CREST-Aligned VAPT — What That Actually Means and Why It Matters

Published May 3, 2026 · 12 min read

Buyers in regulated industries see "CREST" or "CREST-aligned" on vendor proposals all the time, and almost never get a clean explanation of what the term actually covers. The word does work in three different places at once — a methodology, a certification scheme for individuals, and a membership accreditation for firms — and conflating those three is how procurement decisions go sideways. This post defines each, explains the schemes that matter (CHECK, OWASP, STAR), gives the regulated-buyer framing for why CREST matters under DORA, TIBER-EU, UK government work, and Indian audit committees, and ends with the honest disclosure of where AxVeil sits in the CREST stack.

What is CREST?

CREST — the Council for Registered Ethical Security Testers — is a not-for-profit accreditation and certification body for the technical information-security industry, headquartered in the UK with chapters globally. The authoritative source is crest-approved.org. CREST does three things: it sets methodology benchmarks for offensive security work, it certifies individuals who pass technical examinations, and it accredits member firms whose people, processes, and insurance meet the published standard. Each of those is a separate thing; a vendor can have one without the others.

What are the CREST schemes — CHECK, OWASP, STAR?

CREST publishes several schemes that bundle methodology, examination, and accreditation for specific engagement types. The three most-asked-about are CHECK, OWASP, and STAR.

Scheme | What it covers | Who buys it
CREST CHECK | UK government IT-health-check scheme. Mandatory for assessments of UK government and CNI systems. | UK central / local government, CNI operators, gov suppliers.
CREST OWASP Verification Standard (OVS) | Application security testing aligned to OWASP ASVS / MASVS / ISVS. | SaaS, fintech, regulated app owners.
CREST STAR / STAR-FS | Intelligence-led red team scheme for financial services, aligned with TIBER-EU and Bank of England CBEST. | Banks, central banks, large insurers under EU / UK financial regulation.

STAR (Simulated Target Attack and Response) and STAR-FS underpin two of the most consequential testing regimes in finance: the Bank of England CBEST programme and TIBER-EU, the European Central Bank's framework for threat intelligence-based ethical red teaming. We covered the TIBER-EU framework in depth in our TIBER-EU explainer.

CREST-certified individual vs CREST-member firm

This is the distinction that buyers most often miss. CREST certifies individuals who pass technical exams (CRT, CCT, CCSAS, CRTL and others), and it accredits member firms whose corporate posture meets the published standard. The two are different awards.

  • CREST-certified individual. An operator has personally passed a CREST exam (CREST Registered Tester, CREST Certified Tester, etc.). The certification belongs to the person.
  • CREST-member firm. The firm has applied for and been awarded membership at one of CREST's tiers (Member, Approved, Accredited). Membership covers people, processes, insurance, and ongoing audit.
  • CREST-aligned methodology. A vendor follows the published CREST methodology and engagement standards but is not (or not yet) a member firm. The work product mirrors a CREST engagement; the badge does not.

A CREST-member firm is the strongest signal. A firm with CREST-certified individuals running engagements against the published methodology is the second-strongest. A vendor claiming CREST without either is using the term loosely — ask which exact award and verify on the CREST member directory.

Why does CREST matter to regulated buyers?

Three reasons CREST shows up in regulated procurement.

  • UK government. CHECK is mandatory for UK government IT health checks and a strong preference for suppliers to government departments and CNI operators.
  • EU financial regulation under DORA. The Digital Operational Resilience Act applies from 17 January 2025 across the EU financial sector. Article 26 mandates threat-led penetration testing for in-scope entities; the implementing technical standards reference CREST STAR-FS and TIBER-EU as accepted methodologies.
  • Audit-committee acceptability. Indian and APAC audit committees increasingly ask whether testing methodology is "CREST-aligned" even when no UK or EU obligation exists. The label has become a shorthand for "the work was done to a defensible international standard."

CREST vs CERT-In empanelment — how do they relate?

