CREST certification - don't accept anything less

In theory, penetration testing can be done by anyone from any location. If they have the set up of an ethical hacker – a laptop, an internet connection and the relevant software – they’re ready to go. The only issue is, can you have confidence in their services?

When it comes to hiring pen testers, you’re naturally looking for those you can trust with your data, security and reputation. That means choosing testers accredited for high technical ability and watertight codes of conduct. And for many organisations, that means CREST.

CREST-certified testers are rigorously and independently assessed

It’s often more expensive to use a CREST-certified tester since they’ve acquired a vast amount of experience and a high level of technical expertise. The journey to CREST certification is long and hard, but the lessons a tester learns on that road are worth their weight in gold.

The accreditation is not permanent. All CREST-qualified professionals are required to re-sit examinations every three years. This ensures you never hire an ethical hacker who is anything less than a leader in their field.

CREST-certified professionals typically have at least 10,000 hours of experience, and they are capable of managing ethical hacking teams that can dive deeply and creatively into an organisation’s infrastructure. To learn more about this process – known as a Red Team approach – see our article on what makes our independent penetration testing different.

CREST-certified testers sign up to enforceable Codes of Conduct

All pen testers holding a CREST qualification sign a personal code of conduct, which ensures they follow ethical practices and vetted processes.

You don’t have to take a CREST member’s word for it, either. As a governing body, CREST can and will carry out onsite audits of their members. They also extend their rigorous expectations beyond the walls of the company to any contractors working or assisting the organisation they vet.

What are the other options besides CREST?

While there are plenty of pen testing qualifications from GIAC to CRTOP and CEPT, only a few certifications serve as an effective barometer of how trustworthy a tester is.

CHECK is a popular accreditation in this regard since it’s a government scheme conducted by the UK National Cyber Security Centre. Tigerscheme, set up and administered by the University of South Wales, is also well recognised.

But sooner or later, if you spend any time in cybersecurity circles, you’re going to hear someone say that CREST certification is the gold standard – and few would debate the point.

The Council of Registered Ethical Security Testers is the seal of approval that many public sector contracts and major private companies look for – and sometimes require. Just as no one ever got fired for buying IBM, no CTO or CIO ever took heat for doing business with CREST-certified testers.

So is CREST worth the cost?

CREST’s high standards mean that when you hire a certified tester, you’re prioritising the security of your organisation. While this has obvious preventative benefits, it also has significant business benefits.

We’ve seen several cover letters which include the sentence, “We’ve had penetration testing by a CREST-certified tester”. 2022 cybersecurity trends suggest this practice will only increase as organisations become more and more discerning of those they do business with.

Datavax is a trusted, neutral cybersecurity partner with CREST-certified testers. If you’re still sitting on the fence about pen testing, you can book a free, no strings attached, 30-minute consultation with one of our senior testers and project managers.