If a customer, auditor, regulator, board member, or procurement team has asked you for a CREST penetration test, they are usually not asking for “just another pentest.”
They are asking for evidence that your security assessment was delivered by a provider that meets recognized standards for technical quality, professional conduct, data handling, reporting, and service delivery.
CREST penetration testing is commonly requested by organizations preparing for enterprise sales, vendor security reviews, audits such as SOC 2, ISO 27001, PCI DSS, and GDPR-related assurance, financial services due diligence, or public sector procurement.
This guide explains what CREST penetration testing is, when it matters, how it differs from a standard penetration test, what buyers should expect from the process, and how to choose a CREST-accredited penetration testing provider in 2026.
What is CREST penetration testing?
CREST penetration testing is a security assessment delivered by a CREST-accredited provider or by professionals holding relevant CREST certifications.
In practical terms, it means the penetration test is performed by a company that has been assessed against CREST’s standards for cybersecurity service delivery. According to CREST, accredited companies are quality assured, and their staff are expected to be suitably qualified and competent.
A CREST penetration test may assess:
| Test area | What it typically covers |
|---|---|
| Web application security | Authentication, authorization, business logic, session handling, OWASP Top 10, data exposure, file uploads, admin features, and user workflows |
| API security | REST, GraphQL, authentication tokens, object-level access control, rate limits, excessive data exposure, and abuse cases |
| Infrastructure security | External or internal networks, exposed services, misconfigurations, privilege escalation, lateral movement paths, and segmentation weaknesses |
| Cloud security | IAM, storage permissions, public exposure, logging, network controls, Kubernetes, CI/CD, and cloud-native misconfigurations |
| Mobile application security | Android and iOS apps, local storage, API communication, authentication, certificate pinning, reverse engineering, and platform-specific risks |
| Red team or advanced testing | Attack simulation, phishing, privilege escalation, detection gaps, and response validation |
The exact scope should always be agreed upon before testing starts. “CREST penetration testing” does not automatically mean every system is tested. It means the agreed scope is tested using a professional methodology by a qualified provider.
Looking for a pentest provider? Let us challenge your cyber defenses.
Talk to our experts for a custom quote
Why does CREST accreditation matter?
The main value of CREST accreditation is buyer confidence.
Anyone can claim to offer penetration testing services. CREST accreditation gives buyers a way to identify providers that have gone through an external assessment of their processes, standards, and capabilities.
For organizations buying security testing, this matters because a poor-quality pentest can create false confidence. A shallow assessment may miss critical vulnerabilities, yield vague findings, or fail to provide engineering teams with the evidence they need to fix issues.
A good CREST penetration test should give you:
| Buyer need | How CREST helps |
|---|---|
| Confidence in provider quality | CREST-accredited companies are assessed against recognized standards for service delivery |
| Confidence in tester capability | CREST certifications validate professional skill levels for penetration testing roles |
| Better procurement evidence | CREST reports are often easier to defend with auditors, customers, and enterprise security teams |
| More consistent methodology | The assessment should follow a structured approach rather than ad hoc testing |
| Clearer reporting | Findings should include evidence, risk, impact, reproduction steps, and remediation guidance |
| Stronger trust with stakeholders | CREST is recognized by governments, regulators, and major enterprises |
CREST does not guarantee that every vulnerability will be found. No penetration test can do that. What it does provide is a stronger baseline of assurance regarding the provider, the people involved, and how the work is delivered.
CREST-accredited company vs CREST-certified tester
This distinction matters because buyers often use the terms incorrectly.
A company can be CREST-accredited. An individual tester can hold CREST certifications. Ideally, a buyer wants both: a provider with CREST accreditation and a team with relevant technical certifications and real-world experience.
| Term | What it means | Why it matters |
|---|---|---|
| CREST-accredited company | A cybersecurity provider assessed by CREST for relevant service delivery standards | Helps buyers trust the provider’s processes, quality management, data handling, reporting, and professional conduct |
| CREST-certified tester | An individual security professional who has passed relevant CREST examinations | Helps buyers understand the technical capability of the people performing the work |
| CREST penetration testing service | A penetration testing engagement delivered by a CREST-accredited provider or CREST-certified professionals | Gives customers stronger assurance that the engagement follows recognized standards |
Before signing a contract, ask whether the company itself is CREST-accredited, which CREST discipline the accreditation applies to, and who will perform the work.
