
TLPT

Threat-Led Penetration Testing - an advanced form of security assessment required by DORA for systemically important financial institutions.

What is TLPT?

TLPT (Threat-Led Penetration Testing) is an advanced form of security testing in which attack scenarios are based on current threat intelligence specific to the organisation and its sector. Unlike standard penetration tests, TLPT simulates the actions of specific adversary groups that could realistically target the institution.

The TLPT process consists of three phases. In the preparation phase, a threat intelligence provider produces a threat report identifying the APT groups active in the sector and their tactics, techniques and procedures (TTPs). Based on this report, the red team designs attack scenarios. In the testing phase, the red team executes the operation, simulating the identified threats. The closing phase covers analysis of the results and development of a remediation plan.

TLPT is required under the DORA regulation (Articles 26-27) for financial institutions designated by supervisory authorities. Tests must cover critical business functions and be conducted every three years by external providers meeting defined requirements. The TIBER-EU framework serves as the methodological reference point for TLPT.

Why does it matter?

TLPT allows an assessment of the organisation’s real resilience against the threats most likely to affect it. It is not a test of “do we have vulnerabilities”, but a test of “can we detect and stop an attack that could realistically target us”.

For financial institutions subject to DORA, conducting TLPT is a regulatory obligation. Test results are reported to the supervisory authority and can influence the institution’s operational risk assessment. Selecting a TLPT provider requires verifying their competence, experience in the financial sector and independence.
