CREST Cheat Sheet 2026
The 30 highest-yield CREST facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
120 questions
120 min time limit
60.00% to pass
- What does the term 'attack surface' refer to in security architecture? → The sum of all exploitable entry points and vulnerabilities in a system
- What document formally defines the scope, objectives, timeline, and legal permissions for a penetration test engagement? → Statement of Work (SoW) / Rules of Engagement
- Which US government organization operates the National Vulnerability Database (NVD) that stores CVE data? → NIST (National Institute of Standards and Technology)
- What is the Wayback Machine (web.archive.org) primarily used for during OSINT investigations? → Accessing historical archived snapshots of websites to find previously exposed information
- What is the difference between white-hat and black-hat hackers? → White-hat hackers secure systems; black-hat hackers exploit them
- In malware analysis, what is a 'sandbox'? → An isolated virtualized environment for safely executing and observing malware behavior
- What is a key difference between a policy and a procedure in an information security governance framework? → A policy states what must be done; a procedure describes how to do it
- Which CREST code of conduct principle requires members to report discovered vulnerabilities responsibly and not exploit them beyond what is authorized? → Ethical behavior and integrity
- What is the function of a firewall in network security? → It filters network traffic based on security rules
- What is penetration testing? → Simulating attacks on a system to identify vulnerabilities
- What is the primary goal of threat hunting in a security operations context? → Proactively searching for hidden threats that evade automated detection
- During a cloud penetration test, what technique involves querying the AWS metadata service from a compromised EC2 instance to obtain temporary credentials? → Instance Metadata Service (IMDS) credential harvesting
- How can organizations prioritize vulnerabilities? → By assessing impact and exploitability
- What legal doctrine allows security researchers to bypass technical protection measures for good-faith security research under the DMCA? → Section 1201 exemption for good-faith security research
- What is the main goal of web application security? → To protect against malicious attacks targeting web applications
- What is the purpose of encryption in web application security? → It protects data confidentiality by converting it into unreadable format
- In penetration testing methodology, what term describes gathering information about a target exclusively from public sources before active testing begins? → Footprinting
- What is the significance of risk assessments in vulnerability management? → Risk assessments help prioritize vulnerabilities
- Which tool is specifically designed to extract and analyze metadata from publicly available documents to profile organizations? → FOCA (Fingerprinting Organizations with Collected Archives)
- What valuable reconnaissance data can be extracted from Certificate Transparency (CT) logs? → Subdomains and SANs listed in issued SSL/TLS certificates
- Which threat intelligence category focuses on understanding adversary motivations, capabilities, and strategic intentions? → Strategic intelligence
- Which mode of AES operation produces ciphertext blocks that are independent of each other, making it susceptible to block-swapping attacks? → ECB (Electronic Codebook)
- What is the purpose of a Threat Intelligence Report's 'executive summary' section? → To communicate key findings and business risk in non-technical terms for leadership
- What is the Diffie-Hellman key exchange used for? → Establishing a shared secret over an insecure channel without transmitting it
- Which elliptic curve is widely used in TLS 1.3 for key exchange? → X25519
- What is the primary purpose of a Hardware Security Module (HSM) in a cryptographic system? → Generating and protecting cryptographic keys in tamper-resistant hardware
- What is the importance of reporting vulnerabilities after a penetration test? → It helps identify risks and prioritize remediation
- Which encryption approach is most appropriate for protecting data stored in a database column containing credit card numbers? → Column-level encryption with AES
- What is a common tool used for penetration testing? → Metasploit and other exploitation frameworks
- Which framework provides a structured approach for responsible vulnerability disclosure that balances public safety with vendor response time? → Coordinated Vulnerability Disclosure (CVD)
Turn these facts into recall: