Understanding the CREST Penetration Testing Maturity Model


Penetration testing, or pen testing, is a critical component of any organisation’s cyber security strategy, because it identifies vulnerabilities that attackers could exploit before they do. However, simply running a pen test is not enough.

Organisations need to ensure that their pen testing strategy, methodology and programme are mature and effective, so that the tests they commission actually find and address the vulnerabilities that matter. This is where pen testing maturity models come in.

In this article we explore the penetration testing maturity model put forward by CREST, including its phases and steps, its benefits, and how organisations can use it to improve their pen testing programme and meet their cyber security goals.

What are maturity assessment tools or maturity models?

A maturity model is a set of guidelines for assessing and improving an organisation’s processes and capabilities in a specific domain. It typically defines a series of maturity levels, each with its own attributes, best practices and performance metrics. Such models are structured frameworks that provide benchmarks an organisation can use to measure its current maturity in a particular domain or service and identify areas for improvement.


What is a penetration testing maturity model?

A pen testing maturity model is a framework that helps organisations measure and improve the effectiveness of their pen testing programme. It consists of several levels, each representing a stage in the development of the organisation’s pen testing capability.

By assessing itself against the model, an organisation can determine its current maturity level and create a roadmap for improving its pen testing capability over time. This helps reduce the risk of successful cyber attacks, improves security, and strengthens overall organisational cyber resilience.

CREST penetration testing programme

Many organisations do not know how effective their penetration testing programme is in practice. One of the best ways to help determine the effectiveness and value of a penetration testing programme is to measure the maturity levels of your penetration testing programme in terms of the:

  • People, processes, technology and information.
  • Requirements, testing and follow-up.

Different types of organisations will require different maturity levels for their penetration testing programme. For example, a small company operating in the retail business will not have the same requirement – or ability – to carry out penetration tests in the same way as a major corporate organisation in the finance sector – or a government department.


CREST pentesting management guide and maturity model

The CREST penetration testing maturity assessment is a three-phase model, with each phase broken down into a number of steps that are assessed individually. The three phases are:

  1. Preparation
  2. Testing
  3. Follow-up

This section discusses each of these phases and the steps within them.

1. Preparation

The first phase in the CREST pen testing maturity model is preparation. This phase covers everything the organisation commissioning the test needs to have in place before a penetration test can be scoped, procured and delivered effectively.

This phase is divided into seven steps, which are as follows:

Maintain a technical security assurance framework

This step involves establishing and maintaining a standard for technical security assurance. It includes the policies, procedures and guidelines that govern how penetration tests are commissioned and conducted.

Establish a Penetration Testing governance structure

Establishing a governance structure for the pen testing programme, including roles and responsibilities, policies and procedures, and communication plans, is essential. The governance structure should also include a process for managing the issues and incidents that testing identifies.

Evaluate drivers for conducting penetration tests

This involves determining the drivers for carrying out penetration tests, such as compliance requirements, customer requirements, and/or internal risk management objectives. Understanding the drivers for conducting penetration tests is critical for defining the scope and objectives of a penetration test.

Identify target environments

This involves determining the target scope for the test. This could include production environments, test or development environments. It is important to choose the appropriate environments so that the assessment can be conducted safely and effectively; for example, testing a production system carries a higher risk of disruption, while a non-production copy may not reflect the live configuration.

Define the purpose of the penetration tests

This step defines what the test is for: identifying flaws and potential attack paths, validating the effectiveness of existing security controls, or both. The stated purpose guides the rest of the preparation and testing phases.

Produce requirements specifications

This step determines what should be included in the scope of testing. This involves deciding the critical assets to be tested, the target maturity level of the programme, the testing methodologies to be used, and the expected deliverables from the testing programme.

Select suitable suppliers

This involves selecting suitable suppliers for the penetration testing programme, whether external third-party providers or internal resources. The selection process should consider factors such as accreditation, experience, relevant expertise and availability.

2. Testing

The testing phase covers the execution of the penetration test itself. It involves the following steps:

Agree testing style and type

Before conducting a penetration test, it is important to agree on the testing style and type that will be used. This involves considering factors such as the organisation’s cyber security goals, the nature and criticality of the systems and networks being tested, and the potential impact of a successful attack or data breach. Testing styles include black box (no prior knowledge), grey box (partial knowledge, such as user credentials) and white box (full knowledge, including source code or configuration).

