logo svg
logo

July 13, 2026

Updated: July 13, 2026

SWIFT CSP Penetration Testing: CSCF v2026 Control 7.3A Explained

A practical guide to CSCF v2026 Control 7.3A status, scope, cadence, evidence, remediation, retesting, and assessment boundaries.

Mohammed Khalil

Mohammed Khalil

Featured Image

Framework verified: 13 July 2026 — CSCF v2026

Swift’s Customer Security Programme (CSP) is mandatory for Swift users, but that does not make every control in the Customer Security Controls Framework (CSCF) mandatory. In the public CSCF v2026, Control 7.3A, “Penetration Testing,” is an advisory control for architecture types A1, A2, A3, A4 and B. A properly authorised Swift-focused penetration test can validate attack paths, segmentation, access controls and other technical weaknesses affecting Swift-related infrastructure. It does not replace Control 2.7 vulnerability scanning, the annual independent assessment or the KYC Security Attestation (KYC-SA) submission. Scope must follow the user’s architecture, ownership boundaries, connectivity, material changes and risk. The public control does not create a universal annual penetration-test obligation.

Key takeaways

What is the Swift Customer Security Programme?

Swift describes CSP as a mandatory initiative for reinforcing the security of each user’s Swift-related environment. The CSCF translates that programme into product-agnostic controls organised around three objectives: secure the environment; know and limit access; and detect and respond.

Mandatory controls establish the community security baseline; advisory controls are recommended good practice. Applicability depends on architecture and the components forming the user’s Swift footprint. The user identifies applicable controls, implements them, obtains an independent assessment and submits its annual KYC-SA security attestation.

Swift states that the independent assessment must validate, at minimum, the applicable mandatory controls. It can be performed by an appropriately independent internal function, an external assessor, or a qualifying mixed team. This distinction matters because a penetration test examines selected technical attack paths; an independent assessment evaluates whether applicable controls are designed and implemented as declared.

Is penetration testing mandatory under SWIFT CSP?

Not as a universal Control 7.3A requirement in CSCF v2026. CSP itself is mandatory, while the framework assigns different statuses to its controls. The current CSCF v2026 document labels 7.3A as advisory across A1, A2, A3, A4 and B.

ItemCurrent v2026 statusWhat it requiresWhat it does not mean
Swift CSP programmeMandatory initiativeFollow the CSP process for the user’s Swift footprintEvery CSCF control is mandatory
Applicable mandatory CSCF controlsMandatory by architecture/applicabilityImplement and attest applicable mandatory controlsOne technical test proves all controls
Control 2.7 Vulnerability ScanningMandatory for A1–A4; advisory for BRegular scanning for known OS- and application-level vulnerabilities; at least annually or after significant change in the public guidanceA scan is a penetration test
Control 7.3A Penetration TestingAdvisory for A1–A4 and BRisk-based penetration testing of relevant Swift-related components, with documented results and remediation inputEvery user must buy an annual pentest
Independent assessmentRequired to support the yearly declarationIndependently assess design and implementation of at least applicable mandatory controlsThe pentest provider alone decides CSCF compliance
Annual KYC-SA attestationAnnualDeclare compliance status for applicable controls through KYC-SAAttestation cadence automatically dictates pentest cadence

As with penetration testing for compliance generally, a mandatory programme can contain an advisory testing method. An institution may still test annually because of regulation, material change, counterparties, risk or policy; that is not automatically a Swift 7.3A mandate.

Diagram showing applicable CSCF controls, implementation, vulnerability scanning and technical evidence, advisory Control 7.3A penetration testing, independent assessment, KYC-SA attestation, and remediation as separate stages.

What changed in CSCF v2026—and what did not

The public v2026 control sharpens guidance on scope, perspective, cadence and evidence. It calls for risk-based scoping, allows the method and attack origin to vary, and expects testing to adapt to change. Testing must minimise availability or integrity risk, use staff independent of the infrastructure team, and be documented for remediation.

The public text in CSCF v2026 Control 7.3A (pages 95–96) provides four important timing signals:

  1. Penetration testing is performed at least every two years, in line with local regulation, and ideally after significant environmental changes.
  2. Comprehensive testing of all in-scope components is expected every four years, building on recent interim testing.
  3. The wider programme may use previous but still-recent testing; the control notes describe “recent” as not older than three years.
  4. Risk or material change can justify earlier or repeated testing.

