OSFI B-13 Penetration Testing

Independent, principal-led penetration testing that supports OSFI Guideline B-13 (Technology and Cyber Risk Management) expectations for federally regulated financial institutions in Canada. CREST-certified, threat-led, and delivered entirely within Canadian jurisdiction.

TL;DR — OSFI B-13 Penetration Testing

OSFI Guideline B-13 (Technology and Cyber Risk Management) sets out the Office of the Superintendent of Financial Institutions' expectations for how federally regulated financial institutions (FRFIs) in Canada manage technology and cyber risk. Published 31 July 2022 and effective 1 January 2024, it is organised around three domains: governance and risk management, technology operations, and cyber security. B-13 is outcome-based — it does not mandate a fixed test cadence — but independent penetration testing and threat-led adversary simulation are how FRFIs evidence that their cyber security controls are designed and operating effectively. CSPI delivers principal-led, CREST-certified penetration testing that supports the B-13 cyber security and technology operations outcomes, with findings mapped to the relevant B-13 domains. Engagements are Canada-based, executed by Arturs Stay (CREST CRPT, OSCP, OSEP). We frame our work as supporting B-13 alignment; OSFI determines compliance.

Penetration Testing Aligned to OSFI Guideline B-13

OSFI Guideline B-13, Technology and Cyber Risk Management, is the federal baseline for how banks, insurers, and trust and loan companies in Canada are expected to manage technology and cyber risk. It was published on 31 July 2022 and came into effect on 1 January 2024. Unlike a prescriptive control checklist, B-13 is a principles- and outcome-based guideline: it describes the resilience outcomes OSFI expects FRFIs to achieve, and leaves the institution to choose the controls and testing that demonstrate those outcomes.

Independent penetration testing is one of the most direct ways an FRFI can produce evidence for the cyber security outcomes B-13 describes — that the confidentiality, integrity and availability of technology assets are maintained, and that the institution can identify, defend against, detect, respond to and recover from cyber threats. At Cyber Security Pentesting Inc., every engagement is principal-led by Arturs Stay (CREST CRPT, OSCP, OSEP), and reports are framed against the three B-13 domains so your risk, technology, and compliance teams can place findings into their B-13 self-assessment without re-interpretation.

An accuracy note we hold ourselves to: we describe our testing as supporting and aligned to B-13 outcomes. We do not claim that any test, on its own, makes an institution compliant with B-13. Compliance is a determination OSFI makes across the institution's full technology and cyber risk programme — governance, framework, operations, and controls — not a single engagement.


The Three Domains of OSFI B-13 — and Where Testing Fits

OSFI organises B-13 around three domains. Penetration testing touches all three, but its evidentiary weight is concentrated in cyber security and technology operations. The descriptions below reflect the structure of the guideline; we deliberately avoid citing specific paragraph numbers we cannot stand behind, and speak instead to the guideline's stated themes.

Domain 1 — Governance & Risk Management

B-13 expects FRFIs to have clear accountability, a technology and cyber strategy, and a risk management framework that the board and senior management can oversee. Penetration testing supports this domain indirectly but materially: an independent, risk-rated view of residual technology and cyber risk is exactly the kind of objective input a board needs to discharge its oversight responsibilities. Our executive reporting is written for that audience.

Domain 2 — Technology Operations

This domain covers technology architecture, asset and configuration management, change management, and operational resilience. Penetration testing validates that the security properties an architecture is supposed to have actually hold under attack — segmentation that should isolate, configurations that should harden, and change processes that should not silently reopen exposure. Findings here feed directly into operational risk registers.

Domain 3 — Cyber Security

This is where penetration testing carries the most evidentiary weight. B-13's cyber security outcomes speak to maintaining confidentiality, integrity and availability, and to the ability to identify, defend, detect, respond to and recover from cyber threats. Manual, threat-led testing produces empirical proof of whether detective and protective controls work against realistic attacker techniques — not whether a tool reports them as enabled.

Threat-Led Testing & Resilience

For FRFIs with mature security functions, threat-led penetration testing — intelligence-driven, objective-based adversary simulation against production systems — produces the most defensible evidence of detect-and-respond capability. It tests dwell time and response, not just vulnerability presence. For institutions earlier in their B-13 journey, scoped network, web, and Active Directory testing is the right and pragmatic starting point.


What a B-13 Aligned Engagement Covers

A B-13 aligned programme is rarely a single test. We scope engagements to the institution's risk profile, technology footprint, and maturity. Common components:

  • External and internet-facing penetration testing of the institution's perimeter, customer-facing portals, and exposed APIs.
  • Internal network and assumed-breach testing, including lateral movement, privilege escalation, and segmentation validation of regulated and high-value zones.
  • Active Directory and identity testing — Kerberoasting, ADCS abuse paths, NTLM relay, delegation, and hybrid AD plus Entra ID exposure — because identity is the dominant attack path in financial-sector breaches.
  • Web and API application security testing of core banking, payments, broker-dealer, and customer platforms.
  • Threat-led adversary simulation for the most critical systems, where detection and response capability is the thing being measured.
  • Reporting that maps each finding to the relevant B-13 domain and to supporting frameworks (NIST SP 800-115, MITRE ATT&CK) for the institution's self-assessment evidence pack.

Our Methodology

Engagements follow a structured methodology aligned to the Penetration Testing Execution Standard (PTES) and NIST SP 800-115, adapted with real-world adversarial tradecraft. The objective is defensible evidence for your B-13 self-assessment, not a scanner dump.

