Independent assurance buyers can verify. Every nCrypt test is led by a CREST-certified, OSCP-holding consultant and delivered under CREST PTP or STAR methodology.
CREST is the international accreditation body for the technical security industry, recognised by the Bank of England, the European Central Bank, MAS Singapore, the Hong Kong Monetary Authority and Bank Negara Malaysia. It accredits member firms against their processes and code of conduct, and certifies individual testers against rigorous practical examinations.
For Malaysian buyers procuring penetration testing, CREST is the cleanest, most defensible proof that the people on the keyboard actually know what they are doing — and that the firm behind them is bound to a documented ethical and quality framework.
Every lead consultant on an nCrypt engagement holds at minimum OSCP plus a current CREST certification. We staff to credentials, not headcount — the named tester on your statement of work is the one on the keyboard.
CREST CCT-INF · OSCP · OSEP
CREST CCT-APP · OSCP · OSWE
CREST CRT · OSCP · OSCP+ · CCSP
CREST CCSAS (STAR) · OSEP · CRTO
CREST CRT · OSCP · GMOB
All scoped engagements follow CREST's Penetration Testing (PTP) methodology: scoping, reconnaissance, vulnerability identification, exploitation, post-exploitation, reporting and quality assurance — under documented quality gates. Threat-intelligence-led red team work follows CREST STAR, the same scheme used by the Bank of England's CBEST.
We map every finding to MITRE ATT&CK and provide both CVSS v3.1 and business-impact ratings, so executives and engineers each see a relevant view.
Engagement: External + internal infrastructure penetration test, Bursa-listed group
Methodology: CREST PTP, OWASP, NIST SP 800-115
Duration: typically 4-6 weeks (10-day test window + reporting)
Team: CREST CCT-INF lead + CREST CRT senior consultant
Deliverables: technical report, executive summary, retest, board readout
CREST (Council of Registered Ethical Security Testers) is an international not-for-profit accreditation body for the technical security industry. CREST verifies the company (member firm status) and the individual testers (CRT, CCT-INF, CCT-APP, CCSAS) against rigorous technical, methodology and ethical standards. Buyers can rely on CREST as an independent assurance of competence — the same standard used by the Bank of England's CBEST and HKMA's iCAST schemes.
Bank Negara's RMiT Policy Document expects penetration testing to be performed by accredited and competent professionals. While RMiT does not name a single scheme, CREST and equivalent credentials (OSCP, OSCE, GIAC GPEN/GXPN) are the recognised benchmarks. For intelligence-led testing under RMiT 10.49, BNM examiners look for CREST STAR or CBEST-aligned methodology.
Individual CREST certifications (CRT, CCT, CCSAS) are valid for three years and require continuous professional development plus re-examination to renew. CREST member-firm status is reviewed annually against the firm's processes, code of conduct adherence and incident-free record.
CREST PTP (Penetration Testing) covers conventional scoped pentests — infrastructure, web, mobile, cloud. CREST STAR (Simulated Targeted Attack & Response) is the threat-intelligence-led scheme for full-kill-chain red team exercises. STAR is the methodology aligned with CBEST/TIBER and is the right scheme for BNM RMiT 10.49 intelligence-led testing.
Yes — BNM accepts testing by other recognised credentials including OSCP, OSCE, GIAC GPEN/GXPN and equivalent, provided the tester is independent, competent and follows a documented methodology. CREST is the cleanest evidence to present to an examiner, which is why most large Malaysian FIs default to it.
Most scoping calls turn into a fixed-price proposal inside one business day.