CREST Pen Testing Explained
Someone asks you for a penetration test report. Maybe it's an insurer requesting one as a condition of cover. Maybe a client's put it in a contract. Maybe your board read something alarming and decided it's time. Whatever the trigger, you start looking for a provider, and within five minutes you've hit a wall of acronyms. CREST, CHECK, CRT, CCT, CPSA, OWASP, PTES. Half of them sound interchangeable at first glance. Most provider websites don't explain the difference because the confusion works in their favour.
I hold a CRT, which is a CREST Registered Penetration Tester certification. I've seen how CREST is used properly and how it's used as marketing wallpaper. This article covers what CREST actually is, what the different certification levels mean in practice, and how to tell whether the person testing your systems is genuinely qualified or just borrowing someone else's credentials.
What CREST actually is
CREST stands for the Council of Registered Ethical Security Testers. It's a not-for-profit body that does two things: it certifies individual penetration testers through practical exams, and it accredits companies through technical audits.
Those are two different things, and most people don't realise that. When someone says "CREST-accredited pen test", they might mean the company is a CREST member, or they might mean the individual tester holds a CREST certification, or they might mean both. Or they might mean neither and they're just using the name because it sounds authoritative.
CREST operates in over 40 countries, with more than 500 member companies worldwide. But the certification that matters most for the person buying a pen test isn't the company badge. It's the individual qualification of the person who's going to be on your network.
Individual certification vs company accreditation
This is the distinction most people miss, and it's the one that matters most when you're spending money on a pen test.
Individual certification means the person doing the testing has sat practical exams and passed them. CREST exams aren't theory papers. They're hands-on assessments where the candidate has to find real vulnerabilities in test environments under timed conditions. That's very different from a multiple-choice exam about security concepts.
Company accreditation means the business has been through a CREST audit. The company has to demonstrate that it has proper processes, qualified staff, appropriate insurance, data handling policies, and operational standards. It's a quality mark for the organisation, not the individual.
You can have a CREST-accredited company that sends an unqualified junior to do your pen test. You can also have an individually CREST-certified tester who works for a company that isn't a CREST member. Both scenarios are legal and both happen regularly.
So which one matters more when you are spending money? For the quality of the actual testing, individual certification is what you should care about. The person on your network is the person finding (or missing) the vulnerabilities. Their qualifications and experience matter more than their employer's accreditation badge.
Company accreditation matters for process and accountability. If something goes wrong during a test, if data is mishandled, or if the report needs to stand up to regulatory scrutiny, a CREST member company has a complaints process and a set of audited standards behind it.
In an ideal scenario, you want both. A CREST-certified tester working for a CREST member company. But if you have to choose, ask who's doing the testing, not which company they work for.
The three certification levels
CREST offers three levels of individual certification for penetration testers. Each one requires a different depth of experience and sets a different standard of practical exam.
CPSA (CREST Practitioner Security Analyst)
This is the entry-level certification for penetration testers. It confirms the person understands the fundamentals of infrastructure and web application testing. The exam covers core networking concepts, common vulnerability classes, and basic testing methodology.
A CPSA holder can assist on pen tests but typically wouldn't lead an engagement independently. Think of it as proving the person knows the foundations and can contribute to a testing team under supervision.
CRT (CREST Registered Penetration Tester)
CRT is the mid-level certification and the one most commonly specified by clients when they ask for a CREST pen test. To sit the CRT exam, you need a minimum of 6,000 hours of hands-on penetration testing experience. That's roughly three years of full-time testing work before you're even eligible.
The exam itself is entirely practical and hands-on. You're given a set of target systems and a fixed timeframe. You have to find vulnerabilities, exploit them, and produce a report. If you can't do the work, you don't pass. There's no way to study your way through it without the underlying skills.
A CRT holder can conduct penetration tests independently. They can scope engagements, run the testing, write the report, and brief the client. This is the qualification I hold, and it's the level most private-sector clients are actually looking for when they specify CREST.