You can also verify accredited suppliers through the CREST Marketplace.
When do you need CREST penetration testing?
Not every organization strictly needs a CREST-accredited pentest. For some early-stage companies, a well-scoped manual pentest from a reputable provider may be enough.
However, CREST penetration testing becomes more important when the report needs to withstand external scrutiny.
| Scenario | Is CREST useful? | Why |
|---|---|---|
| Enterprise customer security review | Yes | Large customers often prefer reports from recognized providers |
| SOC 2 or ISO 27001 readiness | Yes | A CREST report can support evidence of independent security testing |
| PCI DSS environment | Yes | Useful when testing payment-related systems or cardholder data environments |
| Healthcare or sensitive data systems | Yes | Helps demonstrate stronger third-party assurance for systems handling regulated or sensitive data |
| Financial services or fintech | Yes | Security assurance is often reviewed by risk, compliance, and procurement teams |
| M&A due diligence | Yes | Buyers and investors may want independent evidence of security posture |
| UK public sector or CNI work | Sometimes | CHECK may be required for some UK public sector and critical national infrastructure engagements |
| Early product MVP with no external compliance pressure | Maybe | A standard manual pentest may be sufficient if external assurance is not yet required |
The simplest way to decide is to ask: who needs to trust this report?
If the answer is only your internal engineering team, CREST may be helpful, but not always mandatory. If the answer includes enterprise customers, auditors, regulators, public sector buyers, banks, insurers, or investors, CREST accreditation becomes much more valuable.
CREST penetration testing vs standard penetration testing
The difference between CREST penetration testing and standard penetration testing is not that one uses completely different hacking techniques. The difference is mainly in assurance, governance, provider validation, and report credibility.
| Area | Standard penetration test | CREST penetration test |
|---|---|---|
| Provider assurance | Depends entirely on the vendor | Provider has been assessed against CREST standards |
| Tester qualifications | May vary widely | Testers may hold recognized CREST certifications |
| Methodology | Can be strong or weak depending on the provider | Expected to follow a structured and professional testing methodology |
| Reporting quality | Highly variable | Expected to provide clear, evidence-based reporting |
| Procurement value | May be accepted for internal use | Often stronger for customers, auditors, and regulated buyers |
| External credibility | Depends on brand reputation | Supported by a recognized accreditation |
| Cost | Can be cheaper | May cost more due to quality, experience, and assurance requirements |
A non-CREST pentest can still be excellent if delivered by a strong provider. A CREST pentest is valuable because it reduces buyer uncertainty and gives external stakeholders more confidence in the work.
CREST vs CHECK penetration testing
In the UK, buyers often confuse CREST and CHECK. They are related within the broader assurance ecosystem, but they are not the same.
CHECK is the UK National Cyber Security Centre scheme under which NCSC-assured companies conduct penetration tests of public sector and critical national infrastructure systems and networks.
| Area | CREST | CHECK |
|---|---|---|
| Who runs it? | CREST, an international accreditation and certification body | UK National Cyber Security Centre |
| Main purpose | Assure cybersecurity service providers and certify professionals | Assure penetration testing for the UK public sector and critical national infrastructure |
| Common buyer | Private sector, enterprise, SaaS, fintech, healthcare, regulated companies, global buyers | UK government, public sector bodies, and CNI organizations |
| Geographic relevance | International | Primarily, the UK public sector and CNI |
| When it matters | When customers, auditors, procurement, or compliance teams ask for recognized assurance | When a UK public sector or CNI engagement requires CHECK testing |
If a commercial customer asks for a “CREST pentest,” they usually mean they want a test from a CREST-accredited provider. If a UK government or CNI buyer asks for CHECK, you should confirm whether a CHECK-approved provider and CHECK-specific process are required.
What is included in a CREST penetration test?
A CREST penetration test should be scoped around the systems, applications, APIs, networks, or cloud environments that matter most to the buyer.
Most engagements include the following stages.
1. Scoping and rules of engagement
The provider defines what will be tested, what is out of scope, which accounts or roles are required, when testing will occur, which techniques are allowed, and who should be contacted if a serious issue is found.
Good scoping prevents confusion later. It also helps avoid under-testing critical areas such as admin portals, APIs, integrations, SSO flows, or multi-tenant access controls.
