2026 Statistics

Key Facts: CRT Exam

  • Questions: ~120 multiple-choice (CREST CPSA syllabus)
  • Passing score: 60% (CREST)
  • Exam duration: 4 hours (2h MCQ + 2h practical) (CREST)
  • Exam fee: £450 approx. (CREST)
  • Validity: 3 years (CREST)
  • Level: Intermediate (CREST career pathway)

CRT is CREST's flagship intermediate penetration testing certification. The exam has a 2-hour multiple-choice paper plus a 2-hour practical, delivered through CREST / Pearson VUE. The pass mark is 60% and certification is valid for 3 years. Fee is approximately £450. Core syllabus: soft skills and report writing; UK legal and regulatory (Computer Misuse Act 1990, DPA 2018, UK GDPR, Investigatory Powers Act 2016); core technical skills (TCP/IP, routing, common protocols); background information gathering; networking; Windows (NT/AD) security; Unix security; network services; web apps at a recon level; wireless; and databases.

Sample CRT Practice Questions

Try these sample questions to test your CRT exam readiness. Each question includes a detailed explanation.

1. Under the UK Computer Misuse Act 1990, what is the primary offence relevant to an unauthorised penetration test?
A. Unauthorised access to computer material (Section 1)
B. Tax evasion
C. Violation of the Official Secrets Act
D. Breach of contract only
Answer: A
Explanation: Section 1 of the Computer Misuse Act 1990 criminalises unauthorised access to any program or data held in a computer. CREST-registered testers must obtain explicit written authorisation before any engagement; without it, even benign scanning may constitute a Section 1 offence. Section 2 covers unauthorised access with intent to commit or facilitate further offences, and Section 3 covers unauthorised acts with intent to impair the operation of a computer, which is where denial-of-service or destructive testing outside the agreed scope would fall.

2. Which UK legislation governs the lawful interception of communications and is most relevant when a penetration tester captures network traffic?
A. Data Protection Act 2018
B. Investigatory Powers Act 2016
C. Freedom of Information Act 2000
D. Equality Act 2010
Answer: B
Explanation: The Investigatory Powers Act 2016, which replaced the interception provisions of RIPA 2000, governs the lawful interception of communications in the UK. Penetration testers capturing live traffic (for example with Wireshark or Responder) must ensure their written scope and authorisation cover interception to avoid liability. DPA 2018 governs personal data; the IPA governs interception specifically.

3. Which of the following best describes the purpose of the CREST Code of Conduct for registered individuals?
A. To provide marketing material for member companies
B. To define ethical, professional, and technical conduct expected of CREST-registered testers
C. To replace UK legislation for CREST members
D. To mandate specific tooling for every engagement
Answer: B
Explanation: The CREST Code of Conduct outlines ethical, professional, and technical obligations, including confidentiality, integrity, and responsible disclosure. It complements (never replaces) UK law and applies to every CREST-registered individual and member company.

4. A client asks you to test a system owned by a third-party cloud provider. What is the CORRECT first action?
A. Start scanning: the client owns the data
B. Obtain written authorisation from the cloud provider per their pentest policy
C. Refuse the engagement outright
D. Use stealth techniques so the provider does not notice
Answer: B
Explanation: Cloud providers (AWS, Azure, GCP) publish their own penetration testing policies, and the client's authorisation only covers what the client owns or controls. Some providers now permit testing of customer-owned resources without prior approval but still prohibit activities such as denial of service or testing of shared provider infrastructure; others require notification or approval in advance. Check the provider's current policy before the engagement: testing beyond it can breach the provider's acceptable use policy and, for systems the client does not control, the Computer Misuse Act 1990.

5. Which methodology is an open, peer-reviewed security testing methodology that defines operational security metrics such as the Risk Assessment Values (RAVs)?
A. OWASP Testing Guide
B. NIST SP 800-115
C. OSSTMM
D. PTES
Answer: C
Explanation: The Open Source Security Testing Methodology Manual (OSSTMM), maintained by ISECOM, introduces Risk Assessment Values (RAVs) to quantify operational security. OWASP focuses on web applications, NIST SP 800-115 provides high-level US guidance, and PTES is the Penetration Testing Execution Standard.

6. In the Penetration Testing Execution Standard (PTES), which phase immediately precedes Exploitation?
A. Pre-engagement Interactions
B. Intelligence Gathering
C. Vulnerability Analysis
D. Post Exploitation
Answer: C
Explanation: PTES defines seven phases in order: Pre-engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post Exploitation, and Reporting. Vulnerability Analysis feeds the Exploitation phase with validated attack candidates.

7. Which NIST publication provides the Technical Guide to Information Security Testing and Assessment?
A. NIST SP 800-53
B. NIST SP 800-115
C. NIST SP 800-171
D. NIST SP 800-30
Answer: B
Explanation: NIST SP 800-115 is the Technical Guide to Information Security Testing and Assessment and is referenced in the CREST CRT syllabus. SP 800-53 catalogues security controls, SP 800-171 covers protection of CUI, and SP 800-30 covers risk assessment.

8. What is the difference between a vulnerability assessment and a penetration test?
A. Vulnerability assessments confirm exploitability; penetration tests only scan
B. Vulnerability assessments identify weaknesses; penetration tests actively exploit to confirm impact
C. They are synonymous
D. Only penetration tests use automated tools
Answer: B
Explanation: Vulnerability assessments identify and prioritise weaknesses (often via scanning and configuration checks). Penetration testing goes further by attempting to actively exploit findings to validate impact and demonstrate real business risk.

9. Which document should you insist on before starting any engagement?
A. An NDA only
B. A signed rules of engagement / authorisation letter
C. Marketing brochure
D. The client's last penetration test report
Answer: B
Explanation: A signed Rules of Engagement / authorisation letter (often called a 'Get out of Jail Free' letter) is essential. It defines scope, in-scope IP ranges, allowed techniques, time windows, and emergency contacts, and it provides the written authorisation that keeps the work outside the Computer Misuse Act 1990.

10. Which Nmap option performs a TCP SYN (half-open) scan?
A. -sT
B. -sS
C. -sU
D. -sA
Answer: B
Explanation: -sS is the TCP SYN scan, called half-open because Nmap sends a SYN and, on receiving SYN/ACK, replies with RST instead of completing the three-way handshake. It needs raw-packet privileges (root or equivalent), so Nmap defaults to -sS when it has them and to -sT, a full TCP connect scan through the OS socket API, when run unprivileged. -sU is a UDP scan, and -sA is an ACK scan used to map firewall rulesets (unfiltered vs filtered); it does not identify open ports.
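The following script is an added example for questions 9 and 10 above; it is not CREST material or any tool's source. It wires the rules-of-engagement check (in-scope ranges plus the agreed time window) in front of a TCP connect scan, so an out-of-scope target is refused before a single packet is sent. The RoE extract and the localhost listener used as a target are constructed so it runs offline. The scan it performs is a full-handshake connect scan, what nmap -sT does; the half-open -sS behaviour needs raw-packet privileges and is not reproduced here.

```python
"""Scope-gated TCP connect scan (added example, not CREST material)."""
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime

# Constructed rules-of-engagement extract (assumed values, not from any real RoE).
ROE_SCOPE = {
    "cidrs": ["10.10.0.0/16", "127.0.0.0/8"],
    "window_start": "2026-03-02T09:00:00+00:00",
    "window_end": "2026-03-06T17:00:00+00:00",
}


def in_scope(target: str, when_iso: str, roe: dict = ROE_SCOPE) -> bool:
    """True only if target lies in an authorised range AND the time is inside the agreed window."""
    addr = ipaddress.ip_address(target)
    in_range = any(addr in ipaddress.ip_network(c) for c in roe["cidrs"])
    when = datetime.fromisoformat(when_iso)
    start = datetime.fromisoformat(roe["window_start"])
    end = datetime.fromisoformat(roe["window_end"])
    return in_range and start <= when <= end


def connect_scan(target: str, ports, timeout: float = 0.5) -> dict:
    """Full-handshake scan: accepted -> open, refused (RST) -> closed, no answer -> filtered."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((target, port))  # SYN, SYN/ACK and ACK all happen inside connect()
                return port, "open"
            except ConnectionRefusedError:
                return port, "closed"      # the kernel received a RST
            except OSError:
                return port, "filtered"    # timeout or ICMP unreachable: probably dropped
    with ThreadPoolExecutor(max_workers=32) as pool:
        return dict(pool.map(probe, ports))


def scan_if_authorised(target: str, ports, when_iso: str) -> dict:
    """Refuse to send anything unless the RoE check passes."""
    if not in_scope(target, when_iso):
        raise PermissionError(f"{target} at {when_iso} is outside the signed RoE scope")
    return connect_scan(target, ports)


def start_listener():
    """Constructed target: accept-and-close loop on an ephemeral localhost port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def demo():
    """Scan one open and one closed localhost port inside the window; returns (open, closed, result)."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]  # bound then released: nothing listens here
    tmp.close()
    result = scan_if_authorised("127.0.0.1", [open_port, closed_port], "2026-03-03T10:00:00+00:00")
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()
    return open_port, closed_port, result


if __name__ == "__main__":
    print(demo())
```

The point of the gate is that the scope check lives in the tooling rather than in the operator's memory: a target outside the signed CIDRs, or a scan started outside the agreed window, raises before any connection is attempted.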

About the CRT Exam

The CREST Registered Penetration Tester (CRT) certification validates intermediate penetration testing competence. It combines a multiple-choice paper aligned with the CREST Practitioner Security Analyst (CPSA) syllabus and a practical element covering infrastructure and basic application testing. CRT holders are recognised by CREST as qualified to lead technical engagements within CREST member companies.

  • Questions: 120 scored questions
  • Time limit: 4 hours (2h MCQ + 2h practical)
  • Passing score: 60%
  • Exam fee: £450 (CREST / Pearson VUE)

CRT Exam Content Outline

~15%: Soft Skills and Assessment Management
Engagement lifecycle, scoping, rules of engagement, client communication, and professional report writing (exec summary, findings, CVSS, remediation)

~15%: Core Technical Skills
IP protocols, TCP/IP three-way handshake, routing, common protocols (DNS, HTTP, SMB, Kerberos, LDAP), and interpreting Nmap/Wireshark output

~10%: Background Information Gathering & Open Source
OSINT (WHOIS, DNS reconnaissance, Google dorking, Shodan), employee/email enumeration, and metadata analysis

~20%: Networking Equipment & Assessment
Switch/router security, VLAN hopping, SNMP enumeration, weak management protocols (Telnet, unencrypted SNMPv1/v2c), and network device fingerprinting

~15%: Microsoft Windows / Active Directory Security
AD enumeration (BloodHound, SharpHound), Kerberos attacks (AS-REP roasting, Kerberoasting, Golden/Silver tickets), NTLM relay, LLMNR/WPAD poisoning, and privilege escalation

~10%: Unix Security
Linux privilege escalation (SUID, sudo, capabilities, cron, PATH hijacking, LD_PRELOAD), GTFOBins, and kernel exploits

~10%: Web Technologies & Databases (Recon Level)
OWASP Top 10 awareness, HTTP methods, common authentication weaknesses, and database enumeration (MSSQL, MySQL, Oracle TNS, PostgreSQL)

~5%: Wireless, Legal & Regulatory
WPA2 4-way handshake capture, WPS/Pixie Dust, evil twin; UK Computer Misuse Act 1990, DPA 2018, UK GDPR, Investigatory Powers Act 2016, and CREST Code of Conduct

How to Pass the CRT Exam

What You Need to Know

  • Passing score: 60%
  • Exam length: 120 questions
  • Time limit: 4 hours (2h MCQ + 2h practical)
  • Exam fee: £450

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

CRT Study Tips from Top Performers

1. Read the CREST CRT/CPSA syllabus end to end and mark every topic you cannot explain in 60 seconds
2. Memorise default ports: 21 FTP, 22 SSH, 23 Telnet, 25 SMTP, 53 DNS, 88 Kerberos, 135 MSRPC, 139 NetBIOS session (SMB), 445 SMB, 389/636 LDAP/LDAPS, 1433 MSSQL, 1521 Oracle TNS, 3306 MySQL, 3389 RDP, 5985/5986 WinRM (HTTP/HTTPS)
3. Practise Kerberos attacks until you can explain AS-REP roasting, Kerberoasting, Golden/Silver/Diamond tickets, and unconstrained/constrained delegation end to end
4. Drill Linux privilege escalation via SUID, sudo, capabilities, cron, PATH hijacking, and LD_PRELOAD; use linPEAS and GTFOBins in labs
5. Know the UK legal triad: Computer Misuse Act 1990, Data Protection Act 2018 / UK GDPR, Investigatory Powers Act 2016
6. Practise report writing: executive summary, methodology, findings with CVSS v3.1 scoring, evidence, and remediation
7. Run timed mock practicals: CRT's practical is only 2 hours, so pace and note-taking matter
8. Use CrackMapExec / NetExec for Windows post-exploitation drills against AD labs

Frequently Asked Questions

What is the CREST CRT exam?

The CREST Registered Penetration Tester (CRT) is an intermediate certification for penetration testers. The examination consists of a 2-hour multiple-choice paper aligned with the CREST Practitioner Security Analyst (CPSA) syllabus and a 2-hour practical element covering infrastructure and basic application testing. It is administered through CREST / Pearson VUE test centres and is valid for 3 years.

How many questions are on the CRT multiple-choice paper?

The CRT multiple-choice element follows the CPSA syllabus and typically contains around 120 questions covering UK legal and regulatory framework, networking, Windows and Unix security, common network services, web app reconnaissance, wireless, and soft skills. The pass mark is 60% and the practical must also be passed.

How much does the CREST CRT exam cost?

The CRT exam fee is approximately £450 (exclusive of VAT, subject to periodic CREST review). Fees are payable directly to CREST or the CREST member company facilitating the exam. This covers both the multiple-choice paper and the practical element on the same day.

How long does CRT certification last?

CREST CRT certification is valid for 3 years. Renewal requires continuing professional development (CPD) submissions and, where applicable, re-examination. CREST publishes current CPD requirements on crest-approved.org.

What prerequisites exist for CRT?

There are no formal prerequisites, but CREST strongly recommends holding the CREST Practitioner Security Analyst (CPSA) qualification first, or equivalent knowledge. Candidates should have 2-4 years of hands-on penetration testing experience with infrastructure assessments before attempting CRT.

How should I prepare for CRT?

Study the CREST CRT/CPSA syllabus, practise extensively on HackTheBox/TryHackMe infrastructure labs, and master tools such as Nmap, Nessus, Metasploit, CrackMapExec/NetExec, Impacket, Responder, and BloodHound. Cover UK legal framework (Computer Misuse Act 1990, DPA 2018, UK GDPR, Investigatory Powers Act 2016), Kerberos attacks, Linux privilege escalation, and reporting. Aim for 200-400 hours of focused study.