Scoping & Risk Alignment

We map the engagement to your technology and cyber risk framework, define rules of engagement, identify regulated and critical systems, and agree how findings will be mapped to the B-13 domains in reporting.

Reconnaissance & Threat Modelling

Where threat-led testing is in scope, we incorporate current threat intelligence on the actors and techniques most relevant to Canadian financial institutions to drive realistic attack scenarios.

Vulnerability Discovery

Manual-first identification across network, identity, web, and API surfaces, prioritised by exploitability and business impact rather than raw CVSS volume.

Exploitation & Chaining

Hands-on, authorised exploitation with documented proof, including multi-step attack chains that show how individual findings combine into material compromise paths.

Detect & Respond Measurement

For threat-led work, we measure whether your security function detects and responds — the detect-and-respond outcomes at the heart of the B-13 cyber security domain.

Reporting & Re-Test

Dual-audience reporting with findings mapped to B-13 domains, a prioritised remediation roadmap, a leadership debrief, and a free re-test of remediated critical findings.


Quick Reference

OSFI B-13 at a Glance

Key facts FRFI risk and compliance teams ask about B-13 and where independent penetration testing fits:

| Question | Answer |
|---|---|
| Full name | OSFI Guideline B-13 — Technology and Cyber Risk Management |
| Issuer | Office of the Superintendent of Financial Institutions (OSFI), Canada |
| Published | 31 July 2022 |
| Effective | 1 January 2024 |
| Applies to | Federally regulated financial institutions (FRFIs): banks, foreign bank branches, life and P&C insurers, trust and loan companies |
| Structure | Three domains: governance and risk management; technology operations; cyber security |
| Nature | Principles- and outcome-based (not a prescriptive control checklist) |
| Mandates a test cadence? | No — testing frequency is risk-based and documented in the institution's framework |
| How pentesting helps | Evidences that cyber security controls are designed and operating effectively against real attacker techniques |
| CSPI positioning | Testing supports / aligns to B-13 outcomes; OSFI determines compliance |

OSFI B-13 Penetration Testing FAQ

What is OSFI Guideline B-13?

OSFI Guideline B-13, Technology and Cyber Risk Management, sets out the Office of the Superintendent of Financial Institutions' expectations for how federally regulated financial institutions (FRFIs) in Canada manage technology and cyber risk. It was published on 31 July 2022 and came into effect on 1 January 2024. The guideline is organised around three domains: governance and risk management, technology operations and resilience, and cyber security. It applies to FRFIs including banks, foreign bank branches, life and property-and-casualty insurers, and trust and loan companies. B-13 is principles- and outcome-based rather than prescriptive, so it describes the resilience outcomes OSFI expects rather than mandating specific tools or test schedules.

Does OSFI B-13 require penetration testing?

B-13 is outcome-based and does not prescribe a fixed penetration testing cadence or a single mandated methodology. It does, however, set out cyber security outcomes — maintaining the confidentiality, integrity and availability of technology assets, and the ability to identify, defend, detect, respond to and recover from cyber threats — that independent security testing directly supports. In practice, FRFIs use regular penetration testing and threat-led adversary simulation as evidence that controls are designed and operating effectively against current and emerging threats. We frame our engagements to support those B-13 outcomes; we do not represent testing as a guarantee of regulatory compliance, which remains OSFI's determination.

Which B-13 domains does penetration testing support?

Penetration testing most directly supports the cyber security domain, where it provides empirical evidence that detective and protective controls work against realistic attacker techniques. It also supports the technology operations domain by validating the security of technology architecture, configuration, and change. Findings feed the governance and risk management domain by giving the board and senior management an independent, risk-rated view of residual technology and cyber risk. We map each finding to the relevant domain in the report so risk and compliance teams can place it in their B-13 self-assessment without re-interpretation.

What is threat-led penetration testing and how does it relate to B-13?

Threat-led penetration testing (sometimes called intelligence-led or threat-led red teaming) uses current threat intelligence about the actors and techniques most likely to target a financial institution to drive realistic, objective-based attack simulation against production environments. It tests not just whether a vulnerability exists but whether the institution can detect and respond to a real adversary. This maps closely to the detect-and-respond outcomes in the B-13 cyber security domain. For FRFIs with mature security functions, threat-led testing produces the most defensible evidence of cyber resilience; for those earlier in their maturity, scoped network, web, and Active Directory penetration testing is usually the right starting point.

Does CSPI keep B-13 engagement data in Canada?

Yes. Engagement data, evidence files, scoping documents, and exploitation artefacts remain inside Canadian jurisdiction under PIPEDA and applicable provincial privacy law, and are not routed through offshore delivery centres. For FRFIs subject to OSFI's third-party risk and data residency expectations, a Canada-based principal-led provider removes a procurement and outsourcing-review step that offshore vendors typically trigger.

How often should an FRFI run penetration testing for B-13?

OSFI does not set a fixed frequency in B-13. Common practice among Canadian FRFIs is at least annual penetration testing of internet-facing and internal environments, additional testing after significant changes to technology architecture, and periodic threat-led adversary simulation for the most critical systems. The right cadence is risk-based and should be documented in the institution's technology and cyber risk management framework so it can be evidenced during an OSFI review. We help clients set a defensible, risk-aligned testing schedule rather than testing for its own sake.


Regulatory references on this page describe OSFI Guideline B-13 in general terms for informational purposes and do not constitute legal or compliance advice. OSFI is the sole authority on B-13 compliance. Verify current requirements at the Office of the Superintendent of Financial Institutions.