What is CHECK and CREST penetration testing?

Jordan Constantine Headshot
Jordan Constantine
Penetration Testing Manager
08th February 2022

This blog was updated on 26th January 2024

CHECK and CREST are two separate penetration testing accreditations, from the National Cyber Security Centre (NCSC), and the Council of Registered Ethical Security Testers (CREST), respectively. Using a CHECK or CREST certified company for penetration testing services ensures that you are using a competent, legitimate vendor that adheres to industry best practice. For this reason both CHECK and CREST are valuable certifications for penetration testing companies to hold.

CHECK is more formally called a ‘IT Health Check Service’, and is an NCSC initiative for protecting government and public sector systems in line with government policy. CREST, on the other hand, is from the Council of Registered Ethical Security Testers, and accreditation has been developed to ensure the very highest standards of security testing.

But first, let’s recap the basics of penetration testing so we’re all on the same page.

What is penetration testing?

Penetration testing is the practice of gaining access to organisational computer systems and security infrastructure. Its purpose is to identify and enumerate access points and weaknesses within the software that could leave business open to a data breach.

For more info about the fundamentals of cyber security, head to our YouTube channel, where you can see webinars, explainers, interviews and more. This short video gives a quick run-down of penetration testing.

Penetration tests, or “pen tests,” as they are commonly referred to within the cyber security industry and IT communities, are used to find potential vulnerabilities within a company computer system. Penetration testing is carried out by experienced professional security testers, aka ethical hackers, hired to run the necessary checks on IT systems. It is important to note that penetration tests are usually conducted by external companies (like us) for the simple reason that IT specialists within the company are too close to the process of building its systems to take an objective look at the infrastructure and identify weak points.

External cybersecurity specialists or agencies, such as Bulletproof, pride themselves on providing accurate and detailed penetration testing, with the main vulnerabilities usually outlined in a final report, including prioritising results, giving remediation advice and suggestions for improvements. Penetration Testing should be well resourced by every business, with many types of penetration test available for all types of technology: cloud, web apps, mobile apps, networks, IoT/OT and more. All too often penetration is pushed along the pipeline until a security breach has been identified – by which point systems have inevitably been compromised. We take a closer look at why it is so crucial to carry out regular Pen Tests with trusted third-party providers.

Why is pen testing important?

Pen testing is one of the best ways for a company to protect itself from hackers, from the prying eyes of the competition, and from other cyber threats. This is because the process of penetration testing is designed to methodically uncover security risks that a real cybercriminal would try to use to break into systems. The only difference is that in the case of penetration testing, nothing really gets stolen, and no data is left exposed – all vulnerability exploits are carried out with the sole purpose of patching them up after the test is finished. That said, penetration testing is not the same as modelling a real-world attack. For that there’s another service you need: red teaming.

Penetration testing helps businesses to identify their greatest areas of risk and where their systems are vulnerable. They can also serve to test an organisation’s existing security controls and determine their current cyber resilience. Another key reason is that penetration testing supports compliance. GDPR, ISO 27001, PCI DSS, FTC, SOC 2 are just some of the certification and compliance standards that request or require regular penetration testing.

CHECK Accreditation vs CREST Accreditation

So we’ve seen that carrying out regular penetration tests for your businesses IT infrastructure is necessary if you want to keep yours and your customers’ data safe and secure. However, this does not mean that you can just hire any coding freelancer or IT whiz with a computer science degree to test the security of your systems. Aside from the obvious pitfall of running into a real-life hacker, you also run the risk of hiring someone with subpar skills or lacking due diligence processes.

Thankfully, there are accreditation schemes that grant cybersecurity companies the legitimacy they need for potential clients to weed out the professionals from the amateurs and bad actors. CHECK and CREST pen tests are two of the most popular pen test accreditation schemes in the UK.

CHECK pen testing

Created by the National Cyber Security Centre (NCSC), CHECK is an accreditation scheme directly endorsed by the UK government. It is used primarily to certify the cybersecurity experts working for government departments, public sector bodies, and other organisations that can be considered part of the UK’s CNI (Critical National Infrastructure). Penetration tests conducted by CHECK-approved members will do so using NCSC recognised methods.

CREST pen testing

CREST (Council of Registered Ethical Security Testers) is an internationally recognised non-profit organisation devoted to providing top-tier accreditation to cybersecurity service companies providing penetration tests, threat intelligence, cyber incident response, and SOC (Security Operations Centre) services. Their stamps of approval are acknowledged globally and not so easy to come by: to gain CREST certification, cybersecurity agencies need to get their data security, testing methodologies, and business processes thoroughly vetted by a CREST accredited  representative.

CREST certification is what you should look for in your penetration testing providers, as it is the best measure of a cybersecurity company’s legitimacy and competence that is also internationally recognised.

Crest penetration testing or CHECK – Which one is better for your business?

CHECK-certified agencies are required for government departments and associated organisations, and advised for public sector bodies. If an organisation is not public sector, then it does not require a CHECK-certified service provider to conduct penetration testing. In any other instance, the CREST certification is what you should look for in your penetration testing service providers, as it is the best measure of a cybersecurity company’s legitimacy and competence that is also internationally recognised. Appointing a CREST registered penetration tester ensures that your organisation's security measures are thoroughly evaluated by highly qualified professionals.

There are merits to both CHECK and CREST depending on which sector of business you are in. Companies who provide CHECK services will be required for organisations which make up the UK’s national infrastructure, whereas CREST-approved agencies are suitable for organisations across all other sectors. What is important is that penetration testing forms a critical part of assessing the cyber resilience of an organisation.

The government-backed nature of CHECK means that it is typically more expensive than a CREST certified penetration test, whilst not providing any meaningful improvement in assurance or outcome. It’s for this reason that Bulletproof recommends CREST penetration testing for all organisations, unless you are strictly required by regulation or legislation to procure a CHECK test.


Penetration testing is crucial for identifying vulnerabilities in your networks, systems and apps, and for meeting compliance requirements. The end goal of a penetration test is to help businesses secure their user and business-critical data, which should be a top priority for every organisation, regardless of type and size. CREST-approved services are the go-to accreditation schemes for helping to identify professional cybersecurity vendors and tell them apart from the amateurs, ensuring that you have access to industry-approved penetration tests conducted by the experts.

Jordan Constantine Headshot

Meet the author

Jordan Constantine Penetration Testing Manager

Jordan is a Bulletproof Penetration Testing Manager, with several years' experience of Red Team testing and managing complex projects. He still gets involved in regular penetration tests and has a particular flair for Red and Black teaming.

Stay ahead of the hackers with pen testing

Start finding your vulnerabilities and get a prioritised list of remediations.

Learn more about pen tests

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.