Operational Resilience Beyond CBEST

What the Bank of England’s 2025 Findings Mean for Financial Services Leaders

The Bank of England’s 2025 CBEST Thematic is a timely reminder that cyber resilience is no longer a specialist concern reserved for a small subset of regulated firms. It is now a core determinant of operational resilience, customer trust, and financial stability.

While CBEST remains a gold standard for threat-led penetration testing within the UK’s most systemic financial institutions, the report’s insights extend far beyond the CBEST perimeter. For the vast majority of financial services firms, and the suppliers that support them, the thematic offers something even more valuable: clear signals on what “good” looks like in real-world cyber resilience.

The Real Message Behind the CBEST Thematic

Strip away the framework labels, and the 2025 CBEST thematic tells a familiar but increasingly urgent story: most successful attacks still exploit basic weaknesses, not exotic zero-days.

Across CBEST exercises, threat actors repeatedly succeeded by chaining together issues such as:

  • Poor asset visibility
  • Weak identity and privilege controls
  • Gaps in detection and response
  • Over-reliance on perimeter security
  • Limited understanding of third-party exposure

These are not CBEST-specific problems. They are industry-wide resilience challenges, and they affect firms of all sizes, regulated and non-regulated alike.

Why This Matters for Firms Outside CBEST

Only a relatively small number of UK firms are mandated to undertake CBEST testing. Yet the same threat actors, same techniques, and same operational dependencies apply across the entire financial ecosystem.

The thematic reinforces a critical truth:

Waiting for regulatory compulsion is not a resilience strategy

Firms that treat penetration testing purely as a compliance exercise risk missing the point. Effective testing should answer business-critical questions:

  • Could an attacker disrupt a critical service?
  • How quickly would we detect them?
  • Could they move laterally across our environment?
  • Would we recover within our impact tolerances?

These questions are just as relevant outside CBEST, and they can be answered through high-quality, intelligence-led penetration testing, even where formal CBEST certification is not required.

What High-Value Penetration Testing Looks Like in 2025

The CBEST thematic makes it clear that depth matters more than labels. The most valuable testing today focuses on:

  1. Realistic Attack Paths – Testing that reflects how modern attackers actually operate, chaining misconfigurations, identity weaknesses, and human error rather than isolated technical findings.
  2. Identity as the New Perimeter – Repeated CBEST findings show identity and access management as a primary attack vector. Effective penetration testing now prioritises privilege escalation, lateral movement, and credential abuse, not just external entry points.
  3. Detection and Response Validation – Resilience isn’t about preventing every breach; it’s about how quickly you notice and contain one. Testing should validate SOC visibility, alert quality, and response workflows, not just exploitability.
  4. Actionable Outcomes, Not Just Reports – Boards and senior leaders need clarity, not noise. Testing should translate technical findings into operational and business risk, aligned to critical services and recovery objectives.

Where Non-CBEST Providers Add Strategic Value

CBEST certification is an important assurance mechanism, but it is not the only way to drive meaningful resilience outcomes.

Experienced penetration testing providers who:

  • Understand financial-services threat models
  • Apply threat-informed methodologies
  • Work closely with defensive teams
  • Focus on learning, not just finding flaws

can deliver substantial value to firms preparing for future regulation, improving operational resilience, or strengthening board-level confidence.

In fact, many organisations use non-CBEST testing as a stepping stone, building maturity, addressing foundational weaknesses, and embedding a testing-led security culture long before formal regulatory testing is required.

A Broader Lesson for Leaders

Perhaps the most important takeaway from the 2025 CBEST thematic is that operational resilience is a journey, not an event.

Whether or not your organisation is within the CBEST regime, the direction of travel is unmistakable. Regulators, customers, and markets increasingly expect firms to:

  • Assume compromise
  • Test their defences realistically
  • Learn continuously from failure
  • Treat cyber resilience as a business risk, not an IT issue

Penetration testing, when done well, is one of the most effective ways to support that journey.

Looking Ahead

CBEST may define the benchmark, but resilience is built day-to-day through informed testing, honest assessment, and a willingness to confront uncomfortable truths.

The organisations that thrive will not be those that ask, “Do we need CBEST?”
They will be the ones that ask, “What would an attacker do, and are we ready?”
