CREST CCT APP Practice Test
Prepare for the CREST Certified Tester — Application exam with free practice tests covering all five major syllabus domains. Each test has 20 questions timed at 1 minute per question to match the real CCT APP written exam pace.
Mixed Set — CREST CCT APP Practice Tests
Questions distributed across all five CCT APP syllabus domains according to the official CREST exam blueprint. Web application attack techniques, reconnaissance, and modern platform security feature heavily — reflecting the advanced depth expected from candidates with 5 to 6 years of application security experience.
Domain Wise — CREST CCT APP Mock Tests
Target each CCT APP syllabus area with focused domain tests. The updated CCT APP syllabus includes deep coverage of web application attack techniques, modern platform security, API testing, containerisation, cloud, and human-layer attack surfaces — use these mock tests to build expert-level depth across every assessed area.
About the CREST CCT APP Certification Exam
Everything you need to know about the CREST Certified Tester — Application exam: its three-component structure, what it tests beyond the CRT, and why it is the gold standard credential for expert web application security professionals.
What Is the CREST CCT APP?
The CREST Certified Tester — Application (CCT APP) is an advanced-level certification from CREST that validates a practitioner's expert ability to assess the security of web applications, APIs, and modern application platforms. Positioned at the top of the CREST web application testing pathway — above the CRT — the CCT APP is designed for professionals with approximately 5 to 6 years of hands-on application security experience. The revised CCT APP syllabus has been significantly expanded to include cloud-hosted application testing, containerisation (Docker and Kubernetes), API security (REST, GraphQL, SOAP), mobile application assessment, and macOS, in addition to deep coverage of all traditional web application vulnerability classes.
Like its infrastructure counterpart, the CCT APP is recognised by the UK National Cyber Security Centre (NCSC) for the CHECK scheme — CCT APP holders qualify for CHECK Team Leader status (subject to NCSC approval), enabling them to lead web application penetration testing engagements on UK government and critical national infrastructure systems. CCT APP-certified professionals are in high demand at specialist security consultancies, financial institutions, and technology companies, with typical salaries in the UK ranging from £65,000 to £100,000+. The certification carries no formal prerequisites and is valid for 3 years.
Exam Format (2026)
Components: Three separate assessment stages — a multiple-choice written exam, a written scenario, and a hands-on practical assessment.
Written exam: 60 multiple-choice questions completed in 2.5 hours (1 minute per question) at a Pearson VUE test centre. Closed book — no notes, internet access, or devices permitted.
Written scenario: A build-review and report-writing exercise requiring candidates to identify security issues and document findings for a specified audience. Tests professional communication alongside technical depth.
Practical assessment: Hands-on web application penetration testing against a reference environment using a provided Kali Linux setup (personal laptops not permitted). Duration is 3 hours plus 15 minutes of reading time.
Passing score: At least 66% (two-thirds) must be achieved in each component independently. Passing one or two components while failing another results in an overall fail.
Exam fee: Approximately £800 for CCT-level exams (varies by region). Check the CREST pricing page or Pearson VUE for current rates.
Eligibility Requirements
Prerequisites: None. There are no formal prerequisites for the CCT APP exam — any candidate may register and sit it. However, the exam is calibrated to approximately 5 to 6 years of hands-on application security testing experience.
Recommended background: Expert-level familiarity with Burp Suite Professional, OWASP testing methodology, web application attack techniques (injection, authentication bypass, session attacks, logic flaws), and modern application platforms is essential. Given the syllabus updates, knowledge of cloud-hosted application testing and API security is increasingly critical.
Natural progression: Most successful candidates have previously passed CRT, as the CRT web application stage provides the foundational practical baseline. The CCT APP tests substantially more breadth and depth than the CRT's web component.
CHECK Team Leader: CCT APP confers CHECK Team Leader status (subject to NCSC approval), authorising holders to lead web application testing engagements on UK government systems.
Certification validity: 3 years from the date of passing. Renewal requires re-examination.
