What is CREST penetration testing? A 2026 buyer’s guide

CREST penetration testing blog cover

SHARE

If a customer, auditor, regulator, board member, or procurement team has asked you for a CREST penetration test, they are usually not asking for “just another pentest.”

They are asking for evidence that your security assessment was delivered by a provider that meets recognized standards for technical quality, professional conduct, data handling, reporting, and service delivery.

CREST penetration testing is commonly requested by organizations preparing for enterprise sales, vendor security reviews, audits such as SOC 2, ISO 27001, PCI DSS, and GDPR-related assurance, financial services due diligence, or public sector procurement.

This guide explains what CREST penetration testing is, when it matters, how it differs from a standard penetration test, what buyers should expect from the process, and how to choose a CREST-accredited penetration testing provider in 2026.

What is CREST penetration testing?

CREST penetration testing is a security assessment delivered by a CREST-accredited provider or by professionals holding relevant CREST certifications.

In practical terms, it means the penetration test is performed by a company that has been assessed against CREST’s standards for cybersecurity service delivery. According to CREST, accredited companies are quality assured, and their staff are expected to be suitably qualified and competent.

A CREST penetration test may assess:

Test area What it typically covers
Web application security Authentication, authorization, business logic, session handling, OWASP Top 10, data exposure, file uploads, admin features, and user workflows
API security REST, GraphQL, authentication tokens, object-level access control, rate limits, excessive data exposure, and abuse cases
Infrastructure security External or internal networks, exposed services, misconfigurations, privilege escalation, lateral movement paths, and segmentation weaknesses
Cloud security IAM, storage permissions, public exposure, logging, network controls, Kubernetes, CI/CD, and cloud-native misconfigurations
Mobile application security Android and iOS apps, local storage, API communication, authentication, certificate pinning, reverse engineering, and platform-specific risks
Red team or advanced testing Attack simulation, phishing, privilege escalation, detection gaps, and response validation

The exact scope should always be agreed upon before testing starts. “CREST penetration testing” does not automatically mean every system is tested. It means the agreed scope is tested using a professional methodology by a qualified provider.

Looking for a pentest provider? Let us challenge your cyber defenses.

Talk to our experts for a custom quote

Why does CREST accreditation matter?

The main value of CREST accreditation is buyer confidence.

Anyone can claim to offer penetration testing services. CREST accreditation gives buyers a way to identify providers that have gone through an external assessment of their processes, standards, and capabilities.

For organizations buying security testing, this matters because a poor-quality pentest can create false confidence. A shallow assessment may miss critical vulnerabilities, yield vague findings, or fail to provide engineering teams with the evidence they need to fix issues.

A good CREST penetration test should give you:

Buyer need How CREST helps
Confidence in provider quality CREST-accredited companies are assessed against recognized standards for service delivery
Confidence in tester capability CREST certifications validate professional skill levels for penetration testing roles
Better procurement evidence CREST reports are often easier to defend with auditors, customers, and enterprise security teams
More consistent methodology The assessment should follow a structured approach rather than ad hoc testing
Clearer reporting Findings should include evidence, risk, impact, reproduction steps, and remediation guidance
Stronger trust with stakeholders CREST is recognized by governments, regulators, and major enterprises

CREST does not guarantee that every vulnerability will be found. No penetration test can do that. What it does provide is a stronger baseline of assurance regarding the provider, the people involved, and how the work is delivered.

CREST-accredited company vs CREST-certified tester

This distinction matters because buyers often use the terms incorrectly.

A company can be CREST-accredited. An individual tester can hold CREST certifications. Ideally, a buyer wants both: a provider with CREST accreditation and a team with relevant technical certifications and real-world experience.

Term What it means Why it matters
CREST-accredited company A cybersecurity provider assessed by CREST for relevant service delivery standards Helps buyers trust the provider’s processes, quality management, data handling, reporting, and professional conduct
CREST-certified tester An individual security professional who has passed relevant CREST examinations Helps buyers understand the technical capability of the people performing the work
CREST penetration testing service A penetration testing engagement delivered by a CREST-accredited provider or CREST-certified professionals Gives customers stronger assurance that the engagement follows recognized standards

Before signing a contract, ask whether the company itself is CREST-accredited, which CREST discipline the accreditation applies to, and who will perform the work.

