Web Testing and Databases (~6%): OWASP Top 10 basics, SQL injection, XSS, CSRF, session attacks, database port enumeration, and stored procedures

How to Pass the CREST CPSA Exam

What You Need to Know

  • Passing score: 72/120 (60%)
  • Exam length: 120 questions
  • Time limit: 2 hours
  • Exam fee: Varies by region; check crest-approved.org for current pricing

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CREST CPSA Study Tips from Top Performers

1. Download and work through every skill point in the CREST CPSA Technical Syllabus V2.5 — it defines exactly what is tested
2. Memorise exact port numbers: FTP 21, SSH 22, SMTP 25, DNS 53, HTTP 80, HTTPS 443, SMB 445, RDP 3389, MySQL 3306, MSSQL 1433
3. Know cryptographic key sizes and modes: AES-128/192/256, RSA-1024/2048, 3DES-168-bit effective, MD5 128-bit, SHA-1 160-bit
4. Learn all Nmap scan types: -sS (SYN), -sT (connect), -sU (UDP), -sN (null), -sF (FIN), -sX (Xmas), -sA (ACK), -O (OS detect), -sV (version)
5. Understand DNS record types: A, AAAA, MX, NS, PTR, SOA, TXT, CNAME, HINFO — and when zone transfers (AXFR) are possible
6. Practice with Wireshark and tcpdump to recognise TCP handshakes, ICMP types, and common protocol signatures

Frequently Asked Questions

What is the CREST CPSA exam format?

The CPSA is a 120-question closed-book multiple-choice exam with a 2-hour time limit. It is delivered at a Pearson VUE test centre. Each question has multiple answer options, one correct answer scores 1 mark, and there is no negative marking. Candidates need 72 correct answers (60%) to pass.

Is CREST CPSA good for beginners?

Yes, the CPSA is positioned as the entry-level CREST qualification for aspiring penetration testers. It tests foundational knowledge of networking, cryptography, OS internals, and web vulnerabilities. Candidates with a solid CompTIA Network+ or Security+ background typically find the theoretical content accessible.

What are the hardest topics on the CPSA exam?

Cryptographic algorithm details (key sizes, modes, hash output lengths), precise port numbers and protocol behaviors, Nmap flag specifics, and DNS record type distinctions tend to trip up candidates. Memorising exact values — not just general concepts — is essential for this closed-book exam.

Does passing CPSA qualify me for CREST CRT?

No — passing CPSA demonstrates the knowledge component but the CREST Registered Tester (CRT) is a separate, more advanced practical-plus-written exam. CPSA is a recommended stepping stone and shares syllabus overlap with CRT, making it valuable preparation.

Can I take the CPSA online?

No. The CPSA is a closed-book exam and is only available at Pearson VUE test centres. Online proctoring is not an option for this exam.

How long should I study for the CPSA?

Most candidates need 80-120 hours depending on prior experience. Focus heavily on Core Technical Skills (the largest domain), cryptography specifics, Nmap flags, DNS record types, and Windows/Unix enumeration techniques. The official CREST CPSA Technical Syllabus V2.5 is the definitive study guide.