What the public control does not provide is a named list of three official scenarios that must be allocated across a three-year cycle. It refers users to Swift CSP FAQ KB 5021823 for additional scoping and testing-scenario detail. Some current third-party pages describe a three-scenario, three-year model, but those labels should not be presented as Swift’s wording until the KB article is checked. Do not repeat an unsupported scenario list as Swift guidance.

As of 13 July 2026, Swift’s public CSP document centre still identifies v2026 as the latest CSCF, while Swift’s own webinar material refers to “v2027 readiness.” Recheck the CSP document centre before publication or any later refresh.

Control 2.7 vs Control 7.3A vs independent assessment

ActivityMain purposeTypical methodOutputCSCF relationshipCan it replace the others?
Vulnerability scanningFind known weaknesses broadlyCredentialed or uncredentialed automated scanning with reviewVulnerability list, severity and remediation statusControl 2.7; mandatory for A1–A4 and advisory for BNo
Penetration testingValidate exploitability, attack paths and control effectivenessAuthorised, goal-based manual and tool-assisted testingNarrative of tested paths, findings, evidence and remediation guidanceControl 7.3A; advisory in v2026No
Independent control assessmentEvaluate control design and implementationEvidence review, interviews, observation and samplingAssessment conclusions against applicable CSCF controlsRequired to support the annual attestationNo
Security attestationDeclare the user’s compliance statusKYC-SA submission based on assessed statusPublished security attestationAnnual CSP stepNo
Remediation retestVerify a claimed fixTargeted re-examination of the issue and affected pathClosure, partial closure or residual-risk evidenceSupports evidence maintenance; not a substitute for original testingNo

In practical terms, scanning asks, “Which known weaknesses may exist?” Penetration testing asks, “Can an authorised tester turn weaknesses or control gaps into a meaningful path?” Assessment asks, “Are the applicable controls designed and implemented as declared?” Attestation records the organisation’s declared status. For more detail, see why vulnerability assessments and penetration tests serve different purposes.

What should a SWIFT CSP penetration test cover?

There is no universal asset list. Start with the architecture, Swift-related components, data flows, operator paths and provider boundaries. CSCF v2026 identifies jump servers, dedicated operator PCs, the data-exchange layer, Swift-related hosts and access, protective network devices, and relevant remote virtualisation or cloud access as possible in-scope components.

Scope areaWhy it may matterExample validation objectiveEvidence producedApplicability caveat
Secure-zone boundaryDefines a critical trust boundaryValidate segmentation and authorised pathsTested paths, boundary findings, rule observationsArchitecture dependent
Back-office first-hop systems and data flowsMay provide a path toward the secure zoneAssess whether approved flows can be abused or bypassedFlow coverage and attack-path evidenceInclude only relevant flows
Messaging/communication interface and GUIHosts or exposes Swift-related functionsAssess access controls and configuration safelyComponent coverage and findingsSwift-specific product testing must follow Swift policy
Customer connectors or middlewareBridges systems and trust zonesValidate authentication, authorisation and isolationConnector-path evidenceOwnership and architecture vary
Operator PCs and jump serversConcentrate privileged or operational accessAssess role separation, access controls and hardeningRole/path coverage and observationsDedicated and general-purpose systems differ
Identity, MFA and privileged accessControls entry to critical componentsValidate approved identity and privilege boundariesAccount-role matrix and findingsUse approved test accounts only
Network and security devicesProtect the zone and connectorsAssess rule design and segmentation effectivenessConfiguration/test evidenceAvoid disruptive techniques
Virtualisation or cloud managementMay control Swift-related VMsAssess management-plane and remote-access boundariesAuthorised management-path evidenceProvider policy and written permission apply
Logging and detectionSupports investigation and responseConfirm agreed test events are visible and escalatedDetection timestamps and control observationsNot every pentest includes SOC validation
Disaster recoveryMay reproduce sensitive components and pathwaysValidate equivalent boundaries where applicableDR scope and findingsInclude only if active or materially relevant
Service bureau/provider connectionCreates a shared-responsibility boundaryTest customer-controlled connection pointsBoundary and responsibility evidenceDo not test provider assets without permission
Participating web/API componentsMay introduce application-layer exposureValidate authentication, authorisation and logicApplication findings and coverageOnly where part of the Swift-related flow
High-level Swift penetration-testing scope map showing the customer-controlled back office, operator and administrator access, controlled boundary, protected Swift-related zone, messaging interfaces, authorised data flows, logging, service-bureau connections, and cloud or virtualisation boundaries.

