CREST Penetration Testing | CREST Approved Provider | EJN Labs

CREST Penetration Testing

CREST-approved penetration testing by certified engineers. The standard required by UK regulators, the NCSC, and the majority of enterprise procurement frameworks.

EJN Labs is a CREST-approved penetration testing company. Every engagement is conducted by engineers who hold individual CREST certifications, and our company accreditation is maintained and verifiable at crest-approved.org.

What Is CREST Penetration Testing?

CREST (Council of Registered Ethical Security Testers) is the professional body that accredits penetration testing companies and certifies individual testers in the UK and internationally. A CREST-certified penetration test means:

  • The testing company has been assessed against CREST’s quality management standards
  • Engineers assigned to your engagement hold individual CREST certifications demonstrating technical competence
  • The company carries professional indemnity insurance at a level specified by CREST
  • Testers are bound by CREST’s code of conduct and professional ethics
  • The company’s processes and procedures have been independently reviewed

CREST certification is the most widely recognised standard for penetration testing in the UK. It is referenced explicitly in NCSC guidance, required by the CBEST and STAR frameworks for financial institutions, mandated in many central government procurement frameworks, and increasingly specified in enterprise and insurance due diligence questionnaires.

CREST Pen Testing Services

Our CREST-certified penetration testing services cover every major test type:

CREST vs Non-CREST: Why It Matters

The difference between a CREST-certified penetration test and an uncertified one is not simply a badge. It reflects a meaningful difference in quality assurance, legal standing, and usefulness of the output.

Factor | CREST-Certified | Non-Certified
Engineer quality assurance | Externally examined and certified | Self-assessed or vendor-assessed only
Professional indemnity insurance | Required at specified level | Not verified
Code of professional conduct | CREST-enforced with disciplinary process | Vendor-defined only
Acceptable to UK regulators | Yes — NCSC, FCA, PRA, government frameworks | Usually not — check with your regulator
Acceptable for cyber insurance claims | Typically yes | Often rejected or downgraded
Company quality controls | Independently assessed by CREST | Not independently verified

Who Requires CREST Penetration Testing?

CREST penetration testing is explicitly required or strongly recommended for:

  • FCA-regulated firms — CBEST, TIBER-UK, and Vulnerability Assessment frameworks all reference CREST-certified providers
  • UK government and public sector — Many government procurement frameworks and GovAssure requirements specify CREST-accredited suppliers
  • Financial services and banking — Major banks specify CREST certification in supplier due diligence questionnaires
  • Critical national infrastructure — NCSC guidance for CNI operators references CREST-certified testing
  • Cyber insurance policy holders — Several major cyber insurers require CREST-certified testing for policy compliance and claims
  • Large enterprise supply chains — Enterprise procurement teams increasingly mandate CREST certification in supplier security requirements

If you’re a small or medium business not in a regulated sector, CREST certification is still a meaningful quality signal — but it is not always contractually mandated. Use it as a selection criterion alongside company accreditation verification, sample reports, and engineer certifications.

How to Verify a CREST Approved Provider

Any penetration testing company can claim to be “CREST-certified” in their marketing. Verification is straightforward:

  1. Visit crest-approved.org
  2. Use the “Find a Company” search to look up the vendor by name
  3. Verify that the company appears in the directory as an approved member
  4. Check which service types they’re approved for (penetration testing, CREST STAR, CBEST, etc.)
  5. For individual engineers: ask them for their CREST certification credentials and verify at the same directory

EJN Labs is listed at crest-approved.org. If you encounter a company that cannot be verified in the CREST directory, it is not CREST-certified regardless of what its website claims.

CREST Certification Levels

CREST certifies individual testers at multiple levels. When commissioning a penetration test, it’s worth understanding what certifications are relevant:

  • CREST Registered Tester (CRT) — Entry-level individual certification. Demonstrates foundational penetration testing competence.
  • CREST Certified Tester (CCT) — Mid-level certification in specific disciplines: Infrastructure (CCT INF), Web Application (CCT APP), and Mobile Application. It carries a more rigorous examination requirement than CRT.
  • CREST Certified Simulated Attack Manager/Specialist (CCSAM/CCSS) — Advanced certifications for red team engagements and simulated attack exercises.
  • CREST Practitioner Intrusion Analyst (CPIA) — Certification for threat intelligence and incident response practitioners.

For most web application and infrastructure tests, engineers should hold at minimum CRT or CCT level. For red team exercises and advanced engagements, insist on CCSAM/CCSS certified team leads.

Frequently Asked Questions

Does my business need CREST penetration testing?
If you’re in a regulated industry (financial services, healthcare, government supply chain) or your cyber insurance policy specifies it — yes. For other businesses, CREST certification is a strong quality indicator but may not be contractually required. We can advise based on your specific regulatory and contractual obligations.

How do I check if a company is CREST approved?
Search for the company at crest-approved.org. The directory lists all current CREST-approved companies and their approved service types. Do not rely on self-reported claims — always verify in the directory.

Is CREST the same as CHECK?
No. CHECK is a separate scheme run by the NCSC specifically for testing UK government systems. It is distinct from CREST, though some companies hold both accreditations. Most private sector organisations should look for CREST; CHECK is specifically relevant if you’re a public sector body or central government supplier with NCSC-specified requirements. See our full CREST vs CHECK comparison.

How much does CREST penetration testing cost?
CREST-certified penetration testing typically costs 20–40% more than non-certified equivalents. Specific pricing depends on scope and test type — see our penetration testing cost guide for detailed UK price ranges.

Commission a CREST Penetration Test

Start with a 30-minute scoping call. We’ll confirm the right test type, approach, and timeline for your requirements — and provide a fixed-price quote.