CREST penetration testing
CHECK, OVS, STAR, and the defensible engagement

CREST: an accreditation body, a quality standard, and a family of testing schemes

CREST (the Council of Registered Ethical Security Testers, now CREST International) is a not for profit body that accredits cybersecurity service providers and individual practitioners. CREST operates a range of testing schemes including CHECK (UK government), OVS (the OWASP Verification Standard), STAR and STAR FS (intelligence led red team), and the Certified Tester and Simulated Attack Specialist certifications for individuals. CREST member firms commit to an organisational standard covering processes, complaint handling, data protection, and quality assurance, and the people delivering the engagement hold individual certifications appropriate to the scope.

CREST sits comfortably alongside the methodology specifications most testers reach for. The Penetration Testing Execution Standard (PTES) gives the engagement scaffold from pre engagement through reporting. The OWASP Top 10 and OWASP Testing Guide cover the web application phase in depth. OWASP ASVS and MASVS are the underlying standards for CREST OVS engagements. The MITRE ATT&CK framework is the language CREST STAR engagements use to tag what attackers do, and compliance frameworks like ISO 27001, PCI DSS, and NIS2 commonly accept a CREST aligned penetration test as evidence for their technical testing controls.

The CREST testing schemes at a glance

CREST operates several distinct schemes. They are not interchangeable: the scheme governs the scope, the required individual certifications, and the reporting expectations. Pick the scheme first, then build the engagement against it.

CREST individual certifications: who is allowed to lead what

CREST accreditation rests on the people who deliver the engagement, not just the firm. The practitioner certifications below define who is qualified to lead each scope and which scheme each certification gates.

Tracking the certifications held by each tester on the engagement is operationally important. Customers commissioning a CHECK or STAR engagement need to verify the test team holds the required accreditations on the day of the engagement, and the report should cite the lead tester credentials alongside the methodology. The team management capability records the role of each member of the engagement team so this verification is a click rather than an email thread.

The CREST Defensible Penetration Test specification

CREST publishes the Defensible Penetration Test specification as a buyer side guide for what a credible engagement looks like, independent of which scheme the test is delivered under. The specification is short on purpose: it is a checklist of the things a buyer should be able to verify before, during, and after the engagement, and it sets the floor for any CREST aligned delivery.

For a longer form treatment of the engagement scope and the contractual mechanics that operate the defensible test, see the penetration testing scope of work template and choosing a security testing provider.

CREST OVS verification levels: pick the level on purpose

CREST OVS engagements declare a verification level drawn from OWASP ASVS or MASVS. The level is a contractual decision: a Level 1 engagement reported as Level 3 is a scope breach, and a Level 3 engagement reported as Level 1 is a value gap. Decide the level during pre engagement, name it in the rules of engagement, and reflect it on every page of the verification report.

OVS verification depends on traceability between the test cases performed and the ASVS or MASVS requirements they evidence. Findings management with CVSS 3.1 scoring and 300+ templates gives every finding a structured place to live, and OWASP and CWE tags can be carried alongside the finding so the verification report maps cleanly to the requirement set rather than to a generic vulnerability list. The web application testing use case captures the operational mechanics for an OVS aligned web application engagement.

CREST STAR and STAR FS: intelligence led red team for regulated entities

STAR and STAR FS engagements are run as joint exercises with a white team representing the commissioning organisation, a red team executing the scenario, and a blue team observing and responding. STAR FS is the financial services variant operated alongside the Bank of England CBEST programme and the Financial Conduct Authority, and is closely aligned with the ECB TIBER EU framework used elsewhere in Europe. Track the threat intelligence input, the scenario, the rules of engagement, the white team contacts, the red team operators, the blue team observations, and the joint debrief on the same record so the engagement deliverable is a structured workflow rather than a wrapped narrative document.

For the operational shape of an intelligence led engagement on the same platform, see the red team reporting use case and the purple team operations use case for the post engagement detection calibration step. Financial entities operating under DORA threat led penetration testing requirements typically use STAR FS, CBEST, or TIBER EU as the delivery framework, and the same engagement record covers all three with the appropriate evidence retained.

Reporting expectations: the deliverable, not an export

A CREST aligned report is a structured deliverable, not a wrap up. The report is the artefact the buyer pays for, the assessor reviews, and the auditor cites, so its structure and evidence density determine whether the engagement was actually useful.

For a deeper write up on report structure, see how to write a pentest report and the matching penetration testing report template. The AI report generation feature composes the executive summary, technical body, and remediation roadmap from the underlying engagement, intelligence, findings, and exploitation evidence rather than a blank template, so the report cites the methodology and the evidence it actually rests on.

Retests, closure, and the assessor evidence pack

The CREST Defensible Penetration Test specification is explicit that retests are part of the engagement, not a follow on procurement. A retest mechanism that is built into the contract keeps the engagement aligned with verified closure rather than a list of issues, and it gives the assessor a defensible record at audit time. For the operational shape of a closure ready retest workflow, see how to retest vulnerabilities and the remediation tracking use case.

The assessor evidence pack is the bundle a buyer side compliance team or an external auditor needs to see after the engagement closes. It is usually requested months later, often in a hurry, and the operational test of a CREST aligned engagement is whether the evidence pack can be assembled on demand. Engagement records that retain the authorisation, rules of engagement, scanner output, finding history, retest evidence, and the final report inside one workflow pass that test without scrambling.

How CREST compares to PTES, OWASP, NIST SP 800-115, and ISO 27001

CREST is rarely used in isolation. It is the accreditation and quality wrapper around a methodology, a technical reference, and a compliance context. The contrast below is a working view, not a buyer comparison: the practitioner question is which standards to pair CREST with, not which to pick instead of it.

Where SecPortal fits in a CREST aligned engagement

SecPortal is the operating layer for a CREST aligned engagement. The platform handles scope, team accreditation, intelligence and reconnaissance, vulnerability analysis, exploitation evidence, retests, and the final deliverable so the engagement runs as a single workflow rather than a long email thread with attachments. For consultancies running CREST engagements on behalf of multiple clients, the security consultants workspace bundles that with branded client portals, and cybersecurity firms and MSSPs get the same record with team and client scaling for larger delivery footprints.

Looking for the engagement workflow itself, end to end? The penetration testing use case and the pentest project management use case capture how SecPortal turns a CREST shaped engagement into a structured record covering scope, methodology, findings, retests, and the deliverable.

For deeper context on the procurement side, including how buyers should compare CREST aligned proposals on effective day rate, retest policy, reporting depth, and methodology citation, see the pentest pricing models research and the penetration testing methodology guide.