CBEST 2025 Still Losing to the Basics

"Prevention is cheaper than a breach"

The 2025 CBEST Thematic reinforces a familiar but uncomfortable truth: most systemic cyber risk in UK financial services still comes from basic failures, not advanced adversaries.

Across 13 CBEST assessments, regulators observed that:

  • Foundational cyber hygiene issues (patching, configuration, asset management, credential handling) are still routinely exploited.
  • Detection and response remain weaker than protection, allowing adversaries to operate undetected for too long.
  • Identity, access control, and network segmentation failures continue to enable lateral movement and privilege escalation.
  • Human factors (social engineering, helpdesk processes, insecure credential storage) remain a primary attack vector.
  • Threat intelligence operations are generally strong operationally, but weaker strategically, with poor linkage to business risk and long-term planning.

Critical Analysis (What the Thematic Really Tells Us)

Ok so let me just state that these are just my thoughts. Don’t be getting all crazy about them now 🙂

CBEST Is No Longer About “Advanced” Failures. It’s About Discipline, or the Lack of It!

Basics, basics, basics. I feel this is all I preach nowadays, yet for some reason I very rarely see it. Despite heavy emphasis on APTs, MITRE ATT&CK, and sophisticated tradecraft (whatever that is, right?), the majority of successful CBEST attack paths still rely on, ahem, well…

  • Weak credentials
  • Poor segmentation
  • Over-privileged accounts
  • Inadequate monitoring

This exposes a quiet contradiction, and honestly it winds me up: firms are simulating top-tier adversaries, but losing to entry-level mistakes. Stop simulating top-tier adversaries when you’re losing to entry-level ones.

CBEST has effectively become a discipline and governance test, not just a technical one.

Detection Is the Persistent Weak Point — And Regulators Know It

The thematic repeatedly stresses, “Early detection and effective monitoring… are key to reducing impact.” No shit, right?

Yet detection failures remain consistent across years.

This suggests a structural issue:

  • Logging exists, but is not actionable (my pet peeve)
  • Alerts exist, but are poorly tuned (my 2nd pet peeve)
  • EDR exists, but isn’t operationally trusted
  • SOCs exist, but lack threat-led context (bad intel)

CBEST is implicitly shifting firms from “can you stop an attacker?” to “how long do you let them operate before noticing?” This, for me, is a far more uncomfortable question.

Threat Intelligence Is Mature. But Often Misaligned.

Intelligence operations scored the highest, whereas Programme Planning & Requirements scored the lowest. In basic terms, organisations are good at collecting and analysing intelligence but not very good at defining why, for whom, and to what end. It is also not always aligned to business risk, resilience priorities, or long-term capability planning.

Good intelligence, wrong decisions! Intelligence without strategic anchoring is a resilience risk, not a strength.

It’s no surprise that supply chain risk remains the hardest problem, and it remains largely unresolved. Third-party compromise appears repeatedly across scenarios, yet remediation guidance remains conservative.

This reflects a regulatory reality:

  • Supply chain risk is systemic
  • Controls are fragmented
  • Accountability is diffuse
  • Assurance is shallow

CBEST highlights the risk, but does not (and arguably cannot) fully resolve it. This could be one area where STAR-FS becomes more influential over time.

CBEST 2025 Still Losing to the Basics

The 2025 CBEST Thematic confirms what many security leaders already suspect but rarely say out loud: the UK financial sector is not primarily being challenged by cutting-edge cyber techniques; it is being undermined by persistent foundational weaknesses.

Despite years of investment, regulation, and threat-led testing, CBEST assessments continue to reveal the same issues: weak identity controls, inconsistent patching, inadequate segmentation, poor detection, and human-centric failures that sophisticated adversaries exploit with ease.

Threat-Led, But Basics-Bound

CBEST remains one of the world’s most mature Threat-Led Penetration Testing (TLPT) frameworks. Its realism, regulatory backing, and intelligence-led design are widely respected. Yet we find ourselves in a paradox.

Organisations are modelling highly capable adversaries (nation states, organised crime groups, malicious insiders, etc.), but attackers are rarely forced to deploy advanced techniques. They succeed through credential compromise, over-permissive access, weak monitoring, social engineering, and poor segregation. In short, attackers don’t need to be very clever, just patient.

While preventative controls continue to dominate investment, detection and response are lagging behind and remain the weakest link. The thematic findings consistently show attacks going unnoticed for extended periods, poorly tuned EDR and network monitoring, limited visibility of data exfiltration, and inadequate alerting and escalation. This matters, as modern adversaries assume breach.

People Still Matter (More Than Tools)

CBEST continues to demonstrate that human behaviour remains a primary attack surface.

Phishing, helpdesk manipulation, insecure credential storage, and information leakage through social media and job adverts repeatedly enabled attack progression. The increasing use of AI-generated social engineering only amplifies this risk. Technology alone cannot solve a cultural problem.

Remediation Is Now the Real Test

Perhaps the clearest regulatory signal in the 2025 thematic is around remediation. Closing findings is no longer enough. Firms are expected to demonstrate measurable risk reduction, effective governance, board-level ownership, and strategic, not just tactical, fixes.

CBEST is no longer just an assessment; it is a test of organisational learning. But that’s the point, right?

My final thought

The 2025 CBEST Thematic does not introduce new rules, but it delivers a sharp message:

Cyber resilience in financial services will not be achieved through more tools, more frameworks, or more reports, but through disciplined execution of the fundamentals, guided by intelligence and enforced by governance.

Check out the full report here:

https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector/2025-cbest-thematic?utm_source=substack&utm_medium=email