Record asset owners, environment status, shared responsibility, test accounts, blackout windows, safety limits, third-party approvals, escalation, data handling and retest boundaries. A public-IP scan cannot show whether an internal or operator path reaches a protected Swift component.

What CSCF v2026 actually says about cadence and coverage

The safe planning model is built from the public control’s verified timing statements, not from an unsourced “three-year scenario” chart.

Planning pointVerified public guidancePractical planning actionEvidence to retainTrigger for earlier testing
Initial baselineUse a risk-based scope covering relevant components and attack originsEstablish architecture, trust boundaries, objectives and test methodApproved scope, diagrams, rules of engagement, reportNew deployment or weak evidence
Periodic testAt least every two years, aligned with local regulationSelect the highest-risk paths not recently validatedCoverage record, findings and remediation planSignificant server, OS, virtualisation or network change
Interim evidencePrevious testing may contribute if still recent; the control notes use not older than three yearsMap prior tests to current components and identify gapsTest dates, unchanged-scope rationale and assessor reviewScope drift or evidence no longer representative
Comprehensive coverageAll in-scope components expected every four years, building on interim testsConfirm no relevant component or path remains untestedMulti-engagement coverage matrix and closure statusThreat change, repeated findings or architecture change
Remediation and retestResults feed security updates and remediationRetest the issue and affected path; record residual riskRetest evidence, tickets, approvals and closureFailed fix or compensating-control change
Swift CSCF v2026 penetration-testing planner showing a risk-based baseline, testing by two years, recent evidence under three years, comprehensive coverage by four years, remediation and retesting, and earlier testing after material change or elevated risk.

This model is not rigid. A material change can invalidate prior evidence or bring testing forward. The annual independent assessment may consider technical evidence from the current or prior cycle only if the assessor accepts its relevance and freshness. Assessment cadence and technical-testing cadence should therefore be coordinated without being conflated.

How to scope the engagement safely

An effective scope begins with the assurance question, not with an IP count. The buyer and provider should agree:

NIST defines rules of engagement as the constraints and authority established before testing. A documented penetration testing methodology should translate those rules into a controlled workflow. Do not assume that a signed statement of work alone authorises testing of every connected provider or shared platform.

Testing approaches and the questions they answer

ApproachWhen it may add valuePrimary question answered
External infrastructure testingInternet-reachable customer-controlled assets existWhat can an unauthorised external party reach?
Internal network testingInternal compromise or insider paths are relevantCan a lower-trust internal position cross into the Swift boundary?
Segmentation validationSecure-zone isolation is a key controlDo intended boundaries block unauthorised paths?
Authenticated or grey-box testingRoles and approved credentials are availableCan a valid user exceed intended privilege or access?
Application-layer testingWeb, API, middleware or GUI components participate in the flowDo application controls prevent unauthorised actions?
Operator-workstation and identity-path assessmentOperator or administrative access is materialCan identity or workstation weaknesses undermine protected components?
Cloud/virtualisation testingSwift-related systems use a shared platformAre customer-controlled management and isolation controls effective?
Detection validationSOC evidence is an agreed objectiveAre agreed test events logged, correlated and escalated?
Remediation retestingFindings have been addressedIs the specific weakness closed, and is the affected path still viable?

Choose internal and external penetration testing perspectives by threat path. Swift does not mandate every approach for every architecture.

Service bureau, cloud and outsourced environments

Outsourcing can change who operates a control, but it does not automatically remove the Swift user’s CSP responsibilities. Document which components and controls are operated by the user, service bureau, cloud provider or another third party; then identify the evidence each party must supply.

The penetration-test scope should focus on assets the buyer owns or is authorised to test, plus explicitly approved connection points. Provider assurance reports, contractual controls, architecture diagrams and technical evidence can support the independent assessment, but they are not blanket permission to test shared infrastructure. Where cloud-hosted components are relevant, engage a provider that understands both the applicable cloud testing policy and cloud penetration testing boundaries.

The independent assessor, not the pentest provider, determines whether outsourced-service evidence is sufficient for the applicable controls. Gaps may require clarification, additional evidence, a customer-controlled test or remediation—not unauthorised testing of the provider.

Evidence for the independent assessment

Evidence itemOwnerWhy it mattersFreshness expectationCommon weakness
Approved scope and asset listSwift user / asset ownersShows what was authorised and coveredCurrent for the engagementStale inventory
Architecture and data-flow diagramsArchitecture teamConnects assets to trust boundariesReflects current footprintMissing provider or back-office paths
Rules of engagementBuyer and providerEstablishes authority and safety limitsApproved before testingVague third-party authority
Test dates and methodologyProviderShows when and how work occurredSufficient for the assessor’s cycleGeneric methodology statement
Tester qualifications and independenceProvider / userSupports competence and separationCurrent engagement teamConfusing tester skill with assessor authority
Asset, perspective and path coverageProviderShows what the test actually addressedMapped to current scope“Network tested” with no coverage detail
Findings and risk ratingsProviderRecords technical weaknesses and impactFinal report versionUnsupported severity
Remediation tickets and exceptionsControl ownersShows treatment decisionsCurrent statusClosed ticket without technical evidence
Retest resultsProviderValidates claimed remediationAfter the fixRetesting only the symptom
Management review and residual riskManagement / riskRecords accountability for open riskCurrent approvalInformal acceptance
Mapping to relevant CSCF objectivesProvider and assessment teamHelps evidence review without claiming complianceVersion-specificMapping every finding to “compliance” generically

A well-structured penetration testing report makes coverage, limitations, evidence and remediation easier to evaluate. It should not state that the organisation “passed SWIFT” unless the statement is part of a separate, authorised assessment conclusion and is accurately described.

Remediation and retesting

Assign each finding an owner, deadline and treatment decision. Prioritise by plausible impact and attack path, not scanner severity alone. Fix root causes where possible; if a compensating control or exception is used, document why, who approved it, its duration and the residual risk.

Retesting should verify the specific weakness and any affected attack path. A configuration change that closes one entry point may leave an equivalent path elsewhere. The retest record should state what was re-examined, the result, any limitations and whether further action remains. Update the evidence pack and coverage matrix rather than issuing a context-free “clean certificate.”

Choosing a penetration-test provider

Use a buyer checklist that tests delivery capability and role clarity:

Swift's official independent-assessment guidance says assessor certification is optional and permits qualifying certified or non-certified internal and external assessors. That concerns the independent assessment role; every technical tester need not be a Swift CSP Certified Assessor. Conversely, a technical certification alone does not establish competence for the entire CSP assessment.

Common mistakes

Practical readiness checklist

Readiness itemComplete?Evidence or owner
Current CSCF version confirmedFramework owner
Architecture type confirmedSwift architecture team
Applicable controls identifiedCompliance / assessor
7.3A advisory status verifiedCSCF v2026 pages 95–96
KB 5021823 scenario guidance checkedAuthorised Swift user / assessor
Asset inventory completeAsset owners
Trust boundaries documentedArchitecture / network teams
Third-party approvals obtainedProcurement / legal / providers
Rules of engagement approvedBuyer and test provider
Safety controls agreedOperations / incident response
Assessment and pentest roles separatedAssurance lead
Evidence requirements agreedIndependent assessor
Remediation owners assignedControl owners
Retest process agreedProvider and control owners

When DeepStrike can help

DeepStrike can support authorised penetration testing of relevant network, cloud, web, API and supporting assets when they are included in an approved Swift-related scope. The engagement can provide technical findings, remediation guidance and retesting evidence. A separate appropriately independent CSP assessor may still be required to reach assessment conclusions. Testing does not guarantee compliance, KYC-SA acceptance, fraud prevention or breach prevention. Learn more about DeepStrike’s penetration testing services.

Frequently asked questions

Is penetration testing mandatory under SWIFT CSP v2026?

Swift CSP is mandatory, but Control 7.3A is advisory for A1, A2, A3, A4 and B in the public CSCF v2026. That means it is recommended rather than a universal mandatory control. Another obligation—such as local regulation, internal policy or a counterparty requirement—may still make testing necessary for a particular institution. Always separate the framework’s control status from the organisation’s wider obligations.

