Part 3: CBEST Series – The Future of Threat-Led Penetration Testing

Regulated testing like CBEST is pivotal, but as threats shift, organizations must adopt more strategic, agile threat-led penetration testing. Discover what’s next.

As regulatory frameworks mature and attacker behaviors evolve, threat-led penetration testing (TLPT) is entering a new phase. No longer limited to fixed-scope annual exercises or point-in-time validation, TLPT is becoming a key component in validating ongoing resilience across a broader range of financial services firms and critical third-party suppliers.

But this evolution isn’t just about frequency. It’s about relevance, adaptability, and scalability. The future of TLPT lies in testing that reflects real-world threats, aligned with business risk.

From periodic validation to ongoing readiness

Frameworks like CBEST and STAR-FS have laid the foundation for maturity in regulated threat-led testing. But in between assessments, organizations still face evolving threats. Increasingly, security leaders are looking to:

  • Extend assurance beyond the testing window
  • Model new threat scenarios as they emerge
  • Understand their organization's ability to repel an attack and to respond and recover rapidly

This isn’t a move away from regulated testing; it’s about building on it. TLPT is no longer just a compliance checkpoint. It’s a strategic lens into resilience.

What’s next in TLPT? Key trends to watch

The scope of threat-led testing is expanding to cover risk areas that have traditionally fallen outside red teaming programs.

Emerging areas of focus include:

  • Supply chain attack simulation – Assessing how vulnerabilities in third parties could affect core business functions
  • Social engineering and phishing – Testing staff response to real-world deception, not just perimeter breaches
  • Insider threats – Understanding the effectiveness of insider threat detection capability
  • Business logic abuse – Targeting workflows, not just infrastructure, to test how process flaws could be exploited

These focus areas shift TLPT from “what can be exploited” to “what would impact the business if exploited.”

The growing role of automation and AI

While threat-led testing will always require human insight, automation is beginning to enhance how engagements are delivered.

From automated reconnaissance to AI-assisted payload generation and attack path modelling, automation is:

  • Creating high-fidelity social engineering lures in multiple languages, better tailored to their target
  • Discovering new attack vectors where human enumeration would traditionally be required
  • Helping simulate high-frequency, low-effort attacks

For security leaders, this opens the door to lighter, more frequent simulations that supplement regulated frameworks without duplicating them.

Scaling TLPT: STAR-FS and sector accessibility

Not every firm operates at the scale of a CBEST-mandated institution. That’s where STAR-FS and other more agile frameworks come in.

These models offer structured threat-led testing tailored for:

  • Mid-market financial institutions
  • Payment service providers
  • Insurers and asset managers
  • Third-party technology vendors

They bring rigour and relevance to firms that may not yet be in regulatory scope for a full CBEST but still recognize the strategic value of adversarial simulation.

Why This Matters

The future of TLPT isn’t about running more tests. It’s about smarter, more strategic testing that evolves with your business.

Security and risk leaders must keep up with a dynamic threat landscape. Regulations are expanding their scope. Supply chains are growing ever more complex. Expectations from boards and regulators are rising.

In this context, TLPT, when applied well, helps firms:

  • Prioritize their response to real-world risks
  • Close gaps across people, process and technology in how those risks are addressed
  • Build a defensible resilience strategy grounded in intelligence and proven test outcomes

Embracing TLPT across industry verticals is not just about compliance readiness. It’s about resilience leadership.

The most resilient organizations do not test constantly for the sake of it. They test with purpose. A targeted, repeatable approach to threat-led testing ensures security strategies evolve alongside threats, keeping defenders in control and regulators reassured.

At CovertSwarm, we’ve seen organizations succeed when they treat threat-led testing as more than a compliance obligation. When testing becomes targeted, repeatable, and intelligence-led, it drives stronger alignment across teams and clearer decisions at the board level.

The future of TLPT isn’t about doing more testing. It’s about doing it better: grounded in real threats, adapted to risk appetite, and integrated with broader resilience strategies.