The annual CBEST thematic is intended to inform the sector on the findings and lessons learned from our CBEST programme, which assesses the cyber resilience of key financial institutions through security testing performed in ‘live’ corporate environments.

The importance of cyber resilience


Technical and Threat Intelligence Observations

Cyber crime

Cyber threat behaviour analysis

Remediation planning

Foreword

The financial sector continues to operate in an environment of heightened cyber risk. As digital transformation accelerates with greater reliance on cloud services, artificial intelligence (AI), and an interdependent supply chain, the sector’s exposure to sophisticated and persistent cyber threats continues to intensify.

CBEST is a targeted assessment that allows regulators, firms and Financial Market Infrastructures (FMIs) to better understand weaknesses and vulnerabilities and take remedial actions. It improves the resilience of systemically important firms and FMIs and by extension, the wider financial system. In line with the growth of threat-led penetration testing (TLPT) frameworks around the world, CBEST remains a highly effective regulatory assessment tool that can be used on a cross-jurisdictional basis with other international regulators and frameworks.

CBEST continues to deliver strong assurance helping to strengthen the cyber resilience of the UK financial sector. CBEST underpins the UK’s approach to operational resilience, delivering TLPT that mirrors realistic adversarial behaviours and supports continuous improvement.

This 2025 CBEST Thematic publication presents insights derived from recent CBEST assessments conducted across firms and FMIs.

This publication does not introduce any new or additional regulatory expectations. Rather, it articulates gaps, some of them foundational, observed in firms’ and FMIs’ cyber defences. This includes new findings on commonly seen threat tactics, techniques, and procedures (TTPs), alongside practical considerations for remedial and resilience planning.

The technical observations in this thematic review reinforce the importance of strengthening cyber defences across people, process, and technology ensuring cyber practices that support operational resilience.

Findings emphasise the need for proactive detection, continuous monitoring, and timely intelligence sharing to mitigate evolving adversarial threats. They also cover the challenges firms and FMIs face in remediation planning.

The key messages in this publication for firms and FMIs to consider include:

  1. To reduce the likelihood of severe cyberattacks firms and FMIs should look to harden operating systems, including by patching vulnerabilities and securely configuring key applications.
  2. Firms and FMIs can reduce the impact of unauthorised access to sensitive systems and information by strengthening credentials management, enforcing strong passwords, considering the use of multi-factor authentication (MFA), preventing or detecting insecure credential storage, and through appropriate segmentation of networks.
  3. Early detection and effective monitoring, alerting and response processes are key to reducing the impact from cyberattacks.
  4. Firms and FMIs should implement risk-based remediation plans with oversight from risk managers and internal auditors to ensure the successful remediation of technical findings, including vulnerabilities.

We continue to strengthen and evolve our approach to CBEST, ensuring that it remains a strong, intelligence led framework that supports firms and FMIs in understanding and mitigating sophisticated cyber threats. Effective cyber resilience in firms and FMIs, and by extension the wider financial sector, helps to preserve market integrity, protect consumers and support growth.

Alongside CBEST, Simulated Targeted Attack & Response for the Finance Sector (STAR-FS) was introduced in 2024 as a complementary framework, extending the benefits of threat-led penetration testing to a wider range of firms and FMIs. We encourage the broader adoption of STAR-FS, as it supports greater collective resilience throughout the financial sector.

The purpose and context for this thematic

This thematic is relevant to all finance sector organisations, and for board members, senior managers, Chief Information Security Officers, Chief Information Officers, Chief Operations Officers, Chief Risk Officers as well as technology leadership teams, internal audit teams and technical cyber teams. Boards can use it to inform their challenge and oversight discussions with cyber resilience leaders.

CBEST remains central to UK regulatory priorities for cyber and operational resilience and supports financial stability and global competitiveness. Its TLPT approach mirrors real-world attacks to assess protection, detection, and response capabilities for a range of cyberattack scenarios. Internationally, regulators are adopting TLPT, guided by the G7 Fundamental Elements, enabling cross-border co-operation and consistency in standards.

This thematic report reflects the joint work of the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority (UK regulators) with a perspective provided by the National Cyber Security Centre (NCSC) and consolidates findings from banks, insurers, asset managers, and FMIs that participated in the latest cycle.

The information and opinions expressed in this document are for information purposes only. They are not intended to constitute legal or other professional advice and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. The sponsors and authors of this document shall accept no responsibility for any errors, omissions or misleading statements in this document, or for any loss that may arise from reliance on the information and opinions expressed within it.

We continue to work with firms and FMIs, other authorities, and international partners to enhance the CBEST programme. We welcome any feedback or comments on these thematic findings. Please send them to CBEST@bankofengland.co.uk and CBEST@fca.org.uk.

Technical observations of CBEST

Maintaining strong cyber hygiene is not a one-time exercise but a continuous effort to reduce exposures and strengthen resilience. In today’s evolving threat landscape, tactical fixes alone are insufficient. While quick remediation may address immediate vulnerabilities, it often leaves underlying weaknesses unaddressed.

This thematic’s findings encourage organisations to consider the underlying causes of cyber risk as well as how it is reflected in the results of their risk management activities. This means analysing systemic gaps, such as poor asset management, weak identity controls, or inadequate third-party oversight, that often lead to recurring vulnerabilities. Addressing these foundational issues will create sustainable security improvements rather than temporary patches.

In this section, we set out the most significant findings identified in 13 CBEST assessments in 2025. We have aggregated our observations into five cyber security areas. Three areas focus on protective technical controls, one addresses detection and response, and one relates to staff culture, awareness, and training.

Given the sophistication of some attackers, it is important that firms and FMIs are prepared to handle breaches effectively, rather than relying solely on protective controls. In addition to technical measures, we continue to observe challenges in staff culture, awareness, and training, highlighting that technical measures alone are not sufficient.

Each finding has an associated reference to the NIST Cybersecurity Framework 2.0 (CSF). These references are intended to help firms and FMIs find relevant supporting information; they do not indicate an expectation that firms and FMIs use the CSF in their own management of cyber risk and resilience. The mapping is indicative rather than comprehensive: other areas of the CSF not referenced here may also be relevant to CBEST findings.

Infrastructure security and data security

Weaknesses in infrastructure security, asset management or application security that were exploited during CBESTs include:

  • Firms/FMIs not maintaining strong configuration practices. Inconsistently configured system endpoints or insufficiently hardened or unpatched systems were vulnerable to simulated attempts to exploit vulnerabilities by threat actors seeking to gain malicious access. (PR.PS-01)
  • Firms/FMIs that did not have strong cryptographic protections for data-at-rest were likely to have insufficient protection against attempts to access, damage or destroy sensitive data and/or privileged credentials. (PR.DS-01)

Identity management and access control

Weaknesses in the secure management and control of identities, authentication and access that were exploited during CBESTs include:

  • Firms/FMIs that did not maintain strong identity and access management controls, for example through weak passwords (or weak enforcement of password standards) or insecure credential storage (such as passwords held in plaintext), were more likely to have user identities compromised, enabling further attack activity. (PR.AA-01 and PR.AA-02)
  • Overly permissive access controls, such as the lack of role-based access control or inadequate restrictions on administrator and service accounts, left firms/FMIs more susceptible to privilege escalation and lateral movement. (PR.AA-05)

Detection and response

Weaknesses in detection and response capabilities exploited during CBESTs include:

  • Firms/FMIs with insufficient detection capabilities, for example poorly tuned monitoring or alerting for adverse incidents, were less able to detect potential cyberattacks in the early stages of the simulated attack. This included weaknesses in the capability to detect attacks through appropriately tuned endpoint detection and response, and to detect data exfiltration. (DE.CM-01)
  • Firms/FMIs with ineffective network monitoring, for example where there was not appropriate traffic inspection, were vulnerable to attackers obfuscating their malicious activities in seemingly legitimate traffic and/or maliciously enabling outbound connectivity from unmonitored devices. (DE.CM-01 and DE.CM-09)

Network security

Weaknesses in security architecture exploited during CBESTs include:

  • Firms/FMIs that did not maintain effective network segmentation, such as segmentation between critical assets, increased the risk of unauthorised access to sensitive information and systems. This included firms/FMIs with a lack of segmentation between development and production environments which heightened the potential impact of a cyberattack. Risk exposure was also increased where there was only limited application of least-privilege principles. (PR.IR-01)

Staff culture, awareness and training

Weaknesses in cyber resilience culture exploited during CBESTs include:

  • Firms/FMIs whose staff were susceptible to social engineering tactics were more likely to be vulnerable to simulated attacks aimed at credentials or system access. These attacks could occur directly via phishing or indirectly through the exposure of sensitive information, for example in job descriptions or on social media. (PR.AT-01)
  • Firms/FMIs in which users were routinely storing credentials in unprotected facilities, such as in spreadsheets or in open file shares, were more likely to have those credentials exposed and used as part of simulated cyberattacks. (PR.AT-01)
  • Firms/FMIs with insecure protocols for helpdesks, such as limited or no authentication of users during interactions with cyber attackers, were vulnerable to being attacked using fraudulently obtained credentials to further malicious access to sensitive information or systems. (PR.AT-02)

Threat intelligence in CBEST

With threat actors growing more organised and sophisticated, the need for effective threat intelligence has never been greater. Leveraging actionable insights enables firms and FMIs to strengthen their resilience, enhance incident response capabilities, and protect critical operations.

For both firms and FMIs, success in today’s rapidly evolving threat landscape is not just about reacting to cyber threats, but about proactively staying ahead of them. By integrating high-quality threat intelligence into their cyber strategies, organisations can strengthen their ability to detect, respond to, and recover from incidents. This proactive approach not only aligns with regulatory expectations but also bolsters trust in the stability and integrity of the UK’s financial system.

Observations of CBEST threat intelligence findings

Our observations about threat intelligence could be helpful for firms and FMIs considering their own threat-led testing programmes. We have structured our observations of CBEST threat intelligence findings into two sections:

Key insights from the Threat Intelligence Maturity Assessment

The CREST Cyber Threat Intelligence Maturity Assessment (TIMA) is a toolset designed to evaluate how mature an organisation’s Cyber Threat Intelligence (CTI) capabilities are. The tool evaluates how well-equipped firms and FMIs are to collect, analyse, disseminate and act on threat intelligence.

The TIMA provides an assessment across four thematic domains:

  • Governance: how threat intelligence is managed effectively, securely, and in alignment with organisational objectives;
  • Programme Planning and Requirements: how the TI programme is defined, resourced, and aligned;
  • Threat Intelligence Operations: the processes of collecting, analysing, producing, and distributing intelligence; and
  • Functional Management: how the TI function is integrated in business continuity, incident response and sustains itself.

From the 2025 CBEST thematic findings we identified that firms and FMIs demonstrated a range of maturities across cyber threat intelligence management domains, including Governance; Programme Planning and Requirements; Threat Intelligence Operations and Functional Management.

Actual self-assessed scores across all domains not only met but surpassed their targets. For most firms and FMIs, Threat Intelligence Operations emerged as the self-identified strongest domain, reflecting that they have developed comparatively advanced capabilities in intelligence collection, triage, enrichment, and dissemination. It also indicates well-established processes for detecting and analysing threat activity, robust tools for correlating indicators, and effective mechanisms for operational response.

By comparison, Programme Planning and Requirements achieved the lowest self-assessed score among the assessed domains, despite exceeding its target. This suggests that although day-to-day threat intelligence operations are effective, the underlying aspects such as strategic planning, defining requirements, establishing governance frameworks, and mapping out long-term capabilities are less developed. As a result, firms and FMIs may experience a disconnect between the intelligence produced and their actual business or operational needs, potentially resulting in inefficient allocation of resources, and difficulties in scaling or evolving their threat intelligence programmes. Enhancing maturity in this area would help ensure that threat intelligence activities are consistently guided by clear priorities, aligned with organisational risk models, and supported through resilient and sustainable processes.

Firms and FMIs should assess the maturity of their threat intelligence capabilities by benchmarking themselves against industry peers, to support them in maintaining an appropriately robust understanding of emerging threats, identifying capability gaps, and strengthening their overall resilience.

Our observations of the most common CBEST threat intelligence threat actors and scenarios

CBEST requires that its red teaming assessment is based on simulations of threat actors and scenarios considered by expert Threat Intelligence Service Providers (TISPs) as being plausible and severe for the firms’ and FMIs’ important business services.

Highly capable attackers and advanced persistent threats (APTs). We observed that the threat actors most commonly used in 2025 CBESTs included highly capable state actors, organised criminal groups as well as malicious insiders, each motivated to cause disruption and/or make financial gains. Highly capable attackers represent adversaries with exceptional technical expertise, substantial resources, and strategic intent, often including nation-state actors and sophisticated cybercriminal groups. These attackers employ advanced techniques such as zero-day exploits, custom malware, and AI-driven automation to bypass defences and achieve objectives like espionage, sabotage, or financial gain. APTs exemplify this approach through long-term, targeted campaigns designed to infiltrate organisations and remain undetected for extended periods. Characterised by advanced tools, persistence, and precise targeting, APTs typically aim to steal intellectual property, compromise critical infrastructure, or disrupt operations.

Third party and supply chain attacks. The most frequently encountered attack scenarios consistently centre around third-party supplier compromise, social engineering, and malicious insider activity. These avenues remain at the forefront of supervisory attention, as they represent ongoing and systemic risks that firms and FMIs often find challenging to address. The growing dependence on external providers has resulted in intricate supply chains, where a single breach has the potential to impact multiple organisations simultaneously.

Social engineering attacks. Phishing campaigns and other techniques, which exploit human behaviour on a large scale, persistently expose weaknesses in staff awareness and organisational resilience.

Malicious insiders. Trusted colleagues or collaborators, whether acting negligently, or turning malicious under coercion, or with deliberate intent, pose a considerable threat due to their privileged access and the inherent difficulty in early detection.

Collectively, these factors emphasise the importance of firms and FMIs reinforcing their controls, enhancing visibility, and maintaining rigorous oversight to effectively manage these high-impact risks.

Cyber threat behaviour analysis

This year for the first time we have included observations about commonly used tactics, techniques and procedures (TTPs) as mapped to the MITRE ATT&CK framework.

Attackers are likely to vary their approach depending on the target environment, available opportunities, and specific goals. For example, some may skip certain steps, repeat stages, or adapt tactics in real time as circumstances change. In practice, the kill chain serves as a useful framework for understanding common attack progression, but actual adversary behaviour can be unpredictable and non-linear. Across our observations from 2025 CBESTs, 469 successful tactics were identified, reflecting this diversity in attack methods.

The summary below reflects key techniques observed but does not constitute an exhaustive list of all MITRE ATT&CK techniques.

Reconnaissance

Attackers begin reconnaissance by gathering publicly available data such as employee names, roles, and email addresses to craft targeted phishing or social engineering attacks.

Firms/FMIs should consider limiting the online exposure of employee information, strengthening authentication and monitoring. They should also consider providing regular security awareness training to reduce the risk of exploitation from such reconnaissance activities.

Initial access

Attackers often gain entry via spear-phishing or compromised third party suppliers, often deploying malicious code through trusted channels or mimicking routine workflows to evade detection.

Firms/FMIs should consider reinforcing vendor security, applying email protections and multi-factor authentication (MFA), segmenting networks and restricting privileged access, and monitoring for anomalous activity to limit impact.

Persistence

Adversaries maintain access across reboots or password changes, often using techniques such as dynamic link library (DLL) side-loading, in which a trusted, signed application is made to load attacker-supplied code from a DLL placed in its search path.

Firms/FMIs should consider implementing regular integrity checks, application allow-listing, and continuous monitoring to detect and remove persistent threats.
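As an added illustration (not part of the CBEST report), the following Python script shows what a basic integrity check against DLL side-loading looks like: hash every file under an application directory into a manifest, diff it against a stored baseline, and flag any new or changed DLL that sits beside an executable. The directory layout, file contents and names such as version.dll are constructed for the example.

```python
"""Added example: file-integrity baseline with a DLL side-loading check.

All paths and file contents below are constructed; they are not taken from
the CBEST report or from any real application.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two manifests into added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _dirname(p: str) -> str:
    return p.rsplit("/", 1)[0] if "/" in p else ""


def side_load_suspects(diff: Dict[str, List[str]], current: Dict[str, str]) -> List[str]:
    """New or changed DLLs in the same directory as an executable.

    That placement is what DLL side-loading relies on: the trusted .exe loads a
    library by name from its own directory before searching system paths.
    """
    exe_dirs = {_dirname(p) for p in current if p.lower().endswith(".exe")}
    return sorted(
        p for p in diff["added"] + diff["modified"]
        if p.lower().endswith(".dll") and _dirname(p) in exe_dirs
    )


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline taken, then a DLL is dropped beside the
    application and an existing helper DLL is replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app"
        app.mkdir()
        (app / "app.exe").write_bytes(b"MZ...constructed stand-in for a signed executable")
        (app / "helper.dll").write_bytes(b"MZ...legitimate helper library v1")
        (root / "docs").mkdir()
        (root / "docs" / "readme.txt").write_text("unchanged documentation")
        baseline = build_manifest(root)  # in practice stored off-host and signed

        # Simulated persistence: attacker drops version.dll next to app.exe and
        # overwrites helper.dll with a trojanised copy.
        (app / "version.dll").write_bytes(b"MZ...attacker-supplied library")
        (app / "helper.dll").write_bytes(b"MZ...trojanised helper library")
        current = build_manifest(root)

        diff = compare(baseline, current)
        diff["side_load_suspects"] = side_load_suspects(diff, current)
        return diff


if __name__ == "__main__":
    for category, paths in run_demo().items():
        print(f"{category}: {paths}")
```

The baseline manifest is only useful if it is stored where the host cannot rewrite it; the check is a detective control and does not replace allow-listing, which blocks the unapproved DLL from loading in the first place.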

Privilege escalation

Adversaries target domain credentials or use token impersonation techniques to act as a privileged user without needing passwords.

Firms/FMIs should consider enforcing least privilege, deploying privileged access management and credential vaulting, requiring MFA and strong credential hygiene, conducting regular access entitlement reviews, and monitoring for anomalous privileged activity.

Credential access

Weak or exposed credentials like passwords stored on shared drives, in configuration files, or reused across systems are commonly exploited.

Firms/FMIs should consider enforcing strong password policies and MFA, removing plaintext credentials from code and file shares, using centralised secrets management (vaults) with rotation, and monitoring for credential theft.
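The following Python script, added here as an example rather than taken from the report, shows the kind of check a firm can run over file shares and configuration repositories to find the plaintext credentials described in this section and in the staff culture findings above. The regular expressions, placeholder markers and sample file contents are constructed for illustration; a production scanner would use a maintained rule set.

```python
"""Added example: scan file contents for insecurely stored credentials.

The patterns, placeholder list and sample files below are constructed for
illustration; they are not from the CBEST report or any vendor tool.
"""
import re
from typing import Dict, List, Tuple

# Each pattern's last group captures the secret so the finding can be redacted
# rather than copied into a report (which would just create a second leak).
PATTERNS: Dict[str, re.Pattern] = {
    "key_value_secret": re.compile(
        r"(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^'\"\s,;]{4,})"
    ),
    "basic_auth_url": re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://([^:/\s]+):([^@/\s]+)@"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that indicate a template or placeholder rather than a real credential.
PLACEHOLDER_MARKERS = ("changeme", "example", "${", "%(", "<", "{{")

Finding = Tuple[str, int, str, str]  # (file, line number, pattern, redacted value)


def redact(value: str) -> str:
    """Keep two characters at each end so an analyst can match the finding to the file."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(name: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()  # a value matched by two patterns is reported once
        for label, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if label == "private_key_block":
                    findings.append((name, lineno, label, "<key material>"))
                    continue
                value = match.group(match.lastindex)
                if value in seen or any(m in value.lower() for m in PLACEHOLDER_MARKERS):
                    continue
                seen.add(value)
                findings.append((name, lineno, label, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map; swap in a directory walk for a real share."""
    results: List[Finding] = []
    for name, text in files.items():
        results.extend(scan_text(name, text))
    return results


# Constructed sample share contents (paths and values are invented).
SAMPLE_FILES: Dict[str, str] = {
    "app/config.ini": "[db]\nhost=db01\nuser=svc_app\npassword=S3cr3tPa55!\n",
    "ops/notes.txt": "svc_backup password = Winter2024!\nvault token: ${VAULT_TOKEN}\n",
    "deploy/connect.txt": "Server=sql01;User Id=sa;Pwd=Pr0dAdmin#1;\n",
    "deploy/fetch.sh": "curl https://deploy:Rel3ase-K3y@repo.internal/artifacts\n",
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
    "docs/readme.md": "Set PASSWORD=changeme before first run.\n",
}

if __name__ == "__main__":
    for file, line, label, value in scan_files(SAMPLE_FILES):
        print(f"{file}:{line} {label} {value}")
```

The templated value in ops/notes.txt and the placeholder in docs/readme.md are skipped, which is the main source of noise in this kind of scan; everything the scanner does report is redacted so the findings list itself does not become a new credential store.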

Defence evasion

Adversaries use techniques like file obfuscation, encryption and process spoofing to bypass detection and hide activity.

Firms/FMIs should consider centralised logging and anomaly detection, endpoint integrity checks and endpoint detection and response (EDR), strong telemetry retention, and regular tuning of detection rules to improve visibility and speed of detection.

Lateral movement

Adversaries move between systems using tools like Remote Desktop Protocol (RDP), Secure Shell (SSH), and network shares after obtaining valid credentials.

Firms/FMIs should consider limiting and monitoring remote access protocols, enforcing strong credential management, segmenting networks, and detecting unusual authentication patterns to slow or prevent lateral movement.
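As an added example (not from the report), the following Python detection logic flags the authentication pattern this section describes: an account reaching several hosts outside its historical baseline within a short window using remote logon types. The event format, hosts, accounts and thresholds are constructed; a real implementation would map Windows security event 4624 (or an equivalent SSH authentication log) into the same structure.

```python
"""Added example: detect lateral-movement fan-out from authentication events.

The event format and all hosts, accounts and timestamps are constructed for
this example; map a real Windows 4624 or Linux auth log export into `Logon`
the same way.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Logon:
    ts: datetime
    account: str
    src_host: str
    dst_host: str
    logon_type: int  # Windows semantics: 3 = network (SMB/WinRM), 10 = RemoteInteractive (RDP)


def parse(lines: str) -> List[Logon]:
    """Parse the constructed 'timestamp|account|source|destination|type' format."""
    events = []
    for line in lines.strip().splitlines():
        ts, account, src, dst, ltype = line.split("|")
        events.append(Logon(datetime.fromisoformat(ts), account, src, dst, int(ltype)))
    return events


def build_baseline(history: Iterable[Logon]) -> Dict[str, Set[str]]:
    """Per account, the set of hosts it has previously authenticated to."""
    known: Dict[str, Set[str]] = defaultdict(set)
    for e in history:
        known[e.account].add(e.dst_host)
    return known


def detect_fanout(
    events: Iterable[Logon],
    known: Dict[str, Set[str]],
    window: timedelta = timedelta(minutes=10),
    threshold: int = 3,
) -> List[Tuple[str, str, List[str]]]:
    """Alert when an account reaches `threshold` or more hosts outside its
    baseline within `window`, counting remote logon types only. Returns
    (account, time of first novel logon in the window, hosts) per account."""
    novel: Dict[str, List[Logon]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.logon_type in (3, 10) and e.dst_host not in known.get(e.account, set()):
            novel[e.account].append(e)

    alerts = []
    for account, evs in novel.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window forward
                start += 1
            hosts = {x.dst_host for x in evs[start : end + 1]}
            if len(hosts) >= threshold:
                alerts.append((account, evs[start].ts.isoformat(), sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts


# Constructed learning period and analysis window.
HISTORY = """
2025-03-01T09:00:00|alice|WS-ALICE|FS01|3
2025-03-01T09:05:00|alice|WS-ALICE|APP02|3
2025-03-02T09:01:00|alice|WS-ALICE|FS01|3
2025-03-01T09:30:00|bob|WS-BOB|FS01|3
2025-03-01T22:00:00|svc_backup|BKP01|FS01|3
2025-03-01T22:10:00|svc_backup|BKP01|FS02|3
"""

WINDOW = """
2025-03-10T10:00:00|alice|WS-ALICE|FS01|3
2025-03-10T10:02:00|alice|WS-ALICE|DC01|3
2025-03-10T10:03:30|alice|WS-ALICE|SQL01|10
2025-03-10T10:05:00|alice|WS-ALICE|HR-FS01|3
2025-03-10T10:04:00|bob|WS-BOB|FS01|3
2025-03-10T09:00:00|svc_backup|BKP01|FS03|3
2025-03-10T11:00:00|svc_backup|BKP01|FS04|3
"""


def run_demo() -> List[Tuple[str, str, List[str]]]:
    return detect_fanout(parse(WINDOW), build_baseline(parse(HISTORY)))


if __name__ == "__main__":
    for account, first_seen, hosts in run_demo():
        print(f"ALERT {account} from {first_seen}: new hosts {', '.join(hosts)}")
```

In the constructed data only alice trips the rule: three hosts she has never touched, including a domain controller, inside four minutes. The backup service account reaches two new file servers but hours apart, which a baseline-plus-window rule tolerates; tuning the window and threshold per account class (interactive users versus service accounts) is where most of the noise reduction comes from.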

CBEST remediation planning

Following a CBEST assessment, as with any TLPT, effective remediation is critical so that firms and FMIs can reduce the likelihood of a real cyberattack occurring because of the vulnerabilities identified.

Firms and FMIs should take a structured and proactive approach to remediation planning by promptly addressing identified vulnerabilities, prioritising actions based on risk, and assigning clear responsibilities and timelines.

The CBEST Implementation Guide provides guidance on remediation planning. Examples of practices supporting effective remediation planning include:

  • Risk-based remediation: Planning remediation based on risk-reduction milestones (not only on delivering specific technical activities) can support understanding of how remediation activities reduce the firm’s/FMI’s cyber risk. Early incorporation of risk owner input as well as early definitions of processes for measuring findings’ closures can help plan effective remediation and meet stakeholder expectations.
  • Assurance on risk reduction: Effective remediation should not be limited to the implementation of fixes, and should include assessment of their operational effectiveness, and reduction of exposure.
  • Stakeholder and governance engagement: Incorporating feedback from members of the board, senior management, or risk owners can help a firm/FMI to secure executive support and resources for remediation. In addition, clear governance can demonstrate how challenges will be addressed and remediation kept on track.
  • Strategic and coordinated planning: CBEST reports often include strategic recommendations alongside technical findings. Responding to those recommendations (instead of only directly resolving specific technical findings), as well as coordinating CBEST remediation with other cyber initiatives, can support greater overall improvement in a firm’s/FMI’s cyber risk exposure.

Thorough remediation planning in response to security findings can help firms and FMIs to mitigate the risks swiftly and effectively.

CBEST accredited providers

CBEST assessments are delivered in collaboration with CREST accredited providers who bring a high level of technical expertise and a deep understanding of the financial sector. To maintain robustness and diversity in testing, firms and FMIs should consider engaging a different provider from the one used in previous CBEST assessments. We strongly encourage the rotation of providers between CBESTs. This approach reduces concentration risk on a single provider and ensures that firms and FMIs benefit from the full breadth of expertise available within the provider community. Cyber threats are dynamic in nature, and engaging different providers introduces diversity in testing methodologies and techniques, strengthening the sector’s resilience. During engagements, regulators will apply increased scrutiny to this area and seek to understand cases where provider rotation has not occurred.

NCSC perspectives on CBEST themes

The NCSC has provided the regulators with the following observations based on its position as the National Technical Authority for Cyber Security, structured around the CBEST themes in the ‘Technical observations of CBEST’ section.

Staff training

Staff training and awareness should be considered integral to effective cyber security. Good training and awareness should draw on different training methods so that staff are supported in obtaining the skills and knowledge required to work securely. Training should recognise, and be tailored to, the way staff actually work with security, and should be in line with the design of the organisation's service protection policies and processes. Organisations may consider what is appropriate for different roles, as well as providing regular reminders and top-up training for all staff. This training could take multiple forms, such as briefings, online courses, blogs or simulations.

Staff may find it increasingly difficult to recognise when adversaries are sending malicious emails or messages, as AI can generate content in a variety of media and has made phishing easier. Therefore, organisations should have a regularly updated cyber security training programme that is clearly communicated to all employees. It is also recommended that organisations develop a positive security culture. This means that staff should be aware of their role in maintaining security and be active participants in contributing to improving security as threats grow and change. A positive security culture can ensure that employees are open about security issues and can help to prevent or detect incidents should they occur.

For example, Scattered Spider, a native English speaking cyber criminal group, has used social engineering to persuade IT helpdesk personnel to reset users' passwords and MFA tokens. Scattered Spider has also been known to pose as helpdesk and IT support staff in order to get employees to visit credential harvesting sites or to run remote monitoring and management tools that give the group access. They are known to use phishing and spear phishing to exploit established trust within organisations. It is therefore important to ensure that all individuals in an organisation are aware of these tricks and of the methods to counter such attempts.

Identity and access management

Effective identity and access management ensures that access to networks and systems is granted only to those who require it, when they require it, and that activity is attributable to them. Organisations should closely manage and maintain identity and access control for users, devices and systems accessing network and information systems supporting essential functions, and should closely manage privileged user access to those systems. The list of privileged users should be periodically reviewed (annually or twice yearly) to verify that access is still necessary; this can also help identify privilege escalation by malicious actors. For example, Volt Typhoon (a highly capable threat actor that has been observed targeting US critical national infrastructure sectors) has gained initial access by exploiting privilege escalation vulnerabilities in operating system or network services. It relied on valid credentials for persistence and is known to use compromised domain accounts to authenticate to devices on compromised networks.

The NCSC recommends that organisations should use additional strong authentication mechanisms such as multi-factor authentication for all user access, including remote access, and all access in support of all identified essential functions.

Credentials, especially those of administrator accounts, should be adequately protected to prevent activity such as hash capturing, thus preventing lateral movement and escalation of privilege.

Infrastructure, asset management and application maintenance

As organisations grow, so does the number of assets within their environment. In turn, there is greater likelihood of legacy IT, which can cause vulnerabilities. To mitigate this risk, oversight of the assets should be in place. Organisations should ensure the identification, documentation and management of all assets that support essential business functions. This in turn supports an organisation’s progress to post-quantum cryptography (PQC) readiness, where a key milestone is discovery and assessment of systems by 2028, as published by the NCSC in March 2025. Furthermore, appropriate security configuration and patching processes should be in place to further mitigate against this risk. Configuration management technologies can be utilised to formalise system deployments to enable easier tracking, updating and redeploying of systems over time.

One example of the importance of suitable asset management (covering both physical and software assets) is the WannaCry incident of 2017. WannaCry spread using the EternalBlue exploit, which targeted a vulnerability in the Server Message Block version 1 (SMBv1) implementation of unpatched Windows systems from Windows XP to Windows Server 2016. Patches addressing this vulnerability (MS17-010) were available before the outbreak, and failing to apply them led to severe consequences for many organisations worldwide.

The NCSC additionally recommends incorporating allow lists into necessary infrastructure to reduce the likelihood of malicious or insecure applications entering the network via endpoint devices. Allow lists are a much more effective strategy than deny lists, as they operate on the basis of 'trust nothing' unless it is explicitly specified.

Network segregation

There are many elements of effective network security that can be applied regardless of what platforms are used by the organisation, with the goal being to prevent an attacker broadening and cementing their foothold in the network. Subsequently, it is important to find ways to prevent lateral movement across the network. Many of these also go hand in hand with implementing a zero-trust architecture behind the network. It is important to consider effective monitoring and logging for all parts of the organisation’s network to track unusual behaviour and be able to audit devices on the network.

For example, network segregation has been observed to support prevention of Volt Typhoon’s living off the land (LOTL). Volt Typhoon aim to gather information on a victim’s network topology, security appliances and services. This means that they can gain information on how best to remain undetected on an organisation’s network and compromise other devices on the network with the ultimate intent of causing disruption to the systems. They may then be able to make use of tools and LOTL utilities already on the network if not suitably secured. These known techniques by Volt Typhoon advocate for appropriate security, monitoring and network segregation to better secure critical systems.

Network segregation also limits an attacker's movement, because separate and appropriate network security controls can be applied to different groups of systems on the network. This allows critical systems to be better protected and harder for an attacker to reach. When using network segregation, it is also important to lock down the devices within each segment and ensure that suitable security measures are in place, for example host-based firewalls, prompt patching and secure boot mechanisms.

While network segregation and device hardening are key to limiting an attacker, controls around accounts should also be considered. One element of a zero-trust architecture is to know the organisation's users, devices and services, since all of these can be used as signals for how much confidence to place in a request, and access should be limited accordingly. Organisations should consider suitable methods of protecting credentials, such as using hardware-backed credential storage where possible and ensuring that passwords and password hashes are protected (for example, from credential-dumping tools). This links to the good authentication practices mentioned in the identity and access management section above, highlighting the need to protect high-value accounts that would benefit an attacker.

Proactive monitoring, detection and response

Organisations should have an effective monitoring strategy in place so that potential security incidents are discovered, along with appropriate processes to support a response. This includes the capability to proactively detect adverse activity within networks and information systems.

The NCSC recommends that an organisation’s effective monitoring strategy should include continuous monitoring of systems, services and networks, supported by alerting rules that reflect a clear baseline of normal behaviour, enabling swift detection of anomalies.

Comprehensive logging – covering user actions, system events, and network activity – should be securely stored and retained to support full root cause analysis. The integrity of log data should be protected and verified, so that any modification, including deletion, is detected and can be attributed. These measures, integrated within a documented incident response process, help ensure that monitoring and detection capabilities remain adaptive, resilient, and capable of safeguarding essential functions against cyber threats.
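The following is an added example, not part of this thematic or of any NCSC guidance, showing one way to make a log tamper-evident so that modification and deletion can be detected: each entry carries an HMAC over its own content, its sequence number and the previous entry's tag, so that editing, reordering or removing an entry breaks the chain from that point onwards. The key, host names and log records are constructed for illustration; the function names are this example's own.

```python
"""Added example: a hash-chained, HMAC-protected log (not from the CBEST thematic).
Every record's tag depends on the previous record's tag, its position and its
content, so an edit or deletion anywhere breaks verification from that entry on.
"""
import copy
import hashlib
import hmac
import json

# Constructed key for the demonstration. In practice the signing key should be
# held somewhere the hosts that write the logs cannot read (HSM or a separate
# log-signing service), otherwise an attacker on the host can re-sign the chain.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32   # tag assumed to precede the first entry


def _tag(key, prev_tag, seq, record):
    """HMAC-SHA256 over previous tag || sequence number || canonical JSON record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + seq.to_bytes(8, "big") + body, hashlib.sha256).digest()


def append(chain, record, key=KEY):
    """Append a record to the chain, computing its tag from the previous entry."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "record": record, "tag": _tag(key, prev, seq, record)})
    return chain


def verify(chain, key=KEY):
    """Return (True, None) if the chain is intact, else (False, index_of_first_bad_entry).
    Edits, reordering and deletions in the middle show up as a break at the entry
    that follows the damage. Truncation of the newest entries cannot be seen from
    the chain alone; compare the last tag with a witness copy (see tail_intact)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, i
        if not hmac.compare_digest(entry["tag"], _tag(key, prev, i, entry["record"])):
            return False, i
        prev = entry["tag"]
    return True, None


def tail_intact(chain, witness_tag):
    """Check the newest tag against a copy forwarded to a separate store (e.g. a SIEM)."""
    return bool(chain) and hmac.compare_digest(chain[-1]["tag"], witness_tag)


def demo():
    """Build a constructed four-entry chain and report what verify() says after
    each kind of tampering. All records are made up."""
    records = [
        {"ts": "2025-03-06T09:00:00Z", "user": "alice", "event": "logon", "host": "WS-101"},
        {"ts": "2025-03-06T09:05:00Z", "user": "bob", "event": "logon", "host": "WS-102"},
        {"ts": "2025-03-06T09:07:00Z", "user": "bob", "event": "privilege_use", "host": "WS-102"},
        {"ts": "2025-03-06T09:09:00Z", "user": "bob", "event": "logon", "host": "SQL-CORE-01"},
    ]
    chain = []
    for r in records:
        append(chain, r)
    witness = chain[-1]["tag"]                 # copy of the newest tag kept off-host

    edited = copy.deepcopy(chain)
    edited[2]["record"]["event"] = "logoff"    # attacker rewrites an entry
    deleted = copy.deepcopy(chain)
    del deleted[2]                             # attacker removes an entry
    truncated = copy.deepcopy(chain)[:-1]      # attacker drops the newest entry

    return {
        "intact": verify(chain),               # (True, None)
        "edited": verify(edited),              # (False, 2)
        "deleted": verify(deleted),            # (False, 2): the old entry 3 is now at index 2
        "truncated": verify(truncated),        # (True, None): chain alone cannot see this
        "truncated_tail": tail_intact(truncated, witness),  # False: witness catches it
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

Detection is only half of the requirement: attributing a change still depends on the log store's own access controls and audit trail, and on the signing key being out of reach of the accounts that write the logs.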

Proactive threat hunting should complement automated monitoring, helping to uncover malicious activity that may evade existing controls. Effective intrusion detection relies on correlating information from multiple sources and adapting detection rules in line with evolving threats, organisational changes, and technology updates.
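As an added example (not part of this thematic or of any NCSC guidance) of alerting rules that reflect a baseline of normal behaviour and that correlate more than one source, the Python below runs two detections over constructed Windows network-logon records: one compares each logon against the network segregation design recorded in an asset inventory, and the other compares each source host's fan-out (distinct hosts reached in a day) against its own baseline. All host names, tiers, accounts and records are made up, and the `INVENTORY` and `ALLOWED_FLOWS` structures are assumptions about how an organisation might encode its segmentation policy.

```python
"""Added example: lateral-movement detection over constructed logon records,
correlated with an asset inventory (not from the CBEST thematic)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: hypothetical host -> network tier.
INVENTORY = {
    "WS-101": "workstation", "WS-102": "workstation", "WS-103": "workstation",
    "JUMP-01": "admin",
    "FILE-01": "server", "PRINT-01": "server",
    "SQL-CORE-01": "critical", "SQL-CORE-02": "critical",
}

# (source tier, destination tier) pairs the segregation design permits for
# network logons. Anything not listed is a policy violation worth an alert.
ALLOWED_FLOWS = {
    ("workstation", "server"),
    ("admin", "server"), ("admin", "critical"),
    ("server", "critical"),   # e.g. application tier to database tier
}


@dataclass(frozen=True)
class Logon:
    day: str          # YYYY-MM-DD, used for per-day baselining
    src: str          # host the logon came from
    dst: str          # host that recorded the logon
    account: str
    logon_type: int   # Windows event 4624 logon types: 3 = network, 10 = RDP


# Constructed records modelled loosely on Windows Security event 4624.
# Days 01 to 05 form the baseline; day 06 is the day under analysis.
RECORDS = [
    Logon("2025-03-01", "WS-101", "FILE-01", "alice", 3),
    Logon("2025-03-01", "WS-102", "FILE-01", "bob", 3),
    Logon("2025-03-01", "JUMP-01", "SQL-CORE-01", "dba_admin", 10),
    Logon("2025-03-02", "WS-101", "FILE-01", "alice", 3),
    Logon("2025-03-02", "WS-101", "PRINT-01", "alice", 3),
    Logon("2025-03-02", "WS-103", "FILE-01", "carol", 3),
    Logon("2025-03-03", "WS-102", "PRINT-01", "bob", 3),
    Logon("2025-03-03", "JUMP-01", "SQL-CORE-02", "dba_admin", 10),
    Logon("2025-03-04", "WS-101", "FILE-01", "alice", 3),
    Logon("2025-03-05", "WS-103", "FILE-01", "carol", 3),
    # Day under analysis: WS-102 fans out across the estate with a service
    # account, including to hosts that its tier should never reach directly.
    Logon("2025-03-06", "WS-101", "FILE-01", "alice", 3),
    Logon("2025-03-06", "WS-102", "WS-101", "svc_backup", 3),
    Logon("2025-03-06", "WS-102", "WS-103", "svc_backup", 3),
    Logon("2025-03-06", "WS-102", "FILE-01", "svc_backup", 3),
    Logon("2025-03-06", "WS-102", "SQL-CORE-01", "svc_backup", 3),
    Logon("2025-03-06", "WS-102", "SQL-CORE-02", "svc_backup", 3),
]


def segmentation_violations(records):
    """Logons whose (source tier, destination tier) is not an allowed flow.
    Hosts missing from the inventory are reported as 'unknown', which is itself
    a finding about asset management."""
    out = []
    for r in records:
        flow = (INVENTORY.get(r.src, "unknown"), INVENTORY.get(r.dst, "unknown"))
        if flow not in ALLOWED_FLOWS:
            out.append((r.day, r.src, r.dst, r.account))
    return out


def fanout_baseline(records, baseline_days):
    """Per source host, the largest number of distinct destinations seen in
    any single baseline day: the 'normal behaviour' the alert is measured against."""
    per_day = defaultdict(set)
    for r in records:
        if r.day in baseline_days:
            per_day[(r.src, r.day)].add(r.dst)
    peak = defaultdict(int)
    for (src, _), dsts in per_day.items():
        peak[src] = max(peak[src], len(dsts))
    return dict(peak)


def fanout_alerts(records, baseline_days, day, slack=1):
    """Sources that reached more distinct hosts on `day` than their baseline peak
    plus `slack`. A host with no baseline history is treated as having a peak of 0,
    so a newly appearing source that fans out is flagged rather than ignored."""
    peak = fanout_baseline(records, baseline_days)
    today = defaultdict(set)
    for r in records:
        if r.day == day:
            today[r.src].add(r.dst)
    return {src: (len(dsts), peak.get(src, 0))
            for src, dsts in today.items()
            if len(dsts) > peak.get(src, 0) + slack}


if __name__ == "__main__":
    baseline = {f"2025-03-0{d}" for d in range(1, 6)}
    for v in segmentation_violations(RECORDS):
        print("SEGMENTATION", v)
    for src, (seen, peak) in fanout_alerts(RECORDS, baseline, "2025-03-06").items():
        print(f"FANOUT {src}: {seen} distinct hosts today, baseline peak {peak}")
```

Run against the constructed records, both rules fire on WS-102 alone: four logons cross tier boundaries the design does not permit, and the host reaches five distinct destinations in a day against a baseline peak of one. Neither signal depends on knowing the attacker's tooling, which is what makes this kind of rule useful against living-off-the-land activity; the inventory and the allowed-flow matrix have to be kept current for the first rule to stay meaningful.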

A capable actor will take advantage of an organisation's lack of effective security and network management practices to evade detection; the mitigations above will assist with detecting adversary activity.

Additional considerations

The NCSC, as the UK's National Technical Authority for cyber security, offers guidance and best practice, but organisations should decide which controls and mitigations to put in place based on their risk tolerance and organisational context. Consider using Cyber Essentials or the Cyber Assessment Framework (CAF) to achieve and demonstrate cyber resilience. An updated version of the CAF was released in 2025 and contains updates in a number of areas, including threat hunting and security monitoring.

Organisations may also wish to attend CYBERUK 2026, the UK's flagship cyber security event. In the meantime, organisations are encouraged to make use of the tools and services available on the NCSC website to support their cyber resilience activities.

This page was last updated 20 January 2026