CREST penetration testing is a security assessment conducted by a company accredited by the Council of Registered Ethical Security Testers (CREST). CREST accreditation verifies that both the organisation and its individual testers meet rigorous technical standards, follow documented methodologies, and operate under strict professional and ethical guidelines. It is the industry benchmark for penetration testing quality in the UK and internationally.
What is CREST penetration testing?
CREST stands for the Council of Registered Ethical Security Testers. It is an international not-for-profit accreditation body that certifies both penetration testing companies and individual security testers. Over 400 member companies hold CREST accreditation globally as of 2025.
A CREST penetration test is a security engagement delivered by a CREST-accredited company, with testers who hold recognised CREST certifications (CPSA, CRT, CCT, or CCSAS). The accreditation covers the entire operation: how the company scopes work, executes testing, handles sensitive data, reports findings, and supports remediation.
CREST exists because penetration testing is an unregulated field. Anyone can call themselves a penetration tester. CREST solves this by independently assessing companies against a defined standard. In February 2025, CREST released an updated Penetration Testing Accreditation Standard covering six key domains, including preparation, scoping, assignment execution, and continuous improvement. Accredited companies must also align their operations with ISO 27001 and ISO 9001.
The result is a clear signal for buyers. When you engage a CREST-accredited provider, you know the company has been independently verified and its testers have passed hands-on technical examinations.
Why does CREST accreditation matter?
CREST accreditation matters because it removes guesswork from procurement. Five factors make it significant.
Quality assurance. CREST conducts independent assessments of member companies. This covers technical capability, operational processes, data handling, and staff vetting. Companies do not self-certify. They are reviewed externally.
Tester qualifications. CREST certifications require practical examinations. A CRT (Registered Tester) must have 6,000 hours of experience and pass an intermediate practical exam. A CCT (Certified Tester) requires 10,000 hours and a six-hour practical exam exploiting real systems. These are not multiple-choice certificates.
Methodology and standards. CREST members follow documented testing methodologies aligned with frameworks such as OWASP, PTES, and CREST's own standards. This ensures consistency and repeatability across engagements.
Regulatory recognition. UK and international regulations increasingly reference CREST. The NCSC recognises the CRT examination for its CHECK scheme. DORA mandates CREST or CHECK-level testing for financial services threat-led penetration testing (TLPT). PPN 014, published in February 2025, requires CREST accreditation for government suppliers.
Insurance and procurement. Cyber insurance underwriters increasingly require penetration tests from accredited providers. Procurement teams at large enterprises and public sector bodies routinely specify CREST accreditation as a minimum requirement.
What are the CREST certification levels?
CREST operates four individual certification levels, each with increasing experience requirements and exam difficulty.
| Certification | Full Title | Experience Required | Exam Format | Key Detail |
|---|---|---|---|---|
| CPSA | Practitioner Security Analyst | 2,500 hours | 120 multiple-choice questions, 2 hours | Entry-level, 60% pass rate |
| CRT | Registered Tester | 6,000 hours (3+ years) | Intermediate practical exam | Requires CPSA first, recognised for CHECK |
| CCT | Certified Tester | 10,000 hours (5-6 years) | 6-hour practical on real systems | Senior-level, most rigorous CREST exam |
| CCSAS | Certified Simulated Attack Specialist | Specialist level | Practical exam | Red team and adversarial emulation focus |
The CPSA is the entry point. It validates foundational knowledge through a two-hour multiple-choice exam. The CRT builds on this with a practical component, testing the ability to identify and exploit vulnerabilities in controlled environments. The CCT is the most demanding: a six-hour examination against real systems, requiring deep technical expertise across infrastructure and application testing.
The CCSAS is a specialist certification for red team operators, covering adversarial emulation and simulated attack techniques.
Company accreditation pathway
Companies follow a three-stage pathway to full CREST membership:
- Stage 1: Pathway. Baseline entry establishing the company's commitment to the accreditation process.
- Stage 2: Pathway+. Self-assessment against CREST standards, demonstrating operational alignment.
- Stage 3: CREST Member. Full independent review of the company's operations, processes, and technical capabilities.
When evaluating providers, check whether a company holds Stage 3 (full member) status. This represents the highest level of independent verification.
When is CREST penetration testing required?