Identify testing constraints

It is important to identify any constraints that may affect the scope or methodology of the test, such as regulatory compliance requirements, operational limitations (for example, systems that cannot be tested during business hours) or resource limitations. Identifying these constraints up front helps ensure that the test is appropriately scoped and focused on the organisation’s security requirements.

Produce scope statements

This step ensures that the test is appropriately scoped and targeted at the organisation’s specific security needs. It is important to produce well-defined scope statements that list the systems, networks or applications to be tested, the testing goals and objectives, and anything explicitly excluded.

Establish a management assurance framework

To ensure that the penetration testing programme is conducted effectively and consistently across the organisation, a management assurance framework is needed that defines roles and responsibilities and provides oversight, support and accountability for the whole testing activity.

Implement management control processes

Such processes ensure that the test is conducted in accordance with the agreed assurance framework. They should include procedures for quality assurance, risk management, change control and incident response, including what to do if testing causes an outage or uncovers evidence of a real compromise.

Use an effective testing methodology

An effective and well-defined testing methodology should be used so that the test is conducted in a structured and systematic manner. The methodology should cover all the essential pen testing steps: reconnaissance, enumeration, vulnerability analysis, exploitation, and evidence collection for reporting.

Conduct sufficient research and planning

Before starting the test, sufficient research and planning should be done to ensure that it is properly scoped and focused on the organisation’s specific cyber security needs and requirements. This includes gathering information on the in-scope systems, networks or applications, identifying potential attack vectors, and determining the appropriate testing techniques.

Identify and exploit vulnerabilities

During the test itself, the pen testing team identifies and, within the agreed scope and constraints, exploits flaws in the target systems, networks or applications to demonstrate their real impact. This involves a variety of testing techniques and tools to assess and exploit vulnerabilities, such as injection flaws, flawed business and application logic, and buffer overflows.

Report key findings

Once the test is complete, the pen testing team should produce a comprehensive report that describes the key findings, their severity and the evidence behind them, and gives recommendations for mitigating and addressing each identified vulnerability. The report is then presented to stakeholders and subject matter experts.

3. Follow-up

The final phase of the model is follow-up, which concludes the exercise and covers remediation, mitigation and revalidation. This phase includes the following steps:

Remediate weaknesses

The vulnerabilities identified during the test must now be dealt with. The IT and development teams fix them and ensure that appropriate security controls are in place to protect against similar attacks in the future. Fixes should be retested to confirm that they are effective.

Address the root causes of weaknesses

This phase helps assess the root cause of the vulnerabilities rather than just addressing the findings themselves. This helps prevent the same vulnerabilities from reappearing in the future.

Initiate improvement programme

Initiating the improvement program is based on the lessons that are learned from the activity. The improvement program should focus on improving the organisation’s overall information security posture rather than just dealing with and fixing the vulnerabilities.

Evaluate penetration testing effectiveness

This phase is responsible for evaluating the effectiveness of the penetration testing programme to assess areas for improvement. This evaluation should take into account the factors such as the scope and objectives of the pentesting exercise, the methodologies used, and the evidence gathered.

Build on lessons learned

Building on the lessons learned from the pen testing activity is important to improve the organisation’s security posture continuously. This encompasses implementing changes to policies and procedures and implementing necessary security controls based on the identified vulnerabilities and their root causes.

Create and monitor action plans

Creating action plans to address the discovered vulnerabilities and root causes and monitoring progress helps ensure the necessary changes are being implemented.


The CREST maturity model is a comprehensive framework for organisations to develop and mature their pen testing capability and methodology. It is designed to help organisations move beyond ad hoc pen testing and establish a more strategic and mature approach to security assessments.

By following this maturity assessment guide, organisations can establish a strong foundation for their penetration testing services and ensure they align with their overall information security objectives.

Do you undergo annual assessments or seek continuous security validation? If not, it should be on your security checklist. You can get in touch to discuss your concerns or schedule an assessment with our team. 


