
Over 42,000 CRA Accounts Breached: What to Know
More than 42,000 Canadian taxpayer accounts have been breached since 2020. Learn more about the data breach class-action lawsuit involving CRA accounts.
May 20, 2026 - Blog
Authored By Packetlabs

For over a decade, CREST has worked with the financial services industry to deliver a threat-led penetration testing framework for systemically critical financial institutions.
Since 2006, CREST has spearheaded raising the standards of cyber service providers and professionals, quality assuring the sector and, in turn, providing confidence to the buying community, government and regulators.
Building on that work, CREST has published new guidance to help financial institutions, supervisors, and threat intelligence and penetration testing service providers understand the Threat-Led Penetration Testing for Financial Services (TLPT-FS) process and the roles involved in its delivery.
As cyber threats continue to evolve, traditional security assessments are no longer enough to validate an organization's ability to withstand sophisticated attacks. Financial institutions face increasingly complex threat actors, including nation-state groups, organized cybercriminals, and advanced persistent threats (APTs) that specifically target critical financial services.
Threat-Led Penetration Testing (TLPT) has emerged as one of the most effective methods for evaluating cyber resilience in the financial sector. Unlike conventional penetration testing, TLPT leverages real-world threat intelligence to simulate realistic attack scenarios against critical business services, helping organizations understand how they would perform during a genuine cyberattack.
CREST's Threat-Led Penetration Testing for Financial Services (TLPT-FS) framework provides a structured methodology that enables financial institutions to assess and improve their cyber resilience through intelligence-driven testing.
Financial institutions are increasingly expected by regulators, customers, and stakeholders to demonstrate operational resilience. Cyberattacks can impact confidentiality, integrity, and availability, triggering service disruptions, financial losses, reputational damage, and regulatory scrutiny.
Threat-led penetration testing helps organizations move beyond vulnerability scanning and standard penetration testing by answering the key question of, "Can our organization withstand a realistic attack from a threat actor targeting our most important business services?"
The TLPT approach focuses on the systems, people, and processes that support critical business operations. By simulating realistic attack paths, organizations gain actionable insights into their defensive capabilities, incident response effectiveness, and overall resilience posture.
Traditional penetration testing focuses on identifying vulnerabilities within a defined scope. While valuable, it may not accurately reflect how real threat actors operate.
Threat-led penetration testing goes further by:
Using current threat intelligence to create realistic attack scenarios
Emulating the tactics, techniques, and procedures (TTPs) of actual threat actors
Testing live production environments under controlled conditions
Assessing detection and response capabilities
Evaluating end-to-end business service resilience
Measuring organizational preparedness against sophisticated threats
In essence, TLPT is about understanding whether attackers could compromise critical business services and how effectively the organization can detect and respond.
The CREST TLPT-FS framework consists of four key phases that work together to deliver a comprehensive assessment.
The initiation phase establishes the foundation for the assessment.
During this stage, the financial institution:
Defines roles and responsibilities
Establishes a Control Group
Identifies important business services
Develops risk management processes
Creates project governance structures
Procures accredited threat intelligence and penetration testing providers
A key component of this phase is the Control Group, a small group of senior stakeholders responsible for overseeing the engagement while maintaining strict confidentiality.
The objective is to ensure the assessment can be conducted safely against live operational systems without creating unnecessary business risk.
The threat intelligence phase transforms the assessment from a standard penetration test into a threat-led exercise.
Threat intelligence providers gather and analyze information about:
Relevant threat actors
Industry-specific cyber threats
Attack surfaces
Exposed assets
Potential attack paths
Business-specific vulnerabilities
This phase produces two critical deliverables:
The targeting report identifies potential attack surfaces across the organization, including:
Technology infrastructure
Personnel
Processes
Publicly exposed assets
Unintentional data exposures
The threat intelligence report develops realistic threat scenarios based on actual threat actor behavior.
These scenarios provide the foundation for the penetration testing phase and ensure testing activities reflect genuine risks facing the organization.
The penetration testing phase uses the intelligence gathered earlier to emulate realistic cyberattacks.
Unlike traditional testing, the objective is not simply to exploit vulnerabilities but to achieve specific threat actor goals associated with critical business services.
Activities may include:
External reconnaissance
Privilege escalation
Lateral movement
Persistence techniques
Data access attempts
Critical system compromise simulations
Testing teams follow the attack scenarios developed during the intelligence phase while adapting to discoveries made during the engagement.
The result is a realistic assessment of how an attacker might progress through the environment and whether defensive controls can stop them.
The closure phase focuses on improvement and accountability.
Deliverables typically include:
Executive summaries
Remediation recommendations
Risk prioritization guidance
Regulatory reporting documentation
Organizations develop a remediation plan based on identified findings and use the results to strengthen their overall cyber resilience strategy.
Threat intelligence is the cornerstone of a successful threat-led penetration testing engagement.
Without credible intelligence, organizations risk testing unrealistic attack scenarios that provide limited value.
Effective threat intelligence enables organizations to:
Focus on the most relevant threats
Understand adversary motivations
Prioritize defensive investments
Develop realistic testing objectives
Align security initiatives with current threat landscapes
By grounding testing activities in real-world intelligence, organizations gain meaningful insights that support strategic decision-making.
Organizations that implement TLPT programs gain several significant benefits.
Threat-led testing identifies weaknesses before threat actors can exploit them, allowing organizations to strengthen defenses proactively.
Many TLPT engagements assess Security Operations Center (SOC) performance, helping organizations validate detection and response capabilities.
As operational resilience requirements continue to expand globally, TLPT provides a structured approach to demonstrating cyber resilience and regulatory compliance.
Threat-led testing helps security leaders understand which vulnerabilities pose the greatest risk to critical business services.
The assessment provides business-focused insights that boards and senior leadership can use to make informed cybersecurity investment decisions.
Choosing the right provider is essential for a successful engagement.
CREST-accredited TLPT providers undergo rigorous assessment processes and must demonstrate expertise in:
Threat intelligence
Red teaming
Risk management
Financial services security
Ethical testing practices
Organizations should look for providers with certified professionals, including:
CREST Certified Threat Intelligence Managers (CCTIM)
CREST Certified Red-Team Managers (CCRTM)
CREST Certified Red-Team Specialists (CCRTS)
These certifications help ensure assessments are conducted safely, effectively, and according to industry-recognized standards.
At Packetlabs, our solutions orbit around one core goal: strengthening your organization’s security posture.
Our comprehensive, CREST-accredited testing methodologies tackle difficult-to-find vulnerabilities and demonstrate, in real-time, their potential impact on your finances, reputation, and general security infrastructure.
As cyber threats continue to target critical infrastructure and financial institutions, threat-led penetration testing will become an increasingly important component of cybersecurity programs.
Organizations can no longer rely solely on compliance-driven assessments or point-in-time vulnerability testing. Instead, they need realistic evaluations that mirror how sophisticated adversaries operate. TLPT provides that capability.
By combining threat intelligence, realistic attack simulation, and collaborative remediation, threat-led penetration testing enables organizations to continuously improve resilience against evolving threats.
Threat-Led Penetration Testing for Financial Services (TLPT-FS) represents a significant advancement in cybersecurity assurance. By leveraging real-world threat intelligence and simulating genuine attack scenarios, financial institutions gain a deeper understanding of their security posture and operational resilience.
Organizations seeking to strengthen cyber defenses, meet regulatory expectations, and validate incident response capabilities should consider incorporating CREST-aligned threat-led penetration testing into their broader cybersecurity strategy.