DORA - TLPT (Threat-Led Penetration Testing) Complete Guide

Aspect	Traditional Pentest	TLPT / TIBER-EU
Objective	Find technical vulnerabilities	Test resilience against targeted real-world attacks
Approach	Standardized test checklist	Scenarios based on real threat intelligence
Scope	Technical (IT/network/apps)	Holistic (IT + personnel + physical + processes)
Duration	1-4 weeks	6-12 months (preparation + test + analysis)
Teams	Pentesters	Red Team (attackers) + Blue Team (defenders) + White Team (arbiters)
Intelligence	General vulnerability knowledge	Threat Intelligence specific to financial sector
Detection	Declared tests, Blue Team informed	Blue Team not informed, "blind" test
Cost	€10k - €50k	€100k - €500k+

⚠️ TLPT IS NOT MANDATORY FOR ALL ENTITIES

Only entities identified as "significant" by their supervisor are subject to the mandatory TLPT every 3 years.

"Significance" Criteria (Significant Entities)

Criterion	Indicative Threshold	Sector
Size	Total assets > €30 billion	Banks
Interconnection	Market infrastructures (CCP, CSD, etc.)	All
Systemic Importance	G-SIBs, O-SIIs	Banks
Cross-border Activity	Operations in ≥ 5 Member States	All
Activity Volume	• Banks: >500k retail clients • Insurance: >1M policyholders • PSP: >10M transactions/year	Variable

📊 Estimated Number of Entities Concerned in the EU

~120 significant banks under ECB supervision (SSM)
~50 major insurance companies
~30 market infrastructures (CCPs, CSDs, trading venues)
~20 major payment service providers
TOTAL: ~200-250 entities subject to mandatory TLPT

💡 For others: TLPT remains highly recommended as best practice, but not legally mandatory.

TIBER-EU is the framework developed by the ECB that defines the standardized methodology for conducting TLPT tests in the European financial sector.

Advantages of TIBER-EU:

✅ Mutual recognition: A TIBER-EU test in one Member State is recognized by all others
✅ Avoids duplication: Entity operating in multiple countries = 1 single test
✅ Guaranteed quality: Proven and standardized methodology
✅ Certified tester pool: TIBER-EU qualified Red teams

The 8 Phases of TIBER-EU

Phase 1: Preparation (2-4 weeks)

Responsible: Financial entity + Supervisory authority

Actions:

✅ Formal decision to launch a TLPT
✅ Notification to supervisor
✅ Formation of internal White Team
✅ Definition of scope (which systems to test?)
✅ Budget validation

Phase 2: Provider Selection (4-8 weeks)

Responsible: Financial entity

Actions:

✅ Call for proposals for:
- Threat Intelligence Provider: Provide intelligence on threats targeting the sector
- Red Team Provider: Conduct attack testing
✅ Verification of certifications and references
✅ Contract signing (with strict NDA clauses)

💡 Indicative costs:

Threat Intelligence: €30k - €80k
Red Team: €80k - €300k
Internal White Team: €30k - €100k (staff time)
TOTAL: €150k - €500k for a complete exercise

Phase 3: Scoping (4-6 weeks)

Responsible: White Team + External Providers

Actions:

✅ Precisely define systems in scope
✅ Identify critical functions to test
✅ Explicitly exclude out-of-scope areas (e.g., sensitive production systems if risk too high)
✅ Define Rules of Engagement (RoE):
- Authorized attack techniques
- Forbidden techniques (e.g., data destruction)
- Authorized activity hours
- Emergency stop conditions
✅ Validation by management and supervisor

Phase 4: Threat Intelligence (6-8 weeks)

Responsible: Threat Intelligence Provider

Actions:

✅ Research on threats targeting the financial sector:
- Active APT groups (nation-states, cybercriminals)
- Observed Tactics, Techniques, Procedures (TTPs)
- Vulnerabilities exploited in the sector
- Attacker motivations
✅ Production of a Threat Intelligence report (TI Report)
✅ Identification of 3-5 realistic attack scenarios
✅ Selection of 1-2 scenarios to be tested by the Red Team

Example Threat Intelligence Scenario:

Scenario: APT group "FIN7" (sophisticated cybercriminal)
Objective: Customer data theft and fraudulent transfers
Initial vector: Spear-phishing targeting finance employees
Tools: Custom malware + RDP exploitation
TTPs: Lateral movement via Active Directory, privilege escalation, exfiltration via encrypted channels

Phase 5: Red Team Test Preparation (4-6 weeks)