Multiple regulatory frameworks and industry standards either mandate or strongly recommend CREST-accredited penetration testing.
| Regulation / Standard | CREST Requirement |
|---|---|
| GDPR / DPA 2018 | Expected for demonstrating security due diligence |
| PCI DSS | Required for payment card environment testing |
| DORA (EU 2022/2554) | Mandates CREST/CHECK for financial services TLPT |
| NIS Regulations | Required for operators of essential services |
| PPN 014 (Feb 2025) | Required for UK government suppliers |
| ISO 27001 | Expected as supplier qualification for testing providers |
| NHS DTAC / DSPT | Expected for digital health technology suppliers |
| Cyber Insurance | Increasingly specified by underwriters |
Government procurement. PPN 014, published in February 2025, makes CREST accreditation a requirement for suppliers providing penetration testing to the UK government. This affects any organisation selling into the public sector.
Financial services. DORA (the Digital Operational Resilience Act) requires financial entities to use CREST or CHECK-accredited providers for threat-led penetration testing. This applies across the EU and impacts UK-based firms operating in European markets.
Cyber insurance. Underwriters are tightening requirements around penetration testing evidence. Policies increasingly specify that tests must be conducted by accredited providers. A vulnerability assessment is not a penetration test, and insurers know the difference.
Supply chain requirements. ISO 27001-certified organisations often require their penetration testing suppliers to hold CREST accreditation as part of supplier due diligence. This creates a cascading requirement through supply chains.
What is the difference between CREST and CHECK?
CREST and CHECK serve different purposes, and knowing which applies to your organisation prevents procurement errors.
CHECK is the NCSC's assurance scheme for penetration testing of UK government departments, public sector bodies handling data classified at OFFICIAL or above, and critical national infrastructure (CNI). CHECK is governed by the National Cyber Security Centre, which sits within GCHQ. CHECK team leaders must hold a UK Cyber Security Council Professional Title at Principal level or above, and all CHECK team members must hold SC security clearance due to the sensitive nature of the systems they test.
CHECK is specifically required when testing:
- Central government departments and agencies
- Public sector bodies that store, process, or handle data classified at OFFICIAL or above
- Critical national infrastructure operators (energy generators, water companies, telecoms providers, transport operators)
- Systems subject to the Minimum Cyber Security Standard (MCSS)
CHECK is not required for private sector organisations, most NHS Trusts (which use CREST for DSPT compliance), most local authorities (unless handling classified data), or commercial entities.
CREST is the broader industry accreditation recognised across the private and public sectors. It covers the widest range of testing types and applies to commercial organisations, regulated industries, NHS, education, and any entity that wants independently verified testing quality. For the majority of UK organisations, CREST accreditation is the appropriate standard to specify when procuring penetration testing.
Some organisations operate across both sectors. Government contractors with both public and private sector systems may need a provider that holds CREST accreditation and CHECK approval. For organisations requiring NCSC IT Health Check (ITHC) services, a CREST-approved provider is necessary.
| | CREST | CHECK |
|---|---|---|
| Governed by | CREST (independent not-for-profit) | NCSC (part of GCHQ) |
| Scope | Private sector, commercial, NHS, regulated industries | UK government, CNI, OFFICIAL+ data |
| Tester requirements | CPSA, CRT, or CCT certification | UK CSC Professional Title + SC clearance |
| International recognition | Yes, recognised globally | UK only |
| Who needs it | Any organisation buying penetration testing | Government departments, CNI operators |
What does a CREST penetration test include?
A CREST penetration test follows a structured methodology from scoping through to remediation support. The exact process varies by engagement type, but the framework is consistent.
Scoping and pre-engagement. The testing provider works with you to define the scope: which systems, networks, or applications are in scope, what testing approach (black box, grey box, or white box) applies, and what rules of engagement govern the test. CREST standards require documented scoping before any testing begins.
Testing methodology. CREST testers follow recognised frameworks including OWASP (for web applications), PTES (Penetration Testing Execution Standard), and CREST's own testing guidelines. The 2025 accreditation standard requires companies to demonstrate alignment across six domains, ensuring consistent execution regardless of which tester is assigned.
Types of testing. CREST accreditation covers the full range of penetration testing disciplines including:
- Web application penetration testing: testing web apps, APIs, and authentication mechanisms against OWASP methodologies
- External network penetration testing: assessing internet-facing infrastructure for exploitable vulnerabilities
- Internal network penetration testing: simulating an attacker with internal network access, testing Active Directory, lateral movement paths, and privilege escalation
Cloud infrastructure, mobile applications, and wireless testing are also covered under the CREST umbrella. Understanding the difference between internal and external penetration testing helps determine which engagement type fits your risk profile.
