CREST Vulnerability Assessment
CREST vulnerability assessment is the independently audited standard for identifying and classifying exploitable weaknesses in your environment. It is required for Cyber Essentials Plus, PCI DSS quarterly scanning, and NHS DSPT compliance. Precursor Security holds CREST company accreditation for vulnerability assessment. Findings are manually validated, CVSS v3.1 scored, and delivered in a board-ready report with a remediation roadmap within five business days.
Precursor Security delivers CREST-certified vulnerability assessments across external perimeter, internal network, web applications, and cloud environments. Findings are manually validated by qualified assessors, scored to CVSS v3.1, and delivered in a board-ready report with prioritised remediation roadmap - satisfying Cyber Essentials Plus, PCI DSS, NHS DSPT, and ISO 27001 audit requirements.
Why CREST Vulnerability Assessment.
Independently audited, manually validated, annually renewed. Four structural differences between CREST-certified vulnerability assessment and uncertified scanner reports.
Required Across Regulated Frameworks
CREST vulnerability assessment satisfies technical testing requirements across Cyber Essentials Plus, PCI DSS Requirement 11.3 (quarterly external VA and internal scans after significant changes), NHS DSPT Data Security Protection requirements, ISO 27001 Annex A.8.8 (technical vulnerability management), and NIS Regulations. Most cyber insurance underwriters require evidence of regular CREST-assessed vulnerability scanning as a condition of coverage. For organisations subject to regulatory oversight, a CREST VA is the defensible evidence standard - not a plain scanner report from an uncertified provider.
Manual Validation vs Raw Scanner Output
Automated scanners produce lists of potential vulnerabilities - many are false positives, version-based assumptions, or low-priority noise that burden remediation teams without enabling confident decisions. CREST VA requires qualified assessors to manually validate high-confidence findings, contextualise severity against your environment, and eliminate scanner artefacts before findings reach your team. The difference between a CREST report and raw scanner output is the difference between actionable intelligence and unfiltered data.
Qualified Assessors, Defined Methodology
CREST VA assessors hold individual certifications examined against defined technical standards. The methodology covers authenticated and unauthenticated scanning, service enumeration, CVE identification, manual verification of high-confidence findings, and CVSS v3.1 scoring against consistent severity criteria. Assessor qualifications are not self-declared - they are independently examined and renewed. CREST company accreditation requires annual audit of methodology, tooling currency, and assessor competence ratios.
Accreditation That Expires, Not Self-Declared
Any organisation can label a Nessus scan as a vulnerability assessment. CREST company accreditation requires annual audit of methodology, tooling, and assessor competence - the credential is reissued only when the organisation passes re-assessment. An uncertified provider's report carries no independently verified quality standard. When your auditor, board, or insurer asks for evidence of vulnerability testing, a CREST-certified report from an accredited organisation is the defensible standard. A raw scan from an uncertified provider is not.
What Your Assessment Delivers.
The concrete outputs of a CREST vulnerability assessment - validated findings, prioritised remediation, and compliance-ready documentation.
CVEs Checked Per Assessment
Authenticated and unauthenticated scanning against current CVE databases, vendor advisories, and configuration benchmarks.
Portal Delivery
Results delivered live via our penetration testing portal as findings are identified, with executive summary and technical annex on completion.
Remediation Guidance
Prioritised remediation guidance for every finding, with specific configuration fixes and patch references.
Board-Ready, Audit-Proven Reports
Every assessment delivers a structured report meeting CREST reporting standards - readable at board level and rigorous enough for technical remediation. Findings are manually validated before inclusion; no scanner artefacts reach your remediation backlog.
Audit-Ready Documentation
The CREST certificate and compliance mapping included in every report are accepted as evidence by regulators, auditors, and cyber insurers. No additional documentation required for submission.
Independently verified. Publicly listed.
Precursor Security holds CREST company accreditation for vulnerability assessment services. Verify our accreditation directly on the CREST public register - no self-declaration.
Precursor Security - CREST Accredited Company
Listed on the CREST public register. Vulnerability assessment accreditation verified, not self-declared.
Ready to commission your CREST vulnerability assessment?
Our CREST-accredited team delivers vulnerability assessments across external, internal, web application, and cloud environments. Fixed-price quotes, results delivered live via our penetration testing portal, and retesting within the assessment window included.



