
100+ Free CREST CCT Practice Questions

Pass your CREST Certified Tester — Infrastructure & Application (CCT INF + CCT APP) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Pass rate: not officially published | 100+ questions | 100% free
2026 Statistics

Key Facts: CREST CCT Exam

  • Practical duration: 6 hours (source: CREST CCT)
  • Scoring: pass/fail (source: CREST; both practical and workbook must be passed)
  • Exam fee: £650 (source: CREST, approximate)
  • Validity: 3 years (source: CREST)
  • Level: Expert (CREST Team Leader standard)
  • Specialisations: INF + APP (CCT Infrastructure + Application)

CCT INF and CCT APP are CREST's expert-level penetration testing certifications, recognised as Team Leader standard. Each exam is a 6-hour hands-on practical lab plus a workbook — both must be passed. Fee is approximately £650 per exam. Certification is valid for 3 years. Holders are typically deployed on CBEST / STAR-FS / TIBER-EU intelligence-led testing engagements. Expect depth in AD attack chains (ADCS ESC1-11, coerce + relay, unconstrained/constrained/RBCD delegation), container/Kubernetes escapes, cloud privilege escalation, and advanced web app flaws.

Sample CREST CCT Practice Questions

Try these sample questions to test your CREST CCT exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. The CREST Certified Tester (CCT) is positioned at which level within the CREST career pathway?
A. Entry-level
B. Intermediate (same as CRT)
C. Senior / Team Leader (expert)
D. Non-technical management
Explanation: CCT INF and CCT APP are CREST's senior / expert-level certifications, recognised as equivalent to Team Leader status. They sit above CPSA (practitioner) and CRT (registered), and demonstrate expert depth across infrastructure or application penetration testing.

2. The CCT Infrastructure (INF) practical is typically how long?
A. 2 hours
B. 4 hours
C. 6 hours
D. 24 hours
Explanation: The CCT INF practical is a 6-hour hands-on lab accompanied by a workbook. Candidates must demonstrate Team Leader competence — enumeration, multi-host exploitation, pivoting, post-exploitation, and concise professional write-up.

3. Which CREST certification is the expert-level qualification focused exclusively on web application testing?
A. CCT INF
B. CCT APP
C. CPSA
D. CRT
Explanation: CCT Application (CCT APP) focuses on advanced web application testing. CCT Infrastructure (CCT INF) is the infrastructure-focused counterpart. Both are Team Leader / senior level and combine a practical lab with a workbook.

4. Which document sets the mandatory ethical and professional baseline for every CREST-registered individual and member company?
A. OWASP Testing Guide
B. CREST Code of Conduct
C. ISO 27001
D. NIST Cybersecurity Framework
Explanation: The CREST Code of Conduct defines the ethical, professional, and technical obligations of member companies and registered individuals. It covers confidentiality, objectivity, and responsible disclosure, and sits alongside UK law and client contracts.

5. An attacker performs an NTLM relay from a coerced Domain Controller to the ADCS Web Enrollment endpoint using ntlmrelayx. Which ESC vulnerability does this exploit?
A. ESC1
B. ESC7
C. ESC8
D. ESC11
Explanation: ESC8 is the classic NTLM relay attack against ADCS HTTP(S) Web Enrollment endpoints. Coercion techniques (PetitPotam, PrinterBug, DFSCoerce) force the target (often a DC) to authenticate via NTLM; relaying that authentication to the HTTP /certsrv endpoint issues a certificate for the DC machine account, leading to domain compromise.

6. Which ADCS abuse scenario allows a low-privileged user to enroll in a certificate template that specifies a Subject Alternative Name of their choice?
A. ESC1
B. ESC2
C. ESC3
D. ESC6
Explanation: ESC1 arises when a template allows low-privileged enrollment (Enroll permission), permits the requester to supply the Subject Alternative Name (ENROLLEE_SUPPLIES_SUBJECT), and is usable for client authentication. With Certipy or Certify, the attacker requests a certificate naming any user (including a Domain Admin).