CREST CCT APP Syllabus Areas — Exam Coverage
The revised CCT APP syllabus spans five broad domain groupings. All three exam components draw from these areas at different depths — the written MCQ tests breadth across all domains, the written scenario tests professional communication of findings, and the practical tests hands-on exploitation skill.
| Domain | Topic | Coverage |
|---|---|---|
| Areas A & B | Assessment Management and Core Security Skills | High |
| Areas C, D & G | Reconnaissance, Web, and Application Technologies | Very High |
| Areas E, F & J | Infrastructure, Network, and Operating System Security | Moderate |
| Areas H & I | Modern Platforms and Secure Engineering | High |
| Areas K & N | Human and Physical Attack Surface | Moderate |
How Our Practice Tests Are Designed
Advanced MCQ calibrated to CCT-level depth — Our practice tests target the CCT APP multiple-choice written component, where 60 scenario-based questions must be answered in 60 minutes. Questions are designed to require applied analysis and expert-level knowledge — the kind of thinking that distinguishes CCT APP holders from CRT-level candidates who know the basics but have not tested across the full modern application stack.
Full coverage of the expanded syllabus — The revised CCT APP syllabus added meaningful new ground: cloud-hosted application vulnerabilities (AWS, Azure, GCP app contexts), container security (Docker, Kubernetes), API security testing (REST, GraphQL, SOAP), mobile application assessment, and expanded law and compliance requirements. Our practice tests cover all five domain groupings including these newer areas that older study materials frequently omit.
Proportional timer — The real CCT APP written exam allows exactly 1 minute per question across 60 questions (2.5 hours total). Each 20-question practice test is timed at 20 minutes, building the decisive pace and answer confidence required under strict time pressure across a technically demanding application security syllabus.
Domain tests for maximum targeted preparation — Reconnaissance, Web, and Application Technologies is the most question-dense domain in the CCT APP syllabus. Modern Platforms and Secure Engineering is the area where candidates with traditional web app backgrounds most often have gaps. Use the domain-wise tests to address both before moving to mixed-set practice.
CREST CCT APP Exam Preparation Tips
Study Strategy
Go beyond OWASP Top 10: The CCT APP tests a much deeper and broader application security syllabus than the CRT web component. Beyond the classic OWASP vulnerability classes, candidates must understand authentication protocol attacks, OAuth and SAML flaws, GraphQL-specific vulnerabilities, container escape techniques, and cloud IAM misconfigurations affecting web applications.
Master Burp Suite at professional level: Burp Suite Professional is the primary tool in the practical assessment. At CCT level, basic interception and scanning are not enough — candidates must be proficient in advanced Intruder payloads, custom macros, CSRF PoC generation, Collaborator for out-of-band testing, and efficient session handling rules for complex authenticated testing scenarios.
Prepare all three components deliberately: The written scenario (report writing) is frequently underestimated. At CCT level, the scenario tests your ability to communicate advanced findings clearly to a defined audience — a technical peer versus a non-technical executive requires very different framing. Practise writing structured findings with impact, evidence, and remediation detail under timed conditions.
Test-Taking Strategy
Flag and pace the written MCQ: CREST's official guidance recommends flagging uncertain questions and returning to them — the ability to answer questions in any order is a key feature of the written exam interface. Do not spend more than 60 seconds on any single question. Build your score from high-confidence answers first, then revisit flagged items with remaining time.
Target the written scenario at your audience: The scenario question specifies who will read the output. Read the brief carefully before writing anything. A management-level finding summary should avoid technical jargon and focus on business impact; a technical finding entry should include precise evidence, affected parameters, and specific remediation steps. Matching tone and detail to the stated audience is explicitly assessed.
Use the 15 minutes of practical reading time strategically: Scan the full task list before touching the keyboard. Identify quick wins — straightforward vulnerabilities with clear exploitation paths — and tackle those first to build a mark buffer. Complex chained exploitation tasks should be deprioritised until high-confidence marks are secured, reducing the risk of a time-out with no score.
Ready to Test Your CREST CCT APP Knowledge?
Start with a mixed set to assess your coverage across all five syllabus domains, then use domain-wise tests to build expert depth in the areas that matter most.
Authors
- Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.
- Sudhanshu Thakur (Reviewer): Enterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.