CCT (CREST Certified Tester)
CCT is the highest CREST certification available to penetration testers. It splits into two specialisms: CCT Infrastructure and CCT Application. The practical exam at this level is significantly harder than CRT, and the experience requirements are higher.
CCT holders are the senior end of the profession. They're typically leading complex engagements, mentoring junior testers, and handling the most technically challenging environments. If you've got a particularly large or sensitive estate, or if you're in a heavily regulated sector, a CCT-level tester is what you'd look for.
Not every engagement needs a CCT-level tester though. For a standard internal and external pen test on a mid-size business network, a CRT holder is the right level. I say this as a CRT holder, not because I'm underselling CCT but because matching the right qualification to the right job is part of honest scoping.
Why I hold CRT but Net Sec Group isn't a CREST member company
I should be upfront about this because it's exactly the kind of thing I'd want to know if I were buying a pen test.
I hold an individual CRT certification from CREST. That means I've met the experience threshold, sat the practical exam, and passed it. When I test your network, the qualification belongs to me, not to a company logo.
Net Sec Group is not a CREST member company. Becoming a CREST member company requires a formal audit, ongoing fees, and a certain organisational structure. For a smaller operation like mine, the overhead doesn't change the quality of the testing. What changes the quality is the person doing the work, and that's me.
I mention this because some providers obscure the distinction. They'll say "CREST pen test" on their website, meaning their company is a CREST member, but the person who turns up to do the work might hold a lower-level certification or no CREST certification at all. That's misleading, but it happens constantly across the industry.
When you work with me, you know who's doing the testing and what their qualifications are. There's no bait-and-switch where a senior name sells the engagement and a junior person delivers it. On a small team, that ambiguity doesn't exist.
If your insurer or client specifically requires a CREST member company (not just a CREST-certified individual), I'll tell you that upfront. I'd rather lose the job honestly than win it by blurring the lines.
What CREST certification actually proves
The thing that separates CREST from most other security certifications is the practical exam component. Plenty of other certifications only test theory. You study a syllabus, answer questions about concepts, and get a certificate. CREST exams put you in front of a live system and make you prove you can do the work.
That distinction matters because pen testing is a practical skill. Knowing how a SQL injection works in theory is different from finding one in a production application with custom error handling and WAF rules in the way. The CRT and CCT exams test the second thing, not the first.
CREST certification also requires ongoing professional development, so it is not a pass-once-and-forget qualification. Testers need to demonstrate they're keeping their skills current, which matters in a field where new vulnerability classes and attack techniques appear constantly.
So when you see CREST on someone's profile, it means:
- They've met the minimum experience requirement for their level
- They've passed a practical exam proving they can find real vulnerabilities
- They're maintaining their skills through ongoing development
- They're bound by a professional code of conduct
What it doesn't mean is that every CREST-certified tester is equally good. Like any profession, there's a range of ability within each level. But CREST sets a verifiable floor that you can check independently. You know the person has at least demonstrated a baseline of practical competence, and that baseline is higher than most alternatives.
When you need CREST and when you don't
Not every pen test needs to be CREST-certified. But in practice, it almost always makes sense.
You definitely need CREST when:
- Your insurer requires a pen test. They'll almost always specify CREST, and if the report doesn't come from a CREST-registered tester, it won't be accepted.
- A client or supply chain partner has put pen testing in a contract. Check the wording. If it says "CREST", it means CREST.
- You're bidding for government work. Government contracts that require pen testing usually specify CHECK, and CHECK requires CREST accreditation as a prerequisite.
- You need the report to stand up to regulatory scrutiny. FCA-regulated firms, NHS suppliers, and legal firms all face situations where the pen test evidence needs to be defensible. CREST is the standard that regulators recognise.
You might not need CREST when:
- You're doing an internal check for your own awareness, with no external audience for the report.
- You're in the very early stages of security maturity and a vulnerability scan is more appropriate than a pen test.
