TLPT

Threat-Led Penetration Testing

DORA (Regulation (EU) 2022/2554) · Article 26

DORA
cybersecurity
operational-resilience
testing

Definition

A framework for testing the cyber resilience of financial entities by simulating the tactics, techniques, and procedures of real threat actors. Under DORA, significant financial entities must carry out TLPT at least every three years, using external testers and following the TIBER-EU framework.

What is TLPT?

Threat-Led Penetration Testing (TLPT) is an advanced form of security testing that simulates the tactics, techniques, and procedures (TTPs) of real-world threat actors targeting a specific financial entity. Unlike standard penetration testing, TLPT is based on threat intelligence specific to the tested entity and aims to test the entity's people, processes, and technology in a realistic scenario.

DORA Requirements

Under Article 26 of DORA, financial entities identified by competent authorities must carry out TLPT at least every three years. The testing must cover critical or important functions, be performed by external testers (with limited exceptions for internal testers under strict conditions), and follow the TIBER-EU framework. Results must be reported to the competent authority.

Scope and Exemptions

Not all financial entities are required to perform TLPT. Competent authorities identify which entities must conduct TLPT based on factors including systemic importance, ICT risk profile, and the criticality of financial services provided. Microenterprises are generally exempt from TLPT requirements.
