August 2025, Zoja Antuchevic, SolutionLab, CEO and CREST EU Council Member

How CREST Certification Stands Out in TLPT and DORA Readiness

This is the final blog in our three-part series exploring Threat-Led Penetration Testing (TLPT) under the Digital Operational Resilience Act (DORA). In our first article, we introduced the core requirements of TLPT and what financial institutions need to know to prepare. The second instalment highlighted the critical importance of choosing accredited service providers – not just as a best practice, but as a regulatory necessity under DORA.

In this final article, we examine how CREST certification specifically stands out in the landscape of TLPT, how it compares to other well-known cybersecurity qualifications, and why selecting a properly accredited partner could be the difference between confident compliance and considerable risk.

It’s worth distinguishing CREST accreditation from other well-known cybersecurity certifications like OSCP or GIAC. Many people in the industry have OSCP (Offensive Security Certified Professional) or various GIAC certifications (from the SANS Institute) – these are indeed respected individual qualifications. An OSCP holder, for example, has proven their ability to penetration test by completing a rigorous practical exam, and GIAC offers specialist certs (like GPEN for pen testing, or GCTI for threat intel) that indicate strong knowledge. However, these certifications alone do not equate to a provider being accredited or necessarily having the structured capabilities required for Threat-Led Penetration Testing (TLPT):

• Individual Cert vs Company Accreditation: OSCP/GIAC certify an individual’s skill, whereas CREST accredits both individuals and the service provider organisation. Having team members with OSCP or GIAC is a plus, but when you hire a firm to do a TLPT, you need confidence in the firm’s overall process, governance, and track record – not just one or two star employees. CREST accreditation addresses this by auditing the company’s policies, data security, and quality assurance processes in delivering testing services. In contrast, two different OSCP-certified freelancers might conduct tests in completely different ways; the certification doesn’t enforce a consistent standard or methodology across an engagement.
• Scope of Skills (Threat Intel and Red Teaming): OSCP is mainly focused on network/web penetration testing techniques and exploiting vulnerabilities. GIAC offers a wider range of certs (including some red teaming and threat intel ones), but each is siloed to a specific domain of knowledge. CREST, through its programs like CREST STAR (Simulated Targeted Attack & Response) and threat intelligence certifications, ensures that accredited providers can integrate threat intelligence with Red Team operations effectively. Essentially, CREST ties the pieces together – its accredited companies have demonstrated they can perform intelligence-led attacks (not just hack systems in a vacuum). This ability to simulate realistic threat actors (as required by TLPT) is a key differentiator. Someone who holds the OSCP might be excellent at finding vulnerabilities, but not necessarily experienced in crafting attack scenarios based on specific threat actors or working under covert Red Team conditions.
• Industry Recognition and Requirements: While OSCP and GIAC are well-recognised in the cybersecurity community, they are not typically named by regulators as required qualifications for performing regulated tests. CREST and similar bodies (like the UK’s NCSC CHECK scheme, or other national accreditation programs) are often explicitly required or recommended by regulators for engagements like TLPT. For example, the European Central Bank and many national authorities encourage using frameworks aligned with CREST standards for threat-led tests. Thus, in the context of DORA compliance, citing that your TLPT provider is CREST-accredited likely carries more weight than saying “Our tester has the OSCP.” The latter speaks to an individual’s ability; the former speaks to the organisation’s overall credibility.

To be clear, OSCP, GIAC, and other certifications are great benchmarks for technical talent – and you’ll often find CREST member companies employ many OSCPs and GIAC-certified professionals. They complement each other. But what sets CREST apart is that it provides an external assurance of quality and consistency at the service delivery level, which individual certifications alone do not. In a high-level red teaming engagement governed by DORA, that external assurance is crucial.

Risks of Using Non-Accredited or Poorly Vetted Providers

Choosing the wrong provider for a TLPT isn’t just a minor inconvenience – it can introduce serious reputational, operational, and regulatory risks for a financial institution. Let’s examine these risks:

