Best CBEST-Accredited Penetration Testing Companies (2026)

CBEST is the Bank of England's intelligence-led red teaming framework for systemically important UK financial institutions. It requires two CREST-accredited, CBEST-approved suppliers working together: a Threat Intelligence provider and a Red Team provider whose consultants hold CCRTS qualifications under a CCRTM-managed engagement. The providers below carry CBEST accreditation in our directory; the list opens with our Featured partner, clearly labelled, followed by the wider set.


What is CBEST, and who is allowed to deliver it?

CBEST is the Bank of England's framework for intelligence-led penetration testing of systemically important UK financial institutions: the banks, insurers, and financial market infrastructures regulated by the Bank, the PRA, and the FCA. Introduced in 2014, it uses bespoke cyber threat intelligence to simulate the specific real-world attackers most likely to target the financial sector, testing an organisation's detection and response against a realistic, goal-oriented attack on its live production systems.

A CBEST assessment involves two distinct accredited suppliers working together: a Threat Intelligence provider, which builds the bespoke intelligence picture and the target scenarios, and a Red Team provider, which executes the simulated attack. Both must be CREST-accredited and approved under the CBEST scheme. Red Team providers must hold CBEST certification and deploy consultants holding the CCRTS qualification (CREST Certified Red Team Specialist), and the engagement must be managed by a CCRTM (CREST Certified Red Team Manager). These requirements keep the pool of eligible providers deliberately small.

The providers below are CREST members carrying CBEST accreditation in our directory. CBEST engagements are substantial programmes, typically running several months end to end and coordinated with the regulator throughout, so shortlist on demonstrated financial-sector red team experience, CCRTS and CCRTM staffing, and clean operational tradecraft. Always confirm a supplier's current scheme status directly with CREST and the Bank of England before appointing them.

Top Pick · Featured

SECFORCE

Our top recommendation on this page.

Canary Wharf-based adversary simulation and CBEST-aligned penetration testing consultancy, delivering CREST-accredited offensive security to UK financial services and other organisations with the most demanding requirements.

CREST · CBEST · ISO 27001 · SOC 2 · Cyber Essentials
  • CBEST-approved provider staffed by certified CCRTM and CCRTS consultants.
  • Has delivered over 15 CBEST engagements for UK high street banks, major financial institutions, and other regulated entities.
  • Works with a network of trusted, CBEST-approved threat intelligence partners, and can also work alongside any threat intelligence provider selected by the client or regulator.
  • Independently audited against both ISO 27001 and SOC 2 for information security, data handling, and operational integrity.
Best UK Provider · Best for Enterprise · Research Leaders

NCC Group

Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.

Manchester, United Kingdom · Contact for pricing
Web Application · Network · Mobile App · +13
CREST · CHECK · CBEST · +5
Verified May 2026

Pen Test Partners

The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.

Buckingham, United Kingdom · Contact for pricing
Web Application · Network · Mobile App · +11
CREST · CHECK · CBEST · +5
Verified Apr 2026

PwC Cyber Security

Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.

London, United Kingdom · Contact for pricing
Web Application · Network · IoT · +9
CREST · CHECK · CBEST · +3
Verified Apr 2026

MDSec

Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.

Southam, United Kingdom · Contact for pricing
Web Application · Network · Cloud · +7
CREST · CHECK · CBEST · +4
Verified Apr 2026

Cyberis

CREST and CHECK-accredited UK penetration testing consultancy with CBEST approval, specialising in infrastructure, application, and simulated attack assessments across the public and private sectors.

Worcester, United Kingdom · Contact for pricing
Web Application · Network · Mobile App · +5
CREST · CHECK · CBEST · +5
Verified Apr 2026

CovertSwarm

Subscription-based offensive cybersecurity firm delivering continuous cyber attack services with CREST STAR and CBEST accreditations from its London headquarters.

London, United Kingdom · Contact for pricing
Web Application · Network · Cloud · +5
CREST · CBEST · STAR
Verified Apr 2026

Best CBEST-Accredited Penetration Testing Companies (2026), FAQs

What is CBEST?

CBEST is the Bank of England's framework for intelligence-led penetration testing of systemically important UK financial institutions, including banks, insurers, and financial market infrastructures regulated by the Bank, the PRA, and the FCA. It uses bespoke threat intelligence to simulate the real-world attackers most likely to target the financial sector, run against the organisation's live production systems and coordinated with the regulator.

Who is allowed to deliver a CBEST assessment?

A CBEST assessment uses two accredited suppliers: a Threat Intelligence provider and a Red Team provider, both CREST-accredited and approved under the CBEST scheme. The Red Team provider must hold CBEST certification and deploy consultants holding the CCRTS qualification (CREST Certified Red Team Specialist), with the engagement managed by a CCRTM (CREST Certified Red Team Manager).

How is CBEST different from STAR-FS or TIBER-EU?

CBEST is the Bank of England's regulator-led scheme for the UK's most systemically important financial firms. STAR-FS is the CREST-run scheme that financial firms can commission themselves using the same pool of accredited providers and qualifications. TIBER-EU is the European Central Bank's equivalent framework, mandated under DORA for significant EU financial entities. All three are forms of threat-led penetration testing.

How much does a CBEST engagement cost, and how long does it take?

CBEST is a substantial programme rather than a fixed-scope test. Engagements typically run several months end to end, spanning a threat-intelligence and scoping phase, weeks of active red teaming, and a reporting and replay phase, all coordinated with the regulator. Costs sit at the top of the red team range, commonly £50,000 or more depending on scope.