If you are paying somewhere between $30,000 and $120,000 for a penetration test, you should know exactly what a CREST-aligned engagement is supposed to deliver. Most buyers do not. Most vendors, quietly, are counting on that.
We have re-tested environments that passed a “CREST-aligned” pentest six weeks earlier and found seventeen unauthenticated SQL injections, a domain-wide Kerberos delegation issue, and an S3 bucket leaking customer PII. The original report was sixty pages long, beautifully formatted, and effectively fictional.
This article is a working buyer’s guide. It explains what CREST actually requires, where vendors cut corners without technically lying on the statement of work, and what questions to ask before you sign.
What CREST actually is
CREST — the Council of Registered Ethical Security Testers — is an international accreditation body that certifies both individual testers (CRT, CCT, CCSAM) and the companies that employ them. Its real value is not the logo on the cover page. It is the audit trail: CREST-accredited firms must demonstrate consistent methodology, documented evidence collection, peer review, and insurance.
A CREST-aligned engagement should therefore include at minimum the following, and in this order.
1. A scoped rules-of-engagement document
Targets, IPs, domains, excluded systems, testing windows, emergency contacts, legal authorization, and data-handling provisions. If your SOW has none of this, it is not a pentest — it is a vulnerability scan with better marketing.
2. Reconnaissance and attack-surface mapping
For an external engagement, this means OSINT on your subdomains, cloud footprint, exposed services, leaked credentials, and public code repositories. For an internal engagement, this means an adversary-emulation approach that starts from a pre-defined foothold (assumed-breach) rather than a network port scan.
3. Authenticated testing, not just surface scanning
This is the most common corner-cutting point. A cheap pentest looks at your login page from the outside. A real pentest gets credentials in every role that matters — customer, admin, support, partner — and tests each one against the business logic underneath.
4. Manual testing beyond automated tool output
Every serious tester uses Burp Suite Pro, Nessus, Nuclei, and a dozen other tools. The question is what they do with the findings after the scanner’s job ends. Business-logic flaws, IDOR chains, multi-step privilege escalations, race conditions, and authentication edge cases are never found by a tool alone. They are the reason a human pentest costs real money.
5. Exploitation and proof-of-impact
A finding described as "possible SQL injection on /api/search" is not a finding. A finding described as "unauthenticated SQL injection on /api/search permitting full read of the production database, evidenced by the row count and column names of the customers table and a redacted sample of two rows, included as Appendix C" is a finding. CREST expects the latter. Note the shape of the evidence: enough to prove the impact beyond argument, and no more. A tester who dumps customer PII into a report to make a point has created a second incident, and the data-handling provisions in your rules of engagement should say exactly how much extraction is permitted and where the evidence lives afterwards.
6. Chained attack paths
Real attackers do not treat vulnerabilities as a list. They chain them. A senior pentest report should tell you the two or three shortest paths from the internet to your most sensitive data, using the findings you have, as a story — not as a spreadsheet.
7. Risk-rated, reproducible, remediation-ready reporting
Each finding should include: CVSS v3.1 scoring with the full vector string (so you can recompute the score yourself and catch inflated or deflated ratings), affected scope, steps to reproduce (copy-pasteable), screenshots or request/response captures as evidence, business impact in plain English, and remediation guidance specific to your stack, not a copy-paste from OWASP.
8. A retest included in scope
Any credible CREST-aligned firm will include a free retest of remediated findings within sixty to ninety days. Vendors who refuse this or charge a second full fee are betting you will not come back.
9. An executive debrief separate from the technical walkthrough
Your CFO does not need to hear about XSS payloads. Your developers do not need to sit through a board-level risk narrative. A serious firm delivers both, separately.
What most vendors quietly skip
In order of how often we have seen it:
- No authenticated testing. The SOW says “web application penetration test” but no credentials were ever provisioned. Always specify role coverage in writing.
- No business-logic testing. Scanners do not find IDOR on /api/v1/orders/:id, because every response they see is a well-formed 200 and they have no model of which user is supposed to own which record. Humans with two sets of credentials do. Ask for examples in the vendor's previous reports, redacted.
- No retest included. Cheap sign of a commodity engagement. Push back.
- Reports generated by a scanner wrapper. You can tell: findings have canned descriptions, no environment-specific evidence, and no exploitation.
- Junior testers on senior engagements. Ask who specifically will perform the work, their certifications (CCT, OSCP, OSWE, GPEN), and their years of experience in your vertical.
- No attack-chain narrative. If the report is just a CVSS-sorted table, you are not getting senior thinking.
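What "authenticated testing in every role" (point 3 above) and the IDOR bullet actually look like in practice is a tester writing down the expected access policy and then exercising every provisioned session against every record and action, diffing observed against expected. The block below is an added example, not code from this article or from any vendor: it models a hypothetical /api/v1/orders/:id with an in-memory store, one pair of handlers that are authenticated but never check ownership or role (the IDOR and the vertical escalation a scanner reports as "200 OK"), one hardened pair, and a probe that returns both leaks and over-restrictive denials. Roles, users and order data are constructed for illustration.

```python
"""Cross-user and cross-role access probe for a hypothetical orders API.
Added example with constructed data; nothing here is a real endpoint."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "customer", "support" or "admin" (hypothetical roles)


class Forbidden(Exception):
    """Raised by a handler that refuses the request (a 403 in the real API)."""


# Constructed sample data standing in for the orders table.
ORDERS = {
    1001: {"owner": "alice", "total": 120.00},
    1002: {"owner": "bob",   "total": 48.50},
    1003: {"owner": "carol", "total": 999.99},
}

# One provisioned credential set per role that matters, plus a second
# customer so horizontal access can be tested at all.
SESSIONS = [
    Session("alice", "customer"),
    Session("bob", "customer"),
    Session("sam", "support"),
    Session("root", "admin"),
]


def expected(action: str, session: Session, order: dict) -> bool:
    """Access policy as agreed at scoping: customers read and refund only
    their own orders, support may read any order but never refund, admins
    may do both. This is the tester's oracle, written before testing."""
    if session.role == "admin":
        return True
    if session.role == "support":
        return action == "read"
    return order["owner"] == session.user_id


# Vulnerable handlers: a session is required (the request is authenticated),
# but nothing ties the caller to the record or checks the role.
def vulnerable_read(session: Session, order_id: int) -> dict:
    return dict(ORDERS[order_id])


def vulnerable_refund(session: Session, order_id: int) -> dict:
    return {**ORDERS[order_id], "refunded": True}


# Hardened handlers: object-level and role checks on every request.
def hardened_read(session: Session, order_id: int) -> dict:
    order = ORDERS[order_id]
    if session.role in ("admin", "support") or order["owner"] == session.user_id:
        return dict(order)
    raise Forbidden(f"{session.user_id} may not read order {order_id}")


def hardened_refund(session: Session, order_id: int) -> dict:
    order = ORDERS[order_id]
    if session.role == "admin" or order["owner"] == session.user_id:
        return {**order, "refunded": True}
    raise Forbidden(f"{session.user_id} may not refund order {order_id}")


def probe(handlers: dict, sessions=SESSIONS, order_ids=tuple(ORDERS)):
    """Exercise every (session, action, order) triple.

    Returns (leaks, over_blocks): leaks are requests the server allowed but
    the policy forbids (the findings); over_blocks are requests the policy
    allows but the server refused (broken functionality, also worth
    reporting because it is what the fix will introduce if done carelessly).
    """
    leaks, over_blocks = [], []
    for session in sessions:
        for action, handler in handlers.items():
            for oid in order_ids:
                should = expected(action, session, ORDERS[oid])
                try:
                    handler(session, oid)
                    allowed = True
                except Forbidden:
                    allowed = False
                if allowed and not should:
                    leaks.append((session.user_id, action, oid))
                elif should and not allowed:
                    over_blocks.append((session.user_id, action, oid))
    return leaks, over_blocks


if __name__ == "__main__":
    leaks, blocked = probe({"read": vulnerable_read, "refund": vulnerable_refund})
    for user, action, oid in leaks:
        print(f"LEAK: {user} can {action} order {oid} owned by {ORDERS[oid]['owner']}")
    print(f"{len(leaks)} leaks, {len(blocked)} over-blocks")
```

The useful part of this pattern is `expected`: the tester has to get the business rules in writing before the probe means anything, which is exactly the scoping conversation a commodity engagement skips. Against a real API the handlers become HTTP calls carrying each session's token, and a non-403 on a record the policy forbids is the evidence that goes in the report.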
Seven questions to ask before you sign
- Who, specifically by name and certification, will perform this engagement?
- What is the ratio of automated to manual testing effort, in hours?
- How many credential sets will you require, and which roles do they cover?
- Can I see a redacted report for a comparable engagement?
- Is retest included in the fee, and for how long?
- What happens if you find a critical issue during testing? What is your disclosure and escalation process within the engagement, and who on my side is called, and how quickly?
- Are you insured for professional indemnity, and at what level?
What a fair price looks like
Rough public-market ranges for 2026, in US dollars, assuming a reputable CREST-aligned team:
- External network pentest, 20–50 live hosts: $18,000–$35,000.
- Web application pentest, one medium-complexity app with three roles: $22,000–$45,000.
- Web + API combined, enterprise SaaS: $40,000–$85,000.
- Internal / assumed-breach, 500–2000 endpoints: $35,000–$75,000.
- Red team, objective-based, three-to-six weeks: $80,000–$200,000.
Below these ranges, you are almost always paying for a scanner and a report template. Well above them, you should expect deliverables that justify the premium — typically bespoke tooling, multi-week timelines, and an engagement manager separate from the lead tester.
A final word
Penetration testing is one of the few line items in a security budget where the cheapest vendor is almost never the best value. A $22,000 commodity pentest that misses the authenticated SQL injection on your billing endpoint is not cheaper than a $55,000 engagement that finds it. It is many multiples more expensive — you just pay the difference in the next breach.
If you want a second opinion on a SOW you have already received, or a scoping conversation before issuing an RFP, start here. We will read the document with you and tell you, honestly, whether it is worth signing.
