CREST CPSA | My Cyber Academy
Module 01 — Appendix A
Soft Skills & Assessment Management
Skills covered: A1 · A2 · A3 · A4 · A5
A1
The Penetration Testing Lifecycle
Every professional pentest follows six phases — and written authorisation must exist before any activity begins, including reconnaissance.
1. Pre-Engagement
Scope, RoE, emergency contacts
2. Reconnaissance
Passive & active info gathering
3. Scanning
Hosts, ports, services
4. Exploitation
Compromise in-scope targets
5. Post-Exploitation
Escalation, lateral movement
6. Reporting
Findings, evidence, remediation
A1
Pre-Engagement Essentials
Signed RoE
Rules of Engagement / Penetration Testing Agreement in place
Scope & Exclusions
Exact IP ranges, domains, and explicitly out-of-scope systems documented
Logistics
Emergency contacts, testing window, engagement type (Black/Grey/White box)
During the Test
Contemporaneous notes with timestamps, record every command, screenshot evidence
A2
UK Legal Framework
Know the Acts — and the exact section numbers. This is a key CREST exam focus.

🎯 Don't just know the Acts exist — know the section numbers and exactly what each section criminalises.
A2
Computer Misuse Act 1990 — The Three Sections
Section 1 — Unauthorised Access
Accessing a computer without permission. Lowest-tier offence. E.g. guessing a password to log in, or accessing a system you are not authorised to use.
Section 2 — Access with Intent
S1 access PLUS intent to commit further offences (e.g. accessing a database to steal data for fraud). Heavier penalties.
Section 3 — Unauthorised Modification
Altering, deleting, or impairing data/programs. Covers malware installation, data deletion, system impairment.

🧠 Memory Hack: 1=Access · 2=Access+Intent · 3=Modification — Like a burglar: S1=entered, S2=entered to steal, S3=smashed the place up
A3
Scoping & Engagement Types
Black Box
IP ranges or URLs only — no internal knowledge. Simulates an external attacker.
Grey Box
Limited info — user credentials, architecture overview. Most common engagement type.
White Box
Full documentation: source code, architecture, credentials. Maximum coverage.

🧠 3 Bs: Borders (what's in) · Bans (what's out) · Boxes (Black/Grey/White)
A3
The Cloud Permission Rule
Client permission ≠ Cloud provider permission. Both are required before testing cloud-hosted infrastructure.

⚠️ Ignoring cloud provider policies may constitute unauthorised access under the CMA.
Provider notes: AWS, Azure, and GCP each permit testing within their own guidelines — but prohibited actions still apply regardless of client authorisation.
A4
Risk Management & CVSS
🔴 Critical
9.0 – 10.0 · Immediate remediation
🟠 High
7.0 – 8.9 · Urgent remediation
🟡 Medium
4.0 – 6.9 · Planned remediation
🟢 Low
0.1 – 3.9 · Monitor / accept
Info
0.0 · No direct risk
Three score types: Base (inherent risk) · Temporal (exploit maturity & patch availability) · Environmental (client's specific context) — Risk = Likelihood × Impact
A4
Applying CVSS in Practice
Example: SQL Injection on a Web App
Why Context Matters
The same vulnerability can be Critical on an internet-facing system and Medium on an isolated internal server.

Common Mistake: Reporting base CVSS scores without environmental context. The board needs the actual risk to their environment.
A5
Professional Reporting
Executive Summary
Business language, no jargon. Overall risk posture, top 3–5 findings, recommended immediate actions — for the Board.
Technical Findings
Each finding: Title + CVSS rating, description, evidence, reproduction steps, and remediation recommendation — for the security/IT team.

Common Mistake: Writing the executive summary with technical language. Board members cannot act on what they cannot understand.
A5
Evidence, Notes & Secure Delivery
Contemporaneous Record Keeping
Tools: CherryTree · Obsidian · Ghostwriter · Notion
Report Delivery
Encrypted email (PGP / password-protected ZIP)
Secure client portal
Never plaintext email — GDPR violation + data breach risk
📁 Retain evidence for a minimum of 6–12 months post-engagement
Module A
Practice Questions
1. Cloud Testing
The client has signed the RoE for their AWS-hosted app. What additional step is required?
✓ B: Submit a penetration testing request to AWS. Failure = potential CMA violation.
2. CMA Section
Which CMA 1990 section covers unauthorised modification?
✓ C: Section 3. S1=access · S2=access+intent · S3=modification
3. CVSS Score
A vulnerability scores 7.5 on CVSS. What is its severity?
✓ B: High (7.0–8.9)
4. Report Audience
Which report section is primarily for the Board of Directors?
✓ B: Executive Summary — business language, no jargon.
5. Report Delivery
How must a pentest report be delivered?
✓ B: Via an encrypted channel or a secure client portal
Module A
Key Takeaways
Written RoE signed before any testing begins — no exceptions
CMA: S1 = Access · S2 = Access + Intent · S3 = Modification
Cloud testing requires client permission AND cloud provider approval
CVSS: Critical 9–10 · High 7–8.9 · Medium 4–6.9 · Low 0.1–3.9
Reports serve two audiences: Executive (business) and Technical (remediation) — delivered encrypted
Next module: Appendix B — Core Technical Skills · My Cyber Academy | mycyberacademy.com