The Trigger
An HKMA iCAST regulatory requirement for intelligence-led penetration testing. The institution needed an intelligence-led red team engagement aligned to HKMA iCAST, with findings structured for regulatory submission.
The Environment
An HKMA-regulated financial services institution operating in Hong Kong. Internal security function with existing controls. The red team engagement was required to satisfy a specific HKMA iCAST obligation.
The Theos Approach
Threat Delivered Phase
Theos developed an institution-specific threat profile prior to testing. Delivered gathering focused on the threat actors most likely to target financial services institutions in Hong Kong, the attack patterns they use, and the specific vulnerabilities most relevant to the client’s sector and technology environment. Attack scenarios were built around the client’s specific threat environment.
Red Team Execution
A full-scope, multi-vector red team engagement executed against the live environment. Testing covered external perimeter, internal network, identity and access management, cloud environments, and social engineering. Theos practitioners operated with the tradecraft patterns used by the threat actors identified in the intelligence phase.
Regulatory Documentation
Findings were documented to the standard HKMA iCAST examination requires. The report was structured for direct submission to HKMA, including threat intelligence, attack scenarios, findings by risk rating, and remediation recommendations. Documentation was built to the regulatory standard from the outset.
"
Theos built the engagement around the threat actors targeting our sector in Hong Kong. The findings were structured for HKMA submission and the gaps have since been closed.
