Cybersecurity (updated 2026)

List of CREST-Certified Penetration Testing Firms

A curated database of penetration testing firms accredited by CREST, including service specializations, compliance frameworks covered, headquarters locations, and certification levels for security procurement teams.

Available Data Fields

Company Name
Headquarters
CREST Accreditation Level
Service Specializations
Compliance Frameworks
Regions Served
Company Size
Year Founded
Testing Methodologies
Industry Focus
Additional Certifications
Website

Data Preview

* Full data requires registration
Company Name         | Headquarters   | Service Specializations                       | Regions Served
NCC Group            | Manchester, UK | Pen Testing, Red Teaming, Threat Intelligence | Global (35+ offices)
Trustwave SpiderLabs | Chicago, US    | Pen Testing, STAR, Vulnerability Assessment   | Global (96 countries)
LRQA Nettitude       | Birmingham, UK | Pen Testing, SOC, Incident Response           | Global (55+ countries)
IOActive             | Seattle, US    | Pen Testing, Code Review, Hardware Security   | Americas, EMEA, APAC
wizlynx group        | Switzerland    | Pen Testing, Red Teaming, IoT Security        | Europe, Asia, North America

300+ records available for download.


Why CREST Certification Matters for Penetration Testing Procurement

CREST is an international not-for-profit accreditation body for cyber security service providers. Some regulators mandate it outright: the Bank of England's CBEST scheme requires CREST-accredited (STAR) penetration testing and threat intelligence providers, and TIBER-EU implementations commonly accept CREST STAR accreditation as evidence of provider suitability. PCI DSS, SOC 2 and ISO 27001 require that testers be qualified and independent but do not name a specific scheme; for those, CREST accreditation is a widely accepted way to demonstrate that a provider meets the bar. In practice, many procurement teams treat it as a prerequisite rather than a preference.

CREST accreditation verifies that a firm's testers hold CREST qualifications (CRT, CCT, or CCSAS), that the firm follows documented methodologies, and that it operates under defined data handling and legal protocols. This reduces, but does not remove, the due diligence a buyer still owes: confirm the firm's current accreditation and the certifications of the named testers directly with CREST before signing.

How CREST Accreditation Works

Firms undergo an assessment covering testing methodologies, data protection, legal compliance, and quality assurance. Individual testers must pass technical examinations; CREST recommends roughly 6,000 hours (about three years) of relevant experience before sitting the CRT exam and roughly 10,000 hours (about five years) before CCT. Member firms resubmit annually and undergo full re-assessment every three years.

Certification Tiers to Know

CREST Pen Test
Core accreditation for infrastructure and application penetration testing.
CREST STAR
Simulated Target Attack and Response: intelligence-led red team engagements aligned with frameworks like CBEST and TIBER-EU.
CREST VA
Vulnerability assessment services, often a precursor to full pen testing engagements.
CREST IR
Incident response capability, relevant for firms offering end-to-end security testing and response.

Market Landscape

Approximately 300 firms worldwide hold CREST accreditation for cybersecurity services, though the number specifically accredited for penetration testing is a subset. The market spans from global consultancies like NCC Group and Trustwave with thousands of employees, to specialist boutiques with deep expertise in niche areas such as IoT security, SCADA/ICS testing, or financial sector red teaming.

Key Selection Criteria Beyond CREST

Factor                       | Why It Matters
Industry experience          | Regulated sectors (finance, healthcare, government) have domain-specific requirements
Geographic coverage          | On-site testing may require local presence; data sovereignty rules vary by jurisdiction
Complementary certifications | CHECK (UK government work, run by NCSC), OSCP/OSCE (offensive skills), ISO 27001 (management systems)
Reporting quality            | Executive summaries, remediation guidance, and re-testing policies differ significantly

Frequently Asked Questions

Q. How is CREST accreditation different from individual certifications like OSCP?

CREST accredits the firm as a whole—assessing processes, data handling, legal compliance, and quality assurance—in addition to requiring individual testers to pass CREST examinations. OSCP certifies an individual’s technical skills only. A CREST-accredited firm provides organizational accountability that individual certifications cannot.

Q. Does this dataset include each firm's specific CREST accreditation types?

Yes. Each entry specifies whether the firm holds CREST Pen Test, STAR, VA, IR, or other accreditation types, so you can filter for the exact service level your compliance framework requires.

Q. How current is the accreditation data?

When you request data, our AI crawls public sources including the CREST member directory to retrieve current accreditation status. CREST requires annual resubmission and full re-assessment every three years, so accreditation status can change.

Q. Can I filter for firms that cover specific regulatory frameworks like CBEST or TIBER-EU?

Yes. You can specify compliance frameworks in your request to get only firms with demonstrated experience in CBEST, TIBER-EU, PCI DSS, SOC 2, HIPAA, or other regulatory testing requirements.