7. ESC4 targets which element of the certificate template?
A. Vulnerable template ACL allowing attacker to edit the template
B. Enrollment agent
C. Weak RSA key size
D. Expired CRL
Explanation: ESC4 occurs when a template has overly permissive ACLs (e.g., Write, WriteDACL, FullControl) granted to attacker-controlled principals. The attacker rewrites the template (enabling ENROLLEE_SUPPLIES_SUBJECT and allowing low-privileged enrollment) to create ESC1 conditions.

8. Unconstrained delegation on a compromised server allows an attacker to do what?
A. Read SAM hashes
B. Collect Kerberos TGTs of users who authenticate to the server
C. Reset the KRBTGT account
D. Create new child domains
Explanation: Unconstrained delegation causes a server to receive and cache a copy of each authenticating user's TGT. An attacker with SYSTEM on such a server can extract TGTs with Mimikatz (sekurlsa::tickets) and impersonate those users — including Domain Admins if they are coerced to authenticate.

9. Resource-Based Constrained Delegation (RBCD) abuse typically requires control over which attribute on the target computer object?
A. servicePrincipalName
B. msDS-AllowedToActOnBehalfOfOtherIdentity
C. userAccountControl
D. primaryGroupID
Explanation: RBCD abuse requires write access to msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object. An attacker populates it with a controlled computer account (often created by abusing the default MachineAccountQuota of 10), then impersonates any user on the target via S4U2self/S4U2proxy.

10. A 'Diamond Ticket' attack differs from a Golden Ticket in that it:
A. Forges a TGS instead of a TGT
B. Modifies an existing legitimate TGT instead of forging from KRBTGT
C. Requires local admin rather than the KRBTGT hash
D. Uses RC4 exclusively
Explanation: A Diamond Ticket modifies a legitimately issued TGT (decrypting it with the KRBTGT key, altering the PAC, and re-encrypting) rather than forging a ticket from scratch. It still requires the KRBTGT key but is more evasive because the ticket fields match real KDC behaviour more closely.

About the CREST CCT Exam

The CREST Certified Tester (CCT) is CREST's senior / Team Leader level qualification. CCT Infrastructure (CCT INF) covers advanced infrastructure penetration testing — deep Active Directory abuse, Kerberos chains, pivoting, container and Kubernetes escapes, and cloud (AWS, Azure, GCP). CCT Application (CCT APP) covers advanced web app testing including HTTP request smuggling, SSTI, insecure deserialization, prototype pollution, OAuth/JWT, GraphQL, cache deception, and mobile. Both exams combine a 6-hour practical lab with a written workbook.

  • Questions: 1 scored question
  • Time limit: 6 hours practical + workbook
  • Passing score: pass/fail (practical + workbook both required)
  • Exam fee: £650 (CREST / Pearson VUE)

CREST CCT Exam Content Outline

~25% Advanced Windows / Active Directory (CCT INF)
Kerberos attack chains (AS-REP, Kerberoasting, Golden/Silver/Diamond/Sapphire), NTLM relay with coerce (PetitPotam, PrinterBug, DFSCoerce), ADCS ESC1-11, unconstrained/constrained/RBCD delegation, noPac, DCSync, LSA Protection bypass, Credential Guard considerations

~15% Advanced Unix / Linux + Pivoting (CCT INF)
Kernel exploits, capabilities abuse, sudo wildcards, PATH hijack, LD_PRELOAD, container escapes, ligolo-ng / chisel / SSH -D pivoting and proxychains routing

~15% Cloud + Container Pentesting (CCT INF)
AWS IAM privilege escalation paths + PMapper / Stratus Red Team; Azure / Entra ID AzureHound + Graph abuse; GCP service account chaining; Kubernetes BadPods, SA token abuse, hostPath; Docker socket + privileged container escapes

~25% Advanced Web Application (CCT APP)
HTTP request smuggling (CL.TE, TE.CL, TE.TE, HTTP/2 downgrade), SSTI, insecure deserialization (Java, .NET, Node, PHP), prototype pollution, OAuth/OIDC (redirect_uri, PKCE), JWT attacks, GraphQL abuse, cache deception and poisoning, blind SSRF

~10% Cryptography Attacks (CCT APP / INF)
Padding oracle (CBC bit-flipping), length extension, RSA common modulus / PKCS#1 v1.5 (Bleichenbacher / ROBOT), Heartbleed / CRIME / BREACH / Logjam legacy knowledge, PKI weaknesses

