
Part 2: CBEST Series – Operational Resilience

CBEST threat-led testing proves whether your organization can withstand real-world attacks, uncovering hidden weaknesses and driving true operational resilience.


Operational resilience: The offensive advantage

Cyber risk in financial services is no longer just an IT issue; it's a business-wide concern with real-world consequences. The Bank of England now requires institutions to ensure they can maintain the delivery of their most important business services, even during severe but plausible disruption scenarios.

That expectation turns operational resilience into a measurable objective, not just a regulatory aspiration.

Threat-led penetration testing (TLPT) supports this by delivering hard evidence of how an organization responds to a simulated real-world attack. It is key to understanding whether business continuity plans hold, whether escalation paths function, and whether resilience measures actually deliver when tested against the tactics of real adversaries.

 

The hidden weaknesses in people, process & technology

TLPT exercises are designed to mimic the behaviours of real-world adversaries. But unlike conventional testing, they don’t stop at exploiting a single vulnerability. They explore how attackers can move through your environment, exploit soft spots in workflows and pressure decision-makers in real time.

This approach often uncovers issues not visible through traditional security assessments:

People: Delayed escalation, unclear responsibilities, siloed teams.

Processes: Inconsistent playbooks, gaps between detection and containment, gaps in shared responsibility.

Technology: Misconfigured tooling, fragile integrations, untested backup routes.

These are not hypothetical risks. They are the real gaps that allow minor incidents to become business-wide crises.

Crucially, frameworks like CBEST and STAR-FS do not define success as pass or fail. Instead, they challenge assumptions and provide structured outputs to help:

  • Understand full attack paths, not just the entry point
  • Test control effectiveness during full-spectrum simulation
  • Assess organizational response across departments and leadership
  • Understand the impact of real-world cyber-attacks on Important Business Services (IBS)

In other words, TLPT doesn’t just validate controls. It challenges assumptions.

 

From intelligence to improvement

The intelligence gained through TLPT is meant to drive change. It's not just about technical fixes; it's also about improving readiness and resilience at every level.

Security teams, risk leaders and regulators alike benefit from structured outputs that directly support operational resilience planning:

  • Mapping risks to critical business services
  • Linking technical vulnerabilities to business impact
  • Benchmarking against sector norms
  • Shaping operational resilience strategies that the board can act on

Thematic reports produced from regulated engagements also offer firms the ability to anticipate where issues are likely to appear and how to prioritize remediation.

Common themes include:

  • Identity and access management weaknesses
  • Poor segmentation between critical and non-critical systems
  • Delayed or fragmented incident escalation

For firms preparing for TLPT, these reports are a blueprint. For those not in scope, they offer a strategic head start.

Examples of measurable impact

Firms that embed TLPT into their security strategy often report:

  • Faster incident response times due to clearer escalation protocols
  • Better communication between cyber, risk and business units
  • Increased board confidence from evidence-backed reporting
  • Stronger understanding of third-party and supply chain risks

Insights from the Bank of England’s 2024 CBEST thematic report reinforce the critical role of TLPT in strengthening resilience. The findings highlight recurring weaknesses in threat intelligence integration and incident escalation: areas where structured, intelligence-led testing continues to drive meaningful improvement across the sector.

Related example: CovertSwarm helped a financial services client identify continuity gaps and align incident response with TLPT insights, improving escalation speed and executive reporting clarity.

 

Why this matters

Operational resilience requires more than policies and frameworks. It requires proof.

Threat-led penetration testing provides that evidence by replicating how real attackers move, think and exploit. Frameworks like CBEST ensure this is done with rigour, relevance and strategic oversight.

For security and risk leaders, it’s how you prove your organization can withstand, adapt to and recover from disruption before the real threat arrives.