For Indian buyers, CERT-In empanelment is the domestic regulatory floor — the Computer Emergency Response Team-India empanels firms that meet a published standard for information-security audit and VAPT delivery. CREST is the international methodology benchmark. They are not substitutes; the strongest posture is CERT-In empanelment for the domestic regulator (RBI, SEBI, NCIIPC will look here) plus CREST-aligned methodology for international audit committees, customer trust-page disclosures, and DORA-adjacent buyers.

Dimension | CERT-In empanelment | CREST
Issuing body | CERT-In, MeitY, Government of India | CREST, UK-based not-for-profit, global chapters
Primary jurisdiction | India (RBI, SEBI, NCIIPC, government) | UK, EU (DORA, CBEST, TIBER-EU), global
Granted to | Firms (with named auditors on file) | Both individuals and member firms
Methodology focus | VAPT, IS Audit | CHECK, OVS, STAR, STAR-FS, threat-led red team

What does "CREST-aligned" mean specifically?

When a vendor describes its work as "CREST-aligned" (rather than CREST-accredited or CREST-member), the credible meaning is: operators on the engagement follow the published CREST methodology and engagement standards; report templates mirror the CREST engagement-output expectations; individual operators may or may not hold personal CREST certifications; the firm is not, or not yet, a paying member of the CREST scheme. This is a defensible position when the buyer's regulator does not mandate the badge but does want the methodology. It is not defensible when the regulator's framework explicitly cites CREST membership — for example, where DORA implementing standards require an accredited STAR-FS provider, "aligned" is not a substitute.

Where AxVeil sits — the honest framing

AxVeil follows CREST-aligned methodology. Operators on engagements work to the CREST published standards for engagement scoping, testing depth, finding qualification, and report structure. AxVeil is not, at time of writing, a CREST member firm; we do not claim membership we do not hold. For UK-government CHECK scope or DORA-mandated STAR-FS testing, the buyer should engage a CREST-accredited member firm. For the broad regulated-buyer market — SaaS, BFSI, ISO 27001, SOC 2, RBI, SEBI, DPDP, MENA — CREST-aligned methodology delivered by CERT-In empanelled and senior operators is the working equivalent. Read more at /methodology.

DORA, TIBER-EU, and CBEST — where CREST is non-negotiable

Three regulatory regimes elevate CREST from a useful badge to a procurement requirement. DORA — the EU Digital Operational Resilience Act — applies from January 2025 across the EU financial sector and mandates threat-led penetration testing for in-scope entities under Article 26 with implementing technical standards that reference accredited red-team providers. TIBER-EU is the European Central Bank's framework for threat-intelligence-based ethical red teaming; national TIBER-XX implementations (TIBER-DE, TIBER-NL, TIBER-IT and others) require providers approved under the TIBER-EU governance, which in practice maps to CREST STAR-FS-accredited member firms. CBEST is the Bank of England's equivalent for UK financial services; the published CBEST Implementation Guide names CREST STAR as the accreditation reference. Read our deeper coverage of the framework in our TIBER-EU explainer. For an Indian bank with no EU branch, none of this is binding; for an Indian bank with an EU operating presence, all of it is.

Buyer questions that separate marketing from substance

  • Is the firm a CREST member, and at what tier (Member, Approved, Accredited)?
  • Which named operators on this engagement hold which CREST individual certifications?
  • Which CREST scheme will this engagement be delivered under (CHECK / OWASP / STAR / STAR-FS / aligned-only)?
  • Will the report be issued under CREST engagement-output templates?
  • If your regulator cites CREST explicitly, can the firm produce the membership certificate or the relevant operator certifications?

Vendors with substance answer those five questions in five minutes. Vendors using the term loosely will redirect, generalise, or pivot to other badges.

CREST individual certifications — what each one means

CREST publishes a graded ladder of individual certifications. Buyers reading CVs or proposals see acronyms and rarely get the relative weight. Briefly:

  • CPSA — CREST Practitioner Security Analyst. Entry-level certification covering vulnerability assessment fundamentals.
  • CRT — CREST Registered Tester. Practitioner-level certification; the operator can perform an infrastructure pentest under supervision of a senior.
  • CCT — CREST Certified Tester. Senior-level technical certification, separately badged for Application (CCT App) and Infrastructure (CCT Inf). The CCT level is the credible benchmark for a senior pentester.
  • CCSAS / CCSAM — CREST Certified Simulated Attack Specialist / Manager. The senior credentials for STAR / TIBER-EU red team work; CCSAM is required for the lead-of-engagement on a STAR-FS delivery.
  • CRTL — CREST Registered Threat Intelligence Analyst. Threat-intelligence capability for the TIBER-EU and CBEST workflow.

