Intelligence-Led Red Teaming

CBEST

CBEST — Threat Intelligence-Led Assessments

Bank of England (with CREST and UK financial sector) Source Document →

What It Is

The first national-level threat intelligence-led red teaming framework, operational since 2014. Developed by the Bank of England for UK financial infrastructure, CBEST defines a three-phase assessment model where test scenarios are driven by real threat intelligence — not generic vulnerability scanning:

  1. Threat Intelligence Phase — Accredited TI providers build bespoke threat scenarios based on adversary TTPs known to target the specific institution. Which APT groups target UK financial services? What are their preferred initial access vectors? What crown jewels would they pursue?

  2. Penetration Testing Phase — CREST-accredited red teams execute those scenarios against the institution’s live production systems. Not a staging environment. Not a sandbox. Production.

  3. Remediation and Report Phase — Findings documented, remediation tracked, regulatory debrief conducted with BoE/PRA/FCA oversight.

Why It Matters

CBEST fundamentally changed what “pentest” means at the regulatory level. Before CBEST, financial sector pentests were largely compliance-driven vulnerability assessments. CBEST introduced the concept that a meaningful test must simulate how a real adversary would actually attack that specific institution — using real threat intelligence, real TTPs, and real production infrastructure.

The model was so influential that the European Central Bank built TIBER-EU directly on CBEST’s design.

When to Use It

Directly applicable to UK financial institutions regulated by BoE/PRA/FCA. More broadly, CBEST is the reference model for any organization wanting to understand what intelligence-led red teaming looks like when done at regulatory scale. Even if you never run a CBEST assessment, understanding its structure informs how to design red team engagements that go beyond “find vulns” to “simulate the adversary.”

The Offensive Angle

Testing against production is the critical distinction. A red team that operates in a lab environment validates whether an exploit works. A red team that operates in production validates whether the defenders detect it. CBEST’s requirement for production testing creates a real adversary simulation — the blue team doesn’t know it’s happening, and the results measure detection and response capability, not just vulnerability count.

Pairs Well With

  • TIBER-EU — Pan-European evolution of CBEST’s model
  • PTES — Engagement methodology for the technical execution phases
  • ISSAF — Granular phase model for the red team’s operational lifecycle