Choosing a cybersecurity provider, particularly for CREST cyber security services, often requires more trust than evidence. Similar service lists and polished claims reveal little about a company’s technical competence, ethical conduct, data protection controls, or ability to produce reports your team can act on.
That uncertainty is growing. Recent research found that 79% of organisations struggle to judge new cyber security partners, while 62% face the same difficulty with providers they already use. As convincing but unreliable vendors become easier to create, independent scrutiny carries greater weight.
CREST cyber security provides that scrutiny through an international not-for-profit body that assesses service providers and examines individual professionals. CREST accreditation does not promise complete protection. It gives you something equally valuable when selecting a supplier: independently assessed evidence of capability and responsible delivery.
Key Takeaways
- CREST gives buyers independent evidence when assessing cybersecurity providers.
- Company accreditation and individual certification should be reviewed separately.
- Approval applies only to the service areas listed for that provider.
- Penetration testing must include a clear scope, controlled testing, useful reporting, and retesting.
- CREST strengthens due diligence, but it does not replace checks on experience, scope, reporting quality and remediation support.
What Is CREST in Cyber Security?
CREST cyber security refers to the accreditation and professional CREST certification standards managed by CREST, an international not-for-profit cyber security body. It assesses service providers and examines individual professionals across areas such as penetration testing, incident response, security operations, threat intelligence and red teaming.
CREST supports the industry through four main activities:
- Accrediting cyber security companies for specific service areas
- Certifying individual professionals through role-based examinations
- Publishing procurement guidance, maturity tools and industry resources
- Working with governments, regulators and industry bodies
You can use the official CREST Marketplace to find CREST-approved companies and confirm which services each provider is accredited to deliver.
CREST is not a government regulator, a complete security programme or one universal CREST penetration testing methodology. Accreditation also does not mean a company is approved for every service CREST covers.
Its wider aim is to improve capability, capacity, consistency and collaboration across the global cybersecurity sector.
Why CREST Matters in Modern Cyber Defence
Cyber security services are difficult to assess before purchase because quality depends on the consultants, procedures and controls behind the work. Buyers may struggle to confirm whether findings will be manually validated, sensitive evidence will be protected, subcontractors will be disclosed, or urgent risks will be escalated correctly.
Independent accreditation reduces this uncertainty by giving you an external assurance signal for procurement and third-party risk reviews. It does not remove the need for due diligence, but it provides stronger evidence than supplier claims alone.
Independent Assessment of Providers
Accreditation requires a provider to demonstrate its capability against defined requirements. The review considers whether the company has suitable technical expertise, delivery processes and safeguards for the accredited service area.
Stronger Service Governance
Effective crest security services rely on controls covering information security, quality management, staff vetting, project oversight, ethical conduct, data handling, technical review, complaints, insurance and continuous improvement.
These measures help you assess how consistently a provider manages engagements, not only how well it markets its technical skills.
Safer Technical Testing
Poorly controlled testing can disrupt live systems, expose confidential data or introduce additional risk. A structured provider should define written authorisation, scope limits, rules of engagement, emergency contacts, restricted techniques, stop conditions, evidence retention and protections for production systems.
CREST acts as a trust and quality layer. It supports safer, more accountable delivery, but it cannot promise that testing will carry no risk.
Which Cyber Security Services Does CREST Cover?

CREST covers services across the cyber defence lifecycle, including weakness identification, resilience testing, threat monitoring and incident response.
1. Penetration Testing
Penetration testing is an authorised simulation of real attack techniques used to identify and confirm exploitable weaknesses. Common scopes include:
- Web applications and APIs
- Mobile applications
- Internal and external networks
- Cloud environments
- Wireless networks
- Identity and access controls
- Network segmentation
- Security configuration
Effective testing combines automated tools with manual investigation, attack path analysis and controlled exploitation. The final report should contain validated findings, clear evidence and practical remediation guidance, not a raw vulnerability scanner export.
2. Vulnerability Assessment
A vulnerability assessment identifies and prioritises weaknesses across an agreed environment. It is useful for gaining broad visibility into recurring security exposure.
Common findings include:
- Missing patches
- Unsupported software
- Exposed services
- Default credentials
- Weak encryption
- Known vulnerabilities
- Misconfigurations
- Unnecessary access
This type of assessment works well for regular security checks and ongoing exposure management.
3. Application Security Testing
Application testing should look beyond common technical flaws and examine how users, roles, and transactions work together. Key areas include:
- Authentication and account recovery
- Authorisation and privilege escalation
- Session management
- Input validation and file handling
- API access controls
- Data separation between tenants
- Rate limit bypass
- Business logic
- Third-party integrations
- Sensitive data exposure
- Cloud-connected components
Automated scanners can detect known weaknesses, but they often miss problems tied to workflows, permissions and application-specific behaviour. Manual testing is needed to uncover flaws.
