Introducing STAR-FS – UK regulatory body and CREST accreditation


Nettitude has been listed as the first STAR-FS accredited company that is able to deliver both ‘Threat Intelligence’ and ‘Intelligence-Led Penetration Testing’ services.

STAR-FS has been created by a number of UK regulatory bodies and CREST as another tool to assess the effectiveness of a firm’s cyber capability and risk profile. This assessment is designed to be hands-off and delivered by the Threat Intelligence (TI) and Penetration Testing (PT) provider only. STAR-FS was designed to deliver outcomes similar to those of CBEST while being less onerous and less resource-intensive for the regulatory services that back it up.

CREST defines STAR-FS as “An intelligence-led Penetration Testing approach that mimics the actions of cyber threat actors intent on compromising an organisation’s important business services and the technology assets and people supporting those services. Collaboration, evidence and improvement lie at the heart of STAR-FS as well as a close liaison with key stakeholders.”

Our Global Head of Red Teaming, Ben Turner, comments:  

Being one of the first companies accredited is a significant achievement and demonstrates our commitment to building out a professional and sophisticated service. It is testament to the strength of the team, as well as the incredible work we are doing, where we were so rapidly able to meet the stringent accreditation process. We are further delighted that we were able to enter the platform for both Threat Intelligence Services as well as Penetration Testing Services.

The accreditation further augments our existing services and sits nicely beside other intelligence-led services such as CBEST, GBEST and TBEST…

The benefits of this scheme include:

The scheme, created by a governing UK financial body, will help UK financial organisations understand the cybersecurity posture of selected regulated entities. It has proved to be an effective way to deliver tailored intelligence-led cybersecurity tests. To allow other organisations in the UK Financial Services Sector to have access to a similar type of assurance service, the STAR-FS scheme has been developed by a UK financial authority and CREST.

STAR-FS assessments are similar to CBEST engagements as they both leverage the concepts of red teaming and utilise Threat Intelligence to simulate the tactics, techniques and procedures (TTPs) of threat actors against financial institutions. However, STAR-FS assessments are designed to allow for a lighter or optional involvement of the Regulator. Additionally, in STAR-FS engagements there is no validation of the Threat Intelligence (TI) from the National Cyber Security Centre (NCSC).

Nettitude was one of the first organisations to be recognised under the original CREST STAR scheme. We were also the first organisation to conduct a joint Threat Intelligence and Penetration Testing CBEST engagement. Nettitude has gone on to deliver extensive services within global financial services and within the UK government’s GBEST scheme, having built a range of highly capable tooling to mimic the behaviours of threat actors.