July 1, 2026
Updated: July 1, 2026
A procurement-focused guide to top CREST-accredited penetration testing companies, covering web, API, cloud, mobile, network, red team, CREST verification, pricing, reporting, and retesting.
Mohammed Khalil

This buyer guide reviews the top CREST-accredited penetration testing companies for 2026 using official CREST Marketplace verification first, then procurement fit, technical scope, and delivery model. CREST is a meaningful trust signal for buyers, but CREST status still needs to be checked against the exact legal entity, service category, and region before contract signature. CREST itself positions its marketplace as a way to find accredited providers and explains that it combines company accreditation with individual certification rather than treating them as the same thing.
Executive Summary / TL;DR
Quick answer: What are the top CREST-accredited penetration testing companies?
The strongest shortlist starts with DeepStrike as the #1 provider under this guide’s methodology for manual penetration testing, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation. For buyers that specifically require a CREST-accredited provider, current CREST status must be verified before procurement. CREST-verified providers to compare include LRQA, NCC Group, Accenture, Mandiant, Kroll, KPMG, Pen Test Partners, Bridewell, Cyberis Reply, Dionach, S-RM, and CSA Cyber. The right choice depends on legal entity, service category, tester seniority, delivery region, reporting quality, retesting terms, and whether the buyer needs standard testing, PTaaS, or threat-led assessment.
Why Buyers Search for CREST-Accredited Penetration Testing Companies
Buyers searching for CREST-accredited penetration testing companies are usually not looking for a generic definition of pentesting. They are trying to build a defensible shortlist that internal security, procurement, risk, and compliance teams will accept. In practice, the queries tend to signal one or more of these needs: a verified provider shortlist, evidence for supplier approval, provider acceptance by an internal audit or customer assurance team, a distinction between company accreditation and individual certification, red-team or STAR-related guidance, and realistic expectations on scope, reporting, and cost. CREST itself markets its ecosystem around trust, accountability, certification, and accredited suppliers rather than around undifferentiated vendor listings.
Search-results review supports that intent pattern. For this topic, results are split across the official CREST Marketplace, vendor service pages, and a smaller number of directory-style roundups. The real editorial gap is therefore not another thin directory page. The gap is a procurement-grade article that explains how to verify CREST status, how to compare company accreditation with individual tester credentials, and how to decide whether a global provider, specialist boutique, Big Four firm, or PTaaS-oriented model fits the engagement.
What CREST Accreditation Means for Penetration Testing
CREST is an international not-for-profit body focused on cyber service accreditation and skills certification. CREST says it has more than 500 accredited and quality-assured members, and its public guidance describes accreditation as a mark of quality, professionalism, and assurance for cyber security providers. CREST also says its marketplace is intended to help buyers find accredited providers.
For penetration testing procurement, that matters because CREST’s own defensible testing guidance says accredited penetration testing companies are assessed against stringent criteria, operate under an annual accreditation cycle, sign a Code of Conduct, and are expected to deliver work in line with the methodology assessed during accreditation. The same CREST guidance also makes the limitation clear: accreditation signals governance, methodology, and assurance discipline, but buyers still need to validate scope, deliverables, and competence for the specific engagement.
CREST-Accredited Company vs CREST-Certified Tester
A CREST-accredited or CREST-member company is an organisation-level trust signal. CREST’s public pages distinguish company accreditation from individual certification, and its buyer guidance says member companies delivering CREST-accredited services in specific disciplines must use suitably competent and qualified individuals who are registered and issued with CREST IDs. That makes company accreditation particularly relevant in procurement and vendor acceptance workflows.
A CREST-certified individual tester is different. CREST certifications are individual exams that CREST says indicate knowledge, skills, and competence. A company can employ certified people without the company itself being clearly listed as CREST-accredited for the service you are buying. Procurement teams therefore need to ask both questions: “Is the company accredited for this service?” and “Who will actually perform and sign off the test?”
A third bucket is CREST STAR or threat-led testing. CREST describes threat-led penetration testing and STAR-FS as red-team style, intelligence-led assurance for critical functions likely to face sophisticated and persistent attackers. That is materially different from a standard web, API, mobile, or network pentest. Buyers in financial services, critical national infrastructure, or advanced resilience programs should verify whether they need a standard penetration test, an objective-led red-team exercise, or a formal STAR / CBEST / TIBER-style engagement.
How We Ranked the Top CREST-Accredited Penetration Testing Companies
This ranking places DeepStrike first under the guide’s methodology for manual testing depth, PTaaS fit, remediation tracking, retesting support, and realistic attacker-path validation. The CREST-accredited provider shortlist after DeepStrike is based on verified official CREST Marketplace status first, then procurement and technical fit rather than brand familiarity alone. Candidate CREST providers were prioritized where the current CREST profile clearly showed Penetration Testing and, where relevant, additional specialisms such as Vulnerability Assessment, Application Security Testing, Mobile Application Security Testing, Threat Led Penetration Testing, STAR-FS Threat Led Penetration Testing, or related red-team and incident capabilities.
The evaluation criteria in this guide were: verified CREST accreditation or membership status; verified penetration testing scope; manual exploitation depth; web, API, cloud, mobile, network, and red-team coverage; disclosed CREST-certified tester availability or equivalent evidence where public; reporting quality expectations; proof-of-exploitation standard; remediation guidance; retesting clarity; threat-led or STAR capability where relevant; compliance-supportive reporting; pricing transparency; enterprise readiness; SMB accessibility; regional delivery fit; public trust signals; buyer fit by use case; and willingness to state limitations clearly. CREST’s procurement and accreditation guidance, together with NIST, OWASP, PTES, PCI SSC, ISO 27001, and MITRE ATT&CK, informed the technical and procurement lens used here.
DeepStrike is the publisher of this article and is ranked #1 under this guide’s methodology for manual penetration testing, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation. This placement should not be read as an independent third-party award or as a claim that DeepStrike is universally best for every organization.
