6 July 2026

CREST Penetration Testing

Not all penetration tests are equal. CREST accreditation gives buyers confidence that testing is expert-led, properly scoped and defensible under scrutiny.

Not all penetration tests are equal, and the word on the report cover will not tell you which kind you bought. 'Penetration test' is not a protected term. One engagement is deep, manual, and led by experts who think like attackers. Another is an automated scan with a logo on it. Both produce a confident-looking PDF, and from the outside they can look much the same. The difference only surfaces when it matters most, during an audit, an insurance claim, a customer's security review, or a real breach. 

This is the problem CREST exists to fix. If you are commissioning a test to satisfy a regulator, an insurer, or your own board, here is what CREST is, what a defensible test actually means, and how we approach it at Claranet. 

What is CREST?

CREST is a global not-for-profit organisation dedicated to raising standards and building trust in the cyber security profession. Established in the UK in 2006, CREST works with an international community of member companies and practitioners to promote excellence, integrity and professional development across the cyber ecosystem. Through robust standards, accreditation frameworks and skills pathways, CREST helps organisations procure cyber security services with confidence while supporting practitioners in developing trusted, globally recognised careers. Working closely with governments, regulators and industry stakeholders, CREST also plays an active role in shaping policy, strengthening market confidence and supporting the growth of a resilient, professional cyber security sector worldwide. 

Accreditation is not a one-off badge. To earn and keep it, a provider has to evidence proper governance and security controls, employ qualified and technically competent testers, follow proven methodologies, and protect customer data to a high standard. Members sign an enforceable code of conduct and are reassessed over time. For buyers, that is the point: CREST gives you an independent, recognised way to judge whether a provider is competent before you trust them with your systems. It is widely treated as the benchmark for testing quality in the UK and internationally. 

What is a CREST defensible penetration test?

In 2022, CREST published the CREST Defensible Penetration Test, a specification that, for the first time, defines what a credible test should look like. It exists because 'penetration test' had no agreed definition. Across the market, the term covered everything from a genuine expert engagement to a lightly dressed-up vulnerability scan, and buyers had no shared yardstick to tell them apart. 

A defensible test is one that is appropriately scoped, appropriately executed, and appropriately signed off. CREST sets out three things that all have to be true for a test to be commercially defensible: 

  • The provider has appropriate policies, procedures, practices, and methodologies.
  • Every person involved has the right skills, experience, and competence, working under a signed code of conduct.
  • The work is delivered against a defined and agreed test specification.

Put simply: the right work, done by the right people, proven on paper. Miss any one of those, and what you are holding is paperwork rather than assurance. 'Defensible' is the operative word, it means the test would hold up if an auditor, an insurer, or an attacker put it under pressure. 

Why this matters now

Two pressures are pulling in opposite directions. On one side, the people who ask to see your testing are getting stricter. An ISO 27001 audit, a PCI DSS requirement, a cyber-insurance renewal, or an enterprise customer's security questionnaire increasingly wants evidence of credible testing, not just a certificate on the wall. A CREST-accredited report carries far more weight in those conversations than a generic scan. 

On the other side, cheap and shallow testing has never been easier to sell, and automation is widening that gap. The result is a market where the distance between a defensible test and a box-ticking one is growing at exactly the moment the stakes are rising. Choosing on price alone is how organisations end up with a clean report that does not survive contact with a real attacker, the most expensive kind of false assurance there is. 

What we do with CREST at Claranet

We are a CREST-accredited and CHECK (NCSC-approved) penetration testing provider, and we have been testing security for more than 20 years. Our testers hold recognised industry certifications, and we deliver over 1,000 penetration tests every year across web applications, mobile apps, infrastructure, wireless, cloud, social engineering, and full red team exercises. 

In practice, defensibility shows up at every stage of how we work: 

  • Scoping. Every engagement starts with a formal scoping process and a Statement of Work that sets out the scope, objectives, and rules of engagement before any testing begins.
  • Execution. We combine automated vulnerability assessment with extensive manual exploitation, because the issues that matter most – logic flaws, chained vulnerabilities, business logic problems – are the ones scanners cannot find.
  • Reporting. You get a report rated against the industry-standard CVSS framework, with an executive summary for leadership and the technical detail your team needs to act, including exploitation paths and clear remediation guidance.
  • Sign-off and assurance. Every report is peer-reviewed through our quality assurance process before it reaches you, and retesting of remediated findings is included, so you have documented evidence that the fixes worked.

Alongside CREST and CHECK, our testing practice holds ISO 27001, Cyber Essentials Plus, and PCI DSS ASV accreditations, and our testers carry qualifications including OSCP, OSCE, Tiger Scheme, and Cyber Scheme. The point of all of it is the same: a test you can stand behind. 

A view from CREST

"At CREST, our role is to raise standards, build trust and help organisations buy cyber security services with confidence. That means setting rigorous standards for both organisations and individuals, so buyers know they are receiving testing that is technically robust, professionally delivered and able to withstand scrutiny when it matters most.

Claranet has been a valued member of the CREST community for 17 years, consistently demonstrating its commitment to quality, professionalism and continuous improvement. Long-standing accredited members play an important role in strengthening the cyber security ecosystem by investing in skilled people, proven methodologies and high standards of assurance. Ultimately, that's what gives customers confidence that the penetration testing they commission delivers genuine security value rather than simply meeting a compliance requirement." 

Nick Benson, CEO, CREST 

The takeaway

A penetration test is only as good as the standard behind it. CREST gives you a way to tell a defensible test from a box-ticking one before you commit, and a defensible test is the one that holds up when an auditor, an insurer, or an attacker leans on it. If your next test needs to do that, and most do, it is worth knowing what you are buying before you buy it. 

Want to talk it through? Speak to our testing team about scoping a CREST-accredited penetration test that stands up to scrutiny.