
Deciding on Penetration Testing: Understanding existing NCSC Guidance and Qualifications
Quality assurance is the conversation that matters most when you are picking a team to support your organisation with cybersecurity. All too often, teams struggle to find the right provider simply because they do not know what to ask for. Nowhere is this more important than the penetration test, where you are essentially inviting someone to attack your network, website or application and report back on what should be improved. That is an engagement you want to award on merit and trust, not on marketing.
The NCSC, as the UK's technical authority for cybersecurity, provides essential advice on how to approach penetration testing. It cuts through the marketing noise and sets clear expectations for quality assurance. This short post looks at what that guidance actually says, and why it is good guidance.
This is a good read for anyone looking to conduct a formal security test now or in the future.
NCSC Guidance: Qualified Testers Are Non-Negotiable
The NCSC is unambiguous: always make sure that the individuals conducting your test are suitably qualified. In what is a largely unregulated UK cybersecurity market, this straightforward advice is crucial.
The NCSC specifically recommends working with testers who hold recognised industry certifications, such as those offered by CREST (Council of Registered Ethical Security Testers), or individual qualifications such as the OSCP (Offensive Security Certified Professional).
Checking that these credentials are actually in place is necessary precisely because the market is unregulated: anyone can advertise "expert penetration testing services" without holding any qualification at all. Sadly, plenty of unqualified teams simply run automated scanning tools. These produce enough findings to look like a thorough test, but no rigorous methodology has been applied and no professional insight or curiosity has gone into the work. That gives you a false sense of security, and wastes your money.
Let's expand a little on what it means to hold an OSCP or to be CREST registered, so that we understand how these credentials form a framework for accountability and professional conduct.
What Does OSCP Certification Mean?
OSCP (Offensive Security Certified Professional) is one of the most respected hands-on certifications in the security industry. Unlike theoretical exams that test memorisation, OSCP requires candidates to demonstrate actual penetration testing skills in a controlled lab environment (Author's note: it is really hard!).
What makes OSCP distinctive:
- Practical examination: Candidates must successfully compromise multiple systems during a 24-hour hands-on assessment
- Real-world techniques: The certification validates a tester’s ability to identify and exploit vulnerabilities manually
- Problem-solving under pressure: The exam simulates the time constraints of real-world testing
When your penetration tester holds an OSCP, you’re working with a professional who has demonstrated practical offensive security skills – and is comfortable in a complex or unpredictable testing environment. They’ve proven they can think like an attacker and identify paths of compromise that automated tools might miss.
CREST: The UK's Recognised Standard
While OSCP validates an individual's technical skills, CREST provides a framework covering both individual testers and the companies that employ them. CREST is particularly significant in the UK market, where it is recognised by the NCSC as a pre-eminent penetration testing certification body.

CREST registration means:
For individual testers:
- They’ve passed rigorous written and practical examinations
- They’ve demonstrated deep technical knowledge and practical exploit skills
- They’re committed to a code of conduct and ethical framework
For organisations:
- They follow documented methodologies and maintain quality standards
- They carry appropriate insurance and handle client data responsibly
- They’re subject to regular assessments of their own testing practices
The NCSC runs the CHECK scheme for testing government and critical national infrastructure systems. CHECK status for individual testers is earned by passing the technical examinations of an NCSC-approved certification body, CREST being the best known of them. This creates a clear pathway of recognised quality standards, and the NCSC recommends these standards for all organisations, not just government entities.
Just my thoughts here: it's not necessarily that CHECK is better testing, it just meets the right standards for auditing and accountability that are required when the private sector is out testing critical national infrastructure. For most private enterprises, OSCP and CREST Registration is ideal and sufficient. I say this as a CSPM Registered Penetration Tester, which sits inside the CHECK pathway.
Proper accreditation delivers better results
Choosing penetration testers with NCSC-recommended certifications delivers tangible benefits:
- Superior Findings: Certified professionals bring deeper analytical skills. They understand attack chaining, where several lower-risk issues combine into a serious exposure; automated tooling rarely spots these, because it takes a human to see the path. They also validate findings so that what lands in the report is genuinely relevant to your environment.
- Actionable Recommendations: Quality testing doesn’t just identify problems—it delivers practical paths to resolution that consider your specific business constraints.
- Legal and Compliance Protection: Should the worst happen and your organisation suffer a breach, having engaged properly certified testers provides evidence of due diligence in regulatory investigations and cyber insurance claims.
- Access to Wider Markets: Many enterprise and government contracts now specifically require penetration testing by certified professionals, and testing by CREST or CHECK-certified testers is increasingly a gateway requirement for supplier relationships. We have encountered teams who commissioned a penetration test to meet a third-party standard, only to discover afterwards that the testers were not sufficiently qualified for that standard to accept it. Back to square one.
Our Approach: NCSC Guidance Baked In from the Very Beginning
At ADAS, we have built our entire penetration testing service around NCSC guidance. We carefully vetted and partnered exclusively with select CREST-accredited penetration testing providers and OSCP-certified professionals who meet the NCSC's recommended standards.
The whole idea of this approach is that our clients don't need to go to market themselves and verify these credentials; we have already done that work for you. When you engage ADAS for penetration testing, you can have complete peace of mind that your testing will be conducted by professionals who meet the exact qualifications recommended by the UK's cybersecurity authority.

Continuing the good news: we believe proper security testing that adheres to NCSC guidelines shouldn't be a luxury. Our model gives organisations of all sizes access to NCSC-standard testers at reasonable rates (£700-850 + VAT per day), without the enterprise markup that often puts quality testing out of reach for smaller teams. We also offer flexible payment options, so you can invest in penetration testing on a timescale that works for you.
Conclusion: Following NCSC Guidance for Peace of Mind
The NCSC couldn't be clearer: qualified testers with recognised certifications such as CREST and OSCP are essential for effective penetration testing. By following this straightforward guidance from the UK's cybersecurity authority, you ensure your penetration testing delivers genuine security value rather than a false sense of security.
When you engage NCSC-recommended certified professionals for your penetration testing, either directly or through a trusted partner like ADAS that works exclusively with such professionals, you are not just paying for a report. You are turning a tickbox exercise into an investment in your security culture.
Remember:
- Ask directly about certifications: request the specific qualifications of the individuals who will perform your testing, not just "our team includes certified professionals"
- Verify CREST membership: check the CREST website's member directory for current organisational membership, and ask named testers for the credential details you need to confirm their individual certifications with the issuing body
- Look for transparency: quality providers will be upfront about their methodologies and the qualifications of their testers
- Examine sample reports: these should demonstrate clear, actionable findings with evidence and remediation steps, rather than raw tool output