Arcseer
Our approach

Methodology, credentials, and the standards we test to.

Arcseer is built by offensive security practitioners with the scepticism of people who have spent careers reviewing other people's work. Every claim is grounded in independently verifiable methodology.

"Whatever we built needed to produce outcomes that were verified, reproducible, and defensible under expert review. That was not a marketing position. It was an engineering requirement."

CREST Accredited Penetration Testing

CREST is the international not-for-profit accreditation body that sets professional standards for cybersecurity services. CREST accreditation is the benchmark required by UK enterprise procurement, government frameworks, and major financial sector buyers.

Our methodology, specialist team, and assessment outputs are aligned to CREST standards. Where a formal engagement requires CREST-certified delivery, Arcseer operates accordingly.

Why CREST accreditation is the first question to ask.

In UK enterprise security procurement, CREST is the minimum credential that separates serious providers from the rest. It is required for NHS supplier assessments, public sector contracts, and increasingly by major financial institutions as a condition of vendor approval.

CREST certification means the methodology has been independently assessed, practitioners meet defined standards, and outputs can be relied upon for regulatory and audit purposes — not just internal reporting.

Arcseer's AI-driven approach does not bypass this rigour. It applies it at a speed and scale that manual-only testing cannot match.

  • Methodology independently assessed against CREST standards
  • Specialist team certified to required competency levels
  • Outputs structured for audit and regulatory submission
  • Accepted by NHS, public sector, and major financial services buyers

Frameworks and standards

The standards we test against, report to, and generate evidence for.

Assessment findings are mapped to the frameworks your auditors, regulators, and procurement teams require. Compliance evidence is generated automatically — not translated manually after the fact.

Core testing methodology

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge)

Every exploitation chain and attack path identified by Arcseer is mapped to ATT&CK techniques, giving your security team the language to understand exactly how a real threat actor would operate against your environment.

OWASP Top 10, OWASP API Security Top 10, and ASVS

Arcseer tests against OWASP Top 10, OWASP API Security Top 10, and the Application Security Verification Standard — the globally recognised benchmarks for web application and API assessment.

NIST CSF 2.0 (Cybersecurity Framework)

Findings can be mapped to the CSF Identify, Protect, Detect, Respond, and Recover functions, which are increasingly referenced in UK government guidance and required by US-headquartered enterprises and their UK subsidiaries.

PTES (Penetration Testing Execution Standard)

Arcseer's assessment methodology follows the PTES phase structure, from pre-engagement through post-exploitation, ensuring completeness and consistency across every engagement regardless of scope.

CIS Benchmarks (Center for Internet Security)

CIS Benchmarks are the technical standards for secure configuration of cloud infrastructure, operating systems, and network devices. Arcseer uses them as the benchmark for cloud and infrastructure security assessments.

UK government and national frameworks

Cyber Essentials+ (NCSC / IASME, UK Government-backed)

Required for all organisations bidding for UK government contracts. Arcseer assessments validate controls across all five Cyber Essentials technical domains: firewalls, secure configuration, user access control, malware protection, and patch management.

NCSC CAF (Cyber Assessment Framework)

The NCSC's framework for operators of essential services regulated under the NIS Regulations (energy, water, transport, and health). Arcseer assessments support CAF Objective B: protection of networks and information systems.

HMG SPF (His Majesty's Government Security Policy Framework)

Relevant for public sector supply chain organisations that need to demonstrate security assurance aligned to government expectations and cross-department security requirements.

Enterprise and regulatory compliance
ISO 27001 (Information Security Management) [Enterprise]

Assessment findings are mapped to Annex A controls, supporting both initial certification and ongoing compliance, including the technical testing obligations in A.12 and A.18.
PCI DSS 4.0 (Payment Card Industry Data Security Standard) [Enterprise]

Assessments satisfy PCI DSS 11.3 (methodology) and 11.4 (internal and external testing requirements), with reporting structured for QSA review. Version 4.0 introduced 63 new requirements; Arcseer covers the testing-related additions explicitly.
NIS2 (Network and Information Security Directive 2) [Enterprise]

Applies to essential and important entities across energy, transport, health, and digital infrastructure. Arcseer supports the Article 21 technical measures: vulnerability handling and systematic penetration testing.
DORA (Digital Operational Resilience Act) [Financial services]

