Why CREST Accreditation Matters When Choosing a Tester

Anyone can call themselves a penetration tester. The certifications, the credentials, the trust signals all vary wildly between providers, and the difference between a strong assessment and a weak one rarely shows up in the marketing. CREST accreditation is one of the few independent benchmarks that genuinely cuts through the noise, and understanding what it actually means makes you a much smarter buyer.

What CREST Actually Is

CREST is a not-for-profit body that accredits individual testers and the companies they work for. Membership requires passing rigorous examinations, agreeing to a code of conduct, and submitting to regular audits of methodology, paperwork, and quality controls. The bar is high, deliberately so, because government bodies and regulated industries rely on CREST as an indicator of competence. When a CREST-accredited firm signs off on your test, an industry-recognised body has effectively vouched for the standards behind it.

Individual Tester Certification Versus Company Membership

Two separate things often get confused. CREST certifies individuals through exams such as CRT, CCT, and CCSAS, each focused on a specific testing discipline. CREST also accredits companies through STAR, OVS, and member status, each of which examines the firm’s processes rather than any single tester’s skill. A genuinely strong penetration testing company holds both individual certifications among its testers and a company-level membership. One without the other tells you only half the story.

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

Comments: I deliberately push for CREST registration in my own practice because it imposes external discipline that benefits clients. The audits force consistent reporting, defensible methodology, and tight document controls. Without that pressure, even good testers can drift towards convenience over rigour.

Why It Matters for Regulated Industries

Financial services, healthcare, and critical national infrastructure all increasingly require CREST-accredited testing as a baseline. The Bank of England’s CBEST programme, The Pensions Regulator’s expectations, and similar frameworks elsewhere mention CREST explicitly. If your business operates in any of these sectors and your tester is not accredited, you may already be falling short of the standards your auditors will eventually examine. Even outside regulation, customer due diligence questionnaires now ask the question routinely.

What CREST Does Not Replace

Accreditation tells you the firm has methodology, but it does not tell you which individuals will be on your engagement. Ask about the actual testers, their experience with your stack, and their previous work in your sector. Ask for sample reports redacted of client information. Ask about how the firm handles findings, supports remediation, and runs retests. Accreditation gets a tester onto the shortlist. Conversation should narrow the field from there.

Making the Right Choice

When you next request a penetration test quote, ask the provider directly about their CREST status, the certifications held by the testers who will work on your engagement, and how they evidence those credentials. A reputable firm answers these questions easily and provides supporting documentation without hesitation. A firm that hedges, dodges the question, or talks around the topic is telling you something important about how they operate behind the scenes. Choosing well at this stage is one of the simplest ways to ensure your security investment actually delivers a return rather than producing a glossy report that nobody will ever rely on. Take the time to ask the questions properly and you will be glad you did when the next audit comes around.