
Threat-led Penetration Testing: Guidance for financial services

For over a decade, CREST has worked with the financial services industry to deliver a threat-led penetration testing framework for systemically important financial institutions.

Building on that work, CREST has published new guidance to help financial institutions, supervisors, and threat intelligence and penetration testing service providers understand the Threat-Led Penetration Testing for Financial Services (TLPT-FS) process and the roles involved in its delivery.

Through current threat intelligence and realistic attack scenarios, the guide sets out how testing can identify weaknesses and vulnerabilities and support remediation to enhance cyber resilience around important business services.

Download the guide to explore the full TLPT-FS framework, including its phases, responsibilities and deliverables.

Key insights:

  • More than penetration testing: TLPT-FS combines threat intelligence, realistic attack scenarios, controlled testing and remediation to support cyber resilience.
  • Centred on important business services: Testing focuses on the people, processes and technology supporting the financial institution’s important business services.
  • Informed by credible threat intelligence: Current threat intelligence shapes realistic scenarios and the penetration testing plan.
  • Controlled testing of live systems: TLPT-FS is conducted on live production systems, unless legal or ethical constraints apply, with the financial institution remaining in control.
  • From assessment to action: Findings from the test inform remediation planning and, where applicable, regulatory reporting.

What’s inside:

✔ Explore the Threat-Led Penetration Testing for Financial Services (TLPT-FS) framework.

✔ Understand the four phases of a TLPT-FS assessment: Initiation, Threat Intelligence, Penetration Testing and Closure.

✔ Get guidance on scoping important business services and establishing oversight and accountability.

✔ See how threat intelligence, targeting and scenario development inform penetration testing.

✔ Clarify the responsibilities of financial institutions, regulators, service providers and certified individuals.

✔ Get guidance on remediation planning and regulatory reporting.
