
Red Team vs Penetration Testing: What’s Right for Your Organisation


Many financial firms use the terms red team exercise and penetration testing interchangeably.
While both are critical elements of a mature cybersecurity programme, they serve different purposes, require different resources, and deliver different outcomes.

Choosing the right approach can mean the difference between a technical assessment and a true test of organisational resilience.

This article explains the distinctions and helps investment managers, insurers, and fintech firms decide which approach fits their risk profile and regulatory expectations.

What is Penetration Testing?

A penetration test is a controlled security assessment that simulates cyberattacks against specific systems, applications, or networks. Its purpose is to identify vulnerabilities that could be exploited by malicious actors and to verify the effectiveness of technical controls.

Typical examples include:

  • Network and infrastructure testing
  • Web or mobile application testing
  • Cloud configuration assessments
  • Wireless and remote access testing

Penetration testing is scoped and time-bound. It provides detailed technical findings and practical remediation steps. It is essential for meeting compliance obligations under frameworks such as FCA SYSC, ISO 27001, and DORA Article 26.

Learn more about our Penetration Testing Services for U.K. Financial Firms and how they align with FCA, PRA, and DORA requirements.

What is Red Teaming?

A red team exercise goes further. It is an intelligence-led simulation designed to test not just technology but also people, processes, and detection capability. Rather than focusing on individual vulnerabilities, a red team aims to achieve specific business objectives, such as gaining access to customer data or disrupting a trading system, while avoiding detection.

The exercise is usually conducted covertly, with only a small number of stakeholders informed in advance. This allows firms to evaluate their real-world detection and response readiness rather than just technical defences.

See the Bank of England CBEST Framework, which formalised threat-led testing in the U.K. financial sector.

Aspect             | Penetration Testing                      | Red Team Exercise
-------------------|------------------------------------------|---------------------------------------------------
Objective          | Identify and validate vulnerabilities    | Test detection and response capabilities
Scope              | Defined and limited systems              | End-to-end attack paths across systems and people
Visibility         | Known to IT and security teams           | Covert, known only to a few stakeholders
Output             | Technical findings and remediation plan  | Executive-level insights and resilience report
Duration           | Days to weeks                            | Several weeks to months
Regulatory Context | ISO 27001, FCA SYSC, DORA TLPT           | CBEST, TIBER-EU, DORA TLPT (advanced form)

Both methods are complementary. Penetration testing provides depth, while red teaming provides realism.

When to Use Penetration Testing

Penetration testing is appropriate when a firm needs to:

  • Validate security controls after technology change or deployment
  • Demonstrate compliance with FCA, PRA, or investor requirements
  • Support ISO 27001 certification or internal audit assurance
  • Identify and prioritise technical weaknesses

It is particularly effective for firms building or maturing their security programme, where the focus is on improving baseline control effectiveness.

For guidance on cadence and best practice, read How Often Should Financial Firms Conduct Penetration Tests.

When to Use Red Teaming

A red team exercise is suited to more mature organisations that want to test their incident detection, escalation, and response processes under realistic conditions.

It is ideal when a firm wants to assess:

  • How well its security operations centre (SOC) detects and responds to real attacks
  • The effectiveness of incident communication and escalation pathways
  • The resilience of critical business services against advanced persistent threats
  • The integration between cyber defence, operations, and business continuity teams

Under DORA, larger investment and financial firms may be expected to conduct Threat-Led Penetration Testing (TLPT), which shares the same principles as red teaming.

This is reinforced by the European Banking Authority (EBA) Guidelines on TLPT, which outline expectations for intelligence-led testing of critical systems.

Red Team vs Penetration Testing: Integrating Both into a Resilience Strategy

The most resilient firms combine both approaches within a structured testing framework.

A typical maturity pathway might look like this:

1. Start with penetration testing to identify and remediate vulnerabilities

2. Progress to scenario-based testing of critical systems and suppliers

3. Conduct a red team exercise to evaluate full-scale detection and response

4. Use findings to inform training, investment, and Board reporting

This sequence delivers both assurance and learning. It supports operational resilience, a key focus of the FCA and PRA, and helps firms demonstrate alignment with best practice across Europe and the U.K.

See how our Cyber GRC Services help integrate testing, governance, and regulatory reporting into a unified resilience framework.

Red Team vs Penetration Testing: Selecting the Right Approach for Your Firm

When deciding which approach to take, firms should consider:

  • Business objectives: Is the goal compliance, maturity testing, or full resilience validation?
  • Budget and resources: Red teaming requires greater time, coordination, and cost.
  • Operational maturity: Firms new to testing should start with penetration tests and evolve gradually.
  • Regulatory expectations: Larger firms or those with EU exposure may need to conduct TLPTs under DORA.

Smaller or mid-sized investment managers can achieve strong assurance with regular penetration testing and targeted scenario exercises, building toward red teaming as capability matures.

See the NCSC Red Teaming Guidance, which provides practical advice on design and execution.

Conclusion

Both penetration testing and red team exercises are essential components of a robust cybersecurity strategy. Penetration testing identifies technical weaknesses and strengthens your defences.

Red teaming tests the organisation’s ability to detect, respond, and recover under pressure.

Choosing the right approach is not about one or the other, but about timing, readiness, and strategic intent. The strongest firms use both to demonstrate resilience, governance, and continuous improvement.