You can also verify accredited suppliers through the CREST Marketplace.

When do you need CREST penetration testing?

Not every organization strictly needs a CREST-accredited pentest. For some early-stage companies, a well-scoped manual pentest from a reputable provider may be enough.

However, CREST penetration testing becomes more important when the report needs to withstand external scrutiny.

Scenario Is CREST useful? Why
Enterprise customer security review Yes Large customers often prefer reports from recognized providers
SOC 2 or ISO 27001 readiness Yes A CREST report can support evidence of independent security testing
PCI DSS environment Yes Useful when testing payment-related systems or cardholder data environments
Healthcare or sensitive data systems Yes Helps demonstrate stronger third-party assurance for systems handling regulated or sensitive data
Financial services or fintech Yes Security assurance is often reviewed by risk, compliance, and procurement teams
M&A due diligence Yes Buyers and investors may want independent evidence of security posture
UK public sector or CNI work Sometimes CHECK may be required for some UK public sector and critical national infrastructure engagements
Early product MVP with no external compliance pressure Maybe A standard manual pentest may be sufficient if external assurance is not yet required

The simplest way to decide is to ask: who needs to trust this report?

If the answer is only your internal engineering team, CREST may be helpful, but not always mandatory. If the answer includes enterprise customers, auditors, regulators, public sector buyers, banks, insurers, or investors, CREST accreditation becomes much more valuable.

CREST penetration testing vs standard penetration testing

The difference between CREST penetration testing and standard penetration testing is not that one uses completely different hacking techniques. The difference is mainly in assurance, governance, provider validation, and report credibility.

Area Standard penetration test CREST penetration test
Provider assurance Depends entirely on the vendor Provider has been assessed against CREST standards
Tester qualifications May vary widely Testers may hold recognized CREST certifications
Methodology Can be strong or weak depending on the provider Expected to follow a structured and professional testing methodology
Reporting quality Highly variable Expected to provide clear, evidence-based reporting
Procurement value May be accepted for internal use Often stronger for customers, auditors, and regulated buyers
External credibility Depends on brand reputation Supported by a recognized accreditation
Cost Can be cheaper May cost more due to quality, experience, and assurance requirements

A non-CREST pentest can still be excellent if delivered by a strong provider. A CREST pentest is valuable because it reduces buyer uncertainty and gives external stakeholders more confidence in the work.

CREST vs CHECK penetration testing

In the UK, buyers often confuse CREST and CHECK. They are related within the broader assurance ecosystem, but they are not the same.

CHECK is the UK National Cyber Security Centre scheme under which NCSC-assured companies conduct penetration tests of public sector and critical national infrastructure systems and networks.

Area CREST CHECK
Who runs it? CREST, an international accreditation and certification body UK National Cyber Security Centre
Main purpose Assure cybersecurity service providers and certify professionals Assure penetration testing for the UK public sector and critical national infrastructure
Common buyer Private sector, enterprise, SaaS, fintech, healthcare, regulated companies, global buyers UK government, public sector bodies, and CNI organizations
Geographic relevance International Primarily, the UK public sector and CNI
When it matters When customers, auditors, procurement, or compliance teams ask for recognized assurance When a UK public sector or CNI engagement requires CHECK testing

If a commercial customer asks for a “CREST pentest,” they usually mean they want a test from a CREST-accredited provider. If a UK government or CNI buyer asks for CHECK, you should confirm whether a CHECK-approved provider and CHECK-specific process are required.

What is included in a CREST penetration test?

A CREST penetration test should be scoped around the systems, applications, APIs, networks, or cloud environments that matter most to the buyer.

Most engagements include the following stages.

1. Scoping and rules of engagement

The provider defines what will be tested, what is out of scope, which accounts or roles are required, when testing will occur, which techniques are allowed, and who should be contacted if a serious issue is found.

Good scoping prevents confusion later. It also helps avoid under-testing critical areas such as admin portals, APIs, integrations, SSO flows, or multi-tenant access controls.

2. Reconnaissance and mapping

The testing team maps the target environment, identifies exposed services, reviews application flows, studies authentication and authorization logic, and builds an understanding of how the system works.

