CBEST Penetration Testing Providers

CBEST Intelligence-Led Testing · Published by Bank of England / CREST

CBEST is the UK's intelligence-led penetration testing framework specifically designed for the financial services sector, developed by the Bank of England in collaboration with CREST and the UK government's National Cyber Security Centre (NCSC). Introduced in 2014, CBEST was one of the first threat intelligence-based red teaming frameworks globally and served as a model for subsequent frameworks including TIBER-EU. CBEST assessments simulate realistic cyber attacks against UK financial institutions by combining targeted threat intelligence with controlled red team operations against live production environments.

The framework requires that both the threat intelligence provider and the red team provider hold specific CBEST accreditation, which involves demonstrating advanced capabilities beyond standard CREST accreditation. CBEST tests are commissioned by financial regulators and conducted under the supervision of the Bank of England's supervisory teams. The threat intelligence phase identifies the most likely and capable threat actors targeting the specific institution, their tactics and techniques, and the institution's most critical functions and assets. The red team phase then designs and executes realistic attack scenarios based on this intelligence, testing the institution's ability to detect, respond to, and recover from sophisticated cyber attacks.

CBEST results are shared with regulators and inform supervisory assessments of the institution's cyber resilience. Only a small number of companies hold CBEST accreditation, making it one of the most exclusive and demanding security testing credentials. CBEST assessments are considered the gold standard for financial sector security testing in the UK.

Key Features

  • Bank of England supervised framework
  • Intelligence-led red teaming
  • Tests live production environments
  • Regulatory supervision of results
  • Most demanding UK security testing

Best For

  • UK financial institutions
  • Banks and building societies
  • Payment service providers
  • Financial market infrastructure
  • Insurance companies under PRA regulation

Providers using CBEST (13)

Aristi

CHECK and CREST-accredited Birmingham-based cyber security consultancy with over 15 years of experience delivering penetration testing, red teaming, and OT security assessments for government and private sector clients.

Birmingham, United Kingdom · Contact for pricing
Web Application, Network, Mobile App, Cloud +7
CREST, CHECK, ISO 27001, Cyber Essentials +2
Verified Feb 2026

CovertSwarm

Subscription-based offensive cybersecurity firm delivering continuous cyber attack services with CREST STAR and CBEST accreditations from its London headquarters.

London, United Kingdom · Contact for pricing
Web Application, Network, Cloud, API +4
CREST, CBEST, STAR
Verified Feb 2026

Cyberis

CREST and CHECK-accredited UK penetration testing consultancy with CBEST approval, specialising in infrastructure, application, and simulated attack assessments across the public and private sectors.

Worcester, United Kingdom · Contact for pricing
Web Application, Network, Mobile App, Cloud +4
CREST, CHECK, CBEST, STAR +4
Verified Feb 2026

Dionach

Global enterprise cybersecurity consultancy founded in 1999 in Oxford, holding rare CREST STAR-FS accreditation and delivering penetration testing, red and purple teaming, and PCI QSA services across five international offices.

Oxford, United Kingdom · Contact for pricing
Web Application, Network, Red Teaming, Purple Teaming +7
CREST, CHECK, STAR, ISO 27001 +2
Verified Feb 2026

JUMPSEC

Full-service London-based cybersecurity consultancy with CREST, CHECK, and NCSC accreditations delivering offensive testing, managed detection, and strategic advisory services.

London, United Kingdom · Contact for pricing
Web Application, Network, Cloud, API +5
CREST, CHECK, ISO 27001, Cyber Essentials +2
Verified Feb 2026

Mandiant

World-renowned cybersecurity firm now part of Google Cloud, delivering threat intelligence-led penetration testing and red teaming informed by front-line incident response experience.

Reston, Virginia, United States · Contact for pricing
Red Teaming, Purple Teaming, Network, Web Application +5
SOC 2, ISO 27001, FedRAMP 3PAO
Verified Feb 2026

MDSec

Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.

Southam, United Kingdom · Contact for pricing
Web Application, Network, Cloud, Red Teaming +6
CREST, CHECK, CBEST, STAR +3
Verified Feb 2026
Best UK Provider · Best for Enterprise · Research Leaders

NCC Group

Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.

Manchester, United Kingdom · Contact for pricing
Web Application, Network, Mobile App, IoT +12
CREST, CHECK, CBEST, ISO 27001 +5
Verified Feb 2026

Nettitude

CREST, CHECK, and CBEST accredited UK consultancy within Lloyd's Register, delivering premium penetration testing for government and critical infrastructure.

London, United Kingdom · Contact for pricing
Web Application, Network, Mobile App, IoT +9
CREST, CHECK, CBEST, ISO 27001 +1
Verified Feb 2026

Pen Test Partners

The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.

Buckingham, United Kingdom · Contact for pricing
Web Application, Network, Mobile App, IoT +10
CREST, CHECK, CBEST, STAR +4
Verified Feb 2026

PwC Cyber Security

Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.

London, United Kingdom · Contact for pricing
Web Application, Network, IoT, Cloud +8
CREST, CHECK, CBEST, STAR +2
Verified Feb 2026

Salus Cyber

Award-winning Cheltenham-based cybersecurity consultancy with NCSC CHECK Green Light status and CREST approval, specialising in defence, government, and critical national infrastructure security.

Cheltenham, United Kingdom · Contact for pricing
Web Application, Network, Cloud, API +5
CREST, CHECK, ISO 27001, Cyber Essentials +2
Verified Feb 2026
Top UK Provider · Elite Testers · Research-Driven

SECFORCE

Leading UK offensive security consultancy based in Canary Wharf, delivering CREST-accredited penetration testing and adversary simulation to organisations with the most demanding security requirements.

London, United Kingdom · Contact for pricing
Web Application, Network, Mobile App, IoT +9
CREST, ISO 27001, Cyber Essentials
Verified Feb 2026

CBEST FAQs

Who is required to undergo CBEST testing?

CBEST testing is typically required for systemically important UK financial institutions as determined by the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA). This includes major banks, building societies, insurers, and financial market infrastructure providers.

How many companies are CBEST accredited?

CBEST accreditation is held by a very small number of companies — typically fewer than 15 — due to the demanding requirements that go significantly beyond standard CREST accreditation. Both threat intelligence and red team providers require separate CBEST accreditation.

What is the relationship between CBEST and TIBER-EU?

CBEST predates and directly influenced TIBER-EU. Both are intelligence-led red teaming frameworks for financial services, but CBEST is UK-specific and supervised by the Bank of England, while TIBER-EU is the EU-wide framework coordinated by the ECB.