Cyber risk is an important element of operational resilience in financial services. For financial institutions, the impact of a successful cyber-attack can extend beyond compromised technology: disruption to important business services can affect consumers, market participants and, in some circumstances, financial stability.
For over a decade, CREST has worked with the financial services industry to support the delivery of threat-led penetration testing for systemically important financial institutions.
Drawing on that experience, CREST has published Threat-led Penetration Testing: Guidance for financial services, setting out the Threat-Led Penetration Testing for Financial Services (TLPT-FS) framework and the roles involved in its delivery.
The guidance is intended for financial institutions undertaking threat-led penetration testing, supervisors exploring, developing or running regulated TLPT-FS activity, threat intelligence and penetration testing service providers delivering TLPT-FS services, and those responsible for overseeing the process and ensuring recommendations are appropriately actioned.
Threat-led penetration testing is designed to help financial institutions understand how their defences perform against realistic attack scenarios. Rather than testing vulnerabilities in isolation, TLPT-FS is centred on important business services and the technology, assets, and people that support them.
The process uses commercially available threat intelligence to define realistic and current scenarios, which are then used by penetration testing teams to replicate real-world attacks against live operational systems. In doing so, TLPT-FS gives financial institutions a structured way to assess their cyber capabilities, identify weaknesses and vulnerabilities, and use the outcomes to inform remediation.
This is what distinguishes threat-led penetration testing from a conventional penetration test. It brings together intelligence, testing, risk management, review and remediation within a single process, with clear relationships between the threats identified, the services in scope, the testing undertaken, and the improvements that follow.
The scope of a TLPT-FS assessment begins with identifying the important business services that matter most to the financial institution and those who rely on it.
For a regulated assessment, these may include services which, if disrupted, could pose a risk to the stability of the country’s financial system, affect the financial institution’s safety and soundness, impact the orderly functioning of financial markets, reduce protection for policyholders, or cause intolerable harm to clients.
Once those services have been identified, the financial institution considers the critical systems supporting them and the compromise actions that would present the greatest concern if they occurred in reality. This allows testing objectives to be linked to the potential impact on the confidentiality, integrity and availability of the systems in scope.
This service-led approach is a central feature of TLPT-FS. The goal is not simply to determine whether a system can be accessed, but to understand how realistic threat activity could affect the services that the institution and its customers depend on.
The threat intelligence phase provides the basis for the testing that follows.
During this phase, the threat intelligence service provider develops an understanding of the financial institution as a potential target. This includes potential attack surfaces across people, processes and infrastructure, together with relevant threat actors and probable threat scenarios.
The guidance requires a minimum of two scenarios, with the final number proportionate to the important business services in scope. Those scenarios must be representative of the threat landscape and relevant to the systems being assessed.
The resulting targeting and threat intelligence reports provide the penetration testing service provider with an evidential basis for designing the test plan. Threat actor goals inform the actions the testing team will attempt to achieve, while the threat actors’ capabilities and tactics help ensure the test reflects realistic attack activity.
This link between intelligence and testing is critical. The guidance describes a “golden thread” through the TLPT-FS process, preserving the relationship between important business services, threat scenarios and the testing activity designed to assess them.
Realistic testing in financial services brings inherent risk, particularly where activity is conducted against live production systems and critical business services.
For that reason, a TLPT-FS assessment is built around defined control and accountability. The financial institution remains in control of the threat intelligence and penetration testing activities throughout the assessment and can order a temporary halt if concerns arise about potential damage to a system.
An internal Control Group is established during the initiation phase to manage the assessment on a strict need-to-know basis. Its role includes defining responsibilities, establishing security protocols, creating a project schedule, and developing operational escalation procedures. A Senior Accountable Executive must also be identified to provide sign-off and accountability for the engagement.
The use of CREST-accredited threat intelligence and penetration testing service providers, together with appropriately certified individuals, is another measure designed to mitigate risk and support the controlled delivery of testing against live environments.
The TLPT-FS framework is structured around four phases:
The framework places collaboration at the centre of the process. The financial institution, threat intelligence provider and penetration testing provider must work closely throughout the assessment, particularly during the handover from intelligence into testing and the review of results.
This helps ensure that the scenarios remain relevant, that findings are properly understood, and that remediation is based on evidence gathered through the assessment.
Threat-led penetration testing can form part of the supervisory toolkit used by regulators in their engagement with regulated financial institutions. Financial institutions may also initiate TLPT-FS activity as part of their own cyber programmes to assess protection, detection, and response capabilities.
Where a regulator is involved, the guidance sets out how the financial institution may notify supervisory teams, seek input on scope, and provide a summary of the assessment results and remediation plan for review.
The framework also gives those responsible for oversight a clear basis for understanding whether the assessment has covered the agreed scope, involved the right providers and qualified individuals, used credible threat intelligence and produced the necessary outputs for remediation and reporting.
Threat-led Penetration Testing: Guidance for financial services sets out the phases, activities, deliverables and responsibilities involved in undertaking a TLPT-FS assessment.
Download the guide to explore the framework in full and understand how threat intelligence, controlled testing and remediation work together to support cyber resilience in financial services.