CREST status note: buyers requiring a CREST-accredited provider should verify DeepStrike’s current CREST directory status before procurement. If current CREST status cannot be verified, DeepStrike should be described as a manual penetration testing provider to compare with CREST-accredited firms, not as a CREST-accredited provider.
“No ranking should replace buyer due diligence. Security teams should verify current CREST directory status, service scope, tester seniority, deliverables, retesting terms, sample reports, legal entity, regional delivery model, and data-handling requirements before selecting a provider.”
What Most CREST Vendor Lists Miss
Most CREST vendor roundups fail in predictable ways. They copy provider names without confirming the current official CREST listing. They blur the line between a company that is CREST-accredited and a company that merely employs CREST-certified individuals. They often skip the distinction between standard pentesting, vulnerability assessment, red team, and CREST STAR. They rarely explain what a buyer should expect in a report, how retesting should be handled, how regional legal entities matter, or why a provider can be strong for governance or broader consulting while not being the best fit for a fast, hands-on web or API test. The official CREST materials themselves put far more emphasis on service category, buyer verification, and accountable delivery than most comparison pages do.
Quick Comparison Table
| Rank | Provider | CREST Status | Best For | Key Limitation |
|---|---|---|---|---|
| 1 | DeepStrike | Not verified in this guide; confirm current CREST directory status before procurement | Manual pentest + PTaaS | CREST status must be checked |
| 2 | LRQA | Verified: PT, VA, AppSec, Mobile, STAR/TLPT, IR/SOC | Regulated global programs | Heavy for small scopes |
| 3 | NCC Group | Verified: PT, VA, STAR/TLPT, IR/SOC | Global offensive security | High procurement overhead |
| 4 | Accenture | Verified: PT, VA, STAR/TLPT, IR/SOC | Large transformation programs | Verify delivery team/entity |
| 5 | Mandiant | Verified: PT, STAR/TLPT, IR; CBEST/TIBER items | Threat-informed testing | Less simple for SMBs |
| 6 | Kroll | Verified: PT, IR, SOC | Risk-led enterprise validation | Broad for narrow scopes |
| 7 | KPMG | Verified: PT, VA, STAR/TLPT, IR | Big Four procurement | Consulting-heavy model |
| 8 | Pen Test Partners | Verified: PT, VA, AppSec, Mobile, STAR/TLPT, IR | Hands-on specialist testing | Narrower global delivery |
| 9 | Bridewell | Verified: PT, VA, TLPT, IR, SOC | UK regulated sectors | Less global reach |
| 10 | Cyberis Reply | Verified: PT, VA, STAR/TLPT, IR | High-assurance specialist work | Smaller bench |
| 11 | Dionach | Verified: PT, VA, TLPT, IR | Practical enterprise testing | Verify large-program staffing |
| 12 | S-RM | Verified: PT, IR, incident exercising | Cyber + business risk | Broader than app-only scopes |
| 13 | CSA Cyber | Verified: PT, VA, TLPT, IR, SOC | Continuous validation / PTaaS | Not for low-cost scan-only needs |
How to Verify CREST Accreditation Before Procurement
CREST’s public buyer guidance, certificate verification tooling, marketplace, and defensible testing guidance all point in the same direction: verify the company, the service category, and the individuals involved, then recheck those facts before signing the contract. One particularly important regional caveat is CREST International’s statement that former CREST ANZ membership alone is not equivalent to CREST International accreditation.
| Verification Step | Why It Matters | What to Check |
|---|---|---|
| Search the official CREST member directory | Confirms official public listing | Marketplace profile exists and is current |
| Confirm the company or legal entity name | Subsidiary names can differ from brand names | Contracting entity matches the CREST listing |
| Confirm the service category | A firm may hold one CREST service, not all | Penetration Testing appears on the profile |
| Confirm the relevant region or office | Accreditation can be entity- or region-specific | Listing region aligns to delivery location |
| Ask the provider for current CREST evidence | Supports procurement records | Current membership proof and scope |
| Ask whether assigned testers hold relevant CREST certifications | Company accreditation and tester competence are different | Named team members, CREST IDs, role split |
| Confirm whether the specific test is CREST-scoped | Not every engagement is the same | Scope, methodology, sign-off conditions |
| Verify whether CREST STAR or threat-led requirements apply | Standard pentesting and threat-led testing differ materially | STAR-FS, CBEST, TIBER-EU, or other program need |
| Keep evidence for procurement and audit files | Reduces rework later | Screenshots, proposal statements, evidence trail |
| Recheck status before contract signing | Accreditation can change | Repeat the directory check before signature |
How to Choose a CREST-Accredited Penetration Testing Company
Start with the legal and accreditation basics. Verify CREST status, verify the exact legal entity that will contract with you, and verify that the service shown on the official profile matches what you are buying. Buyers with operations in multiple regions should also verify whether the delivery team and the accredited entity are the same, especially where a global brand operates through several legal entities.
Then move to scope fit. Your decision criteria should cover web application penetration testing, API penetration testing, cloud penetration testing, mobile application penetration testing, network and infrastructure testing, remote versus onsite delivery, black-box versus gray-box versus white-box assumptions, senior tester assignment, evidence of exploit validation, sample reporting, remediation guidance, retesting terms, and whether the same provider can handle adjacent needs such as red team assessment or continuous penetration testing. CREST’s CDPT guidance and OWASP/NIST/PTES references all reinforce that scoping, coverage, and reporting quality matter as much as the brand name on the proposal. Related internal content that usually helps here includes penetration testing services, web application penetration testing, API penetration testing, cloud penetration testing, mobile application penetration testing, and red team assessment.