What is CSCF Control 7.3A?

Control 7.3A is the advisory penetration-testing control. Its objective is to validate operational security configuration, identify security gaps through regular penetration testing and act on the results. Its scope may include Swift-related systems, operator PCs, jump servers, boundary devices, connectors and relevant virtualisation or cloud access. The exact scope is determined by architecture and risk, not by a universal checklist.

Does the annual Swift attestation require an annual penetration test?

Not automatically. Swift requires the yearly independent assessment and KYC-SA attestation process, but the public 7.3A guidance calls for penetration testing at least every two years and after significant changes, with comprehensive in-scope coverage every four years. An institution may choose annual testing for other reasons, but it should not describe that cadence as a universal v2026 requirement unless another applicable source creates it.

What is the difference between Control 2.7 and Control 7.3A?

Control 2.7 focuses on regular vulnerability scanning for known weaknesses. In v2026 it is mandatory for A1–A4 and advisory for B, with public guidance calling for scanning at least annually or after significant change. Control 7.3A uses penetration testing to validate security gaps and attack paths. Scanning provides breadth; penetration testing provides deeper validation. Neither replaces the other.

Can a penetration test replace the independent assessment?

No. A penetration test produces technical evidence about an agreed scope. The independent assessment evaluates the design and implementation of applicable CSCF controls and supports the organisation’s yearly attestation. The assessor may use the pentest report, remediation records and retest evidence, but also needs governance, process, configuration and other control evidence. The assessor decides whether the evidence is sufficient.

What should be included in a Swift penetration-testing scope?

Begin with the architecture type, component inventory and trust boundaries. Relevant areas may include the secure-zone boundary, data flows, jump servers, operator PCs, Swift-related hosts, connectors, network devices, identity paths, cloud or virtualisation management and customer-controlled service-bureau connections. Include only assets that are relevant and authorised, and document exclusions, safety limits and third-party permissions.

How does using a service bureau affect the scope?

It creates a shared-responsibility and evidence boundary. The user should document which controls and components it operates and which are operated by the bureau. Testing may cover customer-controlled components and authorised connection points, while provider reports and other assurance evidence support the assessment of outsourced elements. A pentest provider must not test the bureau’s shared infrastructure without explicit written permission.

Can an internal security team perform the penetration test?

The public 7.3A guidance expects testing by expert staff independent of the team responsible for the Swift infrastructure, such as an internal red team or external provider. Whether an internal team is sufficiently skilled and independent depends on its role and reporting lines. Keep this technical independence question separate from the eligibility rules for the CSP independent assessor.

What evidence should be retained for the assessor?

Retain the approved scope, current diagrams, rules of engagement, test dates, tester competence and independence information, coverage, findings, risk ratings, remediation tickets, exceptions, retest results, closure status and management review. Map evidence to relevant CSCF objectives without claiming that the pentest itself decides compliance. Ask the independent assessor what evidence and freshness it will accept.

How should organisations prepare for CSCF v2027?

As of 13 July 2026, Swift’s public document centre still identifies v2026 as the latest framework, and Swift material discusses v2027 readiness rather than a published current framework. Monitor the document centre, then compare the final 7.3A status, scope, cadence and applicability before changing this article or the test plan. Do not update only the version number.

Conclusion

The central distinction is simple: Swift CSP is mandatory, while Control 7.3A is advisory in the public CSCF v2026. A useful Swift-focused penetration test is architecture-aware, risk-based, authorised and documented. It complements vulnerability scanning and contributes evidence for remediation, retesting and independent assessment; it does not replace assessment or attestation.

Build the scope around real trust boundaries and ownership, use the verified v2026 cadence as the baseline, and confirm any additional scenario detail directly in Swift KB 5021823. If you need technical testing within an approved Swift-related scope, DeepStrike can help define and execute the engagement without presenting the result as a compliance guarantee.

Author

Mohammed Khalil — Cybersecurity Architect at DeepStrike
Current DeepStrike profile lists CISSP, OSCP and OSWE. No Swift assessor status is claimed.

background
Let's hack you before real hackers do

Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today

Contact Us