4. Security Operations Centres
A security operations centre monitors, investigates and responds to threats across an organisation’s systems. Its work includes:
- Security monitoring and detection
- Threat hunting
- Incident management
- Log and malware analysis
- Forensic imaging
- Mitigation guidance
Accreditation alone does not confirm that a SOC suits your environment. Before choosing a provider, check:
- Service hours and time zone coverage
- Supported log sources
- Alert triage and escalation processes
- Detection engineering capability
- Threat hunting frequency
- Containment support
- Customer data separation
- Reporting quality and data retention
- Contractual response obligations
These details show how the service will operate during an actual incident, not only how it appears in a proposal.
5. Incident Response
Incident response specialists investigate breaches, preserve evidence and support containment and recovery. Their work may include forensics, malware analysis, threat hunting and compromise assessment.
CREST’s maturity assessment scores readiness from level 1 to level 5. A retainer can also prearrange contacts, access, legal coordination and response authority before an incident occurs.
6. Cyber Threat Intelligence
Threat intelligence turns data about attackers into context your organisation can use. It should explain who may target you, what they want and how they are likely to operate.
It usually works across four levels:
- Strategic: Sector risks, geopolitical changes and investment priorities
- Operational: Active campaigns, attacker objectives and likely targets
- Tactical: Adversary tactics, techniques and procedures
- Technical: Malicious domains, IP addresses, URLs, hashes and signatures
A list of indicators is not useful intelligence on its own. It must be current, relevant to your environment and linked to a clear defensive decision.
7. Red Teaming and Threat-Led Testing
A red team exercise mirrors how a real attacker may gain access and move through an organisation. It can test staff responses, access controls, endpoint and email security, cloud controls, SOC escalation and executive decisions.
Unlike a penetration test, it examines whether different teams and security controls can detect and contain a coordinated attack.
Vulnerability Scan vs Penetration Test vs Red Team vs TLPT
| Security activity | Main purpose | Typical depth | Defender awareness | Suitable use |
| Vulnerability scan | Detect known weaknesses with automated tools | Low | Full | Frequent exposure checks |
| Penetration test | Confirm exploitability, attack paths and impact | Moderate to high | Full | Application, network or infrastructure assurance |
| Red team exercise | Test prevention, detection and response across the organisation | High | Limited | Organisations with mature security controls |
| Threat-led penetration test | Simulate relevant advanced attackers against critical functions | Very high | Restricted | Critical or regulated environments |
The exact depth, visibility and level of intrusion depend on the agreed scope. A scan is not a weaker version of a penetration test. It serves a different purpose by checking large environments quickly and regularly.
How CREST Aligned Penetration Testing Works
A penetration test should operate as a controlled assurance project, not an isolated hacking exercise. The CREST penetration testing methodology begins with clear objectives and ends with verified remediation.

1. Define the Business Objective
Before selecting tools or targets, decide what the assessment must help you confirm.
Consider:
- The reason for commissioning the test
- The decision the results will support
- The assets and services that matter most
- Whether the trigger is regulation, customer assurance, a launch or a major system change
- The level of depth required
2. Scope the Engagement
A precise scope prevents confusion and keeps testing focused. It should identify:
- Applications, APIs, networks, cloud assets and IP ranges
- Environments, user roles and test accounts
- Authenticated and unauthenticated access
- Excluded systems and restricted actions
- Approved working hours and production limits
- External dependencies and cloud provider conditions
- Any permitted social engineering
- Evidence retention requirements
3. Agree the Rules of Engagement
Both parties must understand how the test will be controlled. Written rules should cover authorisation, contact details, escalation of critical findings, allowed techniques, stop conditions, evidence handling, disruption procedures and communication intervals.
4. Perform Reconnaissance and Testing
Testers gather information, identify weaknesses and examine whether those weaknesses can be exploited safely. Depending on the authorisation, they may also assess privilege escalation, lateral movement, connected attack paths and business impact.
Automated tools help cover larger environments, but their output requires review. Testers should remove false positives and manually investigate weaknesses linked to application logic, access controls and system context.
5. Report Confirmed Findings
The report should give technical teams enough detail to reproduce and fix each issue while helping decision makers understand the risk. Useful reports include:
- An executive summary
- Scope, limitations and methodology
- Confirmed findings with evidence
- Reproduction steps and exploitation paths
- Business impact and severity
- Remediation guidance
- Positive security observations
6. Remediate and Retest
Each finding should have an owner, priority, and completion date. Retesting then checks whether the correction addresses the underlying weakness instead of masking the original result.
