CBEST
intelligence-led penetration testing for UK financial services

CBEST in context: the UK regulator-led framework for intelligence-led red teaming

CBEST is the Bank of England framework for intelligence-led penetration testing of UK financial entities, run jointly with the Prudential Regulation Authority and the Financial Conduct Authority. The framework was first introduced in 2014 and refreshed several times since to align with modern threat intelligence practice and operational resilience expectations. CBEST is the regulator-led testing programme: the supervisor sets the inclusion list, agrees the scope, and reviews the closure attestation. The accredited provider community, the rules of engagement, and the methodology are documented and applied consistently across firms so the results are comparable to the supervisor.

CBEST sits inside the wider UK and European resilience picture. For UK firms operating across the EU, the same testing discipline is increasingly required under the Digital Operational Resilience Act, whose threat-led penetration testing expectations point to TIBER-EU as the reference methodology. CBEST and TIBER-EU share the structural shape: a bespoke threat assessment, role separation, controlled execution, replay, and a closure attestation. The differences are jurisdictional and procedural rather than philosophical, so groups operating across both pools usually map a single workflow across the schemes rather than running two separate evidence efforts.

Who CBEST applies to and where it sits in the UK supervisory regime

CBEST applies to the population of UK financial entities the regulator considers material enough that an intelligence-led test of their important business services is a reasonable supervisory expectation. The supervisor relationship determines who leads: the PRA leads for prudentially regulated firms, the FCA leads for conduct-regulated firms, and the Bank of England Financial Market Infrastructure directorate leads for the FMI population. The cadence and depth scale with size, complexity, and systemic relevance, and the inclusion list for each cycle is set by the supervisor. Critical third parties supporting the in-scope services may be drawn into the scoping conversation and tested in coordination with the firm.

The targeted threat assessment: what makes CBEST intelligence led

Every CBEST engagement begins with a targeted threat assessment produced by an accredited threat intelligence provider. The targeted threat report is bespoke to the firm and the in-scope important business services rather than a generic landscape document. It profiles the threat actors plausibly targeting UK financial services, the prevailing tradecraft, and the attack patterns the supervisor expects to see reflected in test scenarios. The report is the document that the red team builds the test plan from, and it remains part of the closure pack the supervisor may review.

Roles and segregation of duties: white, control, blue, red, and TI

Role separation is the structural feature that makes CBEST credible to the supervisor and the board. The framework names five roles, with explicit boundaries between who knows about the test, who runs it, who oversees it, and who defends against it. The audit of who knew what and when is part of the closure record, so the role membership is captured before launch and maintained throughout the engagement.

Phase 1: Preparation

Preparation is the longest phase by elapsed time and the phase that most determines whether the engagement is defensible. The launch document, the procurement of accredited providers, the legal pack, and the rules of engagement all sit in preparation, and the supervisor is engaged early so expectations are baked into the plan rather than discovered later. CBEST engagements that fail review usually fail because preparation was rushed and the launch document had to be backfilled after testing began.

Phase 2: Testing (targeted threat report and red team execution)

Testing is the phase most readers picture when they hear CBEST. The threat intelligence provider builds the targeted threat assessment from the firm scope and the wider UK threat picture. The red team builds the test plan from the targeted threat report, with scenarios and flags. The white team approves and the controlled red team execution runs against live production. Operator notes, evidence per flag, and timestamps are captured during execution rather than reconstructed afterwards.

Tagging every red team finding by tactic and technique sharpens the test report and the replay conversation. The MITRE ATT&CK framework page covers tagging end to end, the threat-led penetration testing workflow covers the cycle on a single engagement record, and the red teaming workflow keeps the timeline, attack paths, and operator notes structured rather than scattered across chat history.

