CREST Defensible Penetration Test Released

CREST provides commercially defensible scoping, delivery, and sign-off recommendations for penetration tests.

August 2, 2022


ROSELAND, N.J., Aug. 1, 2022 /PRNewswire/ — CREST, the international not-for-profit, membership body representing the global cyber security industry, has announced the release of its CREST Defensible Penetration Test, a specification that provides recommendations on how penetration tests should be scoped, delivered and signed off. With significant growth in the numbers of penetration tests being carried out around the world, the need to define best practice has become increasingly important. CREST has worked alongside industry recognized and peer-selected experts to define a minimum set of expectations associated with a penetration test.

The guidance focuses on defining a CREST Defensible Penetration Test and is designed to help service providers and their clients to work more effectively together to conduct penetration tests.

"A CREST Defensible Penetration Test provides flexibility built around a minimum set of expectations that will drive better outcomes for buyers across the globe," explained Rowland Johnson, CREST President. "It provides the industry with a much-needed commercially defensible assurance activity that is appropriately scoped, executed, and signed off."

Across the globe it is widely acknowledged that the definitions, practices, and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterize a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.

This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organizations that are looking to procure penetration testing services and organizations that deliver penetration testing services.

Only when the following three elements are satisfied will the CREST Defensible Penetration Test be commercially defensible:

— The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies
— The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency
— The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification

More information on the CREST Defensible Penetration Test is available at: Implementation & Procurement Guides — CREST (


CREST is an international not-for-profit, membership body representing the global cyber security industry. Its goal is to help create a secure digital world for all by quality assuring its members and delivering professional certifications to the cyber security industry.

CREST accredits almost 300 member companies, operating across dozens of countries, and certifies thousands of professionals worldwide. It works with governments, regulators, academe, training partners, professional bodies and other stakeholders around the world.

CREST members undergo a rigorous quality assurance process and employ competent professionals. Organizations buying their cyber security services from CREST members do so with confidence.