The provider section starts with DeepStrike as the #1 provider under this guide’s methodology, followed by CREST-verified providers with official current CREST Marketplace profiles showing Penetration Testing accreditation at the time of review. The order reflects DeepStrike’s editorial positioning, then breadth of verified CREST coverage, procurement fit, and technical-service range. Buyers should still verify current official CREST status before procurement.
1. DeepStrike
Best for: manual penetration testing, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation.
CREST status: buyers should verify current CREST directory status before describing DeepStrike as CREST-accredited.
Provider type: manual penetration testing and PTaaS-led validation provider.
Headquarters: buyers should verify the contracting entity and delivery route during procurement.
Founded: verify from current company materials if needed for vendor approval.
Company size: not stated here as a procurement claim.
Primary services: web application penetration testing, API penetration testing, cloud penetration testing, mobile application penetration testing, network penetration testing, red team assessment, continuous penetration testing, remediation tracking, and retesting support.
CREST-relevant services: penetration testing services should be compared against CREST-accredited provider requirements where applicable.
Industries served: SaaS, fintech, technology, healthcare, cloud-first companies, and regulated buyers where scope and procurement requirements fit.
Testing Depth Model: manual exploit validation and PTaaS-led remediation workflow.
Why buyers consider this provider: DeepStrike is positioned first in this guide because its buyer fit is strongest where organizations want manual testing depth, practical exploit evidence, remediation guidance, retesting support, and a continuous validation workflow rather than scanner-only output.
Key strengths: manual-first testing, API/web/cloud/mobile/network coverage, PTaaS workflow, remediation tracking, retesting support, and reporting suitable for technical and executive stakeholders.
Potential limitations: buyers requiring a CREST-accredited provider must verify current CREST status before procurement; buyers requiring CREST STAR, CBEST, TIBER-EU, or sector-specific threat-led testing should verify exact service scope; final pricing depends on asset count, testing depth, reporting needs, retesting, and delivery model.
Pricing signal: quote-led; public fixed pricing is not listed here.
Best-fit buyer: organizations that want DeepStrike as a manual-testing-led provider and are willing to verify whether CREST accreditation is required for their procurement process.
What to ask before buying: confirm CREST status, delivery model, assigned tester seniority, sample report quality, retesting terms, data handling, and whether the engagement satisfies internal procurement requirements.
2. LRQA
Best for: regulated, multinational, and high-assurance buying teams.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Application Security Testing, Mobile Application Security Testing, STAR-FS Threat Intelligence, STAR-FS Threat Led Penetration Testing, Threat Led Penetration Testing, Incident Response, Incident Exercising, and SOC.
Provider type: global assurance and cyber provider.
Headquarters: United Kingdom.
Founded: Nettitude founded in 2003; LRQA later integrated the brand.
Company size: CREST Marketplace profile lists 100–499 employees, while LRQA says the wider group operates in more than 150 countries with more than 5,000 people.
Primary services: penetration testing, app/mobile testing, vulnerability services, threat-led testing, incident response, threat intelligence, SOC.
CREST-relevant services: broadest coverage in this ranking.
Industries served: especially strong for financial services, payments, critical infrastructure, and regulated programs.
Testing Depth Model: manual testing, compliance-linked assurance, and formal threat-led programs.
Why buyers consider this provider: unusually broad verified CREST coverage and obvious fit for buyers that need one supplier to cover standard pentests, OVS-style application work, incident support, and threat-led or regulator-facing programs.
Key strengths: breadth, regulated-sector depth, app and mobile specialisms, global delivery, and strong fit for enterprise procurement.
Potential limitations: the delivery model may be heavier than needed for a small one-off app test, and smaller teams may pay for capability breadth they do not use.
Pricing signal: quote-led; public pricing not clearly listed during review.
Best-fit buyer: a mature enterprise that needs a defensible longlist reduction.
What to ask before buying: which legal entity will contract, which testers will deliver, whether retesting is included, and whether the scope is standard CREST pentesting or formal threat-led testing.
3. NCC Group
Best for: large-scale enterprise offensive security programs and buyers that want strong attack simulation depth.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, SOC, STAR-FS Threat Intelligence, STAR-FS Threat Led Penetration Testing, and related threat-intelligence coverage.
Provider type: global cyber security specialist.
Headquarters: United Kingdom.
Founded: 1999.
Company size: CREST Marketplace profile lists 1,000–4,999 employees.
Primary services: penetration testing, attack simulation, incident response, threat intelligence, compliance testing.
CREST-relevant services: broad security-testing and threat-led coverage.
Industries served: cross-sector global enterprise and government buyers.
Testing Depth Model: manual exploitation plus structured offensive programs.
Why buyers consider this provider: it combines a large offensive bench with explicit threat-led and compliance-linked services.
Key strengths: global reach, offensive depth, strong public positioning around attack simulation, and fit for enterprises that want a long-term partner.
Potential limitations: for smaller companies or highly focused scopes, NCC can be more operationally heavy than a smaller boutique.
Pricing signal: quote-led, enterprise-oriented.
Best-fit buyer: enterprise teams that need repeat programs across multiple assets or regions.
What to ask before buying: which delivery team will own the engagement, whether the work will be standard pen testing or attack simulation, and how retesting and program continuity are handled.
4. Accenture
Best for: global organizations that want testing integrated with wider cyber transformation or regulatory programs.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, SOC, STAR-FS Threat Intelligence, STAR-FS Threat Led Penetration Testing, Threat Intelligence for Simulated Attacks, and Threat Led Penetration Testing.
Provider type: global consulting and managed services firm.
Headquarters: CREST member profile lists United Kingdom for the accredited entry; buyers should verify the contracting entity.
Founded: Not publicly disclosed in the reviewed CREST profile.
Company size: 20,000 or more employees in the CREST profile; Accenture also reports 799,000 employees worldwide.
Primary services: penetration testing, red teaming, SOC, threat intelligence, broader cyber and risk programs.
CREST-relevant services: very strong threat-led and cross-region coverage.
