CREST-Approved Penetration Testing for UK Businesses
CREST is the UK’s gold-standard accreditation for penetration testing. We are an active CREST member firm — verifiable directly on the CREST marketplace. Every engagement is delivered to CREST methodology and quality standards. Reports accepted by FCA, NCSC, NHS, ICO, SOC 2 auditors, and cyber insurers — without translation work.
Self-certified pen testing reports won’t pass audit. CREST-approved testing will.
Many cybersecurity firms claim to deliver “professional” penetration testing without any external accreditation. Their reports are self-certified. When ISO auditors, FCA-regulated firms’ compliance teams, NHS DSPT assessors, or cyber insurance underwriters review the report, they ask: “Who validates the methodology? Who holds the testers accountable? Is this firm independently verified?”
CREST (originally the Council of Registered Ethical Security Testers) is a UK-based accreditation body whose member firms and individual qualifications are recognised by NCSC (CREST CCT and CRT qualifications count towards CHECK Team Leader and Team Member status), by the Bank of England, PRA and FCA through the CBEST intelligence-led testing scheme, and across UK Government procurement frameworks including the Digital Marketplace. CREST member firms undergo independent assessment of methodology, governance, technical capability and individual tester competence. Our active membership is verifiable directly at marketplace.crest.org/supplier/ejn-labs-ltd.
CREST METHODOLOGY · ALL SERVICES
CREST-Approved Penetration Testing — Every Service Type
CREST methodology applied to every engagement. Choose the service type — we deliver to the same accreditation standard.
Web App Pen Testing
OWASP Top 10 + ASVS, manual exploitation of business-logic flaws, IDOR, SSRF, broken authentication. CREST-certified testers.
Mobile App Pen Testing
iOS + Android against OWASP MASVS. Frida runtime, SSL pinning bypass, biometric bypass, backend API. CREST-certified testers.
API Pen Testing
OWASP API Top 10 (BOLA, BFLA, BOPLA), REST + GraphQL + gRPC. Schema-aware coverage.
External Pen Testing
PTES + NIST SP 800-115. Public-IP attack surface, exposed services, subdomain takeover, weak SSL/TLS.
AWS Cloud Security
CIS AWS Foundations Benchmark v3.0. IAM, S3, EKS, Lambda, KMS. Manual exploitation chains.
Azure Cloud Security
CIS Microsoft Azure Foundations v3.0. Entra ID, RBAC, Key Vault, AKS, Storage.
GCP Cloud Security
CIS Google Cloud Platform Foundations v3.0. IAM impersonation, GKE, Cloud Storage, Secret Manager.
Threat Intelligence
CREST CTI capabilities. Sector-specific threat actor profiling, dark-web monitoring.
Attack Surface Monitoring
Continuous external asset discovery, exposed services, leaked credentials.
Cyber Essentials Plus
IASME-accredited Cyber Essentials Certifying Body. Pre-audit gap analysis, full CE+ testing.
FOUR-PHASE METHODOLOGY
CREST Penetration Testing — From Scope to Attestation
Every CREST engagement follows the four-phase delivery model. Each finding is tagged to the specific control IDs it evidences, so reports can be submitted to UK auditors without rework.
Scope & Threat Model
Manual Exploitation
Live Findings
Report & Retest
Verified Accreditations Auditors Accept
Every accreditation independently issued by a recognised UK certification body. Click CREST to verify our membership.
COMPLIANCE READY
CREST Reports Recognised Across UK Audit Frameworks
CREST methodology is recognised by NCSC, by the Bank of England, PRA and FCA through CBEST, by ISO and SOC 2 auditors, and across UK Government procurement. Reports are submitted directly without translation.
FCA Cyber Resilience
CREST accreditation is the provider standard for CBEST, the intelligence-led testing scheme run by the Bank of England, PRA and FCA for financial services, and CREST reports are widely accepted by FCA-regulated firms as penetration-testing evidence for their operational resilience obligations.
NCSC IT Health Check
CHECK is the NCSC scheme for IT Health Checks of UK government (HMG) systems, and CREST CCT and CRT qualifications are among those NCSC recognises for CHECK Team Leader and Team Member status. CREST membership is verified independently.
PCI DSS
Testing delivered to CREST methodology meets PCI DSS v4.0 Requirement 11.4 (internal and external application and network penetration testing; Requirement 11.3 in v3.2.1) and Requirement 11.3 (internal and external vulnerability scanning; Requirement 11.2 in v3.2.1), provided the scope covers the cardholder data environment and its segmentation controls. Note that quarterly external scans must still be performed by a PCI SSC Approved Scanning Vendor (ASV).
ISO 27001 + SOC 2
CREST-tested findings are pre-mapped to ISO 27001:2022 Annex A control 8.8, management of technical vulnerabilities (A.12.6.1 in the 2013 edition), and to the SOC 2 Trust Services Criteria. ISO and SOC 2 auditors accept the mapping directly as evidence.
NHS DSPT
CREST testing accepted as evidence for the Data Security and Protection Toolkit Assertion 9 (asset 7) requirement.
Cyber Insurance
UK cyber-insurance underwriters increasingly require CREST-attested testing for renewal — particularly for premiums above £100k.
TRANSPARENT PRICING
Transparent CREST Penetration Testing Pricing
All CREST engagements include the same accreditation standard. Price varies by service type and scope complexity.
Depends on service + scope
External / web / API / mobile single-target engagement. CREST-certified delivery. Typically 3-5 day engagement.
