CREST Practitioner exam — oral vs written, which part is actually harder?
Sitting my first CREST exam in about 10 weeks and I'm trying to figure out how to split prep time between the written knowledge component and the practical oral assessment. Everything I've read says the oral section is where candidates get eliminated, but personally I find the written questions harder because of how granular the technical depth gets.
Background: 4 years in pentesting, mostly web app and infrastructure work. I hold CEH and OSCP and have done a fair number of CTFs. The CREST syllabus feels more focused on depth of explanation than those — they want you to articulate methodology and reasoning out loud, not just prove you can execute a technique on a box.
Right now I'm doing 1.5 hours daily on written prep and one mock verbal walkthrough per week with a colleague who's already CREST certified. Is that enough, or am I underweighting the oral component? Any sense of which topic areas assessors tend to probe hardest?
Mock orals with a certified colleague is the best prep you can do by far. My colleague grilled me for 45 minutes twice a week for a month and it made a bigger difference than any amount of written study. Being able to explain things clearly under pressure is a distinct skill.
Passed CREST Practitioner last year. The written section has specific questions on protocols and vulnerabilities that go deeper than OSCP material — make sure you know your TCP/IP stack and web fundamentals at a granular level, not just a working level.
The oral section trips people up mainly because pentesters are used to doing the work, not explaining it in real time. Practice talking through your methodology out loud even during solo prep — it feels awkward but it's exactly what the assessment tests.
10 weeks is workable but tight given the breadth of the CREST syllabus. If you can stretch to 12–14 weeks you'll go in significantly less stressed. The preparation you're doing sounds solid though.
Honestly, I almost bailed three weeks before mine. The written questions were killing my confidence and I kept second-guessing whether I'd ever actually pass. But here's the thing nobody tells you upfront: the written section rewards grinding. I found free crest security vulnerability management practice questions and just hammered them until the patterns clicked. It's repetitive but it works.
The oral threw me at first because I wasn't used to thinking out loud under pressure. You know the concepts, but articulating your methodology to an examiner who's actively probing your reasoning is a different skill. What helped me was doing mock walkthroughs with a colleague, just narrating my thought process on random scenarios until it felt natural. Don't neglect the written though -- I've seen people underestimate it and get caught out. They're both passable, you just need to respect each one differently.