Australia's Council of Financial Regulators (CFR) introduced the CORIE framework - Cyber Operational Resilience Intelligence-led Exercises - because standard penetration testing was no longer sufficient. Financial institutions were passing compliance audits while remaining genuinely vulnerable to coordinated, targeted attacks. CORIE was built to close that gap.
What CORIE Is Built On
CORIE draws directly from international threat-led testing frameworks: TIBER-EU, used across European central banks, and CBEST, operated by the Bank of England. All three share the same foundational principle: simulate a real attack, using real threat intelligence specific to your organisation, executed by skilled adversary teams with minimal insider knowledge.
The critical difference from conventional red teaming is the intelligence-led component. A CORIE engagement does not begin with a defined scope and a list of IP ranges. It begins with a dedicated threat intelligence provider analysing your actual adversary landscape: who targets organisations like yours, what their intrusion tradecraft looks like, and which parts of your business present the most credible entry points. That analysis becomes the operational brief for everything that follows.
The Three Phases of a CORIE Engagement
Every CORIE engagement moves through three structured phases, each with defined outputs and regulatory visibility.
Phase 1 - Threat Intelligence: An accredited Threat Intelligence (TI) provider, independent from the red team, builds a Target Threat Intelligence (TTI) report. This covers your specific threat actors, their TTPs (tactics, techniques, and procedures), and the attack paths most likely to be used against you. The TTI report drives the entire red team phase; nothing in the exercise is generic.
Phase 2 - Red Team Execution: A CREST-accredited red team provider executes a full adversarial campaign based on the TTI brief. Scope is deliberately broad: people, process, and technology are all valid targets. Social engineering, spear-phishing, physical access attempts, and technical exploitation of external and internal systems all sit within the engagement boundary. The red team operates with the same information and constraints a real threat actor would face.
Phase 3 - Closure and Remediation: All parties - TI provider, red team, and the target organisation - participate in a structured debrief. Findings, detection timelines, and control gaps are documented. Critically, results are reported to APRA and ASIC, making this a regulatory disclosure event. The organisation leaves with a remediation roadmap tied to confirmed, demonstrated failures rather than theoretical risk.
Who CORIE Applies To
CORIE formally targets Significant Financial Institutions (SFIs) and Financial Market Infrastructure (FMI) entities designated by the CFR: major banks, clearing houses, payment system operators, and entities whose compromise would carry systemic risk to the Australian financial system.
In practice, the framework's reach extends well beyond that list. APRA's CPS 234 tightens third-party risk obligations on financial entities, which flows directly to critical suppliers and managed service providers operating in the sector. If you provide services to a CORIE-regulated entity, expect your security posture to come under scrutiny as part of their supply chain assurance process.
What CORIE Consistently Finds
Organisations that complete CORIE engagements report the same categories of failures: control gaps that existed outside the scope of regular testing, detection and response times that significantly exceed internal estimates, and incidents that propagate laterally through trusted internal systems before any alert fires.
This is by design. CORIE is built to surface the failures that standard compliance testing does not reach: the gaps between your documented architecture and how your environment actually behaves under pressure. A quarterly vulnerability scan and a firewall audit cannot replicate what a skilled red team operating with real threat intelligence will find.
How OziCyber Supports CORIE-Ready Organisations
OziCyber holds CREST accreditation for penetration testing, the same accreditation standard mandated for CORIE red team providers. Our adversarial engagements are conducted by certified operators who apply intelligence-led methodology aligned with what CORIE demands.
For financial institutions preparing for a formal CORIE engagement, working toward CPS 234 compliance, or looking to understand where their defences genuinely stand before a regulated exercise, we provide targeted red team assessments, CORIE readiness gap analysis, and post-engagement remediation support. We translate findings into actionable improvements.
The threat landscape that CORIE responds to does not stay static. Neither should your testing programme. Talk to our team about what a genuine adversarial test would find in your environment.