OSFI I-CRT Intelligence-Led Cyber Resilience Testing

OSFI I-CRT intelligence-led cyber resilience testing for Canadian financial institutions. Threat-led red team testing that complements your OSFI B-13 program.

DarkPoint Security delivers intelligence-led red team testing aligned to OSFI's Intelligence-Led Cyber Resilience Testing (I-CRT) framework. Rather than a scoped, announced penetration test, I-CRT uses real threat intelligence to emulate the adversaries most likely to target your institution, validating whether your people, processes, and technology can prevent, detect, and respond to a realistic attack.

  • Threat-intelligence-led adversary emulation against live production systems
  • Full-scope red teaming across network, application, and human layers
  • Detection and response (blue team) validation and purple team collaboration
  • Reporting structured for board, senior management, and OSFI engagement
  • A program that complements and builds on your OSFI B-13 testing


What is OSFI I-CRT?

I-CRT, or Intelligence-Led Cyber Resilience Testing, is the Office of the Superintendent of Financial Institutions' framework for threat-led red team testing of federally regulated financial institutions in Canada. It represents the most advanced rung of security testing OSFI expects: where a conventional penetration test examines a defined scope for vulnerabilities, an intelligence-led test emulates a specific, realistic adversary to measure how the institution actually withstands an attack.

The defining feature of I-CRT is that it is driven by cyber threat intelligence. Before any testing begins, threat intelligence is gathered to understand which threat actors are most likely to target the institution, what their objectives would be, and the tactics, techniques, and procedures they use. A red team then emulates those adversaries against the institution's live production environment, attempting to reach critical functions while the organization's defenders operate as they would on any normal day. This tests the full chain of prevention, detection, and response, not just the presence of vulnerabilities.

I-CRT follows the same intelligence-led model as established international frameworks, including the United Kingdom's CBEST, the European Central Bank's TIBER-EU, and Australia's CORIE. For Canadian institutions, it sits alongside OSFI Guideline B-13 as the threat-led validation of the resilience that B-13's broader risk management program is meant to deliver.

How I-CRT Fits With Your B-13 Program

I-CRT does not replace your existing testing obligations under OSFI Guideline B-13 — it extends them. The two work together as a maturity progression.

  • B-13 sets the foundation — Guideline B-13 expects regular technology risk assessment, vulnerability management, and security testing such as penetration testing and red team exercises across your technology estate. This is the ongoing program that keeps your environment assessed and remediated.
  • I-CRT validates resilience — Intelligence-led testing goes a step further, using threat intelligence to emulate a realistic adversary end to end. It answers the question that a scoped pentest cannot: if a capable, motivated attacker came for our critical functions today, would we prevent, detect, and respond in time?
  • Findings feed back into B-13 — The detection gaps, response failures, and attack paths uncovered by an intelligence-led exercise become concrete inputs to your B-13 risk management and continuous improvement program, closing the loop.
  • Proportionality matters — Full intelligence-led testing is aimed primarily at larger, systemically important institutions. Smaller institutions can adopt the same methodology scaled to their risk profile, building toward intelligence-led maturity over time.

The Intelligence-Led Testing Process

An intelligence-led engagement follows a structured lifecycle modeled on recognized frameworks such as CBEST and TIBER-EU:

  • Scoping and Preparation — We work with your institution to identify the critical functions and systems that matter most, agree on rules of engagement, and establish the control group and safety measures needed to test safely against live systems.
  • Threat Intelligence — We research the threat landscape specific to your institution, profiling the adversaries most likely to target you and the tactics, techniques, and procedures they use. This intelligence drives realistic attack scenarios.
  • Red Team Execution — Our operators emulate the identified adversaries across the network, application, and human layers, attempting to reach the agreed critical functions while your defenders respond under normal conditions.
  • Detection and Response Analysis — We evaluate how effectively your security operations prevented, detected, and responded to the activity, identifying the gaps that a real adversary would exploit.
  • Reporting and Purple Teaming — We deliver findings structured for board and senior management, then run a collaborative replay with your blue team to transfer knowledge and strengthen detection and response.

How DarkPoint Supports Your I-CRT Engagement

DarkPoint Security brings intelligence-led red team capability and a manual-first methodology to financial institutions preparing for or undergoing intelligence-led testing.

Frequently Asked Questions

I-CRT stands for Intelligence-Led Cyber Resilience Testing, OSFI's framework for threat-led red team testing of federally regulated financial institutions in Canada. Rather than a conventional scoped penetration test, I-CRT uses current cyber threat intelligence to model the tactics, techniques, and procedures of real adversaries likely to target the institution, then has a red team emulate those adversaries against live production systems to test the organization's ability to prevent, detect, and respond to a realistic attack. It follows the same intelligence-led model as international frameworks such as the UK's CBEST, the EU's TIBER-EU, and Australia's CORIE.

OSFI Guideline B-13 sets the broad expectations for technology and cyber risk management, including that institutions conduct regular security testing such as penetration testing and red team exercises. I-CRT is the more advanced, intelligence-led red team testing approach that the largest and most significant institutions are expected to perform. In practice, a strong B-13 testing program builds the foundation, and I-CRT is the threat-led, full-scope exercise that validates resilience against a realistic, intelligence-driven adversary. The two are complementary.

Intelligence-led testing programs of this kind are aimed primarily at larger, systemically important financial institutions whose disruption could have a broad impact on the financial system. Smaller institutions may not be required to run a full intelligence-led exercise, but benefit from the same methodology scaled to their risk profile. We help institutions of all sizes determine an appropriate, proportionate approach and build toward intelligence-led testing maturity.

Yes. We combine cyber threat intelligence with full-scope red team operations: we research the threat actors and techniques most relevant to your institution, then emulate them across the network, application, and human layers to test your detection and response capabilities end to end. Our team holds OSCP, CEH, and CISSP certifications and has published original vulnerability research, and every engagement is conducted under strict scope and safety controls appropriate for testing against live financial systems.

Relevant Services

DarkPoint Security offers the capabilities that underpin an intelligence-led testing program: