Research Reports & Position Papers

Global Intelligence Led Penetration Test Frameworks – The global proliferation of Intelligence Led Penetration Testing (ILPT) frameworks across all industry verticals since 2014 has seen massive increases in regulatory understanding of common vulnerabilities in organisational cyber resilience. This paper identifies common themes for Tier 1 firms and provides suggestions on how ILPT frameworks might be improved, along with indicators as to how they are perceived by customers and delivery consultants.

Cyber Threat Intelligence in a business context – The CREST Threat Intelligence Professionals (CTIPs) group has released a guide to finding the right Cyber Threat Intelligence (CTI) partner for different businesses. The free guide helps organisations to get the most out of CTI to better meet their security challenges, minimise the impact of cyber-attacks and maximise the return on investment.

Neurodiversity in the Technical Security Workplace – CREST’s most recent research has indicated that more needs to be done to attract and develop neurodiverse people in the technical security industry.  We must have workplace environments and culture that enable their fundamental needs to be met. The report looks at recommendations and actions to support this effort.

Exploring the Gender Gap in cyber security – CREST’s latest report on this topic looks at any progress that has been made and, more importantly, questions what still needs to be done to improve the diversity balance in the cyber security industry.

Physical Disability: Addressing the accessibility challenges faced in a technical security career – This report published by CREST highlights the issues faced by physically disabled people wanting to work in cyber security. It also highlights what the industry needs to do to attract more physically disabled people in order to help fill the acute shortage of skills.

Stress and Burnout in the cyber security industry – This report published by CREST looks for solutions to the increasing problems of stress and burnout among many cyber security professionals, often working remotely in high-pressure and under-resourced environments.

Bug Bounties – Working Towards a Fairer and Safer Marketplace – With rapid growth in the bug bounty marketplace, the CREST Bug Bounties Report explores good and bad practice to establish how to better understand bug bounty programmes and how they fit into the wider technical assurance framework. It also highlights the need to provide advice to buyers of bug bounty services and protect the interests.

Autism and the technical security industry – The technical security industry needs to develop the skills of its workforce to combat new threats and encourage new talent into the industry. The industry values some of the attributes associated with autism and already employs people formally on the Spectrum. However, young autistic people do not always realise that the technical security industry exists, nor are they always aware of the career opportunities it presents. CREST’s report looks at the background and opportunities.

CREST and NCA Cyber Crime Report – CREST member companies met the National Crime Agency’s National Cyber Crime Unit (NCA NCCU) to assist in their efforts to prevent young people being tempted to participate in illegal online activities. The discussion paper is now available.

Industrial Control Systems Technical Security Assurance – This Position Paper presents the findings from a CREST project on the Technical Security Assurance of Industrial Control Systems (ICS). It is based on detailed research and includes insights, commentary and analysis garnered from subject matter experts through: requirements and validation workshops held at CREST member facilities; desktop review of published literature on ICS security; and ICS security testing.

Closing the Gender Gap in Cyber Security – CREST releases report exploring the reasons behind the lack of gender diversity in cyber security and looking at ways to drive change.