For many cybersecurity professionals, earning a CREST certification is a defining career milestone. It represents far more than passing notoriously challenging exams – it signifies discipline, technical mastery, and deep commitment to ethical, high-quality security testing.
At AMATAS, CREST-certified penetration testers play an essential role in our offensive security practice. We’re proud to share that our team continues to grow in this direction, with our colleague Lyuben Petrov recently completing the full CREST certification path. His achievement reflects both personal dedication and the high standard we consistently pursue as a company.
In this article, we look inside the journey to CREST certification – what it involves, why it’s so challenging, and how it elevates the penetration testing services delivered by AMATAS.
What Is CREST Certification – And Why the Journey Matters
CREST certifications are globally recognized benchmarks for validating the real-world competence of penetration testers. While previous AMATAS blogs break down the importance of CREST penetration testing, and SOC accreditation, here we focus on something different: the personal development path that leads to becoming a CREST-accredited penetration tester, and what that means for our clients.
And we’ll explore this path through the real experience of our recently certified penetration tester, Lyuben, whose achievement offers valuable insight into the dedication and skill behind CREST-certified work.
Traditionally, the CREST Registered Tester (CRT) qualification is achieved by passing two key exams:
- CPSA (theoretical, foundation-level knowledge)
- CRT (hands-on, practical exploitation exam under time pressure)
However, CREST also recognizes that there are multiple valid paths to demonstrating practical penetration testing competence. In Lyuben’s case, the journey followed a slightly different route. Through the CREST Equivalency Programme, CREST recognizes certifications such as OSCP and OSCP+ as meeting the practical requirements typically assessed through the CRT exam.
Lyuben already held the OSCP certification, which validated his hands-on penetration testing skills in realistic, high-pressure environments. This allowed him to gain recognition toward the CRT qualification through equivalency. The remaining milestone on his CREST roadmap was CPSA.
Understanding the CREST Requirements: CPSA, CRT, and the OSCP Equivalency Path
CPSA: Building a Solid Foundation
The CREST Practitioner Security Analyst (CPSA) exam validates a penetration tester’s understanding of core security concepts and testing methodology. It focuses on:
- network protocols and architectures
- common application vulnerabilities
- attacker techniques and methodologies
- reconnaissance and enumeration fundamentals
For many candidates, CPSA is the point where theory gets tested in a structured, unforgiving way. It requires not just knowing what attackers do, but why and how.
The CREST Equivalency Programme: Recognizing OSCP
The OSCP certification is a fully hands-on, practical exam that requires candidates to exploit real systems within strict time limits. It assesses:
- real-world exploitation techniques
- persistence and problem-solving under pressure
- structured attack methodology
- clear documentation of findings
“OSCP is very demanding and forces you to think and act under constant pressure. Once I completed it, pursuing CPSA made complete sense – it gave structure and clarity to the techniques I was already using in practice.”
Lyuben Petrov, Penetration Tester at AMATAS
Lyuben completed his OSCP earlier this year, demonstrating the practical, adversarial skills expected at the CREST Registered Tester level. This equivalency route does not lower the standard – it recognizes that OSCP and CRT assess similar real-world capabilities through different, but equally rigorous, practical formats.
The Path to Becoming CREST Certified: Inside the Journey
Before diving into the specifics of the CREST certification process, it’s important to introduce the person behind this achievement. Lyuben has been part of AMATAS for almost 2 years, and during this time he has become known for his strong passion for penetration testing, his curiosity, and his hands-on approach to improving his technical craft.
He is also an active contributor to our CyberBites podcast, where he breaks down complex security topics in simple, practical language. You can listen to one of his recent episodes about SQL Injection.
Like many offensive security specialists, Lyuben saw CREST as a way to validate his skills in an internationally recognized, rigorous format. For him, it wasn’t just about passing an exam – it was about demonstrating mastery, discipline, and a growth mindset.
“CREST is widely recognized as a gold standard in penetration testing. It allowed me to formally validate my expertise while contributing to the strong quality framework we maintain as a team and organization.”
The Preparation Process
Lyuben’s preparation for CREST certification built on years of hands-on experience in penetration testing. Before pursuing CREST, he had already developed a strong technical foundation through his practical work at AMATAS, previous certifications, and his academic studies in the Netherlands.
He spent several months preparing for the OSCP, focusing on fully hands-on, practical exams that simulated real attack scenarios under pressure. Once the OSCP was completed, preparing for CPSA took a few focused weeks, as it aligned naturally with the methodology and theory he was already applying in practice.
“My preparation combined structured self-study with practical exams and extensive use of AMATAS’ internal lab resources. Keeping everything closely tied to real-world testing was key.”
Today, Lyuben is building on this experience by developing internal training lab resources to support the growth of the penetration testing team.
The Most Challenging Parts
While technical depth is expected, the real challenge often lies in:
- balancing speed with accuracy in the OSCP
- staying calm under pressure
- deciding which attack paths are dead ends and which are promising
- writing clear, actionable findings after hours of intense exploitation
These experiences help shape testers into methodical, disciplined professionals – qualities our clients rely on.
“The most important thing was persistence – not getting discouraged when things were difficult and continuing to work through problems step by step. The key was treating challenges as part of the process, not as failures.”
What CREST Means for Him as a Pentester
For Lyuben, earning CREST certification goes beyond adding another credential to his profile. It represents a clear benchmark for how penetration testing should be performed – responsibly, effectively, and to the highest professional standards.
“CREST validates my expertise, but more importantly, it confirms that the way I apply attacker techniques is responsible, structured, and effective. It motivates me to keep learning, to share knowledge with others, and to make sure that the work I deliver at AMATAS meets the highest global standards.”
How CREST Strengthens Penetration Testing at AMATAS
Adding another CREST-certified penetration tester strengthens the internal capabilities of the AMATAS team and reinforces the quality of the penetration testing services we deliver to our clients. CREST certification provides independent validation that our penetration testing follows globally recognized best practices and meets the highest professional standards.
For our clients, this translates into penetration tests performed according to a recognized gold standard – with proven expertise, structured methodology, and consistent quality across every engagement.
1. More Rigorous Methodology
CREST-certified testers follow well-defined, disciplined testing approaches that reduce blind spots and ensure comprehensive coverage of systems and attack surfaces.
2. Higher Exploitation Precision
The combination of deep technical knowledge and hands-on, high-pressure practical validation leads to more accurate identification and confirmation of vulnerabilities.
3. Stronger Reporting Quality
CREST places strong emphasis on clarity, professionalism, and actionable recommendations – principles that are already core to how penetration testing is delivered at AMATAS.
4. Improved Peer Learning and Team Growth
Lyuben’s certification supports knowledge sharing within the team, encouraging continuous learning and raising the overall technical standard of our penetration testing practice.
“CREST certification doesn’t just validate individual skills – it helps support other penetration testers when they go through the same journey. These certifications confirm in-depth knowledge across multiple fields and technologies, which allows us to deliver comprehensive assessments and gives clients confidence in every part of their systems.”
Real Business Value for Clients
Working with a CREST-certified penetration tester gives clients:
- confidence in the technical quality of the assessment
- assurance that tests reflect real adversarial behaviors
- more reliable findings, fewer false positives
- better guidance for remediation
Conclusion
The journey to CREST certification is demanding, technical, and transformative – and that’s exactly why it matters. By having CREST-certified professionals like Lyuben on our team, AMATAS strengthens its position as a trusted penetration testing partner. This certification, along with our existing CREST accreditation, reinforces our commitment to excellence and ensures that every penetration test we deliver is aligned with globally recognized standards.
