by peter


Defensible Penetration Test

Penetration Testing is word soup. It has been bastardized over the years by project managers, business management, our own cyber security industry and many others. We are in a world where Penetration Testing is expressed as any of the following:

  • PEN testing
  • pentesting
  • VAPT

Penetration testing has existed as a cyber security assurance activity since the mid-1990s, but it still lacks a clear definition today. As a term, Penetration Testing is sadly very much misunderstood. For people outside of the Cyber and Information Security domains, phrases such as security auditing, penetration testing, vulnerability analysis, ethical hacking and red teaming all mean the same thing. Yet for us within the industry, they mean very different things.

In this article, we provide support to the CREST work into Defensible Penetration Testing by turning penetration testing into a clearly defined, defensible term that can be used accurately.

CREST has worked alongside industry-recognised and peer-selected subject matter experts to define a minimum set of expectations associated with a penetration test. However, as CREST does not own the right to define what a penetration test is, it has chosen instead to focus on producing a specification for a CREST Penetration Test, which CREST has termed the “CREST Defensible Penetration Test”.

Defensible Penetration Testing

According to CREST:

“A CREST Defensible Penetration Test is designed to provide a commercially defensible assurance activity that is appropriately scoped, appropriately executed, and appropriately signed off.

Requesting a CREST Defensible Penetration Test could be used as an indicator of undertaking diligent and commercially reasonable cyber security procurement activity.”

We have already realigned our testing methodology to this specification.

What does this change?

A CREST Defensible Penetration Test has three separate phases. These are distinct from our penetration testing methodology and are designed to reflect specific outputs that form the test specification.


The scoping phase is essential for ensuring that the CREST Defensible Penetration Test (CDPT) aligns with the assurance goals and objectives of the buyer. The scoping phase must present guidance on the full attack surface that is relevant to the application, system or environment that is to be assessed. Scoping must be undertaken by a suitably skilled individual who has signed the CREST Code of Conduct.

Penetration Testing

The penetration testing phase must be conducted in accordance with the CREST Defensible Penetration Tester’s Accredited methodology. It must be conducted by a suitably skilled individual who has signed the CREST Code of Conduct.

Test Signoff

The sign off phase must be undertaken by a suitably skilled or qualified individual, or by a company officer. This phase is a formal attestation that the CREST Defensible Penetration Test was conducted in accordance with the Penetration Tester methodology, and that the assessment was delivered against the agreed scope.

CDPT Scoping and Scope of Work

The scope of work will be appropriate to meet the assurance requirements that have been defined by the contracting organisation or by their project. We will engage with the client to define the scope of work that achieves their assurance requirements.


The delivery of the CREST Defensible Penetration Test will be conducted in accordance with our penetration testing methodology that was approved as part of our CREST accreditation process. Our team will ensure that clients are informed about our penetration testing methodology during our pre-engagement activities.

The delivery phase will cover all elements highlighted within the scoping phase. If any constraints are identified that prevent the full scope from being addressed, these will be formally documented and included as part of the report write up and sign-off processes.


The sign-off phase provides a formal attestation that the CREST Defensible Penetration Test was conducted in accordance with our penetration testing methodology. It also confirms that the assessment addressed all elements identified during the scoping phase. If there were constraints identified within the delivery phase, then these will have been formally documented in the sign-off process. If it is felt that the constraints present a significant risk to the integrity of the engagement, these are formally described and presented during the sign-off.