How Scrutex Aligns With Global TLPT Frameworks

Framework requirements

• Medium-risk insurers: 3 end-to-end attack scenarios
• High-risk insurers: 5 end-to-end attack scenarios
• Simulations in production environment
• Threat intelligence specific to insurance industry
• External consultants required for medium/high risk
• Assessor qualifications (OSCP, OSEP, CEH, CISM, CISSP)
• CEO/Senior Executive sign-off on submission
• Submit to IA within 12–18 months; repeat every 3 years

Scrutex role

The Hong Kong Insurance Authority explicitly acknowledges automated Breach and Attack Simulation (BAS) platforms as valid delivery tools for TIBAS. Scrutex serves as the BAS platform that qualified external consultants use to execute the required simulations. Scrutex provides: sector-specific threat actor mapping for the Hong Kong insurance industry, TTP-driven scenario generation, automated attack simulation, and structured compliance reporting formatted for IA submission. The human external consultant retains sign-off responsibility and regulatory accountability.

Engagement model

Scrutex is deployed by an IA-qualified external consultant. The consultant scopes critical functions, reviews Scrutex’s threat actor intelligence for the insurance sector, configures the 3–5 required scenarios, supervises execution, and signs the IA submission report. Scrutex automates the intelligence and simulation layers.

Framework requirements

• Applies to banks with medium or high inherent risk
• Intelligence-driven, bespoke scenario design
• Simulates TTPs of real threat actors targeting HK banking
• Qualified external TI and red team providers required
• Accreditation relaxed since 2018 — expertise assessment suffices
• Tests people, processes, and technology
• Cyclical — HKMA directed

Scrutex role

Scrutex serves as the Threat Intelligence Provider (TIP) component of an iCAST engagement. The platform maps threat actors active in Hong Kong banking and financial services, extracts their TTPs, and generates bespoke attack scenarios for the red team execution phase. CART provides continuous intelligence-led simulation between formal iCAST cycles, ensuring the bank maintains a continuously tested posture rather than relying on point-in-time assessments.

Engagement model

Scrutex partners with HKMA-qualified red team firms. Scrutex delivers the TIP phase (threat actor profiling, scenario design, TTP mapping). The partner firm executes the red team phase. Joint reporting is produced for HKMA. CART runs continuously between cycles.

Framework requirements

• TLPT mandatory every 3 years from January 2025
• External TI provider always required
• External red testers required at least every 3rd test
• Purple teaming is mandatory
• TIBER Cyber Team (TCT) regulatory oversight
• Tests on live production systems
• Mutual recognition across EU jurisdictions

Scrutex role

TIBER-EU is the most prescriptive framework globally. Scrutex does not position as a standalone TIBER-EU compliance tool — the formal test requires human external testers and TCT oversight that automated platforms cannot substitute. Scrutex’s primary role is continuous assurance between TLPT cycles — running CART to maintain ongoing intelligence-led testing between the mandatory 3-year formal engagements. Scrutex also serves as the external TIP in partnered formal TIBER engagements.

Engagement model

For formal TIBER-EU tests: Scrutex acts as the external TIP in partnership with an accredited red team provider. For the periods between formal tests: Scrutex CART runs continuously, maintaining tested posture and alerting on emerging threat actor TTPs relevant to the entity.

Framework requirements

• Applies to systemically important UK financial firms
• Threat Intelligence Service Provider (TISP) is a distinct role
• Penetration Testing Service Provider (PTSP) is separate
• CREST-accredited providers required
• Regulator reviews and approves threat scenarios
• Regulator oversees full lifecycle

Scrutex role

Scrutex serves as the intelligence platform supporting the Threat Intelligence Service Provider (TISP) function — profiling threat actors relevant to the UK financial sector, mapping their TTPs, and generating bespoke scenarios for the PTSP to execute. CBEST requires CREST accreditation from providers. Scrutex partners with CREST-accredited TISP firms who use the platform to augment their intelligence delivery.

Engagement model

Scrutex is deployed by a CREST-accredited TISP firm. The platform accelerates their threat actor research and scenario design. The TISP retains regulatory accountability. PTSP executes the test. Regulator validates scenarios at the Validation Workshop.

Framework requirements

• Intelligence-led, scenario-based red team testing
• Threat actors relevant to Saudi financial sector
• SAMA “green team” plays oversight role
• External providers required
• Tests people, processes, and technology

Scrutex role

Scrutex maps threat actors targeting Saudi Arabia and broader Gulf financial institutions, including nation-state actors, ransomware groups, and hacktivists active in the region. TTP-driven scenario generation feeds FEER red team engagements. CART provides continuous intelligence-led assurance between formal FEER exercises.

Engagement model

Scrutex partners with SAMA-qualified red team firms in the GCC. The platform provides regional threat actor intelligence and scenario design. Partner firms execute the red team phase under SAMA green team oversight.

Framework requirements

• Industry guidance — less prescriptive than TIBER-EU
• Complements other security practices as maturity grows
• Targets people, processes, and technology
• Scenario-led, threat intelligence driven
• Aims to detect weaknesses not found by standard VAPT

Scrutex role

AASE’s less prescriptive nature gives Scrutex the most flexibility. The platform can serve as both the TIP function (Singapore-specific threat actor profiling) and as the primary execution layer for AASE-aligned exercises. CART provides ongoing intelligence-led simulation between formal AASE exercises, helping Singapore-based institutions mature their cyber resilience posture continuously.

Engagement model

For formal AASE exercises: Scrutex serves as TIP with a partner red team firm. For continuous assurance: Scrutex CART runs independently, providing ongoing intelligence-led coverage aligned with AASE principles.

Framework requirements

• Intelligence-led testing for Australian financial institutions
• TIBER-EU inspired methodology
• Threat actors relevant to Australia and APAC
• Aligned with APRA CPS 234 and Cyber Security Act 2024
• External TIP and red team providers required

Scrutex role

Scrutex is incorporated under Cyber Insights Solutions Pty Ltd in Melbourne, making it uniquely positioned for the Australian market. The platform maps threat actors targeting Australian financial institutions — including APAC nation-state actors and ransomware groups — providing the TIP function for CORIE engagements. CART provides continuous assurance aligned with APRA CPS 234’s requirement for ongoing information security testing.

Engagement model

Scrutex partners with Australian-based red team firms for CORIE engagements. The platform provides Australia-specific threat actor intelligence. CART runs continuously for APRA CPS 234 alignment. Reports formatted for APRA submission.