Industries served: broad multi-sector enterprise base.
Testing Depth Model: manual testing within large multi-phase programs.
Why buyers consider this provider: few providers in this list show comparably broad CREST and aligned threat-led coverage across regions.
Key strengths: global scale, enterprise reporting discipline, TLPT alignment, and board-level program integration.
Potential limitations: the strongest value proposition is usually in larger programs, not small tactical tests; buyers should verify the exact delivery team rather than rely on the parent brand.
Pricing signal: enterprise quote-led; CREST project profiles point toward mid-five-figure to six-figure work.
Best-fit buyer: large enterprises with formal procurement and governance layers.
What to ask before buying: who the delivery lead is, whether the engagement will be delivered by a specialist offensive team, and what evidence standards apply to exploit validation and sign-off.
5. Mandiant
Best for: threat-informed offensive assessments, red teaming, and buyers that want incident-response-informed testing.
CREST status: CREST Marketplace lists Penetration Testing, Incident Response, STAR-FS Threat Led Penetration Testing, Threat Led Penetration Testing, and shows CBEST and TIBER-EU aligned items on the profile.
Provider type: global cyber consulting firm within Google Cloud.
Headquarters: CREST member profile lists Ireland for the accredited entry; buyers should verify the exact contracting entity for their region.
Founded: 2004.
Company size: CREST Marketplace profile lists 1,000–4,999 employees.
Primary services: penetration testing, red teaming, incident response, assessments, managed detection and response, training.
CREST-relevant services: particularly strong in threat-led and red-team style work.
Industries served: enterprise and large regulated organizations.
Testing Depth Model: threat-intelligence-informed manual testing.
Why buyers consider this provider: Mandiant’s public positioning emphasizes attacker behavior, TTP realism, and frontline incident-response insight.
Key strengths: strong red-team orientation, threat-led credibility, and fit for buyers who want realistic attacker-path validation rather than a compliance-only exercise.
Potential limitations: it may not be the simplest fit for lower-budget, narrow-scope, or SMB procurement.
Pricing signal: quote-led and likely premium for advanced scopes.
Best-fit buyer: large enterprises, cyber-resiliency programs, and incident-mature teams.
What to ask before buying: what level of red-team realism is in scope, which threat-intelligence inputs will inform the test, and whether standard retesting is included or separately quoted.
6. Kroll
Best for: risk-focused enterprise buyers, cyber-insurance-oriented environments, and programs that combine testing with broader incident and exposure management.
CREST status: CREST Marketplace lists Penetration Testing, Incident Response, and SOC.
Provider type: global risk and cyber advisory firm.
Headquarters: New York, United States.
Founded: Not publicly disclosed in the reviewed sources.
Company size: CREST Marketplace profile lists 5,000–9,999 employees.
Primary services: penetration testing, application security, cloud testing, threat exposure management, IR, MDR.
CREST-relevant services: strong verified penetration testing paired with broad cyber operations support.
Industries served: cross-sector enterprise.
Testing Depth Model: manual testing inside a larger risk and cyber program model.
Why buyers consider this provider: Kroll’s official materials stress frontline intelligence, high assessment volume, and strong incident-response integration.
Key strengths: enterprise delivery maturity, broad cyber-risk support, and fit where penetration testing is part of a larger resilience program.
Potential limitations: buyers seeking a narrow specialist boutique may find the offer broader than required.
Pricing signal: quote-led; public pricing not clearly listed during review.
Best-fit buyer: enterprise teams that value risk context and continuity beyond the report.
What to ask before buying: whether the test will be led by dedicated offensive specialists, how findings are prioritized, and how handoff to remediation or IR support works.
7. KPMG
Best for: procurement-heavy enterprises, audit-sensitive organizations, and buyers that prefer a Big Four delivery model.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, STAR-FS Threat Led Penetration Testing, and Threat Led Penetration Testing.
Provider type: global professional services network.
Headquarters: CREST member profile lists United Kingdom for the accredited entry; buyers should verify the contracting KPMG entity.
Founded: KPMG says the current global network was formed in 1987.
Company size: 20,000 or more employees in the CREST profile.
Primary services: penetration testing, vulnerability assessment, threat-led programs, broader cyber defense and response.
CREST-relevant services: strong fit for large regulated programs.
Industries served: multi-sector global enterprise.
Testing Depth Model: programmatic testing within broader risk and advisory structures.
Why buyers consider this provider: KPMG is often selected where procurement, governance, and board reporting carry as much weight as the technical work itself.
Key strengths: enterprise credibility, broad geography, and fit for large, documented programs.
Potential limitations: the model can be more consulting-led than buyers who want a highly direct tester-boutique relationship may prefer.
Pricing signal: CREST project profile indicates many engagements in higher enterprise bands; public list pricing not disclosed.
Best-fit buyer: large enterprises with formal vendor-approval and audit demands.
What to ask before buying: who will do the hands-on testing, how much of the fee funds delivery versus governance overhead, and how technical detail will be preserved in executive reporting.
8. Pen Test Partners
Best for: buyers who want specialist-led manual testing, especially across APIs, web, mobile, infrastructure, connected devices, and scenario-based work.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Application Security Testing, Mobile Application Security Testing, STAR-FS Threat Led Penetration Testing, Threat Led Penetration Testing, and Incident Response.
Provider type: specialist independent testing consultancy.
Headquarters: United Kingdom.
Founded: 2010.
Company size: CREST Marketplace profile lists 100–499 employees.
Primary services: API, web, code review, mobile, architecture reviews, red team, wireless, physical and social engineering, DFIR.
CREST-relevant services: one of the most specialist testing-first profiles on the list.
Industries served: broad, including critical assets, transport, finance, and connected environments.
Testing Depth Model: strongly manual and scenario-driven.
Why buyers consider this provider: its public profile is explicit about breadth inside security testing and about large volumes of hands-on specialist work.