Responsible: Red Team

Actions:

✅ Study of the TI Report
✅ Passive reconnaissance (OSINT) on the entity:
- Public infrastructure (domains, IPs)
- Employees (LinkedIn, social networks)
- Technologies used (job postings, conferences)
✅ Development/adaptation of attack tools
✅ Creation of attack infrastructure (C2 servers, phishing domains, etc.)
✅ Briefing with White Team on the attack plan

Phase 6: Red Team Test (4-12 weeks)

Responsible: Red Team (attack) vs. Blue Team (defense)

⚠️ CRITICAL PHASE - "Blind" test

Red Team Actions:

🎯 Initial intrusion:
- Targeted phishing on key employees
- Exploitation of public vulnerabilities
- Supply chain attacks
🎯 Establishing persistence:
- Backdoor installation
- Creation of hidden accounts
- Active Directory compromise
🎯 Lateral movement:
- Movement within internal network
- Privilege escalation
- Access to critical systems
🎯 Exfiltration / Impact:
- Access to sensitive data (simulation)
- Demonstration of potential impact (without actual destruction)

Blue Team Role (SOC/CERT):

🛡️ Detection: Identify malicious activities
🛡️ Analysis: Classify alerts, investigate IOCs
🛡️ Response: Block attacks, isolate compromised systems
🛡️ Remediation: Eradicate threat, restore services

💡 The Blue Team does NOT know a test is ongoing! They must react as to a real incident.

White Team Role (Arbiters):

👁️ Observe both teams
👁️ Ensure Red Team respects RoE
👁️ Document all actions and reactions
👁️ Decide to stop test if real operational risk

Phase 7: Closure & Remediation (2-4 weeks)

Responsible: White Team + Red Team + Blue Team

Actions:

✅ Immediate debriefing after test completion
✅ Cleanup of attack artifacts (backdoors, accounts, etc.)
✅ First analysis of results:
- What did the Red Team manage to do?
- What did the Blue Team detect/miss?
- Detection time vs. response time
✅ Identification of immediate fixes to apply

Phase 8: Reporting & Replay (4-8 weeks)

Responsible: White Team + External Providers

Actions:

✅ Detailed test report:
- Complete timeline of Red Team actions
- Blue Team detections and responses
- Gap analysis: identified vulnerabilities
- Remediation recommendations
✅ Presentation to executives:
- Executive summary
- Resilience level achieved
- Remediation action plan with budget and timeline
✅ Notification to supervisor:
- Results summary
- Confirmation that TIBER-EU test is complete
✅ Replay (optional but recommended):
- Training session for Blue Team
- Replay of attacks for training
- Sharing of observed IOCs and TTPs

Success/Failure Criteria

Aspect Evaluated	Good (✅)	Medium (⚠️)	Weak (🚫)
Detection time	< 24 hours	24h - 7 days	> 7 days
Detection rate	> 80% of actions	50-80%	< 50%
Response time	< 4 hours	4h - 24h	> 24 hours
Containment effectiveness	Attack stopped before critical systems	Attack slowed but not stopped	Full access achieved
Crisis communication	Management informed quickly, DORA process activated	Delays in escalation	Failed communication
Recovery	Critical services restored in <RTO	Recovery >RTO	Unable to recover

💡 What is Really Being Tested

TLPT does NOT only test technology, but:

🧑‍💼 People: Phishing awareness, SOC reactivity, analyst skills
📋 Processes: Incident response procedures, escalations, communication
🔧 Technology: Effectiveness of detection tools (SIEM, EDR, etc.)
🤝 Coordination: IT/Security/Management/Legal collaboration
⚖️ Governance: Board's ability to make crisis decisions

⏰ DORA Obligation: TLPT minimum every 3 years

First deadline for significant entities: Before January 17, 2028 (3 years after DORA entry into force)

Typical Timeline for a TLPT Exercise

Phase	Duration	Cumulative Timeline
1. Preparation	2-4 weeks	Month 1
2. Provider selection	6-8 weeks	Months 1-3
3. Scoping	4-6 weeks	Months 3-4
4. Threat Intelligence	6-8 weeks	Months 4-6
5. Red Team Preparation	4-6 weeks	Months 6-7
6. Red Team Test	8-12 weeks	Months 7-10
7. Closure	2-4 weeks	Months 10-11
8. Reporting	4-8 weeks	Months 11-12
TOTAL	9-14 months	~1 year

💡 Recommendation: Start planning at least 18 months before the deadline to have a margin in case of delays or need to redo phases.

