CREST Cheat Sheet 2026

The 30 highest-yield CREST facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

120 questions
120 min time limit
60.00% to pass
  1. What does the term 'attack surface' refer to in security architecture? The sum of all exploitable entry points and vulnerabilities in a system
  2. What document formally defines the scope, objectives, timeline, and legal permissions for a penetration test engagement? Statement of Work (SoW) / Rules of Engagement
  3. Which US government organization operates the National Vulnerability Database (NVD) that stores CVE data? NIST (National Institute of Standards and Technology)
  4. What is the Wayback Machine (web.archive.org) primarily used for during OSINT investigations? Accessing historical archived snapshots of websites to find previously exposed information
  5. What is the difference between white-hat and black-hat hackers? White-hat hackers secure systems; black-hat hackers exploit them
  6. In malware analysis, what is a 'sandbox'? An isolated virtualized environment for safely executing and observing malware behavior
  7. What is a key difference between a policy and a procedure in an information security governance framework? A policy states what must be done; a procedure describes how to do it
  8. Which CREST code of conduct principle requires members to report discovered vulnerabilities responsibly and not exploit them beyond what is authorized? Ethical behavior and integrity
  9. What is the function of a firewall in network security? It filters network traffic based on security rules
  10. What is penetration testing? Simulating attacks on a system to identify vulnerabilities
  11. What is the primary goal of threat hunting in a security operations context? Proactively searching for hidden threats that evade automated detection
  12. During a cloud penetration test, what technique involves querying the AWS metadata service from a compromised EC2 instance to obtain temporary credentials? Instance Metadata Service (IMDS) credential harvesting
  13. How can organizations prioritize vulnerabilities? By assessing impact and exploitability
  14. What legal doctrine allows security researchers to bypass technical protection measures for good-faith security research under the DMCA? Section 1201 exemption for good-faith security research
  15. What is the main goal of web application security? To protect against malicious attacks targeting web applications
  16. What is the purpose of encryption in web application security? It protects data confidentiality by converting it into unreadable format
  17. In penetration testing methodology, what term describes gathering information about a target exclusively from public sources before active testing begins? Footprinting
  18. What is the significance of risk assessments in vulnerability management? Risk assessments help prioritize vulnerabilities
  19. Which tool is specifically designed to extract and analyze metadata from publicly available documents to profile organizations? FOCA (Fingerprinting Organizations with Collected Archives)
  20. What valuable reconnaissance data can be extracted from Certificate Transparency (CT) logs? Subdomains and SANs listed in issued SSL/TLS certificates
  21. Which threat intelligence category focuses on understanding adversary motivations, capabilities, and strategic intentions? Strategic intelligence
  22. Which mode of AES operation produces ciphertext blocks that are independent of each other, making it susceptible to block-swapping attacks? ECB (Electronic Codebook)
  23. What is the purpose of a Threat Intelligence Report's 'executive summary' section? To communicate key findings and business risk in non-technical terms for leadership
  24. What is the Diffie-Hellman key exchange used for? Establishing a shared secret over an insecure channel without transmitting it
  25. Which elliptic curve is widely used in TLS 1.3 for key exchange? X25519
  26. What is the primary purpose of a Hardware Security Module (HSM) in a cryptographic system? Generating and protecting cryptographic keys in tamper-resistant hardware
  27. What is the importance of reporting vulnerabilities after a penetration test? It helps identify risks and prioritize remediation
  28. Which encryption approach is most appropriate for protecting data stored in a database column containing credit card numbers? Column-level encryption with AES
  29. What is a common tool used for penetration testing? Metasploit and other exploitation frameworks
  30. Which framework provides a structured approach for responsible vulnerability disclosure that balances public safety with vendor response time? Coordinated Vulnerability Disclosure (CVD)
Turn these facts into recall: