
Threat-Led Cyber Security Testing: Insights from the Bank of England

The 2025 CBEST thematic report from the Bank of England, together with the Prudential Regulation Authority and the Financial Conduct Authority, reviews findings from recent threat-led penetration testing across banks, insurers, asset managers, and financial market infrastructures.
The report underlines that the financial sector continues to face growing cyber risks as digital transformation, cloud use and increasingly interconnected supply chains expand. Instead of setting out new regulatory requirements, it focuses on shared weaknesses in cyber defences and the practical steps firms and financial market infrastructures can take to strengthen their resilience.

Key Findings

Red Team and Threat-Led Penetration Test (TLPT) assessments consistently revealed that fundamental security flaws remain exploitable, even within organisations with established governance frameworks. Common technical vulnerabilities identified include:

  • Inadequate Identity and Access Management (IAM)
  • Insufficient Network Segmentation
  • Endpoint and Infrastructure Weaknesses
  • Limited Detection Capabilities

Throughout various engagements, the Red Teams successfully navigated entire attack chains without being detected in a timely manner. This highlights significant deficiencies in both technical defences and security operations.

Observed Adversary Techniques

The report identifies a range of adversary behaviours successfully exercised during engagements, mapped to recognised attack frameworks. These included:

  • Use of publicly available information to support targeted reconnaissance.
  • Social engineering and phishing to obtain initial access or credentials.
  • Credential harvesting and privilege escalation through misconfigured identity controls.
  • Lateral movement using standard administrative tools and remote access protocols.
  • Defence evasion techniques designed to bypass endpoint and network monitoring.

These outcomes reinforce the importance of layered controls and continuous validation of detection and response capabilities against realistic threat scenarios.

Overall, the report makes it clear that getting the basics right still matters. This includes keeping systems properly patched and securely configured, strengthening identity and access controls (such as using multi-factor authentication), and improving network segmentation. It also points to the value of spotting threats early, monitoring systems effectively and having clear procedures and plans in place to remediate issues quickly.
It also highlights broader, more ingrained problems, such as poor asset management and a lack of security awareness among staff, which can leave organisations unnecessarily exposed. Rather than relying on quick fixes, firms are encouraged to focus on the root causes and to use threat intelligence and continuous improvement to build stronger, long-term cyber resilience.

Intertek provides a threat-led cybersecurity testing service (Red Teaming Solutions) that identifies systemic weaknesses by replicating the adversary behaviours observed in the BoE report, including credential compromise, lateral movement and data exfiltration. The service focuses on root-cause remediation and the continuous validation of detection and response capabilities, supporting sustained operational resilience against realistic threat scenarios.

With threat actors growing more organised and sophisticated, the need for effective threat intelligence has never been greater.
