CREST Helps Raise the Bar for the Researchers Behind Your Pentest
When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest is in your production environment and the outcome matters.
CREST exists to offer the industry a structured way to answer that question. As an international not-for-profit membership body, CREST has been setting standards for cybersecurity since 2006. More than 500 companies and thousands of individual professionals carry CREST credentials today. CREST has already been part of our SRT Pathways since we created the program three years ago, because the certification signals the rigor the Synack Red Team (SRT) looks for.
Two New CREST Certifications in SRT Pathways
Today, we’re expanding our recognition of CREST by adding two additional CREST certifications to SRT Pathways:
- CREST Certified Tester Infrastructure (CCT INF)
- CREST Certified Tester Application (CCT APP)
They join CREST Registered Penetration Tester (CRT), which has been recognized on Pathways for years. Although CREST offers credentials across the penetration testing discipline, we optimized for certifications that best predict a tester’s performance on a live engagement. CCT INF maps to the hands-on, in-depth work our SRT does on host and infrastructure assessments, while CCT APP maps to web application testing. CRT remains a strong signal of field-ready skill across both and is the most widely held CREST exam in our community.
Why CREST Certifications Matter for Researchers
The SRT is the reason Synack customers get the outcomes they do. Our hand-picked global community of offensive security researchers must first pass our five-stage vetting process before ever touching a customer environment. In fact, fewer than 10% of applicants make it through. Then CREST certifications add a second, independent layer on top of that.
CCT INF and CCT APP are not easy credentials. Earning either requires substantial commitment and passing an exam specifically designed to benchmark senior practitioners against a globally recognized standard.
When a CREST-recognized researcher works on your engagement, that credential is doing something specific. It’s telling you that the person behind the test has been measured against a consistent standard and found capable. That assurance sits beneath the platform, the methodology, and the report, and it’s part of the reason why customers trust the output.
What CREST-recognized SRT Members are Saying
We asked researchers on the SRT who already hold CREST credentials what the certification has meant for them. One answer stood out:
“CREST has genuinely helped me out in my career, especially when working in the MEA and EU markets where it’s basically expected. It makes it easier for recruiters to shortlist the right people since CREST is widely recognised and trusted. It’s considered a gold standard in pentesting, so having it adds credibility and makes it easier to get through initial screening and land better opportunities.”
—Nikhil K, CPSA & CRT
That captures why this matters on both sides. CREST gives serious practitioners a structured way to advance in their careers. It gives the rest of the industry a shared definition of what skill and vetted talent actually look like.
What’s Next for Synack and CREST
Synack has also been a CREST Accredited Member Company for Penetration Testing since 2019. That accreditation sits at the organizational level: our methodology, data handling, reporting, and the enforceable code of conduct we operate under. Company accreditation tells you Synack meets the standard, while a researcher’s certification tells you the people actually testing your environment meet it too. Together, they mean CREST’s bar applies from the contract down to the keyboard.
If you’re a Synack customer, the standard CREST applies to Synack as a company now reaches further into the individual researchers who test your environment. Learn more about Synack’s PTaaS platform.
If you’re a CREST-recognized researcher curious about what we do, the SRT Pathways program page lists the perks your credential unlocks. Explore the SRT Pathways program.
Trust in cybersecurity isn’t built alone. It’s the product of every provider, practitioner, and standards body adding credible signals that the industry can rely on. Recognizing more CREST certifications on SRT Pathways is one way Synack contributes to that shared trust, so customers, researchers, and the wider security community all benefit from a stronger, clearer signal.
Frequently Asked Questions
I am a security researcher who holds a current CREST CRT, CCT INF or CCT APP. How can I learn more about the Synack Red Team?
The easiest first step is to apply at synack.com/red-team, and be sure to select the qualifying pathways for your application. If you have questions, you can submit them to [email protected] and our team will get back to you ASAP. If you’d like to connect on LinkedIn to ask questions, please feel free to reach out; however, support is the best channel for quicker responses. =)
Will a CREST-recognized researcher be assigned to my engagement?
CREST-recognized researchers work across our SRT, but we don’t assign them by credential alone. Testers are matched to engagements based on the skills your environment needs, such as cloud, API, mobile, web application, or infrastructure expertise. If your organization requires CREST-recognized testers specifically, whether for regulatory reasons or internal policy, talk to your Synack representative and we can scope the engagement accordingly.
How does CREST certification fit with Synack’s own vetting of the SRT?
They’re complementary. Synack vets researchers and CREST certifies them. Every SRT member clears our five-step vetting process, which covers background checks, technical assessments, skills validation, and an ongoing performance review. That process tells you the researcher meets Synack’s bar for skill, trust, and quality, and that we’ve confirmed who they are and how they operate. CREST certifications sit alongside that as an independent, third-party benchmark, confirming the researcher has also been measured against a globally recognized industry standard for technical talent.
Does working with a CREST-accredited provider help us meet regulations like DORA or NIS2?
CREST accreditation is widely recognized by regulators, particularly in EMEA, as evidence that a penetration testing provider meets established technical and professional standards. Under frameworks like DORA, NIS2, and TIBER-EU, procurement teams are increasingly required to demonstrate that their testing partners are independently credentialed. Synack’s company-level CREST accreditation and our recognition of individual CREST certifications on Pathways help meet those expectations, though specific regulatory requirements vary and should be confirmed with your compliance team.