DORA mandates Threat-Led Penetration Testing (TLPT) for in-scope financial entities, in force from January 2025. Arcseer's methodology is aligned to TIBER-EU, the technical standard underpinning the DORA TLPT requirements.
CBEST (Bank of England Intelligence-Led Testing) [Financial services]

The Bank of England's framework for systemically important financial institutions, and the most demanding penetration testing framework in UK financial services. Arcseer's specialist team has experience within CBEST-aligned engagements.
TIBER-EU / SWIFT CSP (ECB Red Teaming / Customer Security Programme) [Financial services]

TIBER-EU underpins DORA TLPT requirements across EU financial regulators. SWIFT CSP imposes annual assessment obligations on network participants. Both are supported by Arcseer's assessment methodology and specialist team.
SOC 2 (Service Organization Control 2) [Enterprise]

Supports the CC6 and CC7 common criteria, the sections most relevant to penetration testing evidence. Widely required by US enterprise customers of UK technology providers.
FCA / PRA (Operational resilience, PS21/3) [Financial services]

FCA and PRA requirements for firms to test important business services under disruption scenarios. Arcseer's continuous monitoring and assessment model directly supports ongoing operational resilience testing obligations.
NHS DSPT (Data Security and Protection Toolkit) [Healthcare]

Mandatory for NHS organisations and data-handling suppliers. Standards 7 and 9 reference penetration testing as assurance evidence. Arcseer generates DSPT-structured evidence as part of standard assessment output.
Quality standards

How we manage the risk of getting this wrong.

We watched what AI-generated security content was doing to the quality of the industry's output. These are the specific commitments we made as engineering requirements.

01. Every finding is validated before it reaches you

AI-generated findings are reviewed by specialists for accuracy, exploitability, and contextual risk before they appear in your report. If a finding cannot be validated, it does not make the report. We do not send raw tool output.

02. All findings are reproducible

Every finding includes evidence for independent verification: request details, response evidence, and step-by-step reproduction instructions. If your team or a third party cannot reproduce it, it does not meet our standard for inclusion.

03. Hallucination management is an engineering requirement

We built hallucination detection and grounding mechanisms into the platform architecture — not as a post-hoc filter. The system refuses to assert claims it cannot ground in observed evidence. This is where we invested significant engineering effort before going to market.

04. Humans remain in the loop throughout

Automation handles volume and velocity. Specialists contribute contextual judgement through real-time supervision during the assessment, in post-assessment review, and in direct engagement when required. This is a deliberate architecture decision, not a temporary limitation.

AI and human expertise

What the AI does, and where the specialists contribute.

The combination of AI capability and specialist expertise is not a compromise — it is why the output is better than either alone. AI handles what it is structurally better at. Specialists handle what they are structurally better at.

AI runs in parallel across a large attack surface without fatigue, correlates patterns across thousands of data points simultaneously, and maintains consistent methodology across every assessment. Specialists bring contextual risk judgement, creative attack path development, and the interpretation of ambiguous findings.

AI (automated): Autonomous reconnaissance and surface mapping

Comprehensive discovery of the attack surface (endpoints, services, technology stack, exposed infrastructure) at a scale and speed that manual enumeration cannot match.

AI (automated): Parallel exploitation chain execution

Multiple attack scenarios are tested simultaneously. Where a manual team works sequentially, Arcseer's multi-agent system runs concurrent chains, covering more surface in less time.

Human (specialist): Real-time supervision and priority decisions

Specialists monitor assessments as they run, flagging anomalies for closer attention and directing additional focus to areas where the evidence warrants it. This is active contribution, not oversight after the fact.

Human (specialist): Finding validation and contextual risk assessment

Every finding is reviewed before delivery. Specialists assess exploitability, business context, and actual risk, not just CVSS scores. What reaches your report has been evaluated by someone who understands what it means in your environment.

AI (automated): Continuous monitoring and CVE correlation

Post-assessment monitoring of identified technologies for new advisories and surface changes. This is automated and continuous, generating alerts that require human review before action.

Human (specialist): Debrief, interpretation, and strategic guidance

Every assessment concludes with a debrief from the specialist team who ran it: a conversation about what was found, what it means strategically, and what to prioritise.

Ready to run your first assessment?

Start with a single target, or read about how the platform handles your specific use case, whether that is active product security or a complex compliance programme.