Penetration Testing and Purple Teaming: Essential for Financial Services Security

The financial services sector is increasingly targeted by cybercriminals, with cyberattacks leading to significant financial losses and reputational damage. Penetration testing and purple teaming are two security testing methodologies essential in enhancing cybersecurity posture and readiness. In this article, we will explore the importance of penetration testing and purple teaming in protecting financial services institutions against ever-evolving threats.
The Impact of Cybercrime on Financial Services
Financial institutions are enticing targets for cybercriminals due to the potential for direct financial gain and access to vast amounts of valuable data. According to a 2019 Boston Consulting Group (BCG) report, financial services firms are 300 times as likely as other companies to be targeted by a cyberattack.
The financial impact of a successful cyberattack is significant. According to a 2024 IBM report, the financial services sector faces the second-highest cost for data breaches, exceeded only by the healthcare sector. The average cost of a data breach for financial institutions is USD 6.08 million, 22% above the global average.
However, the damage extends beyond direct financial losses. Successful cyberattacks lead to significant reputational harm and erode the fundamental trust that underpins the financial system. For instance, one analysis found that 74% of customers would consider changing their financial institution after a data breach.
Penetration Testing
A penetration test, colloquially known as a pentest, is an authorised simulated cyberattack on a computer system, performed to evaluate the system’s security.
The UK National Cyber Security Centre (NCSC) defines penetration testing as: “A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might.”
Penetration testing can be approached through different methodologies, depending on the amount of information provided to the testing team:
- Black Box: Testers start with little or no prior knowledge of the targeted system, emulating the perspective of an external attacker.
- White Box: Testers are given comprehensive information, including network diagrams, source code, and credentials, allowing for a deep and thorough analysis of underlying systems.
- Grey Box: Testers start with partial knowledge of the targeted system’s inner workings.
Performing regular penetration tests is essential for financial institutions to protect themselves against cyberattacks. These tests allow them to evaluate the effectiveness of their security controls and identify and patch vulnerabilities before malicious threat actors do.
Furthermore, for financial institutions, penetration testing is not only a security best practice but is also necessary for complying with regulatory requirements. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates performing network and application penetration tests on at least a yearly basis and upon major changes.
By performing regular penetration tests, financial institutions can validate the effectiveness of their security controls, comply with regulatory requirements and build customer trust by demonstrating their commitment to security.
Beyond Penetration Testing: Collaborative Security Testing Through Purple Teaming
While penetration testing is essential in maintaining a strong security posture, it has some limitations—it only provides a snapshot of a system’s security at one point in time. Furthermore, pentesting focuses on testing preventive rather than detective controls.
Meanwhile, neither technology nor the threat landscape remains static—code changes are deployed continuously, new vulnerabilities are discovered daily, and threat actor tactics, techniques, and procedures (TTPs) are ever-evolving.
To maintain a strong security posture, financial institutions must not only continuously identify and remediate vulnerabilities but also build robust detection and response capabilities to ensure they can identify attacks in real time and respond to them effectively. This is where purple teaming comes into play.
While the main goal of penetration testing is to identify as many vulnerabilities as possible within the defined scope and time frame, the focus in purple teaming is on improving the organisation’s detection and response capabilities by combining offensive and defensive perspectives. In a purple team assessment, a red team (attackers) and a blue team (defenders) collaborate, share knowledge and provide immediate feedback during emulated realistic attacks.
Performing purple team exercises can be beneficial to financial institutions in multiple ways:
- Validating whether security tools and the Security Operations Centre (SOC) can effectively identify and respond to specific attacker techniques by emulating realistic attack scenarios
- Providing the blue team with immediate feedback and real-time training, allowing them to fine-tune alerts and improve incident response playbooks
- Assessing whether security tools provide the intended ROI
- Enhancing collaboration between offensive and defensive security teams and building a strong security culture
Cloud Native Penetration Testing and Purple Teaming
Over the last several years, the financial services sector has rapidly adopted cloud technologies. In a 2024 McKinsey survey on the adoption of emerging technologies by financial institutions, cloud and edge computing ranked highest among the technologies prioritised for adoption and investment, followed by applied AI, next-gen software development, and digital identity and trust architecture.
As financial institutions increasingly adopt cloud services and container technologies like Kubernetes, they face new security risks. Traditional application and network penetration testing approaches are insufficient to thoroughly assess the security risks specific to Cloud Native environments, so dedicated cloud penetration testing is necessary to accurately assess the security of platforms like AWS, Azure, GCP and Kubernetes clusters.
Beyond identifying vulnerabilities, the high volume of logs and the short-lived nature of containers introduce additional security monitoring and detection challenges in Cloud Native environments. This is where cloud-focused purple teaming can provide significant value. By simulating cloud-specific attacks in a collaborative exercise, financial institutions can practically test if their security tools and teams can detect and respond to threats like a container escape or the misuse of cloud credentials. This process directly validates security controls and improves the readiness of the defence team.
How Can ControlPlane Help?
If you are looking to secure your Kubernetes clusters and cloud environments, ControlPlane offers penetration testing and purple teaming services. Contact us and read about our security testing success stories to learn more.
