Abacus wins CREST approval for penetration testing

Abacus has achieved CREST accreditation for its penetration testing services, placing it among a relatively small group of managed service providers with the verification.

The accreditation followed an independent audit of the company's penetration testing practice, including staff expertise, team qualifications, client data handling, and quality control and assurance processes. Abacus also had to demonstrate an ongoing professional training programme and provide client references on the depth and quality of its testing work.

CREST is a recognised accreditation body for cyber security testing, and its standards are widely used in sectors subject to close regulatory scrutiny. In industries such as financial services and healthcare, external verification of testing practices can carry particular weight as boards and compliance teams face pressure to show that security assessments meet recognised standards.

Abacus provides managed IT and cyber security services to regulated industries. The accreditation covers how it delivers penetration testing, a service designed to simulate an attacker seeking to exploit weaknesses in cloud, network, and server infrastructure.

Audit scope

The review ran over several months and examined operational and technical processes as well as governance standards. To retain the accreditation, Abacus will need to renew it annually, making it an ongoing compliance requirement rather than a one-off certification exercise.

The accreditation comes as demand grows for more formal assurance around cyber testing. In regulated markets, penetration testing has increasingly moved beyond a simple procurement requirement, with buyers asking for evidence of tester competence, clear controls around sensitive data, and stronger quality oversight.

This trend has raised the profile of independent accreditation schemes. For service providers, they can serve as a differentiator in a crowded market, particularly when customers are comparing firms on external validation rather than broad claims of expertise.

Abacus has also introduced an adversarial simulation service that combines agentic AI with human-led Red Team testing. It describes the model as a hybrid approach that uses AI systems alongside senior penetration testers.

The use of AI in offensive security testing is attracting growing interest across the cyber sector, as providers look for ways to increase the scale and speed of simulated attacks while keeping human oversight in place. It has also raised questions for customers and regulators about how such tests are governed, documented, and assessed.

Tom Cole, Senior Managing Director, EMEA at Abacus, commented on the accreditation and its relevance for clients in regulated sectors. "In an age of relentless cyberattacks and constantly evolving regulatory requirements, it is crucial our clients can trust that they are working with a top-tier partner. The CREST accreditation validates our alignment with global best practices, providing our clients in regulated industries, like financial services and healthcare, with verification and assurance of our Red Team's strict technical rigor," he said.

The company operates in regulated markets internationally, with headquarters in New York and its EMEA base in London. Its client base includes organisations that typically face strict expectations around cyber resilience, third-party risk management, and the protection of sensitive information.

According to Abacus, few managed service providers have secured CREST accreditation for penetration testing, making the award notable in a segment where many providers offer security services but fewer hold external verification for this part of their work.

CREST carried out the accreditation process between October 2025 and February 2026, and the certification must be renewed each year.