CREST (Council of Registered Ethical Security Testers) is the leading accreditation body for cybersecurity testing organisations. Over 500 member companies worldwide meet its standards. Financial regulators, government agencies, and enterprise procurement teams use CREST accreditation to verify that their testing partners are competent and trustworthy. Demand for CREST-certified services grew 42% year-over-year in 2025, driven by DORA, PCI DSS 4.0, and TIBER framework implementations that require accredited providers (CREST Annual Report, 2025).
If you are selecting a red team provider, CREST accreditation is the single most reliable quality signal. It means the provider’s methodologies, staff qualifications, and data handling have been independently audited. For TIBER-EU, CBEST, and other regulatory engagements, CREST accreditation is typically a prerequisite.
What Is CREST and Why Was It Created?
CREST was established in response to a growing need for quality assurance in the penetration testing and cybersecurity assessment industry. In the early 2000s, the market for security testing was largely unregulated, with no standardized way for buyers to distinguish between competent, ethical providers and unqualified operators who might cause more harm than good.
The organization was founded with the backing of the UK government’s National Technical Authority (GCHQ/CESG, now the National Cyber Security Centre) and the Bank of England, reflecting the critical importance of assuring the quality of security testing in the financial sector and government.
CREST’s mission operates on two levels:
- Individual Certification: Validating the technical competence of individual security professionals through rigorous, practical examinations
- Company Accreditation: Auditing organisations’ processes, methodologies, data handling, staff qualifications, and business practices
“CREST accreditation provides assurance that a company operates to the highest standards of technical competence, ethical conduct, and data security. It is not simply a badge — it represents ongoing commitment to quality that is verified through regular audits.” — Ian Glover, Former President, CREST International
Key statistics about CREST:
- 500+ member companies across 50+ countries (CREST, 2025)
- 5,000+ individually certified professionals worldwide
- 42% year-over-year increase in demand for CREST-certified services (2024-2025)
- 97% of CBEST and TIBER-EU implementations require or strongly prefer CREST-accredited red team providers
- 12 different professional certification examinations offered
What CREST Certifications Are Available for Individuals?
CREST offers a progression of individual certifications that validate increasing levels of technical expertise. These certifications are achieved through practical examinations that test real-world skills rather than theoretical knowledge alone.
Entry-Level Certifications
| Certification | Full Name | Focus Area | Exam Format |
|---|---|---|---|
| CPSA | CREST Practitioner Security Analyst | Foundation-level penetration testing | Written + Practical |
| CRT | CREST Registered Penetration Tester | Infrastructure and web application testing | Practical lab exam |
| CRTIA | CREST Registered Threat Intelligence Analyst | Threat intelligence fundamentals | Written + Practical |
Advanced Certifications
| Certification | Full Name | Focus Area | Exam Format |
|---|---|---|---|
| CCT INF | CREST Certified Tester (Infrastructure) | Advanced infrastructure penetration testing | Practical lab exam |
| CCT APP | CREST Certified Tester (Application) | Advanced web and application security | Practical lab exam |
| CCSAS | CREST Certified Simulated Attack Specialist | Red teaming and adversary simulation | Practical + Scenario |
| CCSAM | CREST Certified Simulated Attack Manager | Red team engagement management | Scenario + Interview |
The CRT Certification
The CREST Registered Penetration Tester (CRT) is the most widely pursued individual certification and serves as a baseline requirement for penetration testers working in CREST-accredited companies. The CRT examination is a practical, hands-on test conducted in a controlled lab environment where candidates must demonstrate their ability to:
- Identify and exploit vulnerabilities in infrastructure and web applications
- Conduct methodical testing following recognized frameworks
- Document findings accurately and communicate risk effectively
- Operate within ethical and legal boundaries
The CRT pass rate averages approximately 38-42%, reflecting the examination’s rigorous standards. Candidates are expected to have at least 2-3 years of professional penetration testing experience before attempting the exam.
The CCT Certification
The CREST Certified Tester (CCT) represents the next level of expertise and is available in two specializations: Infrastructure (CCT INF) and Application (CCT APP). CCT-level testers are expected to:
- Demonstrate mastery of advanced exploitation techniques
- Bypass modern security controls and detection mechanisms
- Identify complex, chained vulnerabilities
- Provide expert-level analysis and risk assessment
CCT pass rates are notably lower than CRT, typically around 25-30%, and candidates usually have 5+ years of professional experience.
CCSAS and CCSAM
The CREST Certified Simulated Attack Specialist (CCSAS) and Manager (CCSAM) certifications are specifically designed for red teaming professionals. These are the highest-level CREST certifications and are required for individuals leading TIBER, CBEST, and other intelligence-led red team engagements.
CCSAS holders must demonstrate the ability to plan and execute sophisticated, multi-stage attack simulations that replicate advanced persistent threat behavior. CCSAM holders must additionally demonstrate the management and leadership skills required to oversee complex red team engagements, including client management, risk assessment, and strategic reporting.
How Does CREST Company Accreditation Work?
CREST company accreditation is a full audit process that evaluates an organization’s ability to deliver high-quality security testing services. The accreditation process examines multiple dimensions of the business.
