Login to profile


Working alongside the UK central Bank, the Bank of England (BoE), CREST has developed a framework to deliver controlled, bespoke, intelligence-led cyber security tests that replicate behaviours of those threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions.  CBEST is the first of initiative of its type to be led by any of the world’s central banks.

CBEST differs from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks against critical systems and essential services. The inclusion of specific cyber threat intelligence will ensure that that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.

CREST helped to develop the new accreditation standards for CBEST penetration testing, based on the already stringent standards for assessing the capabilities, policies and procedures that CREST member companies have to achieve. CBEST accredited professionals also need to demonstrate extremely high levels of technical knowledge, skill and competency.



  • access to advanced and detailed cyber threat intelligence;
  • access to knowledgeable, skilled and competent cyber threat intelligence analysts who have a detailed understanding of the financial services sector;
  • realistic penetration tests that replicate sophisticated, current attacks based on current and targeted cyber threat intelligence;
  • access to highly qualified penetration testers that understand how to conduct  technically difficult testing activities whilst ensuring that no damage or risk is caused;
  • confidence in the methodologies utilised by the companies within CBEST for conducting these sophisticated and sensitive tests;
  • confidence that the results and the information accessed by the testers will protected;
  • standard key performance indicators that can be used to assess the maturity of the organisation’s ability to detect and respond to cyber attacks;
  • access to benchmark information, through the key performance indicators, that can be utilised to assess other parts of the financial services industry;
  • a framework that is underpinned by comprehensive, enforceable and meaningful codes of conduct administered by a specialist professional body.