Key strengths: specialist tester identity, strong application and mobile coverage, threat-led support, and good fit for buyers that want direct technical engagement.
Potential limitations: it does not have the same broader managed-services footprint as the biggest global firms.
Pricing signal: quote-led; platform and retainer models may be available depending on scope.
Best-fit buyer: organizations that care more about testing depth than large-consultancy packaging.
What to ask before buying: who the lead tester is, how much testing will be manual, whether exploit evidence will be included, and whether mobile/API scope gets dedicated specialists.
9. Bridewell
Best for: UK regulated sectors, critical-infrastructure-adjacent organizations, and buyers that want a strong independent UK cyber firm.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, Incident Exercising, SOC, and Threat Led Penetration Testing.
Provider type: independent cyber security services provider.
Headquarters: United Kingdom.
Founded: 2013.
Company size: CREST Marketplace profile lists 100–499 employees.
Primary services: penetration testing, MDR, cyber consulting, public-cloud-focused work, incident support.
CREST-relevant services: strong UK-focused breadth across testing and managed services.
Industries served: highly regulated and enterprise organizations.
Testing Depth Model: manual testing backed by managed operational services.
Why buyers consider this provider: it balances specialist cyber identity with enough scale for enterprise procurement without becoming a global services conglomerate.
Key strengths: UK regulated-sector fit, credible cloud depth, and independent positioning.
Potential limitations: compared with the biggest global firms, international coverage is narrower and formal threat-intelligence capabilities are less expansive in public materials.
Pricing signal: quote-led.
Best-fit buyer: UK enterprises, public sector, utilities, and regulated mid-market buyers.
What to ask before buying: whether the engagement will be delivered by Bridewell staff directly, how cloud and network scope are split, and whether post-test remediation tracking is included.
10. Cyberis Reply
Best for: tailored specialist engagements, adversary simulation, and buyers that want an experienced boutique-style team.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, STAR-FS Threat Led Penetration Testing, and Threat Led Penetration Testing.
Provider type: specialist cyber consultancy.
Headquarters: Tewkesbury, United Kingdom.
Founded: 2011.
Company size: CREST Marketplace profile lists 10–49 employees.
Primary services: penetration testing, technical assurance, red teaming and adversary simulation, continuous vulnerability assessment, incident response.
CREST-relevant services: strong combination of point-in-time testing and ongoing validation.
Industries served: cross-sector.
Testing Depth Model: bespoke manual testing and targeted attack simulation.
Why buyers consider this provider: Cyberis has one of the clearest specialist profiles for buyers that want senior attention rather than a scaled delivery factory.
Key strengths: bespoke testing, threat-led capability, continuous VA, and clear boutique positioning.
Potential limitations: a smaller bench can be a positive for ownership, but buyers with large multi-region programs should check capacity and scheduling.
Pricing signal: quote-led.
Best-fit buyer: mid-market and enterprise teams that want a technical specialist.
What to ask before buying: who will deliver the work, whether the same team will handle retesting, and how ongoing validation differs from scanner-only vulnerability management.
Dionach
Best for: buyers that want practical manual testing plus broader assurance and consultancy support.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, and Threat Led Penetration Testing.
Provider type: cybersecurity consultancy.
Headquarters: Oxford, United Kingdom.
Founded: not publicly disclosed; Dionach says it has over 25 years of experience.
Company size: CREST Marketplace profile lists 50–99 employees.
Primary services: penetration testing, IT security auditing, information security consultancy, red-team and assumed-breach style work.
CREST-relevant services: strong practical testing profile with regulated and enterprise relevance.
Industries served: public and private sector organizations globally.
Testing Depth Model: manual testing with hybrid onsite and remote delivery.
Why buyers consider this provider: its public materials emphasize practical recommendations, manual testing, and global delivery support without the procurement weight of the largest firms.
Key strengths: clear penetration-testing focus, pragmatic reporting, and useful fit for organizations that want consultancy support around the test.
Potential limitations: on very large programs, buyers should verify staffing model and specialist allocation.
Pricing signal: quote-led.
Best-fit buyer: mid-market and enterprise buyers wanting a credible specialist with enough range for wider assurance work.
What to ask before buying: how findings are evidenced, whether developer-facing remediation support is included, and which individuals will sign off the final report.
S-RM
Best for: buyers who want cyber testing combined with broader intelligence, crisis, and corporate-risk support.
CREST status: CREST Marketplace lists Penetration Testing, Incident Response, and Incident Exercising.
Provider type: global risk and intelligence consultancy.
Headquarters: London, United Kingdom.
Founded: 2005.
Company size: CREST Marketplace profile lists 100–499 employees.
Primary services: penetration testing, incident response, crisis support, intelligence-led risk services.
CREST-relevant services: verified pen testing plus strong adjacent incident capability.
Industries served: global cross-sector clients.
Testing Depth Model: manual testing delivered within a broader resilience model.
Why buyers consider this provider: S-RM can be a strong fit where the buying problem is not just “test this application” but “help us understand cyber risk in a broader operational context.”
Key strengths: mature risk lens, cyber plus crisis capability, and credible penetration-testing accreditation.
Potential limitations: if the requirement is a pure, highly specialized application pentest, some buyers may prefer a more testing-centric boutique.
Pricing signal: quote-led.
Best-fit buyer: board-sensitive organizations, private-equity portfolios, and crisis-conscious enterprises.
What to ask before buying: how specialized the assigned testers are for your specific stack and whether the engagement will be run primarily as technical testing or as part of a wider risk program.
CSA Cyber
Best for: buyers that want operational follow-through, PTaaS-style delivery, and continuous validation rather than one report every 12 months.
CREST status: CREST Marketplace lists Penetration Testing, Vulnerability Assessment, Incident Response, SOC, and Threat Led Penetration Testing.
