On this page
LEVERAGE CYBER has signed the CREST AI Charter, joining more than 60 cybersecurity organisations in a public commitment to responsible AI use.
AI already shapes how cyber security services get delivered: analysis, testing, detection, response, reporting, research. The Charter is a way to keep that growth anchored to trust, transparency, and accountability.
What the CREST AI Charter is
The CREST AI Charter is a voluntary public commitment to support responsible AI use in cyber security. By signing it, organisations publicly support CREST’s AI Principles and contribute to the wider industry conversation about assurance in AI-enabled security services.
CREST launched the Charter in June 2026. More than ten per cent of its member organisations signed at launch, spanning Europe, North America, the Middle East, and Asia-Pacific. Between them they deliver penetration testing, vulnerability assessment, incident response, security operations, threat intelligence, and threat-led penetration testing.
AI is already part of the job across the whole profession. Signing the Charter is a public commitment to use it responsibly.
The nine principles we are supporting
CREST published nine principles for AI-enabled activities. They cover the areas that matter in real delivery:
- Accountability and governance — defining the scope and purpose of AI use, with oversight proportionate to risk.
- Transparency of use — informing clients how AI is used in tools, methodologies, and automations.
- Documentation and auditability — keeping AI use traceable and reviewable.
- Boundaries and control — ensuring competent personnel retain oversight and can intervene.
- Data handling, sovereignty and client control — being clear how client data is used and where it goes.
- Security and confidentiality — protecting client data, prompts, outputs, and AI-generated artefacts.
- Secure development of AI tooling — using secure development and assurance practices for AI tools.
- Supply chain assurance — assessing third-party AI dependencies for security, compliance, and resilience.
- Resilience and business continuity — maintaining fallback arrangements where AI systems fail.
Each one maps to a decision a consultancy makes when delivering AI-assisted work.
Why we signed
Our work is consultancy first: judgement, experience, and a human who owns the outcome. AI supports that, as it does for most cybersecurity consultancies now. It handles repetitive analysis, draft structure, research, pattern recognition, and the connective work around delivery, freeing a consultant to spend more time on the problem that matters to the client.
We also know the risks. A plausible but wrong explanation wastes a client’s time; an unverified recommendation can leave a system less secure than before we touched it. A careless prompt leaks sensitive information. In over a decade of cybersecurity work, we’ve learned to spot those failure modes before they reach a client.
The Charter gives us a public way to say how we think about that trade-off. We are interested in AI where it improves quality, speed, consistency, or coverage without weakening client control, confidentiality, or professional accountability. Signing it puts that commitment on record.
What this means for clients
Our starting point is simple: clients should know when AI matters to their engagement. If it materially affects service delivery, data handling, decision-making, reporting, contractual commitments, or client risk, we disclose it and govern it.
In practice, that means:
- we define where AI may and may not be used in delivery,
- we keep human consultants responsible for conclusions, recommendations, and reports,
- we protect client data, prompts, outputs, and AI-generated artefacts,
- we assess material third-party AI dependencies before relying on them,
- we retain enough documentation for quality review and proportionate assurance,
- we maintain fallback arrangements where an AI dependency is unavailable or unsuitable.
These controls decide whether we can explain, defend, and repeat the work later.
AI’s place in the toolkit
Security work has always involved tools. Scanners, fuzzers, exploit frameworks, static analysis engines, password crackers, traffic analysers, decompilers, and custom scripts all shape how consultants work. AI is the latest addition, and a powerful one.
Traditional tools fail in ways a skilled operator can inspect: a false positive, a missed finding, a parsing error. AI systems fail more quietly, inventing confidence and producing a fluent explanation that reads as finished before the underlying work is done.
AI-assisted work still needs scoped objectives, testable evidence, peer review, client-agreed handling rules, and accountable human sign-off. The Charter puts that in writing.
Part of a bigger picture
This isn’t our first public commitment to professional standards. We proudly joined The Cyber Scheme Accredited Company Programme as an inaugural member. We hold Cyber Essentials Plus. Our consultants hold UK Cyber Security Council titles including Chartered Cyber Security Professional.
Each of these is a different kind of commitment. The Cyber Scheme programme evidences organisational capability. Cyber Essentials Plus verifies our own controls. The CREST AI Charter addresses how we use AI in delivery. Together, they give clients a clearer picture of how we work and what we stand for.
The opportunity ahead
AI will keep changing how security work gets delivered. The firms that benefit will be the ones that adopt it thoughtfully, govern it properly, and keep a human accountable for the outcome. The Charter is a framework for doing that.
We would rather help shape how AI gets used in this profession than wait for someone else to set the standard. Signing the Charter puts us in that room.
If you want to talk to us about how we use AI in security testing, get in touch.
References
Where can I read your AI Policy?
Our AI Policy is published at leveragecyber.com/ai-policy. It sets out the nine principles we apply to all AI-enabled activities, covering accountability, transparency, data sovereignty, security, and governance.
What is the CREST AI Charter?
The CREST AI Charter is a voluntary public commitment to support responsible AI use in cyber security. By signing it, organisations publicly support CREST's AI Principles covering accountability, transparency, human oversight, data handling, confidentiality, secure development, supplier assurance, and resilience. More than 60 organisations have signed.
Is signing the CREST AI Charter the same as CREST accreditation?
No. Signing the Charter is not CREST certification, CREST accreditation, or a claim that services are CREST-approved. It is a voluntary commitment to support CREST's AI Principles for responsible AI use in cyber security.
How does LEVERAGE CYBER use AI in security work?
AI is used to accelerate repetitive analysis, draft structure, research support, and pattern recognition. It is not a substitute for judgement or technical competence. Human consultants remain responsible for conclusions, recommendations, and reports. Client data and AI-generated artefacts are protected, and material third-party AI dependencies are assessed before use.
What should clients expect regarding AI in their engagements?
Clients should know when AI materially affects service delivery, data handling, decision-making, or reporting. LEVERAGE CYBER defines where AI may and may not be used, keeps human consultants accountable for conclusions, protects client data, and maintains fallback arrangements where AI is unavailable.
Founder · Principal Consultant
Accomplished cybersecurity leader with over 25 years of experience. OSCP-certified penetration tester, Cyber Scheme Team Leader, and founder of LEVERAGE CYBER. Former Head of Professional Services and CHECK Team Leader (Infrastructure). Published in Which? Magazine and quoted by the BBC on mobile banking security. Passionate about offensive security, team leadership, and making cybersecurity practical for businesses.
