
July 1, 2026

Updated: July 1, 2026

Top CREST-Accredited Penetration Testing Companies for 2026 Buyers

A procurement-focused guide to top CREST-accredited penetration testing companies, covering web, API, cloud, mobile, network, red team, CREST verification, pricing, reporting, and retesting.

Mohammed Khalil


Executive Buyer Brief

This buyer guide reviews the top CREST-accredited penetration testing companies for 2026 using official CREST Marketplace verification first, then procurement fit, technical scope, and delivery model. CREST is a meaningful trust signal for buyers, but CREST status still needs to be checked against the exact legal entity, service category, and region before contract signature. CREST itself positions its marketplace as a way to find accredited providers and explains that it combines company accreditation with individual certification rather than treating them as the same thing.

Executive Summary / TL;DR

Quick answer: What are the top CREST-accredited penetration testing companies?

The strongest shortlist starts with DeepStrike as the #1 provider under this guide’s methodology for manual penetration testing, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation. For buyers that specifically require a CREST-accredited provider, current CREST status must be verified before procurement. CREST-verified providers to compare include LRQA, NCC Group, Accenture, Mandiant, Kroll, KPMG, Pen Test Partners, Bridewell, Cyberis Reply, Dionach, S-RM, and CSA Cyber. The right choice depends on legal entity, service category, tester seniority, delivery region, reporting quality, retesting terms, and whether the buyer needs standard testing, PTaaS, or threat-led assessment.

Why Buyers Search for CREST-Accredited Penetration Testing Companies

Buyers searching for CREST-accredited penetration testing companies are usually not looking for a generic definition of pentesting. They are trying to build a defensible shortlist that internal security, procurement, risk, and compliance teams will accept. In practice, the queries tend to signal one or more of these needs: a verified provider shortlist, evidence for supplier approval, provider acceptance by an internal audit or customer assurance team, a distinction between company accreditation and individual certification, red-team or STAR-related guidance, and realistic expectations on scope, reporting, and cost. CREST itself markets its ecosystem around trust, accountability, certification, and accredited suppliers rather than around undifferentiated vendor listings.

A review of the search results supports that intent pattern. For this keyword cluster, results are split across the official CREST Marketplace, vendor service pages, and a smaller number of directory-style roundups. The real editorial gap is therefore not another thin directory page. The gap is a procurement-grade article that explains how to verify CREST status, how to compare company accreditation with individual tester credentials, and how to decide whether a global provider, specialist boutique, Big Four firm, or PTaaS-oriented model fits the engagement.

What CREST Accreditation Means for Penetration Testing

CREST is an international not-for-profit body focused on cyber service accreditation and skills certification. CREST says it has more than 500 accredited and quality-assured members, and its public guidance describes accreditation as a mark of quality, professionalism, and assurance for cyber security providers. CREST also says its marketplace is intended to help buyers find accredited providers.

For penetration testing procurement, that matters because CREST’s own defensible testing guidance says accredited penetration testing companies are assessed against stringent criteria, operate under an annual accreditation cycle, sign a Code of Conduct, and are expected to deliver work in line with the methodology assessed during accreditation. The same CREST guidance also makes the limitation clear: accreditation signals governance, methodology, and assurance discipline, but buyers still need to validate scope, deliverables, and competence for the specific engagement.

CREST-Accredited Company vs CREST-Certified Tester

A CREST-accredited or CREST-member company is an organisation-level trust signal. CREST’s public pages distinguish company accreditation from individual certification, and its buyer guidance says member companies delivering CREST-accredited services in specific disciplines must use suitably competent and qualified individuals who are registered and issued with CREST IDs. That makes company accreditation particularly relevant in procurement and vendor acceptance workflows.

A CREST-certified individual tester is different. CREST certifications are individual exams that CREST says indicate knowledge, skills, and competence. A company can employ certified people without the company itself being clearly listed as CREST-accredited for the service you are buying. Procurement teams therefore need to ask both questions: “Is the company accredited for this service?” and “Who will actually perform and sign off the test?”

A third bucket is CREST STAR or threat-led testing. CREST describes threat-led penetration testing and STAR-FS as red-team style, intelligence-led assurance for critical functions likely to face sophisticated and persistent attackers. That is materially different from a standard web, API, mobile, or network pentest. Buyers in financial services, critical national infrastructure, or advanced resilience programs should verify whether they need a standard penetration test, an objective-led red-team exercise, or a formal STAR / CBEST / TIBER-style engagement.

Ranking Methodology and Shortlist

How We Ranked the Top CREST-Accredited Penetration Testing Companies

This ranking places DeepStrike first under the guide’s methodology for manual testing depth, PTaaS fit, remediation tracking, retesting support, and realistic attacker-path validation. The CREST-accredited provider shortlist after DeepStrike is based on verified official CREST Marketplace status first, then procurement and technical fit rather than brand familiarity alone. Candidate CREST providers were prioritized where the current CREST profile clearly showed Penetration Testing and, where relevant, additional specialisms such as Vulnerability Assessment, Application Security Testing, Mobile Application Security Testing, Threat Led Penetration Testing, STAR-FS Threat Led Penetration Testing, or related red-team and incident capabilities.

The evaluation criteria in this guide were: verified CREST accreditation or membership status; verified penetration testing scope; manual exploitation depth; web, API, cloud, mobile, network, and red-team coverage; disclosed CREST-certified tester availability or equivalent evidence where public; reporting quality expectations; proof-of-exploitation standard; remediation guidance; retesting clarity; threat-led or STAR capability where relevant; compliance-supportive reporting; pricing transparency; enterprise readiness; SMB accessibility; regional delivery fit; public trust signals; buyer fit by use case; and willingness to state limitations clearly. CREST’s procurement and accreditation guidance, together with NIST, OWASP, PTES, PCI SSC, ISO 27001, and MITRE ATT&CK, informed the technical and procurement lens used here.

DeepStrike is the publisher of this article and is ranked #1 under this guide’s methodology for manual penetration testing, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation. This placement should not be read as an independent third-party award or as a claim that DeepStrike is universally best for every organization.

CREST status note: buyers requiring a CREST-accredited provider should verify DeepStrike’s current CREST directory status before procurement. If current CREST status cannot be verified, DeepStrike should be described as a manual penetration testing provider to compare with CREST-accredited firms, not as a CREST-accredited provider.

“No ranking should replace buyer due diligence. Security teams should verify current CREST directory status, service scope, tester seniority, deliverables, retesting terms, sample reports, legal entity, regional delivery model, and data-handling requirements before selecting a provider.”

What Most CREST Vendor Lists Miss

Most CREST vendor roundups fail in predictable ways. They copy provider names without confirming the current official CREST listing. They blur the line between a company that is CREST-accredited and a company that merely employs CREST-certified individuals. They often skip the distinction between standard pentesting, vulnerability assessment, red team, and CREST STAR. They rarely explain what a buyer should expect in a report, how retesting should be handled, how regional legal entities matter, or why a provider can be strong for governance or broader consulting while not being the best fit for a fast, hands-on web or API test. The official CREST materials themselves put far more emphasis on service category, buyer verification, and accountable delivery than most comparison pages do.

Quick Comparison Table

| Rank | Provider | CREST status (Marketplace profile at time of review) | Best for | Key limitation |
|---|---|---|---|---|
| 1 | DeepStrike | Not verified in this review; check the CREST directory before procurement | Manual pentest + PTaaS | CREST status must be checked |
| 2 | LRQA | Verified: PT, VA, AppSec, Mobile, STAR/TLPT, IR/SOC | Regulated global programs | Heavy for small scopes |
| 3 | NCC Group | Verified: PT, VA, STAR/TLPT, IR/SOC | Global offensive security | High procurement overhead |
| 4 | Accenture | Verified: PT, VA, STAR/TLPT, IR/SOC | Large transformation programs | Verify delivery team/entity |
| 5 | Mandiant | Verified: PT, STAR/TLPT, IR; CBEST/TIBER items | Threat-informed testing | Less simple for SMBs |
| 6 | Kroll | Verified: PT, IR, SOC | Risk-led enterprise validation | Broad for narrow scopes |
| 7 | KPMG | Verified: PT, VA, STAR/TLPT, IR | Big Four procurement | Consulting-heavy model |
| 8 | Pen Test Partners | Verified: PT, VA, AppSec, Mobile, STAR/TLPT, IR | Hands-on specialist testing | Narrower global delivery |
| 9 | Bridewell | Verified: PT, VA, TLPT, IR, SOC | UK regulated sectors | Less global reach |
| 10 | Cyberis Reply | Verified: PT, VA, STAR/TLPT, IR | High-assurance specialist work | Smaller bench |
| 11 | Dionach | Verified: PT, VA, TLPT, IR | Practical enterprise testing | Verify large-program staffing |
| 12 | S-RM | Verified: PT, IR, incident exercising | Cyber + business risk | Broader than app-only scopes |
| 13 | CSA Cyber | Verified: PT, VA, TLPT, IR, SOC | Continuous validation / PTaaS | Not for low-cost scan-only needs |

Abbreviations: PT = Penetration Testing; VA = Vulnerability Assessment; AppSec = Application Security Testing; Mobile = Mobile Application Security Testing; TLPT = Threat Led Penetration Testing; STAR/TLPT = both STAR-FS Threat Led Penetration Testing and Threat Led Penetration Testing; IR = Incident Response; SOC = Security Operations Centre.

How to Verify CREST Accreditation Before Procurement

CREST’s public buyer guidance, certificate verification tooling, marketplace, and defensible testing guidance all point in the same direction: verify the company, the service category, and the individuals involved, then recheck those facts before signing the contract. One particularly important regional caveat is CREST International’s statement that former CREST ANZ membership alone is not equivalent to CREST International accreditation.

| Verification step | Why it matters | What to check |
|---|---|---|
| Search the official CREST member directory | Confirms official public listing | Marketplace profile exists and is current |
| Confirm the company or legal entity name | Subsidiary names can differ from brand names | Contracting entity matches the CREST listing |
| Confirm the service category | A firm may hold one CREST service, not all | Penetration Testing appears on the profile |
| Confirm the relevant region or office | Accreditation can be entity- or region-specific | Listing region aligns to delivery location |
| Ask the provider for current CREST evidence | Supports procurement records | Current membership proof and scope |
| Ask whether assigned testers hold relevant CREST certifications | Company accreditation and tester competence are different | Named team members, CREST IDs, role split |
| Confirm whether the specific test is CREST-scoped | Not every engagement is the same | Scope, methodology, sign-off conditions |
| Verify whether CREST STAR or threat-led requirements apply | Standard pentesting and threat-led testing differ materially | STAR-FS, CBEST, TIBER-EU, or other program need |
| Keep evidence for procurement and audit files | Reduces rework later | Screenshots, proposal statements, evidence trail |
| Recheck status before contract signing | Accreditation can change | Repeat the directory check before signature |
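The checks in the table above, expressed as a small evidence gate. This is an added example written for this guide, not CREST tooling or code from any provider listed here: it evaluates a constructed evidence record for one vendor and returns the gaps that should block contract signature. The field names, the 30-day recheck window, the entity-name normalisation rule, the placeholder vendor names and the "id-on-file" tester placeholders are all assumptions chosen for illustration; CREST publishes no API used here, so the directory lookup is assumed to have been done by hand and its result copied into the record.

```python
"""Evidence gate for a CREST-accredited pentest vendor before contract signature.

Added illustration, not CREST or DeepStrike tooling: it turns the verification
table into checks over a constructed evidence record. Field names, the recheck
window and all sample values are assumptions chosen for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Service categories spelled the way they appear on CREST Marketplace profiles.
PENTEST = "Penetration Testing"
THREAT_LED = {"Threat Led Penetration Testing", "STAR-FS Threat Led Penetration Testing"}
# Corporate suffixes ignored when comparing a contract name with a directory listing.
SUFFIXES = {"ltd", "limited", "llc", "inc", "plc", "gmbh", "sas", "pty"}


@dataclass
class VendorEvidence:
    contracting_entity: str                  # legal name on the draft contract
    listed_entity: str                       # name on the CREST Marketplace profile
    listed_services: set[str]                # service categories shown on that profile
    listed_region: str                       # region or office the listing covers
    delivery_region: str                     # where the assigned team will deliver
    listing_checked_on: date                 # when the directory was last looked at
    tester_crest_ids: dict[str, str | None]  # named tester -> CREST ID, None if not supplied
    needs_threat_led: bool = False           # STAR-FS / CBEST / TIBER-style program in scope?
    former_crest_anz_only: bool = False      # vendor cites former CREST ANZ membership only


def normalize_entity(name: str) -> str:
    """Lower-case, drop punctuation and corporate suffixes so 'Foo Ltd' equals 'FOO Limited'."""
    kept = "".join(ch for ch in name.lower() if ch.isalnum() or ch.isspace())
    return " ".join(w for w in kept.split() if w not in SUFFIXES)


def evaluate(ev: VendorEvidence, signing_date: date, max_age_days: int = 30) -> list[str]:
    """Return the gaps that should block signature; an empty list means every check passed."""
    gaps: list[str] = []
    if ev.former_crest_anz_only:
        gaps.append("former CREST ANZ membership is not CREST International accreditation")
    if normalize_entity(ev.contracting_entity) != normalize_entity(ev.listed_entity):
        gaps.append(f"contracting entity {ev.contracting_entity!r} is not the listed entity {ev.listed_entity!r}")
    if PENTEST not in ev.listed_services:
        gaps.append("Penetration Testing is not on the CREST profile")
    if ev.needs_threat_led and not (THREAT_LED & ev.listed_services):
        gaps.append("threat-led program required but no TLPT or STAR-FS service is listed")
    if ev.listed_region.strip().lower() != ev.delivery_region.strip().lower():
        gaps.append(f"listing region {ev.listed_region!r} differs from delivery region {ev.delivery_region!r}")
    if signing_date - ev.listing_checked_on > timedelta(days=max_age_days):
        gaps.append(f"directory check is older than {max_age_days} days; repeat it before signature")
    missing = sorted(name for name, cid in ev.tester_crest_ids.items() if not cid)
    if missing:
        gaps.append("no CREST ID supplied for: " + ", ".join(missing))
    return gaps


# Constructed sample records; the vendor names and IDs are placeholders, not real listings.
SIGNING_DATE = date(2026, 7, 1)
SUBSIDIARY_VENDOR = VendorEvidence(
    contracting_entity="Example Security Services Ltd",   # subsidiary on the contract
    listed_entity="Example Security Limited",             # parent on the directory
    listed_services={PENTEST, "Vulnerability Assessment"},
    listed_region="United Kingdom",
    delivery_region="United Kingdom",
    listing_checked_on=date(2026, 5, 1),                  # 61 days before signing
    tester_crest_ids={"lead tester": "id-on-file", "second tester": None},
    needs_threat_led=True,
)
CLEAN_VENDOR = VendorEvidence(
    contracting_entity="Example Security Limited",
    listed_entity="EXAMPLE SECURITY LTD",
    listed_services={PENTEST, "Threat Led Penetration Testing"},
    listed_region="United Kingdom",
    delivery_region="united kingdom",
    listing_checked_on=date(2026, 6, 24),
    tester_crest_ids={"lead tester": "id-on-file", "second tester": "id-on-file"},
    needs_threat_led=True,
)


def audit_samples() -> dict[str, list[str]]:
    """Evaluate both constructed records against the same signing date."""
    return {
        "subsidiary": evaluate(SUBSIDIARY_VENDOR, SIGNING_DATE),
        "clean": evaluate(CLEAN_VENDOR, SIGNING_DATE),
    }


if __name__ == "__main__":
    for label, gaps in audit_samples().items():
        print(f"{label}: {'PASS' if not gaps else 'BLOCKED'}")
        for gap in gaps:
            print("  -", gap)
```

Running the script blocks the subsidiary record on four gaps (entity mismatch, no threat-led service despite the requirement, a stale directory check, and a tester with no CREST ID) and passes the clean record. The normalisation step is deliberately loose so that case and a "Ltd"/"Limited" difference do not trigger a false mismatch, while a genuinely different legal entity still does; tighten or relax the suffix list to match how your own procurement records name vendors.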

How to Choose a CREST-Accredited Penetration Testing Company

Start with the legal and accreditation basics. Verify CREST status, verify the exact legal entity that will contract with you, and verify that the service shown on the official profile matches what you are buying. Buyers with operations in multiple regions should also verify whether the delivery team and the accredited entity are the same, especially where a global brand operates through several legal entities.

Then move to scope fit. Your decision criteria should cover web application penetration testing, API penetration testing, cloud penetration testing, mobile application penetration testing, network and infrastructure testing, remote versus onsite delivery, black-box versus gray-box versus white-box assumptions, senior tester assignment, evidence of exploit validation, sample reporting, remediation guidance, retesting terms, and whether the same provider can handle adjacent needs such as red team assessment or continuous penetration testing. CREST's Defensible Penetration Test (CDPT) guidance and the OWASP, NIST, and PTES references all reinforce that scoping, coverage, and reporting quality matter as much as the brand name on the proposal.

Ranked Providers

The provider section starts with DeepStrike as the #1 provider under this guide’s methodology, followed by CREST-verified providers with official current CREST Marketplace profiles showing Penetration Testing accreditation at the time of review. The order reflects DeepStrike’s editorial positioning, then breadth of verified CREST coverage, procurement fit, and technical-service range. Buyers should still verify current official CREST status before procurement.

DeepStrike


Best for: manual penetration testing, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation.

CREST status: buyers should verify current CREST directory status before describing DeepStrike as CREST-accredited.

Provider type: manual penetration testing and PTaaS-led validation provider.

Headquarters: buyers should verify the contracting entity and delivery route during procurement.

Founded: verify from current company materials if needed for vendor approval.

Company size: not stated here as a procurement claim.

Primary services: web application penetration testing, API penetration testing, cloud penetration testing, mobile application penetration testing, network penetration testing, red team assessment, continuous penetration testing, remediation tracking, and retesting support.

CREST-relevant services: penetration testing services should be compared against CREST-accredited provider requirements where applicable.

Industries served: SaaS, fintech, technology, healthcare, cloud-first companies, and regulated buyers where scope and procurement requirements fit.

Testing Depth Model: manual exploit validation and PTaaS-led remediation workflow.

Why buyers consider this provider: DeepStrike is positioned first in this guide because its buyer fit is strongest where organizations want manual testing depth, practical exploit evidence, remediation guidance, retesting support, and a continuous validation workflow rather than scanner-only output.

Key strengths: manual-first testing, API/web/cloud/mobile/network coverage, PTaaS workflow, remediation tracking, retesting support, and reporting suitable for technical and executive stakeholders.

Potential limitations: buyers requiring a CREST-accredited provider must verify current CREST status before procurement; buyers requiring CREST STAR, CBEST, TIBER-EU, or sector-specific threat-led testing should verify exact service scope; final pricing depends on asset count, testing depth, reporting needs, retesting, and delivery model.

Pricing signal: quote-led; public fixed pricing is not listed here.

Best-fit buyer: organizations that want a manual-testing-led provider with a PTaaS remediation and retesting workflow, and that have confirmed for themselves whether CREST accreditation is a hard requirement in their procurement process.

What to ask before buying: confirm CREST status, delivery model, assigned tester seniority, sample report quality, retesting terms, data handling, and whether the engagement satisfies internal procurement requirements.

LRQA


Best for: regulated, multinational, and high-assurance buying teams.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Application Security Testing, Mobile Application Security Testing, STAR-FS Threat Intelligence, STAR-FS Threat Led Penetration Testing, Threat Led Penetration Testing, Incident Response, Incident Exercising, and SOC.

Provider type: global assurance and cyber provider.

Headquarters: United Kingdom.

Founded: Nettitude founded in 2003; LRQA later integrated the brand.

Company size: CREST Marketplace profile lists 100–499 employees, while LRQA says the wider group operates in more than 150 countries with more than 5,000 people.

Primary services: penetration testing, app/mobile testing, vulnerability services, threat-led testing, incident response, threat intelligence, SOC.

CREST-relevant services: broadest coverage in this ranking.

Industries served: especially strong for financial services, payments, critical infrastructure, and regulated programs.

Testing Depth Model: manual testing, compliance-linked assurance, and formal threat-led programs.

Why buyers consider this provider: unusually broad verified CREST coverage and obvious fit for buyers that need one supplier to cover standard pentests, OVS-style application work, incident support, and threat-led or regulator-facing programs.

Key strengths: breadth, regulated-sector depth, app and mobile specialisms, global delivery, and strong fit for enterprise procurement.

Potential limitations: the delivery model may be heavier than needed for a small one-off app test, and smaller teams may pay for capability breadth they do not use.

Pricing signal: quote-led; public pricing not clearly listed during review.

Best-fit buyer: a mature enterprise that needs a defensible longlist reduction.

What to ask before buying: which legal entity will contract, which testers will deliver, whether retesting is included, and whether the scope is standard CREST pentesting or formal threat-led testing.

NCC Group


Best for: large-scale enterprise offensive security programs and buyers that want strong attack simulation depth.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, SOC, STAR-FS Threat Intelligence, STAR-FS Threat Led Penetration Testing, and related threat-intelligence coverage.

Provider type: global cyber security specialist.

Headquarters: United Kingdom.

Founded: 1999.

Company size: CREST Marketplace profile lists 1,000–4,999 employees.

Primary services: penetration testing, attack simulation, incident response, threat intelligence, compliance testing.

CREST-relevant services: broad security-testing and threat-led coverage.

Industries served: cross-sector global enterprise and government buyers.

Testing Depth Model: manual exploitation plus structured offensive programs.

Why buyers consider this provider: it combines a large offensive bench with explicit threat-led and compliance-linked services.

Key strengths: global reach, offensive depth, strong public positioning around attack simulation, and fit for enterprises that want a long-term partner.

Potential limitations: for smaller companies or highly focused scopes, NCC can be more operationally heavy than a smaller boutique.

Pricing signal: quote-led, enterprise-oriented.

Best-fit buyer: enterprise teams that need repeat programs across multiple assets or regions.

What to ask before buying: which delivery team will own the engagement, whether the work will be standard pen testing or attack simulation, and how retesting and program continuity are handled.

Accenture


Best for: global organizations that want testing integrated with wider cyber transformation or regulatory programs.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, SOC, STAR-FS Threat Intelligence, STAR-FS Threat Led Penetration Testing, Threat Intelligence for Simulated Attacks, and Threat Led Penetration Testing.

Provider type: global consulting and managed services firm.

Headquarters: CREST member profile lists United Kingdom for the accredited entry; buyers should verify the contracting entity.

Founded: Not publicly disclosed in the reviewed CREST profile.

Company size: 20,000 or more employees in the CREST profile; Accenture also reports 799,000 employees worldwide.

Primary services: penetration testing, red teaming, SOC, threat intelligence, broader cyber and risk programs.

CREST-relevant services: very strong threat-led and cross-region coverage.

Industries served: broad multi-sector enterprise base.

Testing Depth Model: manual testing within large multi-phase programs.

Why buyers consider this provider: few providers in this list show comparably broad CREST and aligned threat-led coverage across regions.

Key strengths: global scale, enterprise reporting discipline, TLPT alignment, and board-level program integration.

Potential limitations: the strongest value proposition is usually in larger programs, not small tactical tests; buyers should verify the exact delivery team rather than rely on the parent brand.

Pricing signal: enterprise quote-led; CREST project profiles point toward mid-five-figure to six-figure work.

Best-fit buyer: large enterprises with formal procurement and governance layers.

What to ask before buying: who the delivery lead is, whether the engagement will be delivered by a specialist offensive team, and what evidence standards apply to exploit validation and sign-off.

Mandiant


Best for: threat-informed offensive assessments, red teaming, and buyers that want incident-response-informed testing.

CREST status: CREST Marketplace lists Penetration Testing, Incident Response, STAR-FS Threat Led Penetration Testing, Threat Led Penetration Testing, and shows CBEST and TIBER-EU aligned items on the profile.

Provider type: global cyber consulting firm within Google Cloud.

Headquarters: CREST member profile lists Ireland for the accredited entry; buyers should verify the exact contracting entity for their region.

Founded: 2004.

Company size: CREST Marketplace profile lists 1,000–4,999 employees.

Primary services: penetration testing, red teaming, incident response, assessments, managed detection and response, training.

CREST-relevant services: particularly strong in threat-led and red-team style work.

Industries served: enterprise and large regulated organizations.

Testing Depth Model: threat-intelligence-informed manual testing.

Why buyers consider this provider: Mandiant’s public positioning emphasizes attacker behavior, TTP realism, and frontline incident-response insight.

Key strengths: strong red-team orientation, threat-led credibility, and fit for buyers who want realistic attacker-path validation rather than a compliance-only exercise.

Potential limitations: it may not be the simplest fit for lower-budget, narrow-scope, or SMB procurement.

Pricing signal: quote-led and likely premium for advanced scopes.

Best-fit buyer: large enterprises, cyber-resiliency programs, and incident-mature teams.

What to ask before buying: what level of red-team realism is in scope, which threat-intelligence inputs will inform the test, and whether standard retesting is included or separately quoted.

Kroll


Best for: risk-focused enterprise buyers, cyber-insurance-oriented environments, and programs that combine testing with broader incident and exposure management.

CREST status: CREST Marketplace lists Penetration Testing, Incident Response, and SOC.

Provider type: global risk and cyber advisory firm.

Headquarters: New York, United States.

Founded: Not publicly disclosed in the reviewed sources.

Company size: CREST Marketplace profile lists 5,000–9,999 employees.

Primary services: penetration testing, application security, cloud testing, threat exposure management, IR, MDR.

CREST-relevant services: strong verified penetration testing paired with broad cyber operations support.

Industries served: cross-sector enterprise.

Testing Depth Model: manual testing inside a larger risk and cyber program model.

Why buyers consider this provider: Kroll’s official materials stress frontline intelligence, high assessment volume, and strong incident-response integration.

Key strengths: enterprise delivery maturity, broad cyber-risk support, and fit where penetration testing is part of a larger resilience program.

Potential limitations: buyers seeking a narrow specialist boutique may find the offer broader than required.

Pricing signal: quote-led; public pricing not clearly listed during review.

Best-fit buyer: enterprise teams that value risk context and continuity beyond the report.

What to ask before buying: whether the test will be led by dedicated offensive specialists, how findings are prioritized, and how handoff to remediation or IR support works.

KPMG


Best for: procurement-heavy enterprises, audit-sensitive organizations, and buyers that prefer a Big Four delivery model.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, STAR-FS Threat Led Penetration Testing, and Threat Led Penetration Testing.

Provider type: global professional services network.

Headquarters: CREST member profile lists United Kingdom for the accredited entry; buyers should verify the contracting KPMG entity.

Founded: KPMG says the current global network was formed in 1987.

Company size: 20,000 or more employees in the CREST profile.

Primary services: penetration testing, vulnerability assessment, threat-led programs, broader cyber defense and response.

CREST-relevant services: strong fit for large regulated programs.

Industries served: multi-sector global enterprise.

Testing Depth Model: programmatic testing within broader risk and advisory structures.

Why buyers consider this provider: KPMG is often selected where procurement, governance, and board reporting carry as much weight as the technical work itself.

Key strengths: enterprise credibility, broad geography, and fit for large, documented programs.

Potential limitations: the model can be more consulting-led than buyers who want a highly direct tester-boutique relationship may prefer.

Pricing signal: CREST project profile indicates many engagements in higher enterprise bands; public list pricing not disclosed.

Best-fit buyer: large enterprises with formal vendor-approval and audit demands.

What to ask before buying: who will do the hands-on testing, how much of the fee funds delivery versus governance overhead, and how technical detail will be preserved in executive reporting.

Pen Test Partners


Best for: buyers who want specialist-led manual testing, especially across APIs, web, mobile, infrastructure, connected devices, and scenario-based work.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Application Security Testing, Mobile Application Security Testing, STAR-FS Threat Led Penetration Testing, Threat Led Penetration Testing, and Incident Response.

Provider type: specialist independent testing consultancy.

Headquarters: United Kingdom.

Founded: 2010.

Company size: CREST Marketplace profile lists 100–499 employees.

Primary services: API, web, code review, mobile, architecture reviews, red team, wireless, physical and social engineering, DFIR.

CREST-relevant services: one of the most specialist testing-first profiles on the list.

Industries served: broad, including critical assets, transport, finance, and connected environments.

Testing Depth Model: strongly manual and scenario-driven.

Why buyers consider this provider: its public profile is explicit about breadth inside security testing and about large volumes of hands-on specialist work.

Key strengths: specialist tester identity, strong application and mobile coverage, threat-led support, and good fit for buyers that want direct technical engagement.

Potential limitations: it does not have the same broader managed-services footprint as the biggest global firms.

Pricing signal: quote-led; platform and retainer models may be available depending on scope.

Best-fit buyer: organizations that care more about testing depth than large-consultancy packaging.

What to ask before buying: who the lead tester is, how much testing will be manual, whether exploit evidence will be included, and whether mobile/API scope gets dedicated specialists.

Bridewell


Best for: UK regulated sectors, critical-infrastructure-adjacent organizations, and buyers that want a strong independent UK cyber firm.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, SOC, and Threat Led Penetration Testing.

Provider type: independent cyber security services provider.

Headquarters: United Kingdom.

Founded: 2013.

Company size: CREST Marketplace profile lists 100–499 employees.

Primary services: penetration testing, MDR, cyber consulting, public-cloud-focused work, incident support.

CREST-relevant services: strong UK-focused breadth across testing and managed services.

Industries served: highly regulated and enterprise organizations.

Testing Depth Model: manual testing backed by managed operational services.

Why buyers consider this provider: it balances specialist cyber identity with enough scale for enterprise procurement without becoming a global services conglomerate.

Key strengths: UK regulated-sector fit, credible cloud depth, and independent positioning.

Potential limitations: compared with the biggest global firms, international coverage is narrower and formal threat-intelligence capabilities are less expansive in public materials.

Pricing signal: quote-led.

Best-fit buyer: UK enterprises, public sector, utilities, and regulated mid-market buyers.

What to ask before buying: whether the engagement will be delivered by Bridewell staff directly, how cloud and network scope are split, and whether post-test remediation tracking is included.

Cyberis Reply


Best for: tailored specialist engagements, adversary simulation, and buyers that want an experienced boutique-style team.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, STAR-FS Threat Led Penetration Testing, and Threat Led Penetration Testing.

Provider type: specialist cyber consultancy.

Headquarters: Tewkesbury, United Kingdom.

Founded: 2011.

Company size: CREST Marketplace profile lists 10–49 employees.

Primary services: penetration testing, technical assurance, red teaming and adversary simulation, continuous vulnerability assessment, incident response.

CREST-relevant services: strong combination of point-in-time testing and ongoing validation.

Industries served: cross-sector.

Testing Depth Model: bespoke manual testing and targeted attack simulation.

Why buyers consider this provider: Cyberis has one of the clearest specialist profiles for buyers that want senior attention rather than a scaled delivery factory.

Key strengths: bespoke testing, threat-led capability, continuous VA, and clear boutique positioning.

Potential limitations: a smaller bench can be a positive for ownership, but buyers with large multi-region programs should check capacity and scheduling.

Pricing signal: quote-led.

Best-fit buyer: mid-market and enterprise teams that want a technical specialist.

What to ask before buying: who will deliver the work, whether the same team will handle retesting, and how ongoing validation differs from scanner-only vulnerability management.

Dionach

Best for: buyers that want practical manual testing plus broader assurance and consultancy support.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, and Threat Led Penetration Testing.

Provider type: cybersecurity consultancy.

Headquarters: Oxford, United Kingdom.

Founded: exact year not publicly disclosed; Dionach says it has over 25 years of experience.

Company size: CREST Marketplace profile lists 50–99 employees.

Primary services: penetration testing, IT security auditing, information security consultancy, red-team and assumed-breach style work.

CREST-relevant services: strong practical testing profile with regulated and enterprise relevance.

Industries served: public and private sector organizations globally.

Testing Depth Model: manual testing with hybrid onsite and remote delivery.

Why buyers consider this provider: its public materials emphasize practical recommendations, manual testing, and global delivery support without the procurement weight of the largest firms.

Key strengths: clear penetration-testing focus, pragmatic reporting, and useful fit for organizations that want consultancy support around the test.

Potential limitations: on very large programs, buyers should verify staffing model and specialist allocation.

Pricing signal: quote-led.

Best-fit buyer: mid-market and enterprise buyers wanting a credible specialist with enough range for wider assurance work.

What to ask before buying: how findings are evidenced, whether developer-facing remediation support is included, and which individuals will sign off the final report.

S-RM

Best for: buyers who want cyber testing combined with broader intelligence, crisis, and corporate-risk support.

CREST status: CREST Marketplace lists Penetration Testing, Incident Response, and Incident Exercising.

Provider type: global risk and intelligence consultancy.

Headquarters: London, United Kingdom.

Founded: 2005.

Company size: CREST Marketplace profile lists 100–499 employees.

Primary services: penetration testing, incident response, crisis support, intelligence-led risk services.

CREST-relevant services: verified pen testing plus strong adjacent incident capability.

Industries served: global cross-sector clients.

Testing Depth Model: manual testing delivered within a broader resilience model.

Why buyers consider this provider: S-RM can be a strong fit where the buying problem is not just “test this application” but “help us understand cyber risk in a broader operational context.”

Key strengths: mature risk lens, cyber plus crisis capability, and credible penetration-testing accreditation.

Potential limitations: if the requirement is a pure, highly specialized application pentest, some buyers may prefer a more testing-centric boutique.

Pricing signal: quote-led.

Best-fit buyer: board-sensitive organizations, private-equity portfolios, and crisis-conscious enterprises.

What to ask before buying: how specialized the assigned testers are for your specific stack and whether the engagement will be run primarily as technical testing or as part of a wider risk program.

CSA Cyber

Best for: buyers that want operational follow-through, PTaaS-style delivery, and continuous validation rather than one report every 12 months.

CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, SOC, and Threat Led Penetration Testing.

Provider type: specialist cyber consultancy within the FluidOne group.

Headquarters: Gloucester, United Kingdom.

Founded: 2013.

Company size: CREST Marketplace profile lists 50–99 employees.

Primary services: penetration testing, VMaaS, PTaaS-style delivery, cloud security, infrastructure security, AI security, red teaming and cyber readiness.

CREST-relevant services: strong public emphasis on the full test life cycle and post-test follow-through.

Industries served: financial services, IT, healthcare, public sector, manufacturing.

Testing Depth Model: manual testing supported by platform workflow.

Why buyers consider this provider: CSA Cyber’s CREST listing is unusually explicit about helping clients operationalize findings across scoping, discovery, remediation, and ongoing management.

Key strengths: PTaaS-style delivery, VMaaS support, and useful fit for teams that need repeated testing and remediation tracking.

Potential limitations: buyers that need only a very simple low-cost scan or a single narrow test may not need the broader workflow model.

Pricing signal: CREST project profile suggests many mid-market engagements in lower five-figure bands, but public pricing is not fixed.

Best-fit buyer: mid-market and growth-stage teams with repeat validation needs.

What to ask before buying: how the platform supports remediation, whether retests are bundled, and how manual depth is preserved as cadence increases.

Which Provider Fits Your Testing Scope?

Testing Scope | Best-Fit Provider Type | What to Verify
Web application penetration testing | Specialist testing boutique or enterprise appsec team | Business-logic coverage, auth flows, report depth
API penetration testing | AppSec-focused provider with API-specific testers | Auth models, role abuse, object-level authorization testing
Cloud penetration testing | Provider with explicit cloud and hybrid coverage | Cloud account scope, IAM testing, shared-responsibility assumptions
Mobile application penetration testing | Provider with mobile specialism or CREST mobile-related coverage | iOS/Android depth, backend/API linkage, device assumptions
Network penetration testing | Infrastructure-focused testing team | Internal vs external split, segmentation validation, lateral movement testing
Internal infrastructure testing | Manual infrastructure specialist | Credentials, assumed-breach model, safety controls
External infrastructure testing | Testing provider with perimeter and exposure focus | Firewall, VPN, remote access, exposed services
Red team assessment | Threat-led or adversary-simulation provider | Objectives, detection testing, deconfliction, legal approvals
CREST STAR or threat-led testing | Formal STAR/TLPT provider | Whether STAR-FS, CBEST, TIBER-EU, or an equivalent is required
PTaaS or continuous testing | Provider with operational workflow and retesting support | What is manual, what is automated, and how remediation is tracked
Vulnerability assessment | VA-capable provider or managed scanning team | False-positive handling and prioritization process
Compliance-supportive testing | Provider experienced in mapping findings to frameworks | Whether the test actually satisfies the audit evidence need

Delivery Quality, Pricing, and Procurement

What Should a CREST-Quality Penetration Test Include?

CREST’s Defensible Penetration Test framework is useful here because it is more specific than a generic “we do pentesting” claim. CREST says the scoping phase should define what is being assessed and under what conditions; the delivery phase should follow the approved methodology and document constraints; and the sign-off phase should formally attest whether the agreed scope was addressed, with any deviations documented. For reporting, CREST expects at minimum clear scope and objectives, full results, timeline evidence, sufficient reproduction detail, risk-rating, remediation advice, a statement of totality against scope, named CREST IDs for the people involved, and evidence that those people were suitably qualified.

A procurement-grade penetration test should therefore include: agreed scope and rules of engagement; a defined asset list; tester assumptions such as black-box, gray-box, or white-box; manual validation rather than scanner output alone; safe exploitation standards; evidence of successful exploit paths where applicable; business-impact explanation; severity rationale; an executive summary for non-technical stakeholders; technically reproducible findings; remediation guidance; clear retesting terms; secure data handling; and a sign-off framework. Buyers should also expect the provider’s methodology to align naturally with established references such as NIST SP 800-115, OWASP WSTG, OWASP’s API testing guidance, PTES, and, where relevant, MITRE ATT&CK, PCI guidance, and ISO 27001-linked controls.

CREST Penetration Testing Cost and Pricing Models

CREST-accredited penetration testing pricing varies by provider, scope, asset count, testing depth, reporting requirements, retesting, region, and whether the engagement requires CREST STAR or threat-led testing. Public pricing is often not clearly listed, so buyers should request a scoped quote.

The public evidence supports a broad range rather than a fixed market price. CREST Marketplace profiles for some providers show project-size bands ranging from under £10k at smaller specialists, to £10k–£25k and £25k–£50k for many mid-market tests, to £50k–£100k and £100k–£500k for larger enterprise and threat-led programs. In other words, “CREST penetration testing cost” is really a scoping question, not a universal rate card.

Common commercial models include fixed-scope penetration tests, time-and-materials work, subscription or PTaaS models, enterprise retainers, red-team engagements, STAR or formal threat-led testing, and compliance-focused assessments mapped to a defined requirement. Threat-led and regulator-facing engagements usually cost more because they introduce more planning, governance, intelligence input, and sign-off complexity.

Cost Factor | Why It Affects Price | Buyer Note
Number of applications | More attack surface and report volume | Ask how apps, subdomains, and user roles are counted
Number of APIs | API auth and business logic add depth | Confirm whether backend and mobile APIs are separate
Number of IPs | Increases infrastructure coverage effort | Clarify external and internal counts separately
Cloud accounts | Adds IAM, config, and service-specific complexity | Confirm whether cloud config review is included
Mobile platforms | iOS and Android may require separate effort | Backend/API linkage often adds scope
Internal vs external scope | Internal tests often involve lateral movement and safety controls | Ask how assumed-breach work is priced
Black box vs gray box vs white box | Access model changes test depth and time | More context can increase depth, not always reduce price
Tester seniority | Senior specialists cost more but may find more meaningful issues | Ask who actually performs the work
CREST certification requirements | Named credential requirements affect staffing | Verify whether senior certified staff are guaranteed
CREST STAR or TLPT requirements | Intelligence, governance, and deconfliction expand effort | Separate quotes are common
Reporting depth | Executive, technical, and audit-ready outputs take time | Sample reports matter here
Retesting | Adds post-remediation effort | Clarify whether one retest cycle is included
Onsite work | Travel and scheduling overhead apply | Many scopes can still be done remotely
Compliance mapping | Adds framework-specific reporting steps | Useful only if it matches a real audit need
Urgency and timeline | Rush work affects staffing and cost | Avoid compressing timelines without reason

Enterprise vs SMB CREST Penetration Testing Guidance

Enterprise buyers often need formal CREST verification, repeatable scoping over multiple assets, regional delivery, evidence for procurement and audit files, executive reporting, data-handling review, recurring test cadence, and sometimes STAR or other threat-led frameworks. That naturally pushes them toward providers with mature delivery governance and broader accredited coverage.

SMBs usually need a narrower answer: focused scope, fixed or at least predictable pricing, clear remediation guidance, limited but explicit retesting, and proof that the provider’s CREST status will satisfy customer assurance questions. In that market, a specialist boutique can be a better fit than a global enterprise provider if the actual requirement is a web application test, API penetration testing, or infrastructure test rather than a full resilience program.

Common Buyer Mistakes When Comparing CREST Penetration Testing Companies

The most common mistakes are straightforward: assuming every “CREST-certified” claim means the company itself is accredited; not checking the official CREST directory; overlooking the exact legal entity; assuming all offices and subsidiaries carry the same status; buying a vulnerability scan when the real need is manual penetration testing; choosing a brand name without confirming actual service scope; failing to ask for sample reports; skipping retesting detail; and assuming compliance language equals real security validation. CREST’s public buyer materials and testing guidance directly support a more disciplined process than that.

A separate and increasingly important mistake is failing to distinguish standard pentesting from formal threat-led programs. If a regulator, customer, or sector rule actually requires STAR-FS, CBEST, TIBER-EU, or a comparable model, a standard pentest proposal is not an interchangeable substitute.

CREST Penetration Testing RFP Checklist

Requirement | Why It Matters | What to Ask the Provider
CREST status | Confirms accredited standing | Which exact CREST service categories are current?
Legal entity verification | Prevents contracting mismatch | Which legal entity will sign the contract?
Service category | Not all CREST services are the same | Are you accredited for Penetration Testing specifically?
Regional delivery | Regional status and staffing can differ | Which office or region will deliver?
Tester certification | Company and tester are different questions | Who are the named testers and what are their credentials?
Scope definition | Prevents vague quotes | What is explicitly in and out of scope?
Methodology | Shows how the work will be done | Which methodology governs the engagement?
Manual testing depth | Distinguishes a pentest from a scan | What percentage is manual validation?
Web/API/cloud/mobile/network coverage | Confirms fit to the asset type | Which testers specialize in our stack?
Red team or CREST STAR requirements | Avoids scope mismatch | Can you deliver STAR/TLPT if required?
Sample report | Validates reporting quality | Can we review a redacted sample report?
Exploit evidence | Helps engineering teams act | Will you include proof-of-exploitation where safe?
Remediation guidance | Speeds fix cycles | How prescriptive is your remediation advice?
Retesting | Affects cost and closure time | Is retesting bundled, limited, or separately billed?
Data handling | High stakes for sensitive systems | How do you store, retain, and delete engagement data?
NDA and confidentiality | Legal baseline | Do you have standard confidentiality terms?
Testing windows | Prevents operational disruption | Can you test within our allowed windows?
Compliance mapping | Helps audit use cases | Can findings be mapped to our framework if needed?
Pricing model | Avoids hidden change orders | Is this fixed scope, T&M, retainer, or subscription?
Communication cadence | Keeps stakeholders aligned | How often will we receive updates during the test?
Executive reporting | Needed for boards and leaders | What does the executive summary include?
Technical reporting | Needed for remediation | How reproducible are the findings?
Procurement evidence | Supports vendor approval | What formal evidence can you provide for audit files?
Post-test support | Determines closure quality | What support is available after report delivery?

Red Flags When Choosing a CREST Penetration Testing Company

Red Flag | Why It Matters | Buyer Action
Vendor claims CREST status but is not in the official directory | Status may be outdated or inaccurate | Check the official CREST Marketplace yourself
Only individual certifications are shown | Company accreditation may be missing | Ask whether the company is accredited for Penetration Testing
Legal entity does not match the contract | Procurement evidence may fail | Match the CREST listing to the contract entity
Service category is unclear | You may buy the wrong service | Confirm Penetration Testing is explicitly listed
No sample report | Reporting quality is unknown | Request a redacted sample before selection
No retesting clarity | Closure risk moves to the buyer | Get retest terms in writing
No proof-of-exploitation | Findings may be hard to prioritize | Ask how evidence is captured safely
No clear methodology | Quality control is weak | Ask what standard and workflow govern delivery
Quote is very cheap and scope is vague | Often indicates shallow testing | Force asset-level scope definition
Provider only delivers scanner output | Not a true pentest | Ask what manual validation is included
No named tester seniority | Delivery risk is hidden | Request the proposed team structure
No data-handling process | Sensitive data could be mishandled | Review retention, storage, and deletion controls
CREST STAR is claimed without evidence | Threat-led testing may be overstated | Verify the exact specialism on the CREST profile
Compliance is promised without framework understanding | Audit expectations can be missed | Ask how the provider supports the specific requirement
Regional delivery is assumed, not verified | The wrong office may be assigned | Confirm the delivery region and legal entity

Questions and Publishing Notes

FAQs

What are the top CREST-accredited penetration testing companies?

A strong 2026 shortlist includes LRQA, NCC Group, Accenture, Mandiant, Kroll, KPMG, Pen Test Partners, Bridewell, Cyberis Reply, Dionach, S-RM, and CSA Cyber because each had an official current CREST profile showing Penetration Testing at the time of review. The right choice still depends on your scope, budget, reporting needs, legal entity, and whether you need standard testing or formal threat-led assessment. 

What does CREST accreditation mean?

CREST describes accreditation as a mark of quality, professionalism, and assurance for cyber providers. Its guidance says accredited penetration testing companies are assessed against defined criteria, operate under a Code of Conduct, and are expected to deliver work in line with their assessed methodology. It is a useful procurement trust signal, but it does not replace service-scope validation or buyer due diligence. 

What is the difference between a CREST-accredited company and a CREST-certified tester?

A CREST-accredited company is an organization that has completed CREST’s company-level assessment for specific services. A CREST-certified tester is an individual who has passed CREST exams showing knowledge and competence. Those are related but different controls. A company can employ certified people without clearly holding the service accreditation you need, so buyers should verify both. 

How do I verify whether a penetration testing company is CREST-accredited?

Use the official CREST Marketplace, search for the legal entity, and confirm that Penetration Testing appears on the current profile. Then verify the region, ask for current evidence from the provider, and confirm who will perform the work. Recheck status before contract signature, especially for regulated or long procurement cycles.

Is CREST accreditation required for penetration testing?

Not always. Many effective penetration testing firms are not CREST-accredited, and some scopes do not formally require it. But CREST is often used as a procurement trust signal by regulated and enterprise buyers because it provides assurance around company processes, methodology, accountability, and qualified individuals. If a customer, regulator, or internal policy requires CREST, then it becomes a practical buying constraint. 

How much does CREST-accredited penetration testing cost?

There is no universal CREST price. Public market evidence points to wide ranges based on scope, complexity, delivery model, and whether the work is standard pen testing or formal threat-led testing. CREST profiles show some smaller projects below £10k, many mid-market jobs in lower five-figure bands, and larger enterprise or threat-led programs in much higher ranges. Quote-led scoping is normal. 

Does CREST accreditation guarantee compliance?

No. CREST accreditation can support procurement confidence and may help demonstrate that a qualified provider performed the work, but it does not by itself guarantee compliance, pass an audit, or prove the scope matched your control requirement. Buyers still need correct scoping, framework mapping where relevant, evidence retention, and remediation follow-through. 

What should a CREST penetration testing report include?

At minimum, it should include scope and objectives, results across the agreed scope, evidence or reproduction detail, severity rationale, remediation advice, exclusions or constraints, and formal sign-off. CREST’s CDPT guidance also expects a timeline of key activities, named CREST IDs for the people involved, and evidence that suitably qualified individuals scoped, delivered, and signed off the test. 

What is CREST STAR?

CREST positions STAR and related threat-led penetration testing as intelligence-led attack simulation intended for critical functions likely to face sophisticated and persistent attackers. It is more relevant to advanced resilience and some regulated financial-sector contexts than to a standard web or infrastructure pentest. Buyers should verify whether they need STAR-FS, CBEST, TIBER-EU, or a simpler engagement model. 

How do I choose a CREST penetration testing provider?

Start by verifying the official CREST profile and legal entity. Then compare service scope, tester seniority, methodology, manual depth, exploit evidence, sample reports, remediation guidance, retesting terms, delivery region, and data-handling controls. The best provider is the one that matches your actual scope and procurement constraints, not the one with the largest brand name.

Are non-CREST penetration testing companies still worth considering?

Yes, if your policies do not require CREST and the provider can demonstrate strong testing depth, credible methodology, experienced testers, and clear reporting. However, if the buying context includes regulated requirements, procurement risk, or customer assurance pressure, CREST-accredited providers usually make the supplier-approval process easier. The key is not to confuse “not CREST” with “not capable,” or “CREST” with “automatically best.” 

How often should companies run CREST-style penetration testing?

That depends on risk, exposure, change frequency, and any compliance requirement. PCI guidance points to at least annual testing, and more often after significant changes. In practice, internet-facing apps, APIs, and cloud environments that change frequently often need a mix of periodic deep manual tests plus more continuous vulnerability and exposure validation between full assessments.

Conclusion

The top CREST-accredited penetration testing companies are not interchangeable. The strongest buying outcome comes from matching verified CREST status to the exact service scope, then validating methodology, reporting quality, exploit evidence, remediation guidance, retesting terms, and delivery fit before signature. DeepStrike is positioned first in this guide under the stated methodology for organizations that value manual testing depth, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation. Buyers that specifically require CREST accreditation should verify current CREST status before procurement. Regulated enterprise buyers will often compare DeepStrike with CREST-verified providers such as LRQA, NCC Group, Accenture, Mandiant, Kroll, or KPMG. Buyers that want more direct specialist attention may also compare Pen Test Partners, Bridewell, Cyberis Reply, Dionach, S-RM, or CSA Cyber. CREST status is a trust signal, not a substitute for scope validation or buyer due diligence.

About the Author

Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led red team and application security engagements across technology, finance, healthcare, cloud, and regulated environments. His work focuses on real-world attack path validation, application vulnerabilities, cloud security, identity exposure, and adversary emulation.
