Threat-Led Penetration Testing

TLPT

Advanced cybersecurity testing required by DORA in which financial entities simulate real-world attack scenarios based on current threat intelligence to evaluate the resilience of their critical ICT systems and processes.

Full Definition

Threat-Led Penetration Testing (TLPT) is a rigorous form of cybersecurity testing mandated under Chapter IV of DORA (Articles 26-27) for certain financial entities. Unlike standard penetration testing, TLPT is guided by real threat intelligence and mimics the tactics, techniques, and procedures (TTPs) of actual threat actors targeting the financial sector.

DORA requires that financial entities identified by competent authorities carry out TLPT at least every three years. The tests must cover several or all critical or important functions of the financial entity and be performed on live production systems. The scope of each test is determined in collaboration with the competent authorities and must include critical ICT third-party service providers where appropriate.

TLPT under DORA must follow the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming) or equivalent national frameworks recognised by the European Supervisory Authorities. The testing involves three phases: a threat intelligence phase to identify realistic attack scenarios, a red team phase in which external testers attempt to compromise the entity's systems using the identified scenarios, and a blue team phase where the entity's defences are evaluated.

The results of TLPT are shared with competent authorities and must include a remediation plan. Financial entities must demonstrate that they have addressed identified vulnerabilities. While the tests involve controlled "attacks," they must be conducted with appropriate safeguards to avoid disrupting the entity's operations or the stability of the broader financial system. Only qualified external testers may perform TLPTs, subject to specific requirements regarding their expertise and independence.