Provider type: specialist cyber consultancy within the FluidOne group.
Headquarters: Gloucester, United Kingdom.
Founded: 2013.
Company size: CREST Marketplace profile lists 50–99 employees.
Primary services: penetration testing, VMaaS, PTaaS-style delivery, cloud security, infrastructure security, AI security, red teaming and cyber readiness.
CREST-relevant services: strong public emphasis on the full test life cycle and post-test follow-through.
Industries served: financial services, IT, healthcare, public sector, manufacturing.
Testing Depth Model: manual testing supported by platform workflow.
Why buyers consider this provider: CSA Cyber’s CREST listing is unusually explicit about helping clients operationalize findings across scoping, discovery, remediation, and ongoing management.
Key strengths: PTaaS-style delivery, VMaaS support, and useful fit for teams that need repeated testing and remediation tracking.
Potential limitations: buyers that need only a very simple low-cost scan or a single narrow test may not need the broader workflow model.
Pricing signal: CREST project profile suggests many mid-market engagements in lower five-figure bands, but public pricing is not fixed.
Best-fit buyer: mid-market and growth-stage teams with repeat validation needs.
What to ask before buying: how the platform supports remediation, whether retests are bundled, and how manual depth is preserved as cadence increases.
Which Provider Fits Your Testing Scope?
| Testing Scope | Best-Fit Provider Type | What to Verify |
|---|---|---|
| Web application penetration testing | Specialist testing boutique or enterprise appsec team | Business-logic coverage, auth flows, report depth |
| API penetration testing | AppSec-focused provider with API-specific testers | Auth models, role abuse, object-level authorization testing |
| Cloud penetration testing | Provider with explicit cloud and hybrid coverage | Cloud account scope, IAM testing, shared-responsibility assumptions |
| Mobile application penetration testing | Provider with mobile specialism or CREST mobile-related coverage | iOS/Android depth, backend/API linkage, device assumptions |
| Network penetration testing | Infrastructure-focused testing team | Internal vs external split, segmentation validation, lateral movement testing |
| Internal infrastructure testing | Manual infrastructure specialist | Credentials, assumed-breach model, safety controls |
| External infrastructure testing | Testing provider with perimeter and exposure focus | Firewall, VPN, remote access, exposed services |
| Red team assessment | Threat-led or adversary-simulation provider | Objectives, detection testing, deconfliction, legal approvals |
| CREST STAR or threat-led testing | Formal STAR/TLPT provider | If STAR-FS, CBEST, TIBER-EU, or equivalent is required |
| PTaaS or continuous testing | Provider with operational workflow and retesting support | What is manual, what is automated, and how remediation is tracked |
| Vulnerability assessment | VA-capable provider or managed scanning team | False-positive handling and prioritization process |
| Compliance-supportive testing | Provider experienced in mapping findings to frameworks | Whether the test actually satisfies the audit evidence need |
What Should a CREST-Quality Penetration Test Include?
CREST’s Defensible Penetration Test framework is useful here because it is more specific than a generic “we do pentesting” claim. CREST says the scoping phase should define what is being assessed and under what conditions; the delivery phase should follow the approved methodology and document constraints; and the sign-off phase should formally attest whether the agreed scope was addressed, with any deviations documented. For reporting, CREST expects at minimum clear scope and objectives, full results, timeline evidence, sufficient reproduction detail, risk rating, remediation advice, a statement of totality against scope, named CREST IDs for the people involved, and evidence that those people were suitably qualified.
A procurement-grade penetration test should therefore include: agreed scope and rules of engagement; a defined asset list; tester assumptions such as black-box, gray-box, or white-box; manual validation rather than scanner output alone; safe exploitation standards; evidence of successful exploit paths where applicable; business-impact explanation; severity rationale; an executive summary for non-technical stakeholders; technically reproducible findings; remediation guidance; clear retesting terms; secure data handling; and a sign-off framework. Buyers should also expect the provider’s methodology to align naturally with established references such as NIST SP 800-115, OWASP WSTG, OWASP’s API testing guidance, PTES, and, where relevant, MITRE ATT&CK, PCI guidance, and ISO 27001-linked controls.
CREST Penetration Testing Cost and Pricing Models
CREST-accredited penetration testing pricing varies by provider, scope, asset count, testing depth, reporting requirements, retesting, region, and whether the engagement requires CREST STAR or threat-led testing. Public pricing is often not clearly listed, so buyers should request a scoped quote.
The public evidence supports a broad range rather than a fixed market price. CREST Marketplace profiles for some providers show project-size bands ranging from under £10k at smaller specialists, to £10k–£25k and £25k–£50k for many mid-market tests, to £50k–£100k and £100k–£500k for larger enterprise and threat-led programs. In other words, “CREST penetration testing cost” is really a scoping question, not a universal rate card.
Common commercial models include fixed-scope penetration tests, time-and-materials work, subscription or PTaaS models, enterprise retainers, red-team engagements, STAR or formal threat-led testing, and compliance-focused assessments mapped to a defined requirement. Threat-led and regulator-facing engagements usually cost more because they introduce more planning, governance, intelligence input, and sign-off complexity.
