CREST — the Council of Registered Ethical Security Testers — is an international accreditation body for the cybersecurity industry. A CREST-accredited penetration testing company has been independently audited and verified to meet standards covering technical capability, methodology, data handling, staff qualifications, and quality assurance. It is the closest thing the penetration testing industry has to a regulated quality standard.
In an unregulated market where anyone can call themselves a penetration tester, CREST accreditation provides a meaningful baseline of quality. This article explains what the accreditation involves, why it matters when choosing a provider, and how to verify that a company's CREST status is genuine.
Achieving CREST accreditation is not a simple application process. The company undergoes a comprehensive audit that covers every aspect of how it delivers penetration testing services, and the audit is repeated regularly to maintain accreditation.
| Benefit | Detail |
|---|---|
| Quality assurance | CREST accreditation provides independent verification that the provider meets a defined standard. You are not relying solely on the provider's own claims about their capabilities — an external body has audited and confirmed them. |
| Compliance acceptance | Many regulators, compliance frameworks, and enterprise clients specifically require or strongly prefer CREST-accredited testing. The ICO, FCA, PCI SSC, and NHS all recognise CREST as a benchmark for penetration testing quality. A CREST-accredited test report is accepted without question by most compliance assessors. |
| Insurance recognition | Cyber insurance providers increasingly accept penetration test reports from CREST-accredited firms as evidence of due diligence. Some insurers specifically require CREST accreditation from the testing provider. |
| Recourse and complaints | If you are dissatisfied with a CREST-accredited provider's service, you have recourse through CREST's complaints process. This provides a level of consumer protection that does not exist with unaccredited providers. |
| Verified individual competence | CREST individual certifications (CRT, CCT) require practical, hands-on examinations — not just multiple-choice theory tests. A tester holding CCT has demonstrated their ability to identify and exploit real vulnerabilities under examination conditions. |
CREST operates at two levels: company accreditation and individual certification. Both matter, and you should check both before commissioning a test.
| Level | Certification | What It Demonstrates |
|---|---|---|
| Individual | CREST Practitioner Security Analyst (CPSA) | Foundational level — demonstrates knowledge of security testing principles and practices. Entry-level qualification for testing staff. |
| Individual | CREST Registered Tester (CRT) | Intermediate level — demonstrates ability to conduct penetration tests independently. Requires passing a practical examination. |
| Individual | CREST Certified Tester (CCT) — Infrastructure or Web Application | Advanced level — demonstrates expert-level penetration testing capability in infrastructure or web applications. The most rigorous practical examination in the industry. |
| Company | CREST Member Company | The company has been audited and accredited by CREST across methodology, data handling, staff qualifications, and quality assurance. |
A company can hold CREST accreditation while assigning your specific engagement to a tester who holds only entry-level qualifications. When commissioning a test, ask: who specifically will be testing my systems, and what individual CREST certification do they hold? The answer tells you about the quality of your engagement, not just the quality of the company.
CREST maintains a public directory of accredited member companies on its website. Any provider claiming CREST accreditation can be checked against this directory. If a provider claims to be CREST-accredited but does not appear in the directory, treat this as a serious red flag.
You can also ask the provider directly for their CREST certificate and verify it against the directory. A reputable provider will share this without hesitation — it is one of their key differentiators and they will be proud to demonstrate it.
CREST is the primary accreditation standard in the UK, but other credentials also indicate quality. CHECK (NCSC) approval is required for government testing. Offensive Security certifications (OSCP, OSCE, OSWE) are rigorous practical examinations that demonstrate genuine exploitation skills. CRIS (Cyber Resilience Intelligence Suite) certification is emerging as a standard for threat intelligence-led testing. A provider who holds CREST accreditation alongside individually certified testers with Offensive Security qualifications represents the highest standard of testing capability.
Our testers hold individual CREST and Offensive Security certifications. We are happy to provide our CREST certificate, name your assigned tester, and share their individual qualifications before you commit.