Financial services organizations face a distinct penetration testing landscape. A bank's failure does not just harm the institution — it can cascade across the financial system. This systemic risk dimension has driven regulators in the UK, EU, and US to develop specialized, intelligence-led penetration testing frameworks that go substantially beyond the annual compliance checkbox test. Understanding these frameworks is essential for security leaders at any regulated financial institution.
Why Financial Services Needs Specialized Frameworks
Standard penetration testing frameworks — PTES, OWASP, NIST 800-115 — are designed to find technical vulnerabilities. They are scope-bounded, time-boxed, and oriented toward cataloguing weaknesses against a defined attack surface. They do not answer the critical question for a systemically important institution: if a sophisticated nation-state or advanced cybercriminal group targeted this institution using their actual capabilities and TTPs, what would they achieve?
Threat-led penetration testing (TLPT) frameworks answer that question. They begin with real threat intelligence about groups actively targeting the financial sector — their specific tooling, infrastructure, initial access methods, and objectives — and construct a red team operation that emulates those specific threats against the institution's most critical functions. The result is not a list of CVEs; it is a scenario-based validation of whether your defenses would hold against the adversaries who are actually coming for you.
CBEST: Bank of England Framework
CBEST (CBEST Intelligence-Led Cyber Security Testing) was developed by the Bank of England (BoE) and is applicable to UK financial institutions the BoE, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) deem systemically important. It is voluntary but effectively mandatory for the largest UK institutions.
CBEST engagement structure:
- Intelligence phase: An accredited Threat Intelligence Provider (TIP) — firms like BAE Systems, PwC, or Context IS — produces a targeted threat intelligence report specific to the institution, identifying relevant threat actor groups, their current TTPs, and which of the institution's business lines or infrastructure they are likely to target.
- Penetration testing phase: An accredited penetration testing provider receives the threat intelligence report and conducts a red team operation emulating the identified threats against the scoped critical business services (CBS).
- Closure phase: A purple team session where the red team and the institution's blue team review the full attack timeline together, discuss detections and gaps, and develop prioritized remediation.
TIBER-EU: European Central Bank Framework
TIBER-EU (Threat Intelligence-Based Ethical Red-Teaming) was published by the European Central Bank in 2018 as a pan-European framework for intelligence-led penetration testing of systemically important institutions. Individual EU member state central banks have implemented national TIBER variants: TIBER-NL (Netherlands), TIBER-BE (Belgium), TIBER-DE (Germany), and others.
TIBER-EU closely parallels CBEST in structure — intelligence phase, red team phase, closure phase — but adds the European dimension: a single TIBER engagement that satisfies multiple national regulators simultaneously through a mutual recognition framework. A Dutch bank with operations in Germany and Belgium can conduct one TIBER-EU engagement that satisfies De Nederlandsche Bank, BaFin, and the National Bank of Belgium.
TIBER-EU specifies detailed requirements for provider qualification. Red team providers must demonstrate capability in threat intelligence analysis, advanced persistent threat (APT) simulation, physical penetration testing (where scoped), and telecom/social engineering. The intelligence phase must produce a Targeted Threat Intelligence (TTI) report meeting the ECB's specified content requirements.
iCAST: NYDFS-Aligned Framework for US Institutions
The Intelligence-led Cyber Attack Simulation Testing (iCAST) framework was developed with input from the New York Federal Reserve and aligns with NYDFS 23 NYCRR 500 requirements. While not as formally codified as CBEST or TIBER-EU, iCAST represents the US approach to intelligence-led testing for financial institutions subject to New York regulation.
iCAST engagements at US financial institutions typically scope critical business functions including payment processing, trading systems, customer data systems, and correspondent banking infrastructure. The intelligence phase draws on US-focused threat intelligence that the CBEST and TIBER frameworks may not cover — domestic cybercriminal groups targeting the US financial sector, North Korean threat actors targeting SWIFT infrastructure (Lazarus/APT38), and ransomware groups with demonstrated interest in financial services.
G7 Cyber Expert Group Guidelines
The G7 Cyber Expert Group (CEG) publishes fundamental cybersecurity elements for the financial sector, including guidance on threat-led penetration testing. The G7 CEG framework emphasizes mutual recognition between jurisdictions — the goal is that a TIBER-EU engagement conducted under ECB standards should satisfy US regulatory expectations, and vice versa, reducing duplicative testing burden for internationally active institutions.
Engagement Duration and Provider Requirements
Intelligence-led penetration testing engagements are substantially longer than standard penetration tests. A TIBER-EU or CBEST engagement runs far longer than a standard penetration test: the Bank of England reports an average CBEST project duration of 9 to 12 months, with indicative phases of Initiation (~6 weeks), Threat Intelligence (~10 weeks), Penetration Testing (~14 weeks), and Closure (~4 weeks) (Bank of England, CBEST Implementation Guide). The ECB's TIBER-EU framework similarly envisages 10-12 weeks for the red team testing phase alone.
Published Bank of England CBEST Thematic reports group recurring weaknesses into five areas — infrastructure and security, identity management and access control, detection and response, network security, and staff culture, awareness and training — with staff culture and detection/response repeatedly cited as the most persistent gaps (Bank of England, 2025 CBEST Thematic). Individual TIBER-EU and CBEST engagement findings are confidential and shared only with the relevant authorities, so no public per-engagement, per-domain finding counts exist.
Provider qualification requirements are correspondingly rigorous. Testers must demonstrate nation-state-level offensive capability — not the skill set needed to exploit a known CVE, but the skill set to develop custom malware, operate in target environments for extended periods without detection, and reconstruct the TTPs of specific threat actor groups. The Fortress MSSP penetration testing practice conducts financial services security assessments aligned with these frameworks. Contact us to discuss your institution's testing requirements and regulatory obligations.