CBEST Penetration Testing Providers
CBEST Intelligence-Led Testing · Published by Bank of England / CREST
CBEST is the UK's intelligence-led penetration testing framework specifically designed for the financial services sector, developed by the Bank of England in collaboration with CREST and the UK government's National Cyber Security Centre (NCSC). Introduced in 2014, CBEST was one of the first threat intelligence-based red teaming frameworks globally and served as a model for subsequent frameworks including TIBER-EU. CBEST assessments simulate realistic cyber attacks against UK financial institutions by combining targeted threat intelligence with controlled red team operations against live production environments.
The framework requires that both the threat intelligence provider and the red team provider hold specific CBEST accreditation, which involves demonstrating advanced capabilities beyond standard CREST accreditation. CBEST tests are commissioned by financial regulators and conducted under the supervision of the Bank of England's supervisory teams. The threat intelligence phase identifies the most likely and capable threat actors targeting the specific institution, their tactics and techniques, and the institution's most critical functions and assets. The red team phase then designs and executes realistic attack scenarios based on this intelligence, testing the institution's ability to detect, respond to, and recover from sophisticated cyber attacks.
CBEST results are shared with regulators and inform supervisory assessments of the institution's cyber resilience. Only a small number of companies hold CBEST accreditation, making it one of the most exclusive and demanding security testing credentials. CBEST assessments are considered the gold standard for financial sector security testing in the UK.
Key Features
- Bank of England supervised framework
- Intelligence-led red teaming
- Tests live production environments
- Regulatory supervision of results
- Most demanding UK security testing
Best For
- UK financial institutions
- Banks and building societies
- Payment service providers
- Financial market infrastructure
- Insurance companies under PRA regulation
Providers using CBEST (4)
SECFORCE
Leading UK offensive security consultancy based in Canary Wharf, delivering CREST-accredited penetration testing and adversary simulation to organisations with the most demanding security requirements.
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
Nettitude
CREST, CHECK, and CBEST accredited UK consultancy within Lloyd's Register, delivering premium penetration testing for government and critical infrastructure.
Mandiant
World-renowned cybersecurity firm now part of Google Cloud, delivering threat intelligence-led penetration testing and red teaming informed by front-line incident response experience.
CBEST FAQs
Who is required to undergo CBEST testing?
CBEST testing is typically required for systemically important UK financial institutions as determined by the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA). This includes major banks, building societies, insurers, and financial market infrastructure providers.
How many companies are CBEST accredited?
CBEST accreditation is held by a very small number of companies — typically fewer than 15 — due to the demanding requirements that go significantly beyond standard CREST accreditation. Both threat intelligence and red team providers require separate CBEST accreditation.
What is the relationship between CBEST and TIBER-EU?
CBEST predates and directly influenced TIBER-EU. Both are intelligence-led red teaming frameworks for financial services, but CBEST is UK-specific and supervised by the Bank of England, while TIBER-EU is the EU-wide framework coordinated by the ECB.