Best STAR-FS Penetration Testing Companies (2026)
STAR-FS (Simulated Targeted Attack and Response for the Finance Sector) is the CREST-run, intelligence-led penetration testing scheme for FCA-regulated financial firms. It is a companion to CBEST that covers a wider range of firms and relies on commercially available threat intelligence rather than CBEST's bespoke, systemic-risk focus. Delivering it requires CREST-accredited threat intelligence and red team providers. The list below opens with our Featured partner, clearly labelled, followed by the wider set of providers carrying the CREST STAR accreditation in our directory.
Related: CBEST-accredited companies · CREST pen testing companies · Threat-led penetration testing (TLPT)
What is STAR-FS, and who can deliver it?
STAR-FS is the CREST scheme for intelligence-led penetration testing of FCA-regulated financial services firms. It works the same way as CBEST, mimicking the tactics, techniques, and procedures of real threat actors against a firm's Important Business Services, but relies on commercially available threat intelligence rather than the bespoke, systemic-risk intelligence CBEST uses. It can be supervisory-led or self-initiated, and self-initiated tests can count for supervisory purposes if the firm involves its regulator.
An engagement follows the same phases as CBEST (Initiation, Threat Intelligence, Penetration Testing, and Closure) and typically runs up to 24 weeks, with the red team phase lasting up to six weeks. Both the threat intelligence and the red team must be delivered by CREST-accredited providers.
The providers below carry the CREST STAR accreditation in our directory. Because STAR-FS uses the same accredited pool and qualifications as CBEST, look for demonstrated financial-sector red team experience and CCRTS and CCRTM staffing, and confirm a supplier's current STAR-FS scheme status with CREST before appointing them.

SECFORCE
Our top recommendation on this page.
Canary Wharf-based adversary simulation and CBEST-aligned penetration testing consultancy, delivering CREST-accredited offensive security to UK financial services and other organisations with the most demanding requirements.
- CBEST-approved provider staffed by certified CCRTM and CCRTS consultants.
- Has delivered over 15 CBEST engagements for UK high street banks, major financial institutions, and other regulated entities.
- Works with a network of trusted, CBEST-approved threat intelligence partners, and can also work alongside any threat intelligence provider selected by the client or regulator.
- Independently audited against both ISO 27001 and SOC 2 for information security, data handling, and operational integrity.
Dionach
Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.
PwC Cyber Security
Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.
MDSec
Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.
Cyberis
CREST and CHECK-accredited UK penetration testing consultancy with CBEST approval, specialising in infrastructure, application, and simulated attack assessments across the public and private sectors.
Best STAR-FS Penetration Testing Companies (2026), FAQs
What is STAR-FS?+
STAR-FS (Simulated Targeted Attack and Response for the Finance Sector) is a CREST-run, intelligence-led penetration testing scheme for FCA-regulated financial firms. It mimics the tactics of real threat actors against a firm's Important Business Services, and is a companion to the Bank of England's CBEST that covers a broader range of firms.
How is STAR-FS different from CBEST?+
Both are intelligence-led red team schemes for UK financial services that run the same phases. CBEST is the Bank of England's regulator-led scheme for systemically important firms and uses bespoke, systemic-risk threat intelligence. STAR-FS is CREST-run, covers a wider range of FCA-regulated firms, can be self-initiated, and relies on commercially available threat intelligence.
Who can deliver a STAR-FS engagement?+
STAR-FS engagements must be delivered by CREST-accredited threat intelligence and red team providers, using the same accredited pool and consultant qualifications (CCRTS and CCRTM) as CBEST. Always confirm a provider's current STAR-FS status with CREST before appointing them.
How long does a STAR-FS engagement take?+
A STAR-FS engagement follows the same phases as CBEST and typically runs up to 24 weeks end to end, with the red team (penetration testing) phase lasting up to six weeks.