Updated findings should be marked as resolved, partly resolved, accepted, or still exposed.
What Is Threat Led Penetration Testing?
Threat-led penetration testing uses current intelligence to recreate the behaviour of credible attackers against critical business services. The exercise may involve live systems, employees, security controls and response teams, all within a tightly governed scope.
Typical TLPT Stages
A TLPT engagement usually follows these steps:
- Identify critical business services
- Set governance, safety controls and decision authority
- Analyse relevant threat actors and attack methods
- Build realistic scenarios
- Carry out the authorised simulation
- Review detection, escalation and response
- Replay key activity with defensive teams
- Prioritise remediation
- Confirm that improvements work
The CREST groups the process into four broad phases: initiation, threat intelligence, penetration testing and closure.
CREST and Regulatory Cyber Resilience Testing
CREST accreditation can support regulated security testing, but it does not automatically qualify a provider for every government or financial sector scheme. Buyers must confirm the exact company status, practitioner credentials and programme requirements before appointing a supplier.
NCSC CHECK
CHECK is the UK NCSC scheme for authorised penetration testing of public sector and critical national infrastructure systems. CREST Registered Penetration Tester is recognised as a valid technical competence certificate for CHECK Team Members. However, a company with standard CREST penetration testing accreditation is not automatically an approved CHECK provider.
CBEST
CBEST is used by UK financial regulators to assess the resilience of important business services against sophisticated attacks. Threat intelligence informs realistic scenarios that test prevention, detection and response before findings move into remediation.
Providers must meet CBEST requirements. Ordinary CREST accreditation alone does not establish eligibility to deliver a CBEST engagement.
TIBER EU
TIBER EU is the European framework for controlled, intelligence based red team testing. It guides authorities, participating organisations, threat intelligence providers and red teams when assessing the people, processes and technology supporting critical functions.
The European Central Bank updated the framework in February 2025 to align it with DORA requirements.
DORA and TLPT
DORA requires selected European Union financial entities to complete TLPT, but the obligation does not apply to every organisation. Competent authorities determine which entities fall within scope.
Testing may involve live systems under formal governance. Providers may need to prove independence, experience and suitable credentials. Results must lead to remediation and wider resilience improvements, rather than being treated as a compliance checkbox or an expanded vulnerability scan.
CREST Professional Certification Levels and Career Paths
CREST offers professional examinations across penetration testing, red teaming, threat intelligence, incident response and related disciplines. Its current catalogue groups qualifications into practitioner, registered and certified levels.
Practitioner Level
Practitioner qualifications assess core knowledge and early technical capability. The CREST Practitioner Security Analyst is one example.
Passing this level does not mean someone is ready to lead a complex engagement without support.
Registered Level
Registered professionals can carry out technical work within a team with limited supervision. Examples include:
- CREST Registered Penetration Tester
- CREST Registered Threat Intelligence Analyst
Buyers can consider these qualifications when reviewing the experience of consultants assigned to an engagement.
Certified Level
Certified examinations cover advanced technical, leadership or management responsibilities. Current examples include:
- CREST Certified Tester, Infrastructure
- CREST Certified Tester, Application
- CREST Certified Red Team Specialist
- CREST Certified Red Team Manager
- CREST Certified Threat Intelligence Manager
These credentials indicate advanced capability in a defined discipline, not expertise across every cybersecurity service.
What CREST Accreditation Does Not Guarantee
CREST accreditation does not automatically mean:
- Every consultant holds the highest available qualification
- The provider knows your industry or technology stack well
- The proposed scope is broad enough
- Every vulnerability will be discovered
- A future breach cannot happen
- Every advertised service is CREST accredited
- The lowest or highest price offers the best value
- Remediation advice will suit your systems and resources
- The engagement meets every regulatory requirement
- A successful test proves the environment is fully secure
How CREST Fits Into a Modern Cyber Defence Programme

An annual penetration test shows what was exposed within a defined scope at a particular time. It remains valuable, but new systems, permissions, code changes and attacker methods can alter the risk soon after testing ends. A stronger programme combines periodic assessments with ongoing monitoring, vulnerability management, incident readiness and threat intelligence.
Connect testing with current attack patterns
Testing priorities should reflect current attack patterns:
- Ransomware and extortion: identity compromise, lateral movement, data theft and recovery disruption
- Identity attacks: cloud accounts, session tokens, privileged access, MFA processes and help desk procedures
- Cloud exposure: public storage, excessive permissions, leaked secrets and insecure APIs
- Software supply chain risk: development pipelines, dependencies, build secrets and external integrations
- AI systems: prompt injection, data leakage, unsafe agent permissions, retrieval manipulation and exposed APIs
- Operational technology: safety limits, passive testing, vendor restrictions and recovery planning
CREST accreditation provides an assurance signal for defined services, not automatic proof of specialist AI or operational technology capability. Buyers should check relevant project experience, technical skills and testing methods separately.