~5% Mobile & Web Services (CCT APP)
Android reverse engineering with apktool / jadx, iOS with class-dump / Frida, Objection SSL-pinning bypass, SOAP / WS-Security, XML Signature Wrapping

~5% Red Team TTPs, CI/CD, Reporting
Cobalt Strike beacons + Malleable C2, Sliver / Havoc / Mythic, indirect syscalls and OPSEC, GitHub Actions / Jenkins / Azure DevOps abuse, Team Leader-level report writing and responsible disclosure

How to Pass the CREST CCT Exam

What You Need to Know

  • Passing score: Pass/fail (practical + workbook both required)
  • Exam length: 1 question
  • Time limit: 6 hours practical + workbook
  • Exam fee: £650

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CREST CCT Study Tips from Top Performers

1. Master Kerberos end-to-end: AS-REQ/AS-REP, TGS-REQ/TGS-REP, S4U2self/S4U2proxy, PAC structure — most advanced AD attacks relate to these fundamentals
2. Drill ADCS ESC1-11 with Certipy until template abuse is instinctive — ESC1, ESC4, ESC6, ESC8 are high-value
3. Practise NTLM relay chains: coerce (PetitPotam, PrinterBug, DFSCoerce) + ntlmrelayx to LDAP/ADCS/SMB
4. For web: practise HTTP request smuggling (CL.TE, TE.CL, TE.TE, HTTP/2) in PortSwigger labs until you can recognise smuggling headers in 30 seconds
5. Study real deserialization gadget chains (ysoserial, ysoserial.net, phpggc) rather than surface-level tooling
6. Rehearse 6-hour mock practicals with full workbook under timed conditions — note-taking quality materially affects the workbook score
7. Memorise default ports, syscalls, and tool flags cold — hesitation in a 6-hour practical kills progress
8. Keep your reporting muscle strong: executive summary at Team Leader level, technical findings with CVSS v3.1, remediation that respects the client's operating context

Frequently Asked Questions

What is the CREST CCT exam?

The CREST Certified Tester (CCT) is CREST's expert / Team Leader level penetration testing certification. There are two specialisations: CCT Infrastructure (CCT INF) and CCT Application (CCT APP). Each exam is structured as a 6-hour hands-on practical lab plus a workbook; both must be passed. It is administered through CREST-approved test centres and Pearson VUE.

How hard is the CCT exam?

CCT is designed to validate senior / Team Leader competence. Candidates are expected to have 5+ years of hands-on penetration testing experience, CRT or equivalent, and deep fluency with the full attack surface relevant to their specialisation. The 6-hour practical is time-pressured and requires methodical enumeration, multi-step exploitation, and concise professional reporting.

How much does the CCT exam cost?

The CCT fee is approximately £650 per attempt (exclusive of VAT), subject to CREST's published pricing. This covers the practical lab and workbook. Training, lab subscriptions, and employer time typically add to total cost.

How long is CCT certification valid?

CCT certification is valid for 3 years. Renewal requires continuing professional development (CPD) submissions and, depending on CREST policy at the time, re-examination. Always check crest-approved.org for current renewal requirements.

What is the difference between CCT INF and CCT APP?

CCT Infrastructure (CCT INF) focuses on advanced infrastructure testing — Active Directory abuse, Kerberos attack chains, pivoting, container and Kubernetes escapes, and cloud pentesting. CCT Application (CCT APP) focuses on advanced web application testing — HTTP request smuggling, SSTI, insecure deserialization, prototype pollution, OAuth/JWT, GraphQL, cache deception, and mobile testing.

How should I prepare for CCT?

Read the CREST CCT syllabus end to end and identify gaps. For CCT INF: practise AD labs (HackTheBox Pro Labs, TryHackMe, GOAD), cloud pentesting labs (CloudGoat, Stratus Red Team), and container escape labs. For CCT APP: PortSwigger Web Security Academy, HackerOne CTFs, and deep study of deserialization and HTTP smuggling. Plan 400-800 hours over several months; run timed 6-hour mock practicals to build stamina.