Even in the second case, I'd still argue for CREST. The cost difference between a CREST-certified test and one from an unqualified person isn't as large as people assume, and the value difference is significant. If you're going to spend the money, spend it on something your insurer, clients, and board will actually accept.
How to verify a tester's credentials
This is straightforward but almost nobody does it.
CREST maintains a public register of certified individuals and member companies. Before you sign a contract, ask the provider for the name and CREST registration number of the person who will be doing the testing. Then check it on the CREST website.
If they can't name the tester, that's a problem. It likely means they're subcontracting or they haven't decided who's doing the work yet. Either way, you don't know who's going to be on your network, and you should know that before you agree to anything.
If they give you a company's CREST membership as the answer, ask again. Company accreditation doesn't tell you anything about the individual. You want the person's name and their individual certification level: CPSA, CRT, or CCT.
Three questions that sort out the genuine providers from the ones trading on confusion:
- What is the full name and CREST registration number of the person who will test my systems? If they hesitate or deflect, walk away.
- What certification level does that person hold? CPSA, CRT, and CCT are very different levels. You're paying for the tester, so know what you're getting.
- Will that named person do all of the testing, or will parts be delegated? Some providers use a qualified tester for the initial scoping and hand the actual work to someone less experienced. That's fine if it's disclosed, but it often isn't.
CREST vs CHECK: the government testing distinction
CHECK (IT Health Check Service) is the National Cyber Security Centre's (NCSC) scheme for testing government and public sector systems. It's not a competing standard to CREST; it sits directly on top of it as an additional layer.
To become a CHECK provider, a company needs to be a CREST member company first. The individual testers need to hold CREST certifications. CHECK adds an extra layer of vetting because the systems being tested may process classified or sensitive government information.
If you're a private-sector business, you almost certainly don't need CHECK because CREST is the right standard for commercial engagements. CHECK is specifically for organisations testing government systems or those operating under government security frameworks.
The confusion arises because some providers list both CREST and CHECK on their credentials to look more impressive. If you're not testing government infrastructure, CHECK is irrelevant to your purchase decision. Don't pay a premium for a badge you don't need.
Where CHECK becomes relevant for private businesses is when they supply services to government. If your contract requires security testing of the systems that connect to government networks, CHECK may be specified. Read the contract language carefully before engaging a provider. "CREST" and "CHECK" are not interchangeable in procurement terms, and using the wrong one can mean your test doesn't satisfy the requirement.
What about other methodologies?
CREST, CHECK, OWASP (Open Worldwide Application Security Project), and PTES (Penetration Testing Execution Standard) are the four methodologies you'll encounter most often in UK pen testing.
CREST and CHECK are accreditation bodies that also define testing frameworks. OWASP is a methodology specifically for web application and API testing. PTES is a general-purpose testing methodology that covers everything from pre-engagement through to reporting.
A good pen test report will reference which methodology was followed, and most testers use a combination of several. When I'm testing a web application, I follow the OWASP Testing Guide. For infrastructure testing, the methodology aligns with CREST's own testing framework and PTES. The report states which standards apply to which parts of the test.
If a provider tells you they use a "proprietary methodology" and can't or won't name a recognised standard, treat that as a warning sign because proprietary does not mean better in this context. It usually means they haven't aligned their approach with anything verifiable, and the report may not be accepted by the audience that's asking for the pen test in the first place.
The short version
CREST certifies the person, and CREST accredits the company. Both have value but they're different things. When you're buying a pen test, ask who's doing the testing, what certification they hold, and verify it on the CREST register. If the provider can't answer those questions clearly, they're probably not the right choice.
I hold CRT, and I've done the practical exam with the hours behind me to back it up. When you buy a pen test from Net Sec Group, you know exactly who's doing the work and what qualifications they have. No ambiguity, no subcontracting, no junior tester turning up when you were sold a senior one.
Want to discuss pen testing for your organisation? Get in touch, email [email protected], or call +44 20 3026 2904.