CREST Pathway & Pathway+: A New Era for Cybersecurity Accreditation

Opening the Doors to Global Cyber Excellence

As the cybersecurity threat landscape evolves at breakneck speed, the need for credible, consistent, and professional service providers has never been more urgent. For many organizations, especially those still building their technical maturity, meeting globally recognized standards can be daunting. To bridge this gap, CREST—a globally recognized not-for-profit cybersecurity accreditation body—has launched two strategic initiatives: Pathway and Pathway+. These programs are designed to help companies of all sizes and stages progressively work toward full CREST accreditation through structured support, self-assessment tools, mentorship, and access to CREST’s professional community.

These entry-level options lower the barriers to entry for cybersecurity accreditation while promoting excellence, consistency, and accountability. They are tailored for organizations that are serious about improving their services but may not yet be fully prepared for the rigorous standards of complete accreditation. This initiative is not only about growing the CREST ecosystem but also about strengthening the global cybersecurity community with trustworthy, capable providers.

Building a Clear Route to Full Accreditation

CREST’s new Pathway and Pathway+ programs aim to support aspiring cybersecurity service providers on their journey toward full accreditation. These programs open the door to organizations seeking recognition and improvement but who may lack the immediate resources or maturity to meet CREST’s demanding standards.

The Pathway stage is the starting point, where organizations formally join the CREST ecosystem. By submitting essential company details and committing to CREST’s Code of Conduct, these participants gain access to valuable resources and communities, keeping them aligned with global trends, threat updates, and peer support. Pathway+, a more advanced tier, includes tools for self-assessment across CREST’s accreditation standards. It encourages organizations to evaluate their current strengths and identify areas for improvement, helping shape a practical roadmap toward certification.

One of the standout advantages of Pathway+ is potential access to mentoring from accredited CREST members and even entry into government-funded cybersecurity development programs in certain regions. This tier pushes participants to align with at least one CREST-recognized cybersecurity service domain—such as penetration testing, red teaming, or threat intelligence—and actively work toward aligning with CREST’s organizational standards.

CREST’s end goal is to see Pathway+ members become fully accredited within two years, while those starting from Pathway are expected to achieve this milestone within four years. By introducing these transitional stages, CREST ensures that every committed organization, regardless of its starting point, has a realistic and guided path to professionalism.

Once fully accredited, companies earn the trustmark that signals to clients worldwide that their services meet the highest levels of independently verified quality. This not only reassures clients of competence and security but also elevates the organization’s reputation and global market positioning.

According to Jonathan Armstrong, CREST’s Head of Product, cyberattacks represent enormous financial and reputational risks, and working with unqualified vendors is no longer an option. He emphasizes that Pathway and Pathway+ offer a scalable and supportive accreditation framework, enabling committed service providers to prove their dedication to cybersecurity best practices even before full certification.

What Undercode Say:

Strategic Accessibility in a High-Stakes Industry

The launch of Pathway and Pathway+ by CREST represents a critical pivot in how cybersecurity accreditation is approached globally. Traditionally, cybersecurity certifications have catered mainly to mature service providers with existing compliance infrastructures. This model, while effective for maintaining high standards, has inadvertently excluded smaller or emerging players who could contribute significantly to the cybersecurity ecosystem if given the right support. CREST’s tiered approach is a direct response to that gap, promoting inclusion without compromising quality.

From a market perspective, this initiative can significantly boost the supply of trusted providers at a time when demand for cybersecurity services is skyrocketing. Small to mid-size enterprises (SMEs) often lack the capacity to undergo full accreditation processes. With the introduction of Pathway and Pathway+, they can now gain a foothold, validate their progress, and attract clients through demonstrated commitment. This shift will likely foster a more competitive, dynamic, and trusted cybersecurity market.

Technically, the inclusion of self-assessment tools in the Pathway+ tier is a standout feature. It gives organizations a tangible framework to measure where they stand and what they need to improve. This is a marked improvement over many other industry certifications that often operate as pass-or-fail systems. Here, CREST adopts a growth mindset approach—helping companies evolve instead of merely judging them.

Another critical dimension is the mentorship and government-funded development access potentially available to Pathway+ members. These partnerships can accelerate learning and reduce the typical trial-and-error costs associated with gaining industry experience. It also reflects CREST’s deeper integration into policy-making and governmental trust, reinforcing the legitimacy of the Pathway model.

However, one concern that must be acknowledged is the potential for “credibility inflation.” If too many organizations receive recognition without adequately progressing, the weight of full accreditation could diminish. CREST must ensure that the standards at each stage remain rigorous and that there’s transparent tracking of participants’ progression to full accreditation.

In essence, this program is not about lowering standards but about offering a structured runway to reach them. For clients, this means they can begin working with organizations who are on the right track, even if not fully accredited yet. For the providers, it means measurable improvement, peer support, and a realistic goalpost.

As cybersecurity continues to evolve into a top-tier business priority, Pathway and Pathway+ are positioned to play a vital role in scaling quality assurance, especially in emerging economies and among startups.

🔍 Fact Checker Results:

✅ CREST is a globally recognized nonprofit that provides cybersecurity accreditation.
✅ Pathway and Pathway+ are officially launched programs designed to support pre-accredited organizations.
✅ Organizations in Pathway+ may access mentoring and government-funded programs depending on location.

📊 Prediction:

As CREST Pathway and Pathway+ gain traction, we anticipate a sharp increase in the number of SMEs joining the CREST ecosystem. Within the next three years, over 50% of new CREST accreditations may originate from organizations that began in these preliminary stages. Additionally, the presence of partially accredited firms will likely influence procurement policies, with buyers considering “Pathway+ engagement” as a trust factor when shortlisting vendors. This will make early adoption a strategic advantage.