What CREST-Accredited Penetration Testing Actually Looks Like
The last time one of our clients ran a pen test before working with us, they received a 90-page PDF on a Friday afternoon. It was colour-coded by CVSS score. The highest-severity findings were three theoretical TLS downgrade attacks against internal endpoints no external user could reach. The critical infrastructure exposure that was actually causing the CISO to lose sleep was rated medium, buried on page 74, and described in three sentences with no proof-of-concept evidence and no remediation guidance.
That report cost $12,000 and was produced in four days. It satisfied the procurement checkbox that said "annual penetration test completed." It did not tell the client anything useful about their actual risk.
I am not picking on the firm that produced it. I am describing a pattern. When organisations buy penetration testing on price and turnaround time, that is often what they get: a technically accurate document that maps to no one's business risk, scoped to maximise coverage breadth rather than depth on what matters, and written to justify its own existence rather than to drive remediation.
CREST accreditation exists, in part, to address this. But it is worth being precise about what CREST actually requires, because the certification gets used loosely in sales material.
What CREST Accreditation Actually Requires
CREST is an international not-for-profit that sets professional and methodological standards for penetration testing, incident response, threat intelligence, and related security services. To carry CREST approval as a company, a firm must demonstrate that its practitioners hold recognised qualifications — including CREST's own examinations, which are technically rigorous — that engagements are scoped and delivered against a documented methodology, and that the firm operates under enforceable professional conduct standards.
Cyberlinx holds CREST ANZ membership for penetration testing, operating under the same framework applied across the UK, US, Singapore, Hong Kong, and Europe.
What this means for a client: you are engaging a firm that has had its people and processes independently assessed. What CREST does not guarantee: that findings will be prioritised correctly for your business. That is a judgement call made by the practitioner, and it requires genuine experience with what actually matters in the client's sector, technology stack, and threat environment.
What a CREST Engagement Looks Like From the Client's Side
A properly structured engagement follows a clear sequence. The scoping conversation establishes what is in scope, the rules of engagement, the client's key concerns, and what success looks like. Discovery involves active reconnaissance of the target environment — identifying exposed services, attack surface, and potential entry points without triggering defensive responses. Exploitation involves targeted testing of identified weaknesses, with the objective of understanding what an attacker could actually achieve. Reporting translates findings into language the organisation can act on. Re-testing confirms that fixes have been applied correctly.
The difference between a good and a poor engagement typically shows up at two points: the scoping conversation and the report. A scoping conversation that does not ask about the client's business context, their threat model, or which systems matter most will produce a test scoped for breadth rather than relevance. A report that presents findings as a raw list ranked by CVSS score has optimised for technical completeness at the expense of business usefulness.
Why Business-Risk Mapping Matters More Than Raw CVSS
When Infomedia engaged Cyberlinx to conduct a penetration test across their external-facing systems, internal network, and wireless infrastructure, the brief was clear: they wanted findings prioritised by business impact, not raw severity scoring. The team worked directly with Infomedia's product owners throughout the engagement to understand which systems processed the most sensitive data, which vulnerabilities would have the greatest operational consequences, and which findings needed board visibility immediately.
The result was an integrated, prioritised remediation roadmap that product owners could action straight away. As Hamed Sehat, Manager of Cyber Security Governance, Risk and Compliance at Infomedia, put it: "The team was laser-focused on finding vulnerabilities that would have business impact, rather than just typical technical vulnerabilities. They worked closely with our product owners and the outcome was what I wanted — an integrated, business-benefiting approach."
That distinction matters most when findings land on desks outside the security team. A CTO explaining findings to the board should not need a CVSS glossary. A product manager receiving a remediation ticket should not need to guess whether a medium-severity finding deserves priority over a feature backlog.
What to Look for in the Report You Receive
A useful penetration test report contains:
- An executive summary that non-practitioners can read and act on without a security background
- Findings with explicit business impact statements — not just a description of the vulnerability, but what happens to the business if it is exploited
- Proof-of-concept evidence for significant findings, not just a theoretical description that a vulnerability exists
- Remediation guidance that is specific and actionable, not a generic reference to a framework control
- A re-test commitment so you can confirm that fixes were applied correctly before the next audit or assessment
A report that does not contain all five of these is not a complete penetration test deliverable. It is a vulnerability enumeration with some context added.
Common Mistakes When Buying on Price
Turnaround time is the clearest indicator of a low-quality engagement. A comprehensive external and internal network penetration test cannot be completed thoroughly in four days. If the report arrives that quickly, something was not tested.
Volume of findings is another misleading signal. A 90-page report with 47 findings is not inherently more valuable than a 30-page report with 15 prioritised findings and detailed remediation guidance for each. Most security teams have capacity to remediate a fixed number of findings per quarter. The relevant question is whether those findings are the right ones — the ones that would actually cause business damage if exploited — not whether the report looks thorough.
Finally, price alone drives commodity behaviour. When a firm competes solely on cost, the margin pressure lands somewhere: on testing time, on seniority of the practitioner, or on the depth of the report. None of those trade-offs works in the client's favour.
Where to Start
If you have never had a penetration test, or if you have had tests that produced reports you could not act on, a scoping conversation is the right first step. That conversation should cover: what environment is in scope, what your team's key concerns are, what you want to do with the findings, and what format and level of technical depth the report should target. If a firm offers you a fixed-price test without asking those questions, that is what you will get.
Cyberlinx is CREST ANZ-accredited for penetration testing and conducts engagements across network, application, API, cloud, and AI systems. To discuss scope, contact us at info@cyberlinx.com.au.
Related Articles