Phase 3: Closure (replay, attestation, and lessons learned)

Closure is what separates CBEST from a standalone red team engagement. The replay phase pairs the red team and the blue team, walks the attack path together, identifies the detection and response gaps, and agrees the remediation. The closure attestation, signed by the firm, the red team provider, and the threat intelligence provider, is the formal record that a CBEST engagement was completed. The supervisor may review the attestation and the evidence pack as part of ongoing supervision.

For the operational side of the remediation work after the attestation, the remediation tracking workflow keeps owners, deadlines, and retest evidence linked to the engagement record so the next supervisor cycle does not turn into a second forensic exercise.

CBEST, STAR FS, and the CREST accreditation regime

CBEST is the supervisor-led programme; the provider accreditation regime that supports it is operated by CREST. STAR FS is the CREST scheme that runs alongside CBEST and accredits threat intelligence providers, red team providers, and the senior individuals who lead intelligence-led engagements. Buyers procuring CBEST testing typically check provider accreditations and individual certifications (CCSAS, CCSAM, CCT-INF, CCT-APP, CRT) against the STAR FS register. The CREST penetration testing framework page covers the wider CREST scheme landscape and the certification ladder.

CBEST vs TIBER-EU vs DORA TLPT vs GBEST and iCAST

CBEST is the UK financial services scheme. TIBER-EU is the European Central Bank framework adopted across the European Union and named as the reference methodology for TLPT under DORA. GBEST is the UK government variant operated by the Cabinet Office and the National Cyber Security Centre. iCAST is the equivalent intelligence-led scheme run by the Hong Kong Monetary Authority. The schemes share the structural ideas: a bespoke threat assessment, accredited providers, a small white team, role separation, controlled execution, replay, and a closure attestation. They differ in jurisdiction, accreditation regime, procedural detail, and the supervisor that signs off the closure pack. Groups that operate across multiple jurisdictions usually run a single underlying workflow and map artefacts to each scheme rather than building parallel evidence pipelines.

For UK firms whose operations also bring in essential service obligations beyond financial supervision, the closure pack often feeds directly into a parallel NCSC Cyber Assessment Framework cycle. CBEST findings against B4 (system security), C1 (security monitoring), and C2 (proactive security event discovery) are exactly the contributing outcomes a CAF assessor expects intelligence-led testing to evidence, so a single body of work can satisfy both the Bank of England supervisor and the CAF reviewer where the firm is in scope of both regimes.

Evidence the supervisor (and your board) actually want

CBEST programmes that struggle on review usually struggle because the artefacts are scattered across drives, secure email threads, and screenshots. Build the closure pack as the work happens, retain raw evidence alongside the structured record, and tie every artefact back to the phase, the role that produced it, and the approver who signed it off. The closure attestation reads the way the underlying record reads.

Where SecPortal fits in the CBEST workflow

SecPortal is the operating layer for the CBEST engagement, not a replacement for the supervisor, the threat intelligence provider, or the red team provider. The platform handles scope, role records, findings, replay notes, attestation artefacts, and the closure pack so the work runs as a structured workflow rather than a long encrypted email thread. Compliance tracking maps the CBEST evidence pack to wider obligations under DORA, NIS2, ISO 27001, and the SWIFT Customer Security Programme for groups that have to satisfy more than one regime from the same body of work.

A CBEST engagement is a multi-month effort, not a one-week test. The first cycle for a new in-scope firm typically takes between six and twelve months from launch to attestation, with preparation alone running several months. Subsequent cycles run faster because the white team, the providers, and the evidence patterns are reusable. Running the work as a managed workflow pays off most over time: prior targeted threat reports, prior red team findings, and prior remediation timelines stay linked, so each cycle becomes an iteration rather than a rebuild. For consultants delivering CBEST work to multiple firms, the security consultants workspace bundles the platform with branded client portals and AI report generation so the deliverable looks as polished as the work behind it.

For programmes that want continuous detection and trend evidence between CBEST cycles, the continuous monitoring capability and attack surface management capability produce the cadence and coverage record that intelligence-led programmes are expected to keep between formal engagements.