CREST Defensible Penetration Test Released

Across the globe it is widely acknowledged that the definitions, practices and expectations associated with a penetration test are inconsistent and fluid. This makes it difficult to define or parameterise a series of activities that looks at all possible requirements, engagements or scenarios. For example, a penetration test may need to assess a mobile phone at one end of the spectrum or an aircraft carrier at the other.

This new CREST guidance provides a best practice framework for penetration test defensibility and an assurance of penetration tester competence. It will help organisations that are looking to procure penetration testing services and organisations that deliver penetration testing services.

Only when the following three elements are satisfied, will the CREST Defensible Penetration Test be commercially defensible:

• The need for penetration testing service providers to have appropriate policies, procedures, practices and methodologies
• The need for all individuals involved in a penetration test to have appropriate levels of skills, experience and competency
• The need for penetration testing service providers and the individuals conducting the assessment to work towards a defined and agreed test specification

Get the guide here:

https://www.crest-approved.org/wp-content/uploads/2022/08/CREST-Defensible-Penetration-Test-v5.pdf

Thanks to Steven Teppler Rowland Johnson Kyle B. Edward Farrell Bhrugvish Gore Rodrigo Marcos Paul Underwood Erin Jones Laura Wright and others who helped shape this project