| Cost Factor | Why It Affects Price | Buyer Note |
|---|---|---|
| Number of applications | More attack surface and report volume | Ask how apps, subdomains, and user roles are counted |
| Number of APIs | API auth and business logic add depth | Confirm whether backend and mobile APIs are separate |
| Number of IPs | Increases infrastructure coverage effort | Clarify external and internal counts separately |
| Cloud accounts | Adds IAM, config, and service-specific complexity | Confirm whether cloud config review is included |
| Mobile platforms | iOS and Android may require separate effort | Backend/API linkage often adds scope |
| Internal vs external scope | Internal tests often involve lateral movement and safety controls | Ask how assumed-breach work is priced |
| Black box vs gray box vs white box | Access model changes test depth and time | More context can increase depth, not always reduce price |
| Tester seniority | Senior specialists cost more but may find more meaningful issues | Ask who actually performs the work |
| CREST certification requirements | Named credential requirements affect staffing | Verify if senior certified staff are guaranteed |
| CREST STAR or TLPT requirements | Intelligence, governance, and deconfliction expand effort | Separate quotes are common |
| Reporting depth | Executive, technical, and audit-ready outputs take time | Sample reports matter here |
| Retesting | Adds post-remediation effort | Clarify whether one retest cycle is included |
| Onsite work | Travel and scheduling overhead apply | Many scopes can still be done remotely |
| Compliance mapping | Adds framework-specific reporting steps | Useful only if it matches a real audit need |
| Urgency and timeline | Rush work affects staffing and cost | Avoid compressing timelines without reason |
Enterprise vs SMB CREST Penetration Testing Guidance
Enterprise buyers often need formal CREST verification, repeatable scoping over multiple assets, regional delivery, evidence for procurement and audit files, executive reporting, data-handling review, recurring test cadence, and sometimes STAR or other threat-led frameworks. That naturally pushes them toward providers with mature delivery governance and broader accredited coverage.
SMBs usually need a narrower answer: focused scope, fixed or at least predictable pricing, clear remediation guidance, limited but explicit retesting, and proof that the provider’s CREST status will satisfy customer assurance questions. In that market, a specialist boutique can be a better fit than a global enterprise provider if the actual requirement is a web application test, API penetration testing, or infrastructure test rather than a full resilience program.
Common Buyer Mistakes When Comparing CREST Penetration Testing Companies
The most common mistakes are straightforward: assuming every “CREST-certified” claim means the company itself is accredited; not checking the official CREST directory; overlooking the exact legal entity; assuming all offices and subsidiaries carry the same status; buying a vulnerability scan when the real need is manual penetration testing; choosing a brand name without confirming actual service scope; failing to ask for sample reports; skipping retesting detail; and assuming compliance language equals real security validation. CREST’s public buyer materials and testing guidance directly support a more disciplined process than that.
A separate and increasingly important mistake is failing to distinguish standard pentesting from formal threat-led programs. If a regulator, customer, or sector rule actually requires STAR-FS, CBEST, TIBER-EU, or a comparable model, a standard pentest proposal is not an interchangeable substitute.
CREST Penetration Testing RFP Checklist
| Requirement | Why It Matters | What to Ask the Provider |
|---|---|---|
| CREST status | Confirms accredited standing | Which exact CREST service categories are current? |
| Legal entity verification | Prevents contracting mismatch | Which legal entity will sign the contract? |
| Service category | Not all CREST services are the same | Are you accredited for Penetration Testing specifically? |
| Regional delivery | Regional status and staffing can differ | Which office or region will deliver? |
| Tester certification | Company and tester are different questions | Who are the named testers and what are their credentials? |
| Scope definition | Prevents vague quotes | What is explicitly in and out of scope? |
| Methodology | Shows how the work will be done | Which methodology governs the engagement? |
| Manual testing depth | Distinguishes a pentest from a scan | What percentage is manual validation? |
| Web/API/cloud/mobile/network coverage | Confirms fit to the asset type | Which testers specialize in our stack? |
| Red team or CREST STAR requirements | Avoids scope mismatch | Can you deliver STAR/TLPT if required? |
| Sample report | Validates reporting quality | Can we review a redacted sample report? |
| Exploit evidence | Helps engineering teams act | Will you include proof-of-exploitation where safe? |
| Remediation guidance | Speeds fix cycles | How prescriptive is your remediation advice? |
| Retesting | Affects cost and closure time | Is retesting bundled, limited, or separately billed? |
| Data handling | High stakes for sensitive systems | How do you store, retain, and delete engagement data? |
| NDA and confidentiality | Legal baseline | Do you have standard confidentiality terms? |
| Testing windows | Prevents operational disruption | Can you test within our allowed windows? |
| Compliance mapping | Helps audit use cases | Can findings be mapped to our framework if needed? |
| Pricing model | Avoids hidden change orders | Is this fixed scope, T&M, retainer, or subscription? |
| Communication cadence | Keeps stakeholders aligned | How often will we receive updates during the test? |
| Executive reporting | Needed for boards and leaders | What does the executive summary include? |
| Technical reporting | Needed for remediation | How reproducible are the findings? |
| Procurement evidence | Supports vendor approval | What formal evidence can you provide for audit files? |
| Post-test support | Determines closure quality | What support is available after report delivery? |
Red Flags When Choosing a CREST Penetration Testing Company
| Red Flag | Why It Matters | Buyer Action |
|---|---|---|
| Vendor claims CREST status but is not in the official directory | Status may be outdated or inaccurate | Check the official CREST Marketplace yourself |
| Only individual certifications are shown | Company accreditation may be missing | Ask whether the company is accredited for Penetration Testing |
| Legal entity does not match the contract | Procurement evidence may fail | Match the CREST listing to the contract entity |
| Service category is unclear | You may buy the wrong service | Confirm Penetration Testing is explicitly listed |
| No sample report | Reporting quality is unknown | Request a redacted sample before selection |
| No retesting clarity | Closure risk moves to the buyer | Get retest terms in writing |
| No proof-of-exploitation | Findings may be hard to prioritize | Ask how evidence is captured safely |
| No clear methodology | Quality control is weak | Ask what standard and workflow govern delivery |
| Quote is very cheap and scope is vague | Often indicates shallow testing | Force asset-level scope definition |
| Provider only delivers scanner output | Not a true pentest | Ask what manual validation is included |
| No named tester seniority | Delivery risk is hidden | Request the proposed team structure |
| No data-handling process | Sensitive data could be mishandled | Review retention, storage, and deletion controls |
| CREST STAR is claimed without evidence | Threat-led testing may be overstated | Verify the exact specialism on the CREST profile |
| Compliance is promised without framework understanding | Audit expectations can be missed | Ask how the provider supports the specific requirement |
| Regional delivery is assumed, not verified | The wrong office may be assigned | Confirm the delivery region and legal entity |
FAQs
What are the top CREST-accredited penetration testing companies?
