CREST certification

CREST certification is an internationally recognised accreditation for organisations that deliver penetration testing, vulnerability assessment, cyber incident response, and threat intelligence services. Managed by the Council of Registered Ethical Security Testers (CREST), it verifies that a provider meets rigorous standards for technical capability, data handling, and professional conduct.

For security decision-makers evaluating penetration testing providers, CREST certification is one of the most reliable indicators of quality. It means the company’s testers have been individually examined and its processes independently audited, giving you confidence that your engagement will be thorough, methodical, and handled with the sensitivity your data requires.

Full name: CREST (Council of Registered Ethical Security Testers)
Type: Accreditation
Maintained by: CREST International
Founded: 2006
Applies to: Organisations and individuals delivering penetration testing, vulnerability assessment, incident response, and threat intelligence
UK relevance: Recognised by the NCSC; required or preferred for G-Cloud, Crown Commercial Service, and public sector procurement
Wikipedia: No dedicated article
Wikidata: No dedicated entry

Why CREST certification matters

Not all penetration testing delivers the same value. The difference between a CREST-certified assessment and an uncertified one often comes down to methodology, depth, and the expertise behind the findings.

CREST-certified organisations must demonstrate qualified testers who hold individual CREST examinations (CRT, CCT) proving hands-on technical skill, not just theoretical knowledge. Their testing methodologies are audited against CREST’s standards for consistency, thoroughness, and repeatability. Strict controls govern how sensitive findings and client data are handled, stored, and transmitted. And enforceable ethical standards, insurance requirements, and accountability structures protect you throughout the engagement.

For organisations in regulated sectors (financial services, defence, government, critical national infrastructure), CREST certification is frequently a procurement requirement, not a preference. If you’re buying penetration testing for a regulated environment, CREST is the baseline you should expect.

CREST and UK government security

In the UK, CREST works alongside the National Cyber Security Centre (NCSC) and is the recognised standard for penetration testing quality. Many government frameworks, including G-Cloud and Crown Commercial Service supplier lists, require or strongly prefer CREST-certified providers.

The NCSC’s CHECK scheme, which approves penetration testing firms for government systems, draws from the same pool of CREST-qualified testers. If you’re procuring security services through public sector frameworks, you’ll encounter CREST at every stage. Blue Light Commercial and JOSCAR (the defence supply chain accreditation) also reference CREST membership as a qualifying criterion.

Organisation and individual certifications

CREST operates at two levels. At the organisation level, a CREST Member Company has been audited for processes, data handling, and professional standards. A CREST Accredited Company meets a higher tier with additional scrutiny of technical delivery.

At the individual level, a CRT (CREST Registered Tester) holds a foundational penetration testing certification. A CCT (CREST Certified Tester) holds an advanced certification in infrastructure or application testing. And a CSIR (CREST Certified Simulated Attack Specialist) specialises in red team operations and incident response.

When you commission testing from a CREST-certified provider, you can expect defined scope and methodology, testers with individual certifications appropriate to the engagement type, risk-rated findings with practical remediation guidance, and post-test support including re-testing and verification of fixes.

How we deliver CREST-certified testing

We are a CREST member company. Our penetration testers hold individual CREST certifications (CRT, CCT), and our testing methodology is built on CREST’s standards for scope, execution, and reporting.

As one of only 24 NCSC Assured Cyber Security Consultancies in the UK, we combine CREST-certified penetration testing with the broader context of risk assessment, threat modelling, and security strategy. The result is testing that doesn’t just find vulnerabilities; it helps you understand your exposure and prioritise what matters.

Our penetration testing covers infrastructure and network testing, web application and API testing, cloud security assessments, red team exercises, and AI and LLM security testing. Every engagement is delivered by CREST-qualified testers with the experience to go beyond automated findings.

Related glossary terms

  • Threat modelling – structured threat analysis that informs penetration testing scope
  • MITRE ATT&CK – adversary tactics framework used to structure CREST-certified red team engagements
  • NCSC CAF – UK government cyber assessment framework that references CREST-certified testing

Frequently asked questions

Is CREST certification mandatory for penetration testing?

Not universally, but it is required or strongly preferred for government contracts, financial services procurement, and organisations operating under frameworks like G-Cloud, JOSCAR, or Blue Light Commercial. For public sector engagements, it is effectively mandatory.

What is the difference between CREST and Cyber Essentials?

Cyber Essentials is a baseline certification for your organisation’s own security controls. CREST certification applies to the provider delivering security testing services. Cyber Essentials proves your security hygiene; CREST proves your tester’s competence.

How do I verify a company’s CREST certification?

CREST maintains a public register of member and accredited companies on their website at crest-approved.org. You can verify any provider’s status directly.

Cyberfort Ltd