Background

On Tuesday 16th November 2021, at its AGM, CREST ANZ announced the launch of its new Accredited Best of Breed Penetration Tester (ABPT) program.

The CREST ANZ Board reviewed the spectrum of vendors and qualifications in the sector, and identified gaps in the penetration testing industry's approach to certification, namely:

  1. Existing certifications vary significantly between vendors, across:
    • technology coverage
    • degree of difficulty
    • format and delivery mechanisms
    • quality of learning and testing
  2. Existing certification processes and outputs do not provide any insights into:
    • professionalism
    • on-the-job performance competency
    • trustworthiness
  3. Historically, there has been no mechanism to assess the competency of penetration testers who have:
    • not pursued technical certification
    • significant penetration testing experience, but no certifications

The CREST ANZ Board's identification of these gaps aligned with the 2020 National Cyber Security Strategy's call for a more holistic, multi-dimensional approach to accreditation, one based on skills, experience, qualifications, professionalism and trust (recommendation #49 ... "Consider creating an internationally aligned accreditation scheme to recognise the skills, experience and qualifications of cyber security professionals in both technical and management roles. This should include mapping the equivalency of existing qualifications.").

Accordingly, work began in 2020 to develop a multi-dimensional approach to accreditation that accredits individual penetration testers (employees and contractors) against Technical Competency, Professional Competency and Trust Standards that have been developed and defined by CREST ANZ members, and aligned to best practice exemplar programs across other industries.