2. Reconnaissance and mapping
The testing team maps the target environment, identifies exposed services, reviews application flows, studies authentication and authorization logic, and builds an understanding of how the system works.
For web applications and APIs, this stage is especially important. Many serious vulnerabilities are not obvious from scanning alone. They appear only when testers understand the business logic and how users, roles, permissions, workflows, and data objects interact.
3. Manual vulnerability testing
The provider tests for vulnerabilities using a combination of manual techniques, specialist tooling, and professional judgment.
This may include testing for:
| Category | Example issues |
|---|---|
| Access control | Broken object-level authorization, privilege escalation, insecure direct object references and tenant isolation failures |
| Authentication | Weak login controls, insecure password reset, MFA bypass, SSO misconfiguration |
| Session management | Token leakage, insecure cookies, weak session invalidation |
| Injection | SQL injection, command injection, template injection, LDAP injection |
| API security | Excessive data exposure, weak rate limiting, mass assignment, broken function-level authorization |
| Business logic | Workflow bypass, pricing manipulation, approval bypass, abuse of intended functionality |
| Cloud security | Public storage, excessive IAM permissions, exposed keys, logging gaps, insecure network paths |
| Infrastructure | Exposed services, missing patches, weak configurations, unsafe protocols and lateral movement risks |
For API-heavy products, it is worth reading our guide to preparing for an API penetration test before the engagement starts.
4. Exploitation and risk validation
A strong penetration test does not stop at listing theoretical issues. Where safe and agreed, testers validate whether a vulnerability can actually be exploited and what the business impact could be.
This is where manual testing is valuable. A scanner might detect a generic weakness. A skilled tester can explain whether the issue allows customer data access, privilege escalation, account takeover, payment manipulation, or compromise of internal systems.
5. Reporting and remediation guidance
The final report should be useful for both executives and engineers.
A good CREST penetration testing report should include:
| Report section | What it should contain |
|---|---|
| Executive summary | Plain-English summary of business risk, overall posture, and key themes |
| Scope | Systems, applications, roles, environments, dates, and testing constraints |
| Methodology | High-level explanation of how the test was performed |
| Findings | Severity, affected assets, evidence, impact, reproduction steps, and remediation guidance |
| Risk ratings | Clear severity model and rationale |
| Remediation priorities | What should be fixed first, and why |
| Positive observations | Controls that worked accordingly |
| Retesting results | Confirmation of fixed issues if retesting is included |
| Attestation letter | Optional evidence for customers or auditors |
The report should not be a raw vulnerability scan export. It should help your team understand what matters, why it matters, and how to fix it.
6. Retesting and closure
Many buyers need evidence that vulnerabilities were fixed. Retesting verifies whether the agreed-upon fixes have been implemented correctly.
This is particularly useful for SOC 2, ISO 27001, PCI DSS, vendor security reviews, and enterprise customer requirements where an unresolved critical or high finding can delay a deal or audit milestone.
How much does CREST penetration testing cost?
CREST penetration testing cost depends on scope, complexity, test type, environment readiness, number of user roles, and reporting requirements.
The biggest pricing factors are:
| Cost factor | Why does it affect the price |
|---|---|
| Number of assets | More applications, APIs, IPs, cloud accounts, or environments require more testing time |
| Application complexity | Complex workflows, multi-tenant logic, payments, integrations, and custom roles increase effort |
| Test type | Web, API, cloud, infrastructure, mobile, and red team assessments require different skill sets |
| Number of user roles | Admin, manager, support, customer, partner, and guest roles add authorization testing effort |
| Compliance requirements | Audits and customer reviews may require stronger documentation and formal reporting |
| Retesting | Fix validation adds time after the initial report |
| Timeline | Urgent start dates or compressed delivery windows may increase cost |
| Reporting depth | Executive summaries, debrief calls, attestation letters, and custom evidence may add effort |
A small, well-prepared web application or API test will usually cost less than a complex multi-surface assessment covering web, API, cloud, infrastructure, and multiple user roles.
For a broader pricing context, see the UK government’s marketplace or our guide on how much penetration testing costs.
The best way to get an accurate price is to provide the vendor with a clear scope: URLs, APIs, IP ranges, cloud environments, user roles, test objectives, compliance drivers, deadlines, and any previous test reports.
How long does a CREST penetration test take?
