I have sat on the CREST European Council since 2022. The seat is an advisory role rather than an executive one — the work is to help CREST think about how the European market is changing, what standards need to do next, and where the rough edges are between what CREST accredits today and what the customer needs tomorrow. I am writing about it now because I think the next chapter is going to be harder than the last, and the firms that are about to enter the accreditation pipeline deserve to hear that out loud rather than discover it on the way through.
What CREST has been good at
CREST has been good, for most of its life, at the thing standards bodies are supposed to be good at: producing methodologies that customers can trust, holding firms to them through assessment, and giving practitioners a credential that means something on a CV. The accreditation process is not light-touch. The exams are not light-touch either. There are firms in this market that quietly do not have CREST accreditation and there is, in most cases, a reason for that you can find inside an hour if you look.
That work has been the foundation of British penetration testing as a profession. It is not glamorous. It is the unfashionable middle of the market — methodology guides, peer review, technical assessments, code of conduct enforcement — and it has done more for the credibility of the practice than any individual firm could have done on its own.
What an accreditation cannot do
An accreditation tells you that, on the day the firm was assessed, the people inside it could do certain things to a certain standard. It does not tell you which of those people are still there. It does not tell you whether the work the firm currently sells is the work the accreditation was granted for. It does not tell you whether the firm's commercial pressure is degrading the methodology it tells customers it follows.
That gap — between the accreditation and the lived practice — is the gap CREST is now trying to close. It is a harder problem than the one CREST solved fifteen years ago. The original problem was "how do we tell a customer that a firm can do this work?" The current problem is "how do we tell a customer that the firm is still doing this work, this week, on this engagement?"
I do not think there is a clean answer to that question, and I distrust people who claim there is. What I do think is that the answer is iterative — recurring assessment, more granular evidence, better customer feedback mechanisms, public action when firms fall short — and that the iteration is the work the next decade demands.
What I have learnt sitting on the Council
Three things, in the order I have learnt them.
One: standards bodies move at the pace of their slowest member. This is not a complaint. It is a structural property of any consensus body, and the alternative — a faster, more opinionated body that ignores its slower members — would produce worse standards. The thing you can do, as a Council member, is make sure that the question on the table is "what do the slowest members need to catch up on?" rather than "should we wait?" CREST tends to do the former. It is the source of most of the productive friction in the room.
Two: the threat landscape moves at a pace that no accreditation can keep up with. A penetration testing methodology that was adequate in 2022 is not adequate in 2025. The pace of change in AI-assisted offensive tooling alone has outrun several documents. The discipline this forces is to write methodology that ages well — principles rather than checklists, judgement rather than recipe — and that is harder to write and harder to assess against. It is also the right thing to do.
Three: the firms that benefit most from accreditation are not the firms that need it most. A mid-sized established firm with a credible reputation gets relatively little marginal value from accreditation. A small or new firm with a thinner reputation gets a great deal of value from it. The market subsidy moves in the right direction. What does not always flow in the right direction is the cost of the assessment — which falls on the same firms that need it most. That tension is worth thinking about properly.
Where I think the next chapter is harder
The next chapter is harder for three reasons.
First, the customer base is more sophisticated than it was, and is starting to ask questions that the methodology guides do not yet answer. "Does your team test the AI components of our stack the way they test the conventional components?" is one. "How do you treat the supply-chain artefacts in your scope?" is another. "Can you evidence what you found, not just what you tested?" is a third. The standards body is going to have to address these in writing, not just in conversation.
Second, the European regulatory direction of travel — NIS2, DORA, the UK's own Cyber Security and Resilience Bill — increasingly treats penetration testing as a regulated activity rather than a discretionary one. The standards body that was nice to have ten years ago is becoming infrastructure. Infrastructure has a different obligation to its users.
Third, the labour market is tighter and noisier than it used to be. Firms are recruiting from a smaller pool of credentialled testers, and several of the larger non-CREST players are running their own training programmes. CREST is now in a competition for talent that did not exist five years ago, and the credential has to remain worth more than the alternatives.
Why I have stayed in the seat
I have stayed because the work is unfashionable in the right way. The bits of an industry that matter most are usually the bits no one writes about — the methodology committee, the standards review, the disciplinary panel — and they are the bits that determine what the rest of the industry can do.
If I retire from this work having helped the methodology age better than it would otherwise have done, that will be enough. The accreditation is a means. The practice it supports is the thing.
That is the seat. That is the work.