A strong 2026 shortlist includes LRQA, NCC Group, Accenture, Mandiant, Kroll, KPMG, Pen Test Partners, Bridewell, Cyberis Reply, Dionach, S-RM, and CSA Cyber because each had an official current CREST profile showing Penetration Testing at the time of review. The right choice still depends on your scope, budget, reporting needs, legal entity, and whether you need standard testing or formal threat-led assessment.
What does CREST accreditation mean?
CREST describes accreditation as a mark of quality, professionalism, and assurance for cyber providers. Its guidance says accredited penetration testing companies are assessed against defined criteria, operate under a Code of Conduct, and are expected to deliver work in line with their assessed methodology. It is a useful procurement trust signal, but it does not replace service-scope validation or buyer due diligence.
What is the difference between a CREST-accredited company and a CREST-certified tester?
A CREST-accredited company is an organization that has completed CREST’s company-level assessment for specific services. A CREST-certified tester is an individual who has passed CREST exams showing knowledge and competence. Those are related but different controls. A company can employ certified people without clearly holding the service accreditation you need, so buyers should verify both.
How do I verify whether a penetration testing company is CREST-accredited?
Use the official CREST Marketplace, search for the legal entity, and confirm that Penetration Testing appears on the current profile. Then verify the region, ask for current evidence from the provider, and confirm who will perform the work. Recheck status before contract signature, especially for regulated or long procurement cycles.
Is CREST accreditation required for penetration testing?
Not always. Many effective penetration testing firms are not CREST-accredited, and some scopes do not formally require it. But CREST is often used as a procurement trust signal by regulated and enterprise buyers because it provides assurance around company processes, methodology, accountability, and qualified individuals. If a customer, regulator, or internal policy requires CREST, then it becomes a practical buying constraint.
How much does CREST-accredited penetration testing cost?
There is no universal CREST price. Public market evidence points to wide ranges based on scope, complexity, delivery model, and whether the work is standard pen testing or formal threat-led testing. CREST profiles show some smaller projects below £10k, many mid-market jobs in lower five-figure bands, and larger enterprise or threat-led programs in much higher ranges. Quote-led scoping is normal.
Does CREST accreditation guarantee compliance?
No. CREST accreditation can support procurement confidence and may help demonstrate that a qualified provider performed the work, but it does not by itself guarantee compliance, pass an audit, or prove the scope matched your control requirement. Buyers still need correct scoping, framework mapping where relevant, evidence retention, and remediation follow-through.
What should a CREST penetration testing report include?
At minimum, it should include scope and objectives, results across the agreed scope, evidence or reproduction detail, severity rationale, remediation advice, exclusions or constraints, and formal sign-off. CREST’s CDPT guidance also expects a timeline of key activities, named CREST IDs for the people involved, and evidence that suitably qualified individuals scoped, delivered, and signed off the test.
What is CREST STAR?
CREST positions STAR and related threat-led penetration testing as intelligence-led attack simulation intended for critical functions likely to face sophisticated and persistent attackers. It is more relevant to advanced resilience and some regulated financial-sector contexts than to a standard web or infrastructure pentest. Buyers should verify whether they need STAR-FS, CBEST, TIBER-EU, or a simpler engagement model.
How do I choose a CREST penetration testing provider?
Start by verifying the official CREST profile and legal entity. Then compare service scope, tester seniority, methodology, manual depth, exploit evidence, sample reports, remediation guidance, retesting terms, delivery region, and data-handling controls. The best provider is the one that matches your actual scope and procurement constraints, not the one with the largest brand name.
Are non-CREST penetration testing companies still worth considering?
Yes, if your policies do not require CREST and the provider can demonstrate strong testing depth, credible methodology, experienced testers, and clear reporting. However, if the buying context includes regulated requirements, procurement risk, or customer assurance pressure, CREST-accredited providers usually make the supplier-approval process easier. The key is not to confuse “not CREST” with “not capable,” or “CREST” with “automatically best.”
How often should companies run CREST-style penetration testing?
That depends on risk, exposure, change frequency, and any compliance requirement. PCI guidance points to at least annual testing, and more often after significant changes. In practice, internet-facing apps, APIs, and cloud environments that change frequently often need a mix of periodic deep manual tests plus more continuous vulnerability and exposure validation between full assessments.
Conclusion
The top CREST-accredited penetration testing companies are not interchangeable. The strongest buying outcome comes from matching verified CREST status to the exact service scope, then validating methodology, reporting quality, exploit evidence, remediation guidance, retesting terms, and delivery fit before signature. DeepStrike is positioned first in this guide under the stated methodology for organizations that value manual testing depth, PTaaS, remediation tracking, retesting support, and realistic attacker-path validation. Buyers that specifically require CREST accreditation should verify current CREST status before procurement. Regulated enterprise buyers will often compare DeepStrike with CREST-verified providers such as LRQA, NCC Group, Accenture, Mandiant, Kroll, or KPMG. Buyers that want more direct specialist attention may also compare Pen Test Partners, Bridewell, Cyberis Reply, Dionach, S-RM, or CSA Cyber. CREST status is a trust signal, not a substitute for scope validation or buyer due diligence.
About the Author
Mohammed Khalil is a Cybersecurity Architect at DeepStrike, specializing in advanced penetration testing and offensive security operations. With certifications including CISSP, OSCP, and OSWE, he has led red team and application security engagements across technology, finance, healthcare, cloud, and regulated environments. His work focuses on real-world attack path validation, application vulnerabilities, cloud security, identity exposure, and adversary emulation.

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today.