Reporting. CREST-accredited providers deliver structured reports that include an executive summary for senior stakeholders, detailed technical findings with evidence, risk ratings aligned to recognised frameworks (typically CVSS), and prioritised remediation guidance.
Remediation support. The report is not the end. CREST standards expect providers to support clients through remediation, answer technical questions, and offer retesting to validate fixes.
How much does CREST penetration testing cost?
CREST penetration testing costs more than non-accredited alternatives. The premium pays for verified quality, certified testers, and regulatory compliance.
Day rates. CREST-accredited testers typically charge between £950 and £1,400 per day. Specialist engagements (red team, complex application testing) can reach £2,000 or more per day.
Engagement costs by type:
| Test Type | Typical Cost Range |
|---|---|
| Basic external network test | £2,000 to £5,000+ |
| Web application test | £3,500 to £8,000+ |
| Internal infrastructure test | £5,000 to £15,000+ |
| Red team engagement | £25,000 to £50,000+ |
Factors affecting price. Scope is the primary driver. A single web application with ten pages costs less than a complex platform with multiple APIs, authentication flows, and integrations. The number of IP addresses, the testing approach (black box vs grey box), and the depth of post-test support all influence the final cost.
What the premium buys. Non-accredited providers may charge less, but CREST accreditation guarantees that testers hold verified certifications, the company follows audited processes, findings are reported to a consistent standard, and the engagement meets regulatory requirements. For organisations bound by PCI DSS, DORA, PPN 014, or cyber insurance terms, non-accredited testing may not satisfy compliance requirements, making the apparent saving a false economy.
How to choose a CREST accredited penetration testing provider
Selecting the right provider requires more than confirming accreditation status. Six criteria separate competent providers from exceptional ones.
Verify accreditation. Check the provider's status on the CREST member directory. Confirm they hold full Stage 3 membership, not just Pathway status.
Check the scope of accreditation. CREST accreditation can cover different testing disciplines. Verify that the provider is accredited for the specific type of testing you need (e.g. Penetration Testing, Vulnerability Assessment, SOC).
Review sample reports. Request a redacted sample report before committing. Evaluate the clarity of the executive summary, the depth of technical findings, and the quality of remediation guidance.
Check for additional capabilities. Providers with SOC capabilities, incident response services, or Cyber Essentials certification body status offer broader security coverage beyond testing alone.
Consider the closed-loop advantage. Most penetration testing firms find vulnerabilities and hand you a report. A closed-loop provider combines offensive testing with defensive security operations: a SOC that monitors your environment, managed detection and response (MDR), and incident response capability. When the team that finds your vulnerabilities also defends your network, remediation is faster and more effective.
Precursor Security is a CREST-accredited penetration testing and managed security firm. We operate a UK-sovereign SOC and deliver offensive and defensive security under one roof. View our CREST accreditation details or get in touch to scope your next engagement.
Frequently asked questions
What does CREST stand for?
CREST stands for the Council of Registered Ethical Security Testers. It is an international not-for-profit body that accredits penetration testing companies and certifies individual security testers.
Is CREST penetration testing mandatory?
CREST penetration testing is not universally mandatory, but several regulations require or strongly recommend it. PCI DSS, DORA, PPN 014, and NIS Regulations all reference CREST or equivalent accreditation. Cyber insurance policies increasingly specify CREST-accredited testing.
How long does a CREST penetration test take?
The duration depends on scope. A basic external network test typically takes two to five days. A comprehensive web application test takes five to ten days. Internal infrastructure assessments range from five to fifteen days. Red team engagements may run for several weeks.
What is the difference between CREST and CISA?
CREST is a UK-originated international accreditation body for penetration testing companies and testers. CISA (Certified Information Systems Auditor) is an individual certification from ISACA focused on information systems auditing and governance. They serve different purposes: CREST validates offensive security capability, while CISA validates audit and assurance competence.
Can a non-CREST provider perform a penetration test?
Yes, but non-accredited providers cannot demonstrate independent verification of their processes, tester qualifications, or methodology. For regulated industries, government contracts, or cyber insurance compliance, non-CREST testing may not satisfy requirements.
How often should CREST penetration testing be conducted?
Most frameworks recommend at least annual penetration testing. PCI DSS requires testing after significant infrastructure changes and at least annually. Organisations with frequent releases, high-risk profiles, or regulatory obligations often test quarterly or after each major deployment.