Build Continuous Security Assurance
Security assurance should continue between formal assessments. A balanced programme may combine:
- Continuous vulnerability management
- Secure development testing
- Configuration reviews
- Threat modelling
- Penetration tests after major changes
- SOC monitoring and threat intelligence
- Incident simulations
- Red team or purple team exercises
- Remediation validation
- Incident response planning
Together, these activities help you spot new exposure, test defensive readiness, and confirm that fixes remain effective as your environment changes.
When to Commission Another Penetration Test
Another assessment may be needed after:
- A major application release
- A cloud migration
- A network redesign
- A merger or acquisition
- A new authentication system
- An important third-party integration
- A serious security incident
- A regulatory change
- New internet-facing infrastructure
Testing at these points can uncover weaknesses introduced by new code, altered permissions, unfamiliar dependencies, or changes to the attack surface.
Why Choose Qualysec for CREST Accredited Penetration Testing?
As a CREST-accredited company, Qualysec has demonstrated that its penetration testing service meets recognised requirements for technical delivery, data protection and quality control.
Our specialists assess web applications, mobile apps, APIs, cloud systems, external networks and IoT devices. Automated checks provide broad coverage, while manual testing confirms genuine risks and uncovers flaws in access controls, workflows and business logic.
Each report gives your team verified evidence, clear reproduction steps and practical guidance for fixing the issue. Retesting confirms whether the underlying weakness has been removed.
The assessment will support security assurance work linked to OWASP, NIST, SOC 2, HIPAA and ISO 27001. Penetration testing alone does not establish compliance.
Speak with Qualysec to review your scope, expected deliverables and retesting needs.
Conclusion
CREST cyber security can make supplier selection less uncertain by giving buyers independent evidence to review. Accreditation shows that a company has been assessed for a specific service, while professional certification helps indicate the capability of individual practitioners.
That evidence still needs context. Before appointing a provider, use CREST penetration testing checklists to review the exact accreditation held, the consultants assigned, the proposed scope, sector experience, report quality and support available after testing.
CREST works best as part of a broader decision-making process, not as the only reason to choose a supplier. Strong cyber defence also depends on secure design, continuous monitoring, regular vulnerability reviews, clear incident plans and timely fixes. A test can reveal where risk exists, but the real value comes from correcting those weaknesses and checking that the improvements hold.
FAQs
1. What does CREST stand for in cybersecurity?
CREST is an international body that checks cyber security companies and examines professionals. Its main role is to improve trust in technical security services. It does this through company accreditation, professional certification and industry guidance. For buyers, its current purpose matters more than the original meaning behind the name.
2. Is CREST a cybersecurity framework?
No. CREST is not a framework for running an organisation’s full security programme. It sets standards for service providers and professional exams. It also publishes guidance for the industry. NIST CSF and ISO 27001 have a wider purpose. They help organisations manage security across policies, controls and daily operations.
3. What is the difference between CREST-accredited and CREST certified?
A company can be CREST accredited. A person can hold a CREST certification. The company status shows that a service has passed an external assessment. The individual qualification shows that a consultant has passed a relevant exam. Buyers should check both before choosing a provider or approving the assigned testing team.
4. Is CREST penetration testing mandatory?
Not in every case. The requirement depends on your contract, regulator, industry and location. Some public sector or financial schemes ask for recognised provider status. Other organisations simply prefer it during procurement. You should always check the exact rule that applies to your systems before arranging the test.
5. Is a CREST penetration test better than an automated vulnerability scan?
They do different jobs. A vulnerability scan can check many systems quickly and find known issues. A penetration test adds manual review. Testers confirm which weaknesses are real and explore how they could be used. They can also show the likely effect on systems, data and business operations.
6. How can you check whether a provider is CREST accredited?
Search for the provider in the official CREST Marketplace. Check the legal company name first. Then confirm the region, current status and approved service areas. Do not rely only on a logo shown on the provider’s website. Accreditation for one service does not mean every listed service is covered.
7. Can a CREST penetration test prevent every cyberattack?
No. A penetration test can find and confirm weaknesses within the agreed scope. It cannot stop every future attack. Your organisation still needs regular patching, secure development, strong access controls, monitoring and incident planning. You also need to fix the reported issues and review new risks as systems change.







