Streamline your cloud experience and maximise your cloud investment with Microsoft Azure-aligned public cloud services.
Host all of your workloads in the most appropriate location while experiencing the simplicity of one cloud from Six Degrees.
Enhance your cyber security and safeguard your organisation with our cyber security strategy and advisory, consultancy, and managed services.
Connect your business through a comprehensive connectivity portfolio delivered via our owned and operated core Next Generation Network (NGN).
Access the smarter, faster technology needed to make the most of your hybrid working future.
Streamline your hosting with comprehensive colocation services delivered from three UK data centres.
Gain clarity and control of your 5G estate, ensuring ongoing cost efficiencies are managed on your behalf through our managed service.
Gain confidence in your cloud direction and achieve accelerated time to value through our assured and optimised cloud services.
Master today’s complex threat landscape and protect your business with our intelligence-led security services.
Videos and webinars are a great way to digest the latest technology insights.
Our eBooks and whitepapers provide in-depth insights from our experts.
Our thought leaders publish regular blogs on up-to-the-minute topics.
Learn all about the latest news from Six Degrees as we continue to evolve.
We host regular in-person and virtual events for our clients.
Learn how we enable our clients to achieve more; providing superior secure solutions, powered by our passionate people.
We are proud to partner with many of the world’s leading vendors, enabling you to leverage our continual investment in difference-making technology.
Learn how CNS at Six Degrees delivers intelligence-led security services that protect organisations in today’s hostile landscape.
We are committed to operating in an environmentally and socially conscious way. Learn more about our commitments as a business.
We are proud of our secure cloud credentials. Learn why we’re one of the most highly accredited providers in the UK.
We are a friendly and passionate bunch here. Whether you want to work with us or for us, we think you’ll enjoy the Six Degrees experience.
Home » Blogs » The Real Value of Credentials and Accreditations in Penetration Testing
Penetration testing – otherwise known as pen testing or ethical hacking – has become mainstay of cyber security measures for many organisations. If your infrastructure or data can be breached, you want to know about it before someone with malign intentions lets you know in a disruptive or even catastrophic way. The pen testing sector is booming – there are many different providers eager to help you test out whether your security is up to the job of withstanding today’s cybercrime threats.
Pen testing is no different from any other service you need for your business, in that you’re looking for a trustworthy, reliable and high-quality provider who can deliver what you want within the budget available. Plenty of companies will likely seem to fit the bill. But the big difference is the level of risk in actively encouraging a third party to hack your systems and get inside your data, apps, hardware and business-critical technology tools.
There are myriad offshore testing firms who claim to deliver what looks like incredible value on paper. And it’s no surprise that they can be competitively priced, with lower wage costs and expenses in overseas markets. Wherever they’re based, you need to know who you’re trusting with access to your critical systems.
If your pen testing team is made up of crowdsourced freelancers, it’s inevitably harder to tell whether they are trustworthy and genuine. We’re aware of specialist pen testing firms who have recently had to scale back their activities because of their reliance on Russian testers. In the current political climate, that’s a no-no in terms of cyber security risk for many US and west European firms.
One way to find out who’s talking the talk and who’s actually walking the walk too is to scrutinise your shortlisted pen testing providers’ credentials and certifications. Anyone can throw a list of acronyms and logos at you; it’s well worth making sure you understand exactly what they mean, who issues them and what kind of assurance they provide. Not all certifications and accreditations are equal, in penetration testing or in any other sector or specialism! The quality is far more important than the quantity in this instance.
For penetration testing in the UK market, there are five widely recognised marks of authority to look out for. Look for accreditation for the organisation as well as certification of individual testers.
The NCSC is the National Cyber Security Centre, a UK Government organisation that provides advice and support for the public and private sector in how to avoid computer security threats. CHECK is NCSC’s scheme that approves companies and their methodologies to conduct authorised penetration tests of public sector and CNI (critical national infrastructure) systems and networks. Accreditation is reviewed every year to make sure firms keep up their qualifications and practices. CHECK assures a standard of reporting that will make sense as well as the quality and rigour of pen testing work. It includes overseeing and scoping the testing as well as delivering it. You can search for a CHECK accredited service provider on the organisation’s website.
To qualify for the NCSC CHECK scheme, firms need to employ individuals who hold at least one of two qualifications. One of these is CREST Certified level in penetration testing, which sets a benchmark for senior professionals. CREST is an international not-for-profit membership body that represents the global cyber security industry. You can verify a practitioner’s digital CREST exam certificate on the CREST website.
The Cyber Scheme Team Leader (CSTL) certification is the other qualification accredited and recognised by NCSC. At Six Degrees, we actively ensure that our team includes a mix of specialists who are certificated by Cyber Scheme and CREST, because the qualifications are slightly different, so this gives us the best range of penetration testing skills and capabilities. We are active sponsors of Cyber Scheme – we contribute to their levels of testing and provide information to help keep the certification current and relevant to the real world and industry.
As well as being a certification body for individual practitioners, CREST accredits organisations that offer penetration testing services. Firms that are members of CREST must maintain a certain number of certifications in their team, representing a high level of cyber security qualification. They also have to meet compliance standards for their own internal business, including quality standards like the ISO 27000 family and Cyber Essentials. They must also hold a high level of liability insurance.
IASME Consortium is the governing body and deliverer of Cyber Essentials – a security standard in the UK that is generally required by government organisations. It sets out minimum measures for confidentiality, vetting, qualification, insurance and processes to deal with sensitive data and technology.
UK Government security clearance is also a valuable trust mark. Organisations need it to qualify for the NCSC CHECK and CREST accreditations. Security clearance includes background checks on individual testers, to confirm that they are trustworthy and have a clean reputation.
There are many other niche and specialist qualifications and certifications in the complex field of penetration testing. Don’t take anything at face value though. If a provider offers a list of credentials that you’re not familiar with, look them up and find out about the issuing body and the process of testing or certificating – satisfy yourself that you’re looking at rigorous and genuine standards in pen testing.
Six Degrees’ Penetration Testing services are NCSC and CREST accredited. We only use certificated, qualified and experienced in-house testers, who deliver expert manual pen testing alongside automated vulnerability scanning. We have an exceptional track record of helping clients to optimise their cyber security through effective penetration testing. Get in touch if you’d like to find out more about our reputation and how we can support you.
Andy Swift is Technical Director of Offensive Security at Six Degrees. At Six Degrees, we’ve been helping organisations confront cyber security challenges for over 15 years. While cyber threats are always developing, our experience and industry presence are testament to our ability to stay ahead of emerging threats.
A realistic approach to the challenges and benefits…
Our Cyber Security Practice Director Chris Cooper talks…
The metaverse is the latest shiny thing that…
More information on our Privacy and Cookies Policy can be found here: https://www.6dg.co.uk/privacy-cookies/. You can update how we contact you in the future by visiting our Communications Preference Centre here: https://www.6dg.co.uk/preference-centre/.