Expense Item	Low Range	High Range	Notes
Threat Intelligence Provider	€30,000	€80,000	TI Report + scoping assistance
Red Team Provider	€80,000	€300,000	Varies by scope and test duration
Internal White Team	€20,000	€100,000	Staff time (PM, security, legal)
External consultants (optional)	€0	€50,000	White Team support
Temporary infrastructure	€10,000	€30,000	Test environments, additional monitoring
Post-test remediation	€50,000	€500,000+	Identified fixes (highly variable)
TOTAL (excluding remediation)	€140,000	€560,000

💡 Cost influencing factors:

Organization size: More systems = broader scope = higher cost
Technical complexity: Hybrid architectures (cloud + on-prem) more expensive to test
Red Team test duration: 4 weeks vs. 12 weeks = 3x cost
Location: Red teams based in Northern Europe generally more expensive
Provider reputation: Top-tier providers = premium pricing

12-18 Months Before Test

☐ Obtain Board approval and approved budget
☐ Notify supervisor of intention to launch TLPT
☐ Form internal White Team (project manager + security experts + legal)
☐ Define preliminary scope

9-12 Months Before

☐ Launch RFP (Request for Proposal) for TI Provider and Red Team
☐ Evaluate candidates (certifications, references, TIBER-EU experience)
☐ Select and contract providers
☐ Finalize detailed scope
☐ Draft Rules of Engagement

6-9 Months Before

☐ Threat Intelligence phase (TI Provider)
☐ Selection of attack scenarios
☐ Red Team preparation
☐ Strengthen monitoring (logs, SIEM) if necessary

3-6 Months Before (Test Phase)

☐ Launch Red Team test
☐ Continuous monitoring by White Team
☐ Documentation of all actions/reactions
☐ Regular debriefings (White Team only)

0-3 Months After (Closure & Reporting)

☐ Cleanup of attack artifacts
☐ In-depth analysis of results
☐ Writing complete report
☐ Presentation to Board
☐ Notification to supervisor of results
☐ Definition of remediation plan
☐ Replay sessions for Blue Team training

❌ Top 5 Fatal Errors

Informing the Blue Team in advance
→ The test loses all its value if defenders know they are being tested. Only the White Team (3-5 people max) should be aware.
Too limited scope
→ Excluding systems out of fear creates blind spots. A real attacker will exclude nothing.
Stopping the test too early
→ Letting the Red Team go all the way (within RoE limits) reveals the true level of resilience.
Not preparing the remediation plan
→ Identifying flaws is useless if no budget/timeline for correction is planned.
Considering the test as "a checkbox"
→ TLPT is an immense learning opportunity. Organizations that benefit most are those that integrate it into a continuous improvement approach.

TIBER-EU Framework (ECB): Complete methodological guide - ecb.europa.eu
DORA Article 26: Legal basis for mandatory TLPT
National TIBER Implementations:
- TIBER-NL (Netherlands)
- CBEST (United Kingdom) - TIBER-EU precursor
- TIBER-FR (France - ACPR)
- TIBER-DE (Germany - BaFin)
List of certified Red Team Providers: Available from national authorities

🎯 TLPT: Threat-Led Penetration Testing

📋 What is TLPT?

Definition

TLPT vs. Traditional Security Tests

👥 Who is Concerned by TLPT?

"Significance" Criteria (Significant Entities)

📊 Estimated Number of Entities Concerned in the EU

🏗️ The TIBER-EU Framework

TIBER-EU

The 8 Phases of TIBER-EU

Phase 1: Preparation (2-4 weeks)

Phase 2: Provider Selection (4-8 weeks)

Phase 3: Scoping (4-6 weeks)

Phase 4: Threat Intelligence (6-8 weeks)

Phase 5: Red Team Test Preparation (4-6 weeks)

Phase 6: Red Team Test (4-12 weeks)

Phase 7: Closure & Remediation (2-4 weeks)

Phase 8: Reporting & Replay (4-8 weeks)

📊 Metrics and Evaluation

Success/Failure Criteria

💡 What is Really Being Tested

⏰ Timeline and Frequency

Typical Timeline for a TLPT Exercise

💰 TLPT Budgeting

✅ TLPT Preparation Checklist

12-18 Months Before Test

9-12 Months Before

6-9 Months Before

3-6 Months Before (Test Phase)

0-3 Months After (Closure & Reporting)

⚠️ Common Errors to Avoid

❌ Top 5 Fatal Errors

📚 Resources and References