For the best user experience please upgrade your browser


STAR-FS Assessments

Pen Test Partners delivers STAR-FS Red Teaming to assess the Prevention, Detection and Response capabilities of financial institutions, so that they maintain resilience against attack from sophisticated threat actors.

Simulated Targeted Attack and Response – Financial Services (STAR-FS)

What is STAR-FS?

STAR-FS is a framework for providing Threat Intelligence-led simulated attacks against financial institutions in the UK, overseen by the Bank of England and Prudential Regulation Authority (PRA). STAR-FS has less regulatory oversight in comparison to CBEST, and is conducted upon more organisations than CBEST.

How does STAR-FS work?

Once an organisation is encouraged to perform a STAR-FS by the regulator, or they decide to perform a STAR-FS assessment of their own accord, the organisation must go to market to procure the services of a STAR-FS CTI (Cyber Threat Intelligence) provider and a STAR-FS accredited Red Team provider like Pen Test Partners.

Once CTI and Red Team suppliers have been chosen and procured, the CTI supplier will conduct a detailed analysis of the target’s threat landscape, most relevant threat actors, and the creation of threat scenarios. They will also perform reconnaissance from the perspective of a threat actor, which will be combined to deliver a report to the institution and the regulator that contains the threat scenarios and objectives used to guide the Red Team Simulated Attack.

Pen Test Partners then conduct the Red Team Simulated Attack against the target institution.

Once we have achieved the objectives as laid out in the threat intelligence report, Pen Test Partners compose the final Red Team Simulated Attack report that is delivered to the target institution and the regulator. The report details the security posture of the organisation, attacks conducted during the engagement, and security deficiencies revealed, and recommendations to address the deficiencies and improve the resilience of the institution.

What makes us a STAR-FS vendor?

As mandated by the Bank of England and PRA, to deliver the Red Team aspect of a STAR-FS, the engagement must be led by a CCSAM (CREST Certified Simulated Attack Manager) and a CCSAS (CREST Certified Simulated Attack Specialist). Both the CCSAM and CCSAS must also have 14,000 hours of penetration testing experience, and 4000 hours of testing financial institutions.  Pen Test Partners maintains the appropriate technical knowledge, skill and competency required to deliver STAR-FS services as required by the Bank of England and PRA.

How we operate

Security evaluations rarely take the user in to account. Hence, one can have an apparently secure environment that can be compromised with ‘real world’ hacking skills, taking advantage of people’s curiosity and willingness to help.

Our targets are usually data sources such as internal financial systems, employee HR records, high value customer databases such as the CRM, customer credit card data, intellectual property, board meeting minutes, anything that could be of value to a third party.

We sidestep technology, focusing instead on critical data, just as a motivated hacker would. This also helps the business understand the risk associated with these events, rather than getting lost in a list of overly technical vulnerabilities

Examples of attack paths that we may use in an engagement:

Click on image to enlarge. Opens in new tab.


Click on image to enlarge. Opens in new tab.

Improving your responses

The last part of the process is where we work together to identify areas for improvement, and advise on how that can be achieved.

We conduct debriefs will all the key players, typically that means your Blue Team and SOC, but this can vary per engagement.

We pride ourselves on the value these engagements deliver, and we can work with you to implement any recommendations made in the report. That can include:

  • Tuning the technology to detect potentially malicious activity
  • Reducing the triage and escalation process
  • Decommissioning legacy assets that could present a viable attack path

Essentially we work with you to improve your resilience.