Threat-Led Penetration Testing (TLPT) is one of the most technically demanding requirements under DORA. Unlike standard penetration testing, TLPT simulates real-world threat actor tactics against live production systems — with the goal of testing actual operational resilience rather than identifying theoretical vulnerabilities in a test environment.
Under DORA Article 26, significant financial entities are required to conduct TLPT at least every three years. This guide explains what TLPT is, who must conduct it, how the TIBER-EU framework applies, and what running a programme looks like in practice.
What is TLPT?
TLPT (Threat-Led Penetration Testing) is an advanced red team exercise that:
- Uses current, entity-specific threat intelligence to design realistic attack scenarios
- Targets live production systems rather than test environments
- Is conducted by certified external testers
- Tests the full attack chain, from initial access through to impact on critical functions
The key distinction from standard penetration testing is that TLPT is intelligence-led. Testers operate based on realistic threat actor profiles built from actual intelligence about threats facing your specific organisation and sector. The blue team — your internal security operations — typically operates normally and is unaware the test is occurring until the debrief phase.
TLPT is not a vulnerability scan or a standard pentest. It is a full simulation of a sophisticated, targeted attack on your most critical systems, conducted against your live production environment.
Who is required to conduct TLPT?
Not all entities in scope of DORA are required to conduct TLPT. Article 26(8) specifies that competent authorities identify which entities must undergo TLPT based on:
- Systemic importance or critical role in the financial sector
- The entity's ICT risk profile and maturity level
- The nature and scale of operations
Entities identified for TLPT receive notification from their competent authority. Most large credit institutions, systemically important payment infrastructures, central counterparties, and major investment firms are expected to fall in scope.
If you are not identified for mandatory TLPT, you may still choose to conduct it voluntarily. Doing so can demonstrate a proactive approach to your regulator and differentiate your resilience posture.
The TIBER-EU framework
DORA requires that TLPT follows the TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) framework, developed by the European Central Bank. TIBER-EU defines:
- How threat intelligence is gathered and used to build attack scenarios
- How red team testers must be qualified and selected
- How the test is structured, conducted, and documented
- How findings are reported and remediation is tracked
- How results are communicated and attested to supervisory authorities
TIBER-EU has been implemented at national level across the EU, with national variants (e.g. TIBER-IE in Ireland, TIBER-DE in Germany) providing local guidance and approved provider lists.
The three phases of a TLPT programme
Phase 1: Preparation (4–6 weeks)
The preparation phase establishes the governance and scope for the test. Key activities include:
- Defining the scope — which critical or important functions and systems will be tested
- Establishing a Test Management Team (TMT) comprising senior stakeholders from compliance, risk, IT, and the management body
- Procuring an approved Threat Intelligence (TI) provider and Red Team (RT) provider through a documented selection process
- Briefing providers with available entity-specific intelligence and scope documentation
- Obtaining management body sign-off on scope and test plan
Phase 2: Testing (8–12 weeks)
The testing phase is the live red team exercise. Key stages include:
- The TI provider produces a Targeted Threat Intelligence (TTI) report describing realistic attack scenarios based on current threat actor profiles relevant to your sector and organisation
- The red team conducts the simulated attack against live production systems, following the TTI scenarios
- The blue team (internal security) operates normally throughout — they are typically unaware the test is occurring
- All findings, actions, and timelines are continuously documented by the TMT
- The TMT receives regular secure updates from the red team throughout the exercise
Testing against live production systems is a deliberate requirement. DORA explicitly states that TLPT must test "live production systems" — results from test environments do not satisfy the requirement.
Phase 3: Closure and remediation (4–6 weeks)
The closure phase covers the debrief, reporting, and regulatory attestation:
- A purple team debrief between the red team and blue team to share findings and methodology
- Production of the final TLPT report covering findings, attack paths, and root causes
- Remediation plan developed for all identified vulnerabilities, with owners and target dates
- Attestation to the competent authority that the TLPT was conducted in accordance with TIBER-EU requirements
- Summary report provided to the management body
Mutual recognition across jurisdictions
One of the practical benefits of DORA's TLPT framework is mutual recognition. A financial entity operating in multiple EU member states that conducts a TLPT in one jurisdiction can have the results recognised by competent authorities in other jurisdictions — avoiding the need to run duplicate tests for the same entity.
This is a significant operational efficiency for cross-border financial groups and is one of the areas where DORA has improved on the pre-existing national TIBER implementations.
Common TLPT programme challenges
- Scope definition — Defining what constitutes a "critical or important function" for TLPT purposes requires alignment between compliance, risk, and IT. The scope must be informed by your ICT risk assessment and business impact analysis.
- Provider selection and procurement — Both the TI provider and RT provider must meet specific competence requirements, and procurement must be documented. Selection alone typically takes 4–8 weeks.
- Senior management bandwidth — The TMT requires genuine senior management engagement throughout. Sign-off decisions at scope approval, mid-test briefings, and final remediation approval all require executive time.
- Evidence management — The documentation trail for a full TLPT is extensive and must be maintained securely. Every phase generates evidence that must be retained for regulatory inspection.
- Remediation tracking — Findings from TLPT must be tracked through to remediation. Competent authorities will ask about remediation progress at the next supervisory engagement.
How often must TLPT be repeated?
DORA Article 26(2) requires that TLPT be conducted at least every three years. However, competent authorities may require more frequent testing based on the entity's risk profile or following a significant ICT-related incident. The three-year clock resets from the date the previous test was attested.