Penetration testing providers are using CREST certifications to give customers greater confidence in the professionals delivering their testing services.
In this member article, Synack explains how it applies CREST certifications within its penetration testing delivery model, and why it has expanded the range of certifications it recognises for team members working on customer engagements.
First published on Synack.com, April 28, 2026
When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest is in your production environment and the outcome matters.
CREST exists to offer the industry a structured way to answer that question. As an international not-for-profit membership body, CREST has been setting standards for cybersecurity since 2006. More than 500 companies and thousands of individual professionals carry CREST credentials today. CREST has already been part of our SRT Pathways since we created the program three years ago, because the certification signals the rigor the Synack Red Team (SRT) looks for.
Today, we’re expanding our recognition of CREST by adding two additional CREST certifications to SRT Pathways:
They join CREST Registered Penetration Tester (CRT), which has been recognized on Pathways for years. Although CREST offers credentials across the penetration testing discipline, we optimised for certifications that best predict a tester’s performance on a live engagement. CCT INF maps to the hands-on, in-depth work our SRT does on host and infrastructure assessments, while CCT APP maps to web application testing. CRT remains a strong signal of field-ready skill across both and is the most widely held CREST exam in our community.
The SRT is the reason Synack customers get the outcomes they do. Our hand-picked global community of offensive security researchers must first pass our five-stage vetting process before ever touching a customer environment. In fact, fewer than 10% of applicants make it through. Then CREST certifications add a second, independent layer on top of that.
CCT INF and CCT APP are not easy credentials. Earning either requires substantial commitment and passing an exam specifically designed to benchmark senior practitioners against a globally recognised standard.
When a CREST-recognised researcher works on your engagement, that credential is doing something specific. It’s telling you that the person behind the test has been measured against a consistent standard and found capable. That assurance sits beneath the platform, the methodology, and the report, and it’s part of the reason why customers trust the output.
Synack has also been a CREST Accredited Member Company for Penetration Testing since 2019. That accreditation sits at the organisational level: our methodology, data handling, reporting, and the enforceable code of conduct we operate under. Company accreditation tells you Synack meets the standard, while a researcher’s certification tells you the people actually testing your environment meet it too. Together, they mean CREST’s bar applies from the contract down to the keyboard.
Trust in cybersecurity isn’t built alone. It’s the product of every provider, practitioner, and standards body adding credible signals that the industry can rely on. Recognising more CREST certifications on SRT Pathways is one way Synack contributes to that shared trust, so customers, researchers, and the wider security community all benefit from a stronger, clearer signal.
Further reading from member company Synack: