TLPT (Threat-Led Penetration Testing)

TