
Part 1: CBEST Series – Beyond the Checklist

Explore how threat-led penetration testing helps financial institutions go beyond traditional checks to strengthen resilience and meet regulatory expectations like CBEST, STAR-FS and DORA.


Beyond the checklist: Redefining threat-led penetration testing.

As financial services face increasing regulatory pressure and escalating cyber threats, operational resilience has become a board-level priority. But building true resilience requires more than policies and plans; it demands evidence of how your organization holds up under attack.

That is where threat-led penetration testing (TLPT) adds critical value.

 

What is TLPT and why traditional testing falls short

TLPT simulates real-world, high-impact attacks using current threat intelligence to reflect the tactics, techniques and procedures (TTPs) of actual adversaries.

Unlike traditional pen testing, which often focuses on surface-level exploits in isolated systems, TLPT delivers something fundamentally different:

  • Intelligence-driven: Built on live threat intelligence specific to your sector and organization, not generic test scripts.
  • Scenario-based: Designed around plausible, high-consequence attack paths that mirror real adversary behavior, typically run end to end from initial access through to the agreed critical functions.
  • Regulator-aligned: Mandated or guided by regulatory bodies, often with national security implications.
  • Business-integrated: Tests not just technical defenses, but also detection and response capability, decision-making, incident response and internal governance.
 

There is often a significant gap between an organization’s perceived level of cyber risk and its actual level of risk. TLPT closes this gap by showing exactly how your organization would fare against an attack designed by a capable, well-informed threat actor.

 

Key frameworks defining the landscape 

 Understanding TLPT means understanding the frameworks shaping its application. Here’s what you need to know: 

CBEST (UK) 

  • What it is: Developed by the Bank of England, with support from CREST and NCSC.
  • Scope: Regulator-instructed, typically targeting Tier 1 financial institutions and financial market infrastructures in the UK.
  • Focus: Uses bespoke threat intelligence and accredited threat intelligence and penetration testing providers to simulate sophisticated, targeted cyber-attacks against the firm's critical functions.
  • Why it matters: Sets the bar for maturity, rigor and regulatory alignment. CBEST tests both technical controls and operational resilience, including the firm's ability to detect and respond to the attack.

STAR & STAR-FS (CREST) 

  • What it is: Industry-led frameworks accredited by CREST (STAR: Simulated Target Attack and Response).
  • Scope: A structured framework for businesses to commission TLPT assessments. STAR-FS tailors the approach for financial services, allowing firms to initiate an assessment themselves with regulatory oversight.
  • Focus: Offers a structured, repeatable way to implement threat-led testing, reusing the same intelligence-led, scenario-based approach as CBEST.
  • Why it matters: Accessible for firms that want threat-led assessments but are not directly mandated to run them.

TIBER-EU 

  • What it is: The Threat Intelligence-Based Ethical Red Teaming framework, developed by the European Central Bank.
  • Scope: Adopted by multiple EU member states to assess financial entities and critical financial infrastructure within their jurisdiction.
  • Focus: Nationally coordinated tests run against a common EU framework, so that results are mutually recognized across borders.
  • Why it matters: Highlights the European commitment to TLPT and ensures consistency across jurisdictions.

DORA (Digital Operational Resilience Act) 

  • What it is: EU regulation (Regulation (EU) 2022/2554), applying from 17 January 2025, affecting financial entities and their ICT third-party providers.
  • Scope: Enforces operational resilience standards across the digital supply chain.
  • Focus: Includes threat-led testing obligations, based on TIBER-EU principles, for financial entities that meet the criteria for advanced testing.
  • Why it matters: Makes TLPT a regulatory requirement for a much broader segment of the market.


Why CBEST still sets the benchmark
 

While the ecosystem is broadening, CBEST remains the most mature and rigorously enforced TLPT framework. It demonstrates what ‘good’ looks like in terms of threat intelligence integration, provider accreditation, scope definition, and board-level accountability. 

  

Who Should Care?

  • Tier 1 financial institutions: Required to run CBEST and similar mandatory frameworks.
  • Other financial institutions: Increasingly expected to adopt STAR-FS or prepare for DORA.
  • Risk and compliance teams: Need to understand the frameworks to translate results into an operational resilience strategy.
  • Security leadership: Must steer testing priorities based on realistic, regulator-validated threat scenarios.

 

Why This Matters 

The difference between conventional penetration testing and threat-led approaches is not academic; it is critical to resilience. Many standard tests are focused on a narrow scope of technology or systems. TLPT, on the other hand, mirrors how a real attacker behaves: persistent, adaptive and relentless.

TLPT is not about passing or failing; it is about pressure-testing your ability to withstand a real-world breach and using that insight to adapt, mature and build resilience that lasts.

Understanding frameworks like CBEST, STAR-FS and TIBER-EU is not just a compliance requirement; it is an opportunity. It helps security leaders translate testing into strategic advantage and deliver value that goes well beyond assurance alone.