For web applications and APIs, this stage is especially important. Many serious vulnerabilities are not obvious from scanning alone. They appear only when testers understand the business logic and how users, roles, permissions, workflows, and data objects interact.

3. Manual vulnerability testing

The provider tests for vulnerabilities using a combination of manual techniques, specialist tooling, and professional judgment.

This may include testing for:

Category Example issues
Access control Broken object-level authorization, privilege escalation, insecure direct object references and tenant isolation failures
Authentication Weak login controls, insecure password reset, MFA bypass, SSO misconfiguration
Session management Token leakage, insecure cookies, weak session invalidation
Injection SQL injection, command injection, template injection, LDAP injection
API security Excessive data exposure, weak rate limiting, mass assignment, broken function-level authorization
Business logic Workflow bypass, pricing manipulation, approval bypass, abuse of intended functionality
Cloud security Public storage, excessive IAM permissions, exposed keys, logging gaps, insecure network paths
Infrastructure Exposed services, missing patches, weak configurations, unsafe protocols and lateral movement risks

For API-heavy products, it is worth reading our guide to preparing for an API penetration test before the engagement starts.

4. Exploitation and risk validation

A strong penetration test does not stop at listing theoretical issues. Where safe and agreed, testers validate whether a vulnerability can actually be exploited and what the business impact could be.

This is where manual testing is valuable. A scanner might detect a generic weakness. A skilled tester can explain whether the issue allows customer data access, privilege escalation, account takeover, payment manipulation, or compromise of internal systems.

5. Reporting and remediation guidance

The final report should be useful for both executives and engineers.

A good CREST penetration testing report should include:

Report section What it should contain
Executive summary Plain-English summary of business risk, overall posture, and key themes
Scope Systems, applications, roles, environments, dates, and testing constraints
Methodology High-level explanation of how the test was performed
Findings Severity, affected assets, evidence, impact, reproduction steps, and remediation guidance
Risk ratings Clear severity model and rationale
Remediation priorities What should be fixed first, and why
Positive observations Controls that worked accordingly
Retesting results Confirmation of fixed issues if retesting is included
Attestation letter Optional evidence for customers or auditors

The report should not be a raw vulnerability scan export. It should help your team understand what matters, why it matters, and how to fix it.

6. Retesting and closure

Many buyers need evidence that vulnerabilities were fixed. Retesting verifies whether the agreed-upon fixes have been implemented correctly.

This is particularly useful for SOC 2, ISO 27001, PCI DSS, vendor security reviews, and enterprise customer requirements where an unresolved critical or high finding can delay a deal or audit milestone.

How much does CREST penetration testing cost?

CREST penetration testing cost depends on scope, complexity, test type, environment readiness, number of user roles, and reporting requirements.

The biggest pricing factors are:

Cost factor Why does it affect the price
Number of assets More applications, APIs, IPs, cloud accounts, or environments require more testing time
Application complexity Complex workflows, multi-tenant logic, payments, integrations, and custom roles increase effort
Test type Web, API, cloud, infrastructure, mobile, and red team assessments require different skill sets
Number of user roles Admin, manager, support, customer, partner, and guest roles add authorization testing effort
Compliance requirements Audits and customer reviews may require stronger documentation and formal reporting
Retesting Fix validation adds time after the initial report
Timeline Urgent start dates or compressed delivery windows may increase cost
Reporting depth Executive summaries, debrief calls, attestation letters, and custom evidence may add effort

A small, well-prepared web application or API test will usually cost less than a complex multi-surface assessment covering web, API, cloud, infrastructure, and multiple user roles.

For a broader pricing context, see the UK government’s marketplace or our guide on how much penetration testing costs.

The best way to get an accurate price is to provide the vendor with a clear scope: URLs, APIs, IP ranges, cloud environments, user roles, test objectives, compliance drivers, deadlines, and any previous test reports.

How long does a CREST penetration test take?

A typical CREST penetration test may take from a few days to several weeks, depending on the scope.

Scope type Typical effort pattern
Small web application or API Several testing days plus reporting
Medium SaaS application with multiple roles One to two weeks, depending on complexity
Infrastructure assessment Depends on the number of IPs, segmentation, and internal/external scope
Cloud security review Depends on cloud accounts, services, IAM complexity, and architecture
Red team assessment Usually longer due to planning, execution, stealth, and reporting requirements

Buyers should also account for preparation time, access setup, kickoff, reporting, remediation, and retesting.