• Reputational Risk: Your institution’s reputation is on the line during a TLPT. By its nature, a TLPT might expose sensitive weaknesses or even result in notable disruptions if mishandled. An unaccredited or poorly vetted provider may lack adequate safeguards, potentially leading to a public incident (e.g. if the test accidentally takes down online services or if news leaks that customer data was accessed during the exercise). Furthermore, if word gets out in industry circles or to clients that you engaged a sub-par security firm, it could reflect poorly on your due diligence. In contrast, using a renowned, accredited firm shows stakeholders that you take cyber resilience seriously and have done your homework in hiring experts.
• Operational Risk: As discussed, an incompetent Red Team test can cause real damage. Imagine a tester triggering a major outage in core banking systems or failing to contain the test such that it impacts actual business operations. There’s also the risk of false sense of security – a less skilled team might overlook crucial vulnerabilities or not actually test your detection/response effectively, leaving you blind to real dangers. Essentially, a bad TLPT is not just wasted effort; it can actively make you less secure (either by causing incidents or by giving you an inaccurate assessment). Accredited providers significantly mitigate this risk because they follow strict procedures to prevent uncontrolled events and ensure findings are valid. They carry insurance for a reason – but ideally will never have to use it because of their professionalism. With an unvetted provider, you are taking a gamble on their operational discipline.
• Regulatory Risk: Non-compliance with DORA is a serious matter. If you choose a provider that doesn’t meet DORA’s criteria (for example, they’re not accredited/certified as required, or they lack the necessary expertise), you could fail to satisfy the TLPT requirement. Regulators could reject the test results or, worse, impose sanctions for not conducting the TLPT properly within mandated timelines. DORA empowers authorities to enforce penalties for non-compliance, just as they would for failures in other risk management obligations. At the very least, you might be required to redo the TLPT with an acceptable provider – incurring additional cost and effort. Furthermore, regulators across the EU are likely to share information about the quality of TLPT exercises; a poor report or incident in one country could attract scrutiny elsewhere. In short, skimping on provider vetting isn’t worth the risk. Using an accredited firm directly supports compliance by fulfilling the “tester requirements” that DORA set out, whereas an unaccredited firm puts you on legally thin ice.

It’s also worth noting that cybersecurity is ultimately about trust. Financial institutions are entrusting external testers with the keys to their kingdom during a TLPT (at least in a limited scope). If the provider is not well vetted, you risk that trust being broken – perhaps through data mishandling, conflicts of interest, or even malicious behaviour. While rare, there have been cases in the broader industry of “penetration testers” who turned out to be unscrupulous, causing breaches or extortion. Accredited providers are not immune to wrongdoing, but the accreditation process and community oversight make such scenarios far less likely.

In summary, choosing a credible, accredited TLPT provider greatly reduces your risk. It provides assurance that the test will be meaningful and safe, and that your organisation will emerge from the exercise with improved resilience rather than new problems. As one 2025 industry guide put it, even if some non-accredited firms can do a decent job, if you want assurance that the engagement meets recognised standards and has been properly vetted, going with an accredited provider “is best”.

Conclusion

The Digital Operational Resilience Act is raising the bar for cybersecurity in the EU financial sector, and Threat-Led Penetration Testing is a prime example of this elevated standard. By requiring TLPT, regulators are effectively asking institutions to prove their cyber resilience under fire – to show that they can withstand the kinds of sophisticated attacks that real-world adversaries might throw at them. Meeting this challenge means not only conducting TLPTs as a checkbox exercise but doing them with the right approach and partners.

For financial entities gearing up for DORA compliance, the key takeaways are clear: plan your TLPT early, budget for doing it at least every three years, and select your testing partner with extreme care. Engaging an accredited provider (ideally a CREST-accredited company with a strong track record in red teaming and threat intelligence) will provide confidence that the test is executed expertly and in line with regulatory expectations. It will also yield more reliable results that you can use to fortify your defences and demonstrate improvements to regulators and stakeholders.

TLPT, when done properly, is not just a compliance hurdle – it’s an invaluable tool for continuous improvement. It can reveal unseen vulnerabilities in your systems, processes, and people, and it can pressure-test your incident response in a way no theoretical drill can. By partnering with a top-notch, accredited red team, you gain an honest view of your cyber resilience and a roadmap to enhance it. In contrast, cutting corners with unqualified testers could leave you with a false sense of security or land you in hot water.

As a CISO or security manager, you should treat the TLPT provider selection as seriously as you would a critical technology vendor. Ask for certifications, check for CREST (or equivalent) accreditation, inquire about their experience with frameworks like TIBER-EU or CBEST, and ensure they understand DORA’s specific requirements. A good provider will be able to walk you through their methodology and how it maps to DORA’s process (preparation, testing phases, closure/purple team, etc.) and deliverables. They will also emphasise safety and clear rules of engagement to protect your production environment during the test.

At the end, TLPT under DORA is as much about building trust as it is about testing. By undergoing a threat-led penetration test, a financial institution signals to regulators, customers, and itself that it is taking cyber threats seriously and is willing to learn and improve from realistic challenges. By choosing the right accredited partner to perform that test, the institution further ensures that this trust is well placed – that the results of the TLPT will be credible and actionable.