For a regulated buyer, the question to ask is not "is anyone CREST certified" but "which CREST certification does the named lead operator on my engagement personally hold, and at what year of currency." CREST individual certifications expire and require recertification.

CREST member firm tiers — what changes between them?

CREST member firm accreditation has graded tiers. The highest tiers require not only operator certifications but also documented engagement processes, professional indemnity at specified thresholds, financial-strength criteria, and ongoing audit by CREST. Buyers procuring under DORA STAR-FS or UK government CHECK verify the firm's tier directly on the CREST member directory rather than relying on the vendor's claim. Member-firm scope is also engagement-type-specific — a firm accredited for CHECK is not automatically accredited for STAR-FS.

When does CREST not matter?

For early-stage SaaS preparing a first SOC 2, CREST is not a procurement requirement. For a Series-B fintech outside the EU and outside UK government supply, CREST is a nice-to-have, not a must. For a DORA-scope EU-licensed bank or a UK CNI operator, CREST is non-negotiable. The right move is to choose the level of CREST exposure that matches your regulator and your audit committee — and to refuse to pay for a badge your buyers do not actually demand.

Frequently asked questions

What does CREST-aligned actually mean?

It means the operators on the engagement follow CREST's published methodology and engagement standards, and the report templates mirror CREST's engagement-output expectations — but the firm is not (or not yet) a paying CREST member firm. It is a defensible position when your regulator wants the methodology but does not mandate the badge. It is not a substitute where a regulatory framework explicitly cites CREST membership — for example, where DORA implementing standards require an accredited STAR-FS provider.

What is the difference between a CREST-certified individual and a CREST-member firm?

CREST certifies individuals who pass technical exams (CPSA, CRT, CCT, CCSAS/CCSAM, CRTL) — the certification belongs to the person. CREST accredits member firms at graded tiers (Member, Approved, Accredited) whose people, processes, professional indemnity, and financial strength meet the published standard and are subject to ongoing audit. A vendor can have certified individuals without being a member firm, and a member firm's scope is engagement-type-specific — accreditation for CHECK does not imply accreditation for STAR-FS.

Is CREST mandatory for my organisation?

Only in specific regimes. CREST CHECK is mandatory for UK government IT health checks and CNI assessments; DORA's threat-led penetration testing standards reference CREST STAR-FS and TIBER-EU for in-scope EU financial entities; the Bank of England CBEST programme names CREST STAR. For early-stage SaaS preparing a first SOC 2, or a fintech outside EU/UK government supply, CREST is a nice-to-have rather than a requirement. Match your CREST exposure to your regulator and audit committee.

How does CREST relate to CERT-In empanelment for Indian buyers?

They are complementary, not interchangeable. CERT-In empanelment is the domestic regulatory floor that RBI, SEBI, and NCIIPC look for in India. CREST is the international methodology benchmark that audit committees, customer trust pages, and DORA-adjacent buyers reference. The strongest posture for an Indian buyer with international exposure is CERT-In empanelment for the domestic regulator plus CREST-aligned methodology for the international audience.

Which questions separate a real CREST claim from marketing?

Ask five: Is the firm a CREST member, and at what tier? Which named operators on my engagement hold which CREST individual certifications, and at what year of currency? Which CREST scheme will this engagement run under (CHECK / OVS / STAR / STAR-FS / aligned-only)? Will the report be issued under CREST engagement-output templates? And, if my regulator cites CREST explicitly, can the firm produce the membership certificate or relevant operator certifications? Vendors with substance answer all five in minutes; vendors using the term loosely redirect or pivot to other badges.

CREST-aligned methodology, named operators.

Talk to a senior operator about scoping a CREST-aligned VAPT for your stack and regulator.