- ✓Free retests included
- ✓Free rescheduling
- ✓No cancellation fees
- ✓24-hour scope to active testing
- ✓Live findings to client portal
- ✓Executive + technical report
- ✓60-min walkthrough call
- ✓Letter of attestation
Depends on service + scope
Multi-target combined engagement (web + API + external + AD), or single complex target. Typically 7-10 days.
- ✓Free retests included
- ✓Free rescheduling
- ✓No cancellation fees
- ✓24-hour scope to active testing
- ✓Live findings to client portal
- ✓Executive + technical report
- ✓60-min walkthrough call
- ✓Letter of attestation
Depends on service + scope
Full-stack engagement (multiple cloud accounts, hybrid AD, complex web + API + mobile). Typically 12-15+ days.
- ✓Free retests included
- ✓Free rescheduling
- ✓No cancellation fees
- ✓24-hour scope to active testing
- ✓Live findings to client portal
- ✓Executive + technical report
- ✓60-min walkthrough call
- ✓Letter of attestation
CREST Penetration Testing for Your Sector
CREST methodology applied to your sector’s specific compliance and threat-model requirements.
Fintech
FCA-regulated firms, Open Banking, payment APIs, PCI scoping.
SaaS
Multi-tenant isolation, SSO/SAML/OIDC, customer-data perimeter, SOC 2 evidence.
Healthcare
NHS DSPT, NHS DTAC, EHR integration, telehealth, patient-data PII.
Insurance
FCA / PRA Operational Resilience, claims data, broker integrations, cyber underwriting evidence.
Law
Privileged-data confidentiality, partner-tier scrutiny, SRA Cyber Standard alignment.
Public Sector
CCS / G-Cloud framework, NCSC-aligned, SC-cleared testers available.
What You Actually Get
What distinguishes our service from automated scans and box-tick competitors.
What You Get From CREST Penetration Testing
Verifiable on crest.org
Audit-Ready Out-of-the-Box
Free Retests Within 30 Days
UK CREST + IASME + ISO 27001 + ISO 9001
Frequently Asked
What is CREST penetration testing?
CREST is the UK’s gold-standard penetration testing accreditation. CREST member firms undergo rigorous independent assessment of methodology, governance, technical capability, and individual tester competence. CREST-tested reports are accepted by NCSC, FCA, ISO auditors, and cyber insurers.
How do I verify your CREST membership?
Our CREST membership is verifiable directly at marketplace.crest.org/supplier/ejn-labs-ltd. Auditors typically check this URL during compliance reviews.
How does CREST differ from CHECK?
CREST accredits testing firms and individuals across the wider UK private sector, and its qualifications are recognised by NCSC. CHECK is the NCSC scheme for IT Health Checks of UK government (HMG) systems and can only be delivered by CHECK-approved companies using CHECK-status testers. The two have comparable methodology rigour: CHECK is required for most HMG IT Health Checks, while CREST is the industry standard for everything else.
Is CREST recognised internationally?
CREST has growing international recognition. CREST is the dominant standard in UK, Australia, Singapore, and the Middle East. In the US, customers more often request OSCP / OSCE individual certifications. Our team holds both — CREST firm membership and CREST/OSCP/OSCE individual certifications.
How much does CREST penetration testing cost?
Small engagements £3,750-£8,000. Mid-market combined engagements (most commonly commissioned) £8,000-£18,000. Enterprise full-stack engagements £18,000+. UK day rates for CREST-certified testers are £1,000-£1,500 per day.
What service types do you offer under CREST?
All service types — web app, mobile, API, external infrastructure, internal infrastructure, AWS / Azure / GCP cloud, red teaming, threat intelligence, attack surface monitoring, VAPT, code review, social engineering. Same CREST accreditation standard across every service.
Will CREST testing satisfy our PCI DSS Req 11.3?
Yes. Testing delivered to CREST methodology meets the PCI DSS penetration-testing requirements: Requirement 11.4 in v4.0 (Requirement 11.3 in v3.2.1), covering internal and external application and network testing plus segmentation validation. Our PCI DSS engagements follow the 11.4.x (formerly 11.3.x) sub-requirements, and the report shows which sub-requirement each test activity evidences.
Will CREST testing satisfy our ISO 27001 audit?
Yes. Testing delivered to CREST methodology provides evidence for ISO 27001:2022 Annex A control 8.8, management of technical vulnerabilities (A.12.6.1 in the 2013 edition). Our reports include a control-mapping summary that ISO auditors accept as evidence.
Will CREST testing reduce our cyber insurance premium?
UK cyber-insurance underwriters increasingly require CREST-attested annual testing for renewal — particularly above £100k premium tier. While we cannot guarantee a premium reduction, demonstrable CREST testing is now a near-mandatory baseline for many insurance products.
How long does CREST testing take?
Single-target engagements typically 3-5 working days. Multi-target combined engagements 7-10 days. Enterprise full-stack 12-15+ days. Test duration is determined during scoping based on scope complexity.
Are your testers all CREST-certified?
Yes. Every consultant working on CREST engagements holds at minimum CREST CRT (Registered Tester) qualifications. Senior consultants hold CREST CCT (Certified Tester) in their specialism — App, Inf, Cloud, Red Team. Many also hold OSCP, OSCE, OSWE for additional rigour.
Do you sign NDAs?
Yes. A standard NDA is signed before any technical detail is shared. We operate under a master agreement with project-specific terms covering data handling, deliverable IP and breach notification. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.
Book a CREST Pen Test Scoping Call
30 minutes with a CREST-certified consultant. Fixed-price quote within 24 hours. No sales pipeline.