Wednesday 14th July 2021

BLOG: Star-Fs & CBest Compared

STAR-FS and CBEST are both frameworks for intelligence-led penetration testing of the financial sector. STAR-FS was created and has been developed to meet the needs of the Regulators by ensuring the same level of demand and attention is applied to them whilst reducing resourcing implications on regulators.


Before the introduction of STAR-FS, CBEST was the framework that many organisations utilised. CBEST are Intelligence-led cybersecurity tests that replicate behaviours of those threat actors, assessed by Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. CBEST is part of the Bank of England and Prudential Regulation Authority’s (PRA’s) supervisory toolkit to assess the cyber resilience of firms’ important business services.


CBEST concentrates on complex, advanced and persistent attacks against critical systems and essential services. This will ensure that the tests carried out can realistically replicate the evolving threat landscape and stay pertinent and current. STAR-FS reduces the role of the regulator in its delivery, this provides wide-reaching institutions with the ability to implement this framework and use the results to inform the Regulators. As a result, regulators will then be able to understand the current cybersecurity posture of structured entities and help entities themselves to recognise where improvements in the current security arrangements need to be applied.


STAR-FS promotes an intelligence-led penetration testing approach, that mimics the actions of cyber threat actors’ intent on compromising an organisation’s important business services and the technology assets and people supporting those services. The process of STAR-FS is to utilise commercially available threat intelligence services to distinguish the difference between realistic and existing threat situations that will be utilised by the penetration testing teams to replicate real-world attacks to operational systems. Threats and risks to these systems are mitigated through the establishment through a range of extensive factors. To find out more about STAR-FS or CBest, click here.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.