How to Choose a Pentest Provider
Freelancer, boutique firm, or Big 4? A comparison of provider types, pricing models, red flags, and the questions you should ask before signing.
Freelancer / Independent Consultant
Best for: SMBs with limited budgets, repeat testing relationships, single-application scopes
Typical cost: £2,500 – £12,000 (~50–60% of boutique rates)
Advantages
- Lowest cost option
- Often highly specialised (e.g. mobile-only experts)
- Direct access to the tester doing the work
- Flexible scheduling
- Good for small, well-defined scopes
Disadvantages
- No team peer review of findings
- May lack professional indemnity insurance
- Not suitable for CREST/CHECK-required work
- Availability can be limited
- Less formal methodology and reporting
- Risk of 'scan and report' rather than genuine manual testing
Red Flags
- No clear methodology explanation
- Pricing that seems too low
- No professional indemnity insurance
- Reluctance to provide a sample report
Boutique Security Firm
Best for: Mid-market companies, regulated industries, compliance-driven testing, anyone wanting quality without Big 4 pricing
Typical cost: £5,000 – £35,000 (mid-market benchmark)
Advantages
- Best value for most organisations
- CREST, CHECK, or ISO 27001 certified
- Peer-reviewed findings
- Clear methodology and structured deliverables
- Dedicated account manager
- Re-test usually included
- Good audit documentation
Disadvantages
- Less name recognition than Big 4 (can matter for some boards)
- Quality varies between firms; vetting required
- May not have global presence for multinational scope
Red Flags
- No CREST/CHECK certification
- Can't provide client references
- Unable to scope the test before quoting
- Excessive reliance on automated tools in the methodology
Big 4 / Top-Tier Consultancy
Best for: FTSE 100 / Fortune 500 companies, board-level credibility requirements, integrated GRC programmes
Typical cost: £12,000 – £150,000+ (2–3x boutique rates)
Advantages
- Maximum brand credibility for board/auditor audiences
- Large team resource for wide-scope engagements
- Integrated with broader risk and compliance advisory
- Strong contractual protections
- Global reach for multinational programmes
Disadvantages
- Significantly higher cost
- Junior staff often do the actual testing
- Less specialist depth than boutique firms
- Bureaucratic engagement process
- Overkill for most mid-market security needs
Red Flags
- Inability to specify who will do the actual testing
- Purely automated deliverables at Big 4 pricing
Platform-Based / Crowd Testing
Best for: Companies with mature security programmes wanting broad coverage, bug bounty supplements, large web surfaces
Typical cost: £3,000 – £20,000 (bug bounty / managed crowd model)
Advantages
- Large pool of diverse testers (many perspectives)
- Pay-per-finding models available
- Continuous testing model
- Good for broad coverage of large attack surfaces
Disadvantages
- Less structured than a traditional pentest
- Variable tester quality
- Report format may not suit compliance audits
- Not suitable for all test types (red team, social engineering)
- Limited liability model
Red Flags
- Using crowd-sourced results as primary compliance evidence without independent verification
Pricing Models Explained
Fixed Price
Agreed scope, agreed deliverables, fixed cost. Most common for standard test types.
Good for: Predictable budgets, compliance-driven engagements
Watch out for: Scope creep is not covered; get a clear scope definition in writing.
Time & Materials
Pay for consultant days actually spent. Flexible but less predictable.
Good for: Complex or poorly-defined scopes, red team engagements
Watch out for: Costs can escalate without clear day-cap agreements.
Day Rate
Buy a block of consultant days. You define how they're used.
Good for: Organisations with internal security teams wanting specialist support
Watch out for: Ensure the rate reflects senior tester time, not graduate-level work.
Retainer
Annual or quarterly commitment for ongoing access to pentest resource.
Good for: High-change environments, frequent release cycles, continuous assurance
Watch out for: Ensure unused days roll over and rates are benchmarked at contract start.
10 Questions to Ask Any Provider
Use these before you sign the statement of work.
1. How much of the testing is manual vs automated? What percentage of findings typically come from manual analysis?
2. Who specifically will perform the testing? What are their qualifications and experience?
3. Are you CREST/CHECK certified? Can you provide your certification reference?
4. What is your methodology? Which standards do you follow (PTES, OWASP, NIST)?
5. Can you provide a sample report from a similar engagement?
6. Is re-testing included in the quoted price?
7. What are your data handling and NDA terms? How is sensitive finding information stored?
8. What happens if you discover a critical vulnerability mid-engagement?
9. What is your professional indemnity insurance level?
10. Can you provide references from similar-sized organisations?
Certification Bodies to Know
CREST
Gold standard for UK penetration testing. Required for HM Government and many regulated sectors. Check at crest-approved.org.
CHECK
NCSC-approved scheme for UK government systems. Required for any testing on public sector networks.
OSCP / OSEP
Offensive Security certifications. Strong indicators of hands-on technical capability for individual testers.
CEH
Certified Ethical Hacker. Entry-level credential — less meaningful than OSCP or CREST for senior engagements.
ISO 27001
Indicates the firm manages its own security properly. Not specific to pentest quality, but relevant to data handling.
Cyber Essentials Plus
NCSC scheme. A baseline for UK firms. Relevant but not sufficient as a pentest quality indicator.
Get an independent review of your pentest vendor
Not sure if you're getting value from your current provider? We'll review your last pentest report and give you an honest assessment.
Alternatively, use the cost calculator to benchmark what you should be paying.