ANSWERS GUARANTEE A+
✔✔Why are accurate timescales important? - ✔✔To identify the cost of the test and
book in time for on-site visits.
✔✔What does resources planning entail? - ✔✔Ensuring appropriate testers and QA is
in place.
✔✔What are 4 risks associated with pen testing? - ✔✔1. Loss of data
2. Denial of service
3. Damage to hardware
4. Compromise of infrastructure/application
✔✔What are three ways organisations can mitigate risks of pentesting? - ✔✔1.
Business Continuity Plans
2. Regular backups
3. Ensuring testers are qualified
✔✔What are the 4 stages of pen test report writing? - ✔✔1. Planning
2. Collecting Information
3. First Draft
4. Review and Finalising
✔✔Why is keeping records and writing an accurate report important? - ✔✔To ensure
the client has clarity on the risks they face.
✔✔Why is IPv4 being replaced by IPv6? - ✔✔Unique addresses are running out. IPv6 offers
2^128 addresses as opposed to 2^32.
✔✔In an IPv6 address, what does :: represent? - ✔✔Consecutive 0s.
✔✔Why is this IPv6 address valid? 2001:db8:0:b::1A - ✔✔Because you cannot have
two double colons, the single 0 is left in place rather than also being collapsed to represent consecutive 0s.
✔✔What is TCP protocol? - ✔✔Transmission Control Protocol provides reliable, ordered, error-checked delivery of bytes between applications. It is connection-oriented.
✔✔What does connection-oriented mean? - ✔✔A connection between two nodes must
first be established before you can exchange data.
✔✔What does TCP prioritise? - ✔✔Reliability over speed.
✔✔Which network layer does TCP exist in? - ✔✔Layer 4 - the transport layer.
✔✔What are the steps in the TCP three-way handshake? - ✔✔1. Client sends SYN
2. Server responds with SYN+ACK
3. Client sends ACK
✔✔What is the point of SYN and ACK? - ✔✔Keeping track of data being successfully
received, or if it was lost / sent twice.
✔✔How does a TCP connection end? - ✔✔Either computer sends a FIN.
✔✔What is RTO? - ✔✔Retransmission Timeout. After a packet is sent, it's put in a
queue and a timer is started. If an ACK isn't received before the timer expires, the packet is resent.
✔✔What is UDP? - ✔✔User Datagram Protocol. Connectionless and unreliable.
✔✔What sort of data should be sent over UDP? - ✔✔That which can afford to be lost, or
requiring fast transfer.
✔✔What's the size of the TCP header? - ✔✔20 to 60 bytes.
✔✔What's the size of the UDP header? - ✔✔8 bytes.
✔✔What are some services that use TCP? - ✔✔HTTP, HTTPS, FTP, SMTP.
✔✔What are some services that use UDP? - ✔✔DNS, DHCP, VoIP.
✔✔What is ICMP? - ✔✔Internet Control Message Protocol. It is connectionless. Used
by network devices to diagnose communication issues.
✔✔What is ICMP mainly for? - ✔✔Determining if data is reaching its intended
destination in a timely manner.
✔✔How does ICMP differ from TCP and UDP? - ✔✔It's not for exchanging data
between systems.
✔✔What is Cat 5? And what speeds can it provide? - ✔✔A twisted pair (balanced line)
networking cable used for data transmission, providing speeds up to 100 MHz.
✔✔What is 10/100/1000baseT? - ✔✔An Ethernet standard from IEEE. Base means
only Ethernet signals. T means twisted pair.
✔✔What is Token ring? - ✔✔IEEE 802.5 - it connects all devices in a circular closed-loop way. "Token" means a segment of data that's sent through the network.
✔✔Why was Token ring replaced by Ethernet? - ✔✔It was too expensive, complex, and
slow.
✔✔What is 802.11? - ✔✔A LAN standard, specifying MAC and PHY protocols for
implementing a WLAN. (Basically Wi-Fi).
✔✔What is an "open" port? - ✔✔The application on it is accepting TCP/UDP/SCTP
connections, meaning there could be an attack vector here.
✔✔What is a "closed" port? - ✔✔There is no application listening on that port.
✔✔What is a "filtered" port? - ✔✔The port scanner can't determine if the port is open or
closed. Packet filtering is stopping the probes from reaching the port.
✔✔What is an "unfiltered" port? - ✔✔The port is accessible, but the scanner can't determine whether it's open
or closed. Only arises from an ACK scan.
✔✔What is an "Open | filtered" port? - ✔✔Unable to determine whether the port is open
or filtered.
✔✔What is a "Closed | filtered" port? - ✔✔Unable to determine if the port is closed or
filtered.
✔✔What is ICMP sweeping? - ✔✔Also called ping sweeping, this scans a range of IPs
and returns which of them are live hosts. (Live hosts return an ICMP echo reply).
✔✔What does "Nmap -sn" do? - ✔✔Ping Scan. Disables port scanning. Just host
discovery.
✔✔What does "Nmap -Pn" do? - ✔✔Treats all hosts as online (skipping host discovery).
✔✔What does "Nmap -sL" do? - ✔✔Enumerates IPs and tries to resolve them through
reverse DNS lookup.
✔✔What does a default "Nmap" scan do? - ✔✔Port scans the target. A TCP port scan of
the top 1000 most popular ports.
✔✔What does "Nmap -sV" do? - ✔✔Version enumeration.
✔✔What does "Nmap -sC" do? - ✔✔Default scripts, for more discovery.
✔✔What does "Nmap -T" do? - ✔✔Sets a timing template; higher is faster. The default
is T3.