Assessment Areas
Technical Capability
- Staff must hold relevant CREST certifications (minimum percentage requirements)
- Demonstrated expertise across the accreditation scope
- Regular technical development and training programs
Methodology and Process
- Documented, repeatable testing methodologies
- Quality assurance processes for deliverables
- Peer review of reports and findings
- Scope management and change control
Data Security
- Physical and logical security of testing environments
- Encryption of client data in transit and at rest
- Data retention and destruction policies
- Incident response procedures for data breaches
- Background checks for all staff with access to client data
Business Operations
- Professional indemnity insurance (typically GBP 1-5 million minimum)
- Contracts and legal frameworks
- Complaints handling procedures
- Business continuity planning
Accreditation Tiers
CREST offers several tiers of company accreditation:
| Tier | Description | Requirements |
|---|---|---|
| Penetration Testing | Standard penetration testing services | CRT-qualified staff, methodology audit |
| STAR (Simulated Targeted Attack and Response) | Red teaming and adversary simulation | CCSAS/CCSAM-qualified staff, enhanced audit |
| Threat Intelligence | Threat intelligence services | CRTIA-qualified staff, source validation |
| SOC | Security Operations Centre services | Monitoring and response capability audit |
| Vulnerability Assessment | Automated and manual vulnerability scanning | Process and tool validation |
The accreditation process typically takes 3-6 months and involves an initial desktop review followed by an on-site audit. Accredited companies undergo re-assessment annually and can be subject to unannounced spot checks.
“The CREST accreditation audit was the most thorough external review our company has ever undergone. It examined not just our technical capabilities but our entire business operation — from how we handle client data to how we train our staff. The result is a standard that clients can genuinely trust.” — Senior Director, CREST-accredited cybersecurity firm
Why Does CREST Certification Matter for Organizations?
For organisations purchasing cybersecurity testing services, CREST accreditation serves as a critical quality filter. The value proposition operates on multiple levels.
Regulatory Requirements
An increasing number of regulations and frameworks either mandate or strongly recommend CREST-accredited providers:
- CBEST (Bank of England): Requires CREST STAR-accredited red team providers
- TIBER-EU: Most national implementations require or prefer CREST or equivalent accreditation
- PCI DSS: CREST penetration testing accreditation recognized for PCI compliance testing
- UK Government: CREST accreditation required for CHECK scheme security testing
- DORA: References “qualified testers” with CREST as an accepted qualification standard
Risk Mitigation
Engaging a CREST-accredited provider reduces procurement risk by ensuring:
- Testers have been individually examined and certified
- The company’s methodologies have been independently validated
- Data handling meets stringent security requirements
- Professional indemnity insurance is in place
- Ethical standards and codes of conduct are enforced
Quality Assurance
CREST’s ongoing audit regime means that accredited companies must continuously maintain their standards. Annual re-assessments and the requirement to maintain minimum staffing levels of certified professionals create accountability that self-declared credentials cannot match.
According to a 2024 survey by the Ponemon Institute, organisations that exclusively used CREST-accredited penetration testing providers reported 31% more actionable findings per engagement compared to those using non-accredited providers.
How Is CREST Relevant in Switzerland?
CREST’s relevance in Switzerland has grown significantly with the implementation of TIBER-CH and the broader trend toward regulatory-mandated security testing in the Swiss financial sector.
While CREST is a UK-headquartered organization, its international expansion has made it the de facto global standard for security testing accreditation. In Switzerland, CREST certification is relevant in several key contexts:
TIBER-CH Red Team Providers
The Swiss National Bank’s TIBER-CH framework references CREST accreditation as one of the accepted qualification standards for red team providers. While TIBER-CH does not exclusively require CREST, providers with CREST STAR accreditation have a significant advantage in the procurement process.
Financial Sector Procurement
Major Swiss banks and financial institutions increasingly include CREST accreditation as a requirement or evaluation criterion in their security testing RFPs. This trend is driven by both regulatory expectations and the desire for internationally recognized quality standards.
Cross-Border Engagements
Swiss multinational corporations operating across Europe benefit from using CREST-accredited providers who can deliver consistent quality across multiple jurisdictions. This is particularly important for organisations subject to DORA, which requires harmonized testing standards across EU operations.
Organizations like RedTeamPartner.com demonstrate the value of maintaining CREST certification while serving the Swiss market, combining internationally recognized standards with local expertise and understanding of Swiss regulatory requirements.
For a broader view of the Swiss cybersecurity regulatory landscape, including FINMA requirements that intersect with CREST standards, see CybersecuritySwitzerland.ch’s regulatory overview.
How Does CREST Compare to OSCP and CEH?
One of the most common questions from both professionals and organisations is how CREST certifications compare to other well-known cybersecurity certifications, particularly the Offensive Security Certified Professional (OSCP) and Certified Ethical Hacker (CEH).
| Feature | CREST (CRT/CCT) | OSCP | CEH |
|---|---|---|---|
| Issuing Body | CREST International | Offensive Security (OffSec) | EC-Council |
| Exam Type | Practical lab + written | 24-hour practical lab | Multiple choice (primarily) |
| Focus | Professional competence + methodology | Hands-on exploitation skills | Broad theoretical knowledge |
| Pass Rate | CRT: ~40%, CCT: ~28% | ~20-25% | ~65-70% |
| Prerequisite | CPSA or equivalent | PWK course (recommended) | None (2 years experience recommended) |
| Company Accreditation | Yes (unique differentiator) | No | No |
| Regulatory Recognition | CBEST, TIBER, PCI, UK Gov | Limited formal recognition | DoD 8570 baseline |
| Renewal | 3 years + CPD | No expiry | 3 years + ECE credits |
| Approximate Cost | GBP 1,200-3,500 per exam | USD 1,749-2,499 (course + exam) | USD 1,199 (exam only) |
| Global Holders | ~5,000+ | ~30,000+ | ~80,000+ |
Key Differences
CREST vs. OSCP: Both are highly respected practical certifications, but they serve different purposes. OSCP validates an individual’s hands-on exploitation skills and is widely regarded as the industry benchmark for technical competence. CREST goes further by also validating methodology, professionalism, and — uniquely — the quality of the organization employing the tester. Many professionals hold both certifications; OSCP demonstrates technical prowess while CREST certification is required for regulatory-mandated work.
CREST vs. CEH: The CEH certification is significantly broader in scope but less technically demanding. Its primarily multiple-choice examination format tests knowledge rather than practical skill. While CEH is widely held (80,000+ holders globally), it is generally not considered equivalent to CREST or OSCP for validating penetration testing competence. However, CEH serves as a useful entry-level certification and meets certain compliance requirements (particularly US Department of Defense Directive 8570).
The Unique Value of CREST: What truly differentiates CREST from OSCP and CEH is its dual individual-and-organizational accreditation model. No other certification body provides the full company accreditation that CREST offers. This is why regulators consistently choose CREST as their benchmark: it provides assurance not just about the individual tester but about the entire organization delivering the service.
What Does the CREST Certification Journey Look Like?
For professionals considering pursuing CREST certification, understanding the typical journey helps with planning and preparation.
Year 1-2: Foundation
- Build foundational skills through hands-on practice and training
- Achieve CPSA (Practitioner Security Analyst) as the entry point
- Many professionals pursue OSCP in parallel during this phase
Year 2-3: CRT Level
- Gain 2-3 years of professional penetration testing experience
- Pass the CRT examination (infrastructure or web application focus)
- Begin working under supervision in a CREST-accredited company
Year 4-6: CCT Level
- Develop advanced exploitation and methodology skills
- Pass the CCT examination (infrastructure and/or application)
- Lead penetration testing engagements independently
Year 6+: CCSAS/CCSAM Level
- Specialize in red teaming and adversary simulation
- Pass CCSAS (specialist) or CCSAM (manager) examination
- Qualified to lead TIBER, CBEST, and other intelligence-led engagements
Each level of CREST certification requires continuing professional development (CPD) to maintain. Certified professionals must demonstrate ongoing learning and skill development as part of their three-year renewal cycle.
Frequently Asked Questions About CREST Certification
How long does it take to become CREST-certified?
For individuals, the minimum path from entry to CRT typically takes 2-3 years of professional experience. The company accreditation process takes 3-6 months from application to decision.
Is CREST recognized outside the UK?
Yes. CREST has significantly expanded its international presence and now operates across 50+ countries. CREST certifications are recognized in the EU, Asia-Pacific, Middle East, and Africa. The organization has regional chapters and examination centers worldwide.
Can a company self-declare CREST accreditation?
No. CREST accreditation requires a formal audit process conducted by CREST assessors. Companies cannot use the CREST logo or claim accreditation without completing this process. CREST actively monitors and enforces against unauthorized use of its brand.
How much does CREST company accreditation cost?
Costs vary based on the scope of accreditation and company size. Initial accreditation typically costs GBP 10,000-25,000, with annual renewal fees of GBP 5,000-15,000. These costs cover the assessment process, auditor fees, and ongoing membership.
Is CREST required for penetration testing?
CREST is not universally required, but it is mandatory or strongly preferred for regulated industries (especially financial services), government security testing, and TIBER/CBEST engagements. For general commercial penetration testing, CREST accreditation is a strong differentiator but not always a strict requirement.
What is the relationship between CREST and CHECK?
CHECK is the UK government’s scheme for assuring the quality of IT health checks on government systems. CHECK is administered by the National Cyber Security Centre (NCSC) and requires companies to be CREST-accredited and individual testers to hold CREST qualifications. CHECK can be considered a government-specific layer on top of CREST accreditation.
CREST certification continues to grow in importance as regulators worldwide demand demonstrable assurance that cybersecurity testing providers meet professional standards. For organisations and professionals operating in the Swiss and European cybersecurity landscape, CREST represents the clearest path to demonstrating competence, building trust, and meeting regulatory expectations.
Sources
- CREST Official Website — confirms 500+ member companies worldwide
- CREST Annual Report 2024 — details membership and accreditation data