Inside Australia's CREST proposal


Pressure test

Adam Boileau, pen tester for Insomnia Security and board member of CREST New Zealand, is one of the few in Australia and New Zealand to have road-tested the CREST Certified Tester exam. “The technical level of them is not that high,” he says. “What it really tests is your ability to work under time pressure and without internet access, which isn’t something many testers are used to and most people will fail the first time around.”

It was this race against the clock, coupled with a lack of internet access for half the exam, that saw the respected veteran pen tester flunk. And NGS Secure’s Alcorn says others have too. “These were skilled testers, really experienced guys,” he says.

Pen testers are rarely pressured for time during professional tests. Their work is thorough and considered, and they have online access to download tools and access information as it is needed. Moreover, penetration testing is anything but an exact science, and the industry is composed of professionals who vary as much in experience as they do in their approach to hacking.

The CREST Certification Examinations are billed as placing pen testers “recognisably at the top of [their] game”. Certifications are divided into two tracks, with the Infrastructure Certification Examination assessing “capabilities in the field of general infrastructure and operating system security assessments” and the Web Application Certification Examination assessing testers’ ability to find vulnerabilities in bespoke web applications.

Both tracks contain essential written components, including 90 multiple-choice questions answered closed-book and offline, and three long-form questions conducted open-book and online. Written and practical components of the examinations are sat consecutively, lasting a day.

Boileau and Alcorn back the certification, warning that the exam environment is something that candidates will need to prepare for. They note the preparation might come at a cost. “The preparation time for some of these exams could be two or three weeks and if you’re taking that out of your consultancy every few years, that’s a reasonable amount of cash for a boutique,” Boileau says.

Those weeks, however long study may take, are worth the cost, McKitrick says. “I think many will see it as a cost of doing business and it has benefits to the tester and the company they work for.”


Copyright © SC Magazine, Australia