A typical CREST penetration test may take from a few days to several weeks, depending on the scope.
| Scope type | Typical effort pattern |
|---|---|
| Small web application or API | Several testing days plus reporting |
| Medium SaaS application with multiple roles | One to two weeks, depending on complexity |
| Infrastructure assessment | Depends on the number of IPs, segmentation, and internal/external scope |
| Cloud security review | Depends on cloud accounts, services, IAM complexity, and architecture |
| Red team assessment | Usually longer due to planning, execution, stealth, and reporting requirements |
Buyers should also account for preparation time, access setup, kickoff, reporting, remediation, and retesting.
A common mistake is to book a pentest too close to an audit, enterprise deal deadline, or product launch. If the test finds serious vulnerabilities, your team will need time to fix them and complete retesting.
How to choose a CREST-accredited penetration testing provider
Choosing the right provider is not only about checking whether the company has a CREST badge.
Use the questions below before signing a statement of work.
| Buyer question | Why it matters |
|---|---|
| Is the company currently CREST-accredited for penetration testing? | Accreditation should be current and relevant to the service you are buying |
| Can I verify the provider on the CREST Marketplace? | The CREST Marketplace helps buyers search, compare, and connect with accredited providers |
| Who will perform the test? | You want experienced testers, not only a recognized company logo |
| Has the team tested similar systems before? | SaaS, fintech, healthcare, cloud, APIs, mobile, and infrastructure require different expertise |
| What methodology will be used? | The provider should explain the process in plain language |
| Will testing be manual or mostly automated? | Automated scans are useful, but they are not a replacement for expert manual testing |
| What will the report include? | Buyers need evidence, impact, reproduction steps, and practical remediation guidance |
| Is retesting included? | Fix validation is often essential for audits and customer assurance |
| How quickly can serious findings be escalated? | Critical issues should not wait until the final report |
| Can you provide a redacted sample report? | This is one of the fastest ways to judge quality |
A strong provider should be able to explain their approach clearly before the test starts. If the sales process is vague, the report may be vague too.
Common mistakes when buying CREST penetration testing
Mistake 1: Buying only by price
A cheap pentest can become expensive if it misses serious vulnerabilities or produces a report that customers and auditors do not accept.
Price matters, but it should be compared against scope, experience, methodology, reporting quality, retesting, and communication.
Mistake 2: Treating CREST as a simple checkbox
CREST accreditation is valuable, but it does not replace good scoping. A narrow test of the wrong assets will not give you meaningful assurance.
Before testing starts, make sure the provider understands your highest-risk systems, user roles, sensitive data flows, integrations, and compliance deadlines.
Mistake 3: Leaving no time for remediation
A penetration test is not finished when the report is delivered. Your team still needs to triage findings, fix vulnerabilities, test changes, and complete retesting.
Plan backward from your audit, procurement, or customer deadline.
How Blaze can help
Blaze Information Security is a CREST-accredited penetration testing company and offensive security firm trusted by 350 organizations across 25 countries.
Our team performs manual penetration testing for web applications and APIs, cloud environments, network infrastructure, mobile applications, and other complex business-critical systems.
If you need a CREST penetration test for an audit, customer requirement, product launch, or enterprise deal, our team can help you define the right scope and deliver a report that is practical for engineers and useful for stakeholders.
FAQ
What is CREST penetration testing?
CREST penetration testing is a professional security assessment delivered by a CREST-accredited provider or CREST-certified professionals. It gives buyers greater assurance that the provider adheres to recognized standards for technical quality, service delivery, and professional conduct.
Is CREST penetration testing mandatory?
CREST penetration testing is not mandatory for every organization. It is often requested by enterprise customers, auditors, procurement teams, financial services firms, regulated companies, and organizations that need stronger independent assurance. For some UK public sector and CNI work, CHECK requirements may also apply.
What is the difference between CREST and CHECK?
CREST is an international accreditation and certification body for cybersecurity providers and professionals. CHECK is a UK NCSC scheme for authorized penetration testing of government, public sector, and critical national infrastructure systems. Private companies often ask for CREST; UK public sector and CNI buyers may require CHECK.
How do I verify that a provider is CREST-accredited?
You can verify a provider using the CREST Marketplace. Buyers should check that the provider is currently listed, that the accreditation applies to the service being purchased, and that the testing team has relevant experience for the target environment.