A common mistake is to book a pentest too close to an audit, enterprise deal deadline, or product launch. If the test finds serious vulnerabilities, your team will need time to fix them and complete retesting.

How to choose a CREST-accredited penetration testing provider

Choosing the right provider is not only about checking whether the company has a CREST badge.

Use the questions below before signing a statement of work.

Buyer question Why it matters
Is the company currently CREST-accredited for penetration testing? Accreditation should be current and relevant to the service you are buying
Can I verify the provider on the CREST Marketplace? The CREST Marketplace helps buyers search, compare, and connect with accredited providers
Who will perform the test? You want experienced testers, not only a recognized company logo
Has the team tested similar systems before? SaaS, fintech, healthcare, cloud, APIs, mobile, and infrastructure require different expertise
What methodology will be used? The provider should explain the process in plain language
Will testing be manual or mostly automated? Automated scans are useful, but they are not a replacement for expert manual testing
What will the report include? Buyers need evidence, impact, reproduction steps, and practical remediation guidance
Is retesting included? Fix validation is often essential for audits and customer assurance
How quickly can serious findings be escalated? Critical issues should not wait until the final report
Can you provide a redacted sample report? This is one of the fastest ways to judge quality

A strong provider should be able to explain their approach clearly before the test starts. If the sales process is vague, the report may be vague too.

Common mistakes when buying CREST penetration testing

Mistake 1: Buying only by price

A cheap pentest can become expensive if it misses serious vulnerabilities or produces a report that customers and auditors do not accept.

Price matters, but it should be compared against scope, experience, methodology, reporting quality, retesting, and communication.

Mistake 2: Treating CREST as a simple checkbox

CREST accreditation is valuable, but it does not replace good scoping. A narrow test of the wrong assets will not give you meaningful assurance.

Before testing starts, make sure the provider understands your highest-risk systems, user roles, sensitive data flows, integrations, and compliance deadlines.

Mistake 3: Leaving no time for remediation

A penetration test is not finished when the report is delivered. Your team still needs to triage findings, fix vulnerabilities, test changes, and complete retesting.

Plan backward from your audit, procurement, or customer deadline.

How Blaze can help

Blaze Information Security is a CREST-accredited penetration testing company and offensive security firm trusted by 350 organizations across 25 countries.

Our team performs manual penetration testing for web applications and APIs, cloud environments, network infrastructure, mobile applications, and other complex business-critical systems.

If you need a CREST penetration test for an audit, customer requirement, product launch, or enterprise deal, our team can help you define the right scope and deliver a report that is practical for engineers and useful for stakeholders.

FAQ

What is CREST penetration testing?

CREST penetration testing is a professional security assessment delivered by a CREST-accredited provider or CREST-certified professionals. It gives buyers greater assurance that the provider adheres to recognized standards for technical quality, service delivery, and professional conduct.

Is CREST penetration testing mandatory?

CREST penetration testing is not mandatory for every organization. It is often requested by enterprise customers, auditors, procurement teams, financial services firms, regulated companies, and organizations that need stronger independent assurance. For some UK public sector and CNI work, CHECK requirements may also apply.

What is the difference between CREST and CHECK?

CREST is an international accreditation and certification body for cybersecurity providers and professionals. CHECK is a UK NCSC scheme for authorized penetration testing of government, public sector, and critical national infrastructure systems. Private companies often ask for CREST; UK public sector and CNI buyers may require CHECK.

How do I verify that a provider is CREST-accredited?

You can verify a provider using the CREST Marketplace. Buyers should check that the provider is currently listed, that the accreditation applies to the service being purchased, and that the testing team has relevant experience for the target environment.

About the author

Picture of Ewelina Baran

Ewelina Baran

Ewelina is a SEO copywriter specialized in technology, more specifically in cybersecurity. She holds a masters degree in English Philology from Jagiellonian University, Krakow.

RELATED POSTS

Ready to take your security
to the next level?

We are! Let’s discuss how we can work together to create strong defenses against real-life cyber threats.

Stay informed, stay secure

Subscribe to our monthly newsletter

Get notified about new articles, industry insights and cybersecurity news