Precursor Security
Validated. CVSS-Scored. Remediation-Ready.

CREST Vulnerability Assessment

Precursor Security delivers CREST-certified vulnerability assessments across external perimeter, internal network, web applications, and cloud environments. Findings are manually validated by qualified assessors, scored to CVSS v3.1, and delivered in a board-ready report with a prioritised remediation roadmap - satisfying Cyber Essentials Plus, PCI DSS, NHS DSPT, and ISO 27001 audit requirements.

CREST Certified
Manual Validation
CVSS v3.1 Scoring
30-Day Retest
The CREST VA Standard

Why CREST Vulnerability Assessment.

Independently audited, manually validated, annually renewed. Four structural differences between CREST-certified vulnerability assessment and uncertified scanner reports.

Compliance Mandate

Required Across Regulated Frameworks

CREST vulnerability assessment satisfies technical testing requirements across Cyber Essentials Plus, PCI DSS Requirement 11.3 (quarterly external VA and internal scans after significant changes), NHS DSPT Data Security Protection requirements, ISO 27001 Annex A.8.8 (technical vulnerability management), and NIS Regulations. Most cyber insurance underwriters require evidence of regular CREST-assessed vulnerability scanning as a condition of coverage. For organisations subject to regulatory oversight, a CREST VA is the defensible evidence standard - not a plain scanner report from an uncertified provider.

Beyond Automated Scanning

Manual Validation vs Raw Scanner Output

Automated scanners produce lists of potential vulnerabilities - many are false positives, version-based assumptions, or low-priority noise that burden remediation teams without enabling confident decisions. CREST VA requires qualified assessors to manually validate high-confidence findings, contextualise severity against your environment, and eliminate scanner artefacts before findings reach your team. The difference between a CREST report and raw scanner output is the difference between actionable intelligence and unfiltered data.

CREST Methodology

Qualified Assessors, Defined Methodology

CREST VA assessors hold individual certifications examined against defined technical standards. The methodology covers authenticated and unauthenticated scanning, service enumeration, CVE identification, manual verification of high-confidence findings, and CVSS v3.1 scoring against consistent severity criteria. Assessor qualifications are not self-declared - they are independently examined and renewed. CREST company accreditation requires annual audit of methodology, tooling currency, and assessor competence ratios.

Ongoing Validity

Accreditation That Expires, Not Self-Declared

Any organisation can label a Nessus scan as a vulnerability assessment. CREST company accreditation requires annual audit of methodology, tooling, and assessor competence - the credential is reissued only when the organisation passes re-assessment. An uncertified provider's report carries no independently verified quality standard. When your auditor, board, or insurer asks for evidence of vulnerability testing, a CREST-certified report from an accredited organisation is the defensible standard. A raw scan from an uncertified provider is not.

Assessment Deliverables

What Your Assessment Delivers.

The concrete outputs of a CREST vulnerability assessment - validated findings, prioritised remediation, and compliance-ready documentation.

CVE Coverage
300K+

CVEs Checked Per Assessment

Authenticated and unauthenticated scanning against current CVE databases, vendor advisories, and configuration benchmarks.

Delivery
Live

Portal Delivery

Results delivered live via our penetration testing portal as findings are identified, with executive summary and technical annex on completion.

Included

Retesting Included

Retesting of remediated findings is available within the assessment window at no additional cost.

Report Quality

Board-Ready, Audit-Proven Reports

Every assessment delivers a structured report meeting CREST reporting standards - readable at board level and rigorous enough for technical remediation. Findings are manually validated before inclusion; no scanner artefacts reach your remediation backlog.

Executive summary with overall risk posture for board presentation
CVSS v3.1 scored findings with affected assets and reproduction steps
Prioritised remediation roadmap by severity (critical through informational)
Compliance framework mapping (CE+, PCI DSS, NHS DSPT, ISO 27001)
Signed CREST certificate of assessment for auditor submission
Optional CSV export for import into your remediation tracking system

Compliance Evidence

Audit-Ready Documentation

The CREST certificate and compliance mapping included in every report are accepted as evidence by regulators, auditors, and cyber insurers. No additional documentation required for submission.

CREST certificate of assessment (signed)
PCI DSS Req 11.3 quarterly scan evidence
NHS DSPT vulnerability testing evidence
CE+ and ISO 27001 Annex A.8.8 mapping

Verify Accreditation

Independently verified.
Publicly listed.

Precursor Security holds CREST company accreditation for vulnerability assessment services. Verify our accreditation directly on the CREST public register - no self-declaration.

Accepted Frameworks
CREST VA: Accredited
Cyber Essentials+: CE+ Scan Req.
PCI DSS: Req 11.3
NHS DSPT: Healthcare

Precursor Security - CREST Accredited Company

Listed on the CREST public register. Vulnerability assessment accreditation verified, not self-declared.

Verify on CREST Register

CREST VA Services

Ready to commission your CREST vulnerability assessment?

Our CREST-accredited team delivers vulnerability assessments across external, internal, web application, and cloud environments. Fixed-price quotes, results delivered live via our penetration testing portal, and retesting within the assessment window included.

Common Questions

CREST Vulnerability Assessment FAQ