Please note that a CBEST test is an intelligence-led approach specifically relevant to financial services organizations who are regulated by the Bank of England in the United Kingdom.

However, if your organization is interested in engaging a similar test outside of this regulatory framework, please contact us about CREST STAR testing.

CBEST/CREST STAR Intelligence-Led Penetration Testing

GDS is accredited to deliver CBEST and CREST STAR (Simulated Target Attack & Response) intelligence-led penetration testing for Financial Services organizations in line with the requirements of the Bank of England for the CBEST scheme.


CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. The tests replicate behaviours of threat actors, assessed by the UK Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions.

CBEST and CREST STAR testing differ from other security testing currently undertaken by the financial services sector because it is threat intelligence based, is less constrained and focuses on the more sophisticated and persistent attacks on critical systems and essential services. This provides an holistic assessment of a financial services or infrastructure provider’s cyber capabilities by testing people, processes and technology in a single test which will be less time constrained than traditional penetration testing.


CBEST and CREST STAR tests emulate real-world attacks through risk managed, open scope testing - allowing simulation of real world attacks that are not constrained by a requirement to target a single IT system. All CBEST and CREST STAR tests should progress through the following steps in order. The activities performed and the amount of time spent on each step will vary depending on the nature of the test. This will be defined by the scope and agreed prior to testing, and should include considerations of the target organization’s industry and likely threat actors. Given the nature of this type of testing and the critical nature of the systems and environments being tested, detailed risk assessment and risk management activities are also included. As part of a CBEST/CREST STAR activity, the following methodology will be adopted for the execution:

  • Reconnaissance — Background information is gathered on and from the target organization. An example of this is obtaining public information from the Internet about the target organization, establishing the potential attack surface of the target or identifying possible target user information. Under CBEST this will be conducted by approved cyber threat intelligence providers.

  • Staging — Based on the information gathered from reconnaissance activities, staging platforms will be implemented to emulate that of the agreed threat actors. This platform will be used as a base from which further simulated attacks against the target organization are to be launched.
  • Exploitation — Using tactics, techniques and procedures similar to those of the agreed threat actors, identified vulnerabilities will be exploited to gain unauthorized access to the target. This will be performed to the level agreed in the scoping study and in line with the results of the risk assessment.
  • Control and Movement — Once a successful compromise has been performed, attempts to move from initial compromised systems to further vulnerable or high value systems will be made. For example, this may consist of "..pping" between internal systems, continually reusing any increased access obtained, in order to eventually compromise agreed target systems.
  • Actions On Target — Gaining further access on compromised systems and acquiring access to previously agreed target information and data. Again this phase will be performed based on the agreed scope and risk assessment, and approved by the target organization.
  • Persistence and Egress — Mimicking the activities of an advanced attacker, persistent access to the network will be secured and simulated exfiltration of staged data will be performed. Staged data will be created in line with the risk assessment and approved by the target organization before any action is taken.

CBEST/CREST STAR tests are generally performed without the widespread knowledge of the target organization’s IT security or response capability. A key part of the test is to assess how effectively the target is able to detect and respond to simulated attacks.

Additional Resources

Additional details about CBEST can be found below:

Related Services

If you would like to learn more about our CBEST STAR/CREST STAR services, please email us, or call us on 0845-643-9220.