Skip to main content
  • This website sets cookies on your device. To find out more about how we use cookies please refer to our Privacy and Cookie Policy. By continuing to use the site, we’ll assume that you are content for us to set these on your device.
  • Close


CBEST Vulnerability Testing Framework Launch

Following their meeting in June 2013, the FPC issued a recommendation requesting that HMT and the regulators work with the core of the UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack. The committee also noted it was important that boards of financial firms and infrastructure providers recognised their responsibility for responding to those attacks.
To assist the boards of financial firms and infrastructure providers, and regulators, in improving their understanding of the types of cyber attack that could undermine financial stability in the UK, and the extent to which the UK financial sector is vulnerable to those attacks, a new, intelligence-led testing framework has been devised by the UK Financial Authorities in conjunction with CREST (the Council for Registered Ethical Security Testers) and Digital Shadows.
On 23 May CBEST was launched to industry during an event hosted by the Bank of England.
On 10 June CBEST was publicly launched following a speech by Andrew Gracie, Executive Director Resolution, at the BBA’s conference on Managing Cyber Risk – the Global Banking Perspective. Further details on CBEST and Andrew Gracie’s speech can be found in the following documents.

Key Resources

CBEST FAQ June 2015
Frequently asked questions on CBEST vulnerability testing framework, June 2015

BBA Cyber Speech - CBEST Launch 
Details of the official launch of CBEST vulnerability testing

CBEST: An Introduction to threat modelling
Defining an analytical model of cyber threat intelligence in terms of a threat entity's goal orientation, that capabilities it uses to pursue its goals and its modus operandi.

Explaining the key phases, activities, deliverables and interactions involved in a CBEST assessment.
CBEST: Services Assessment Guide
Providing background information, in the form of a set of assessment criteria, that CBEST participants can use as they assess prospective service providers.  
Defining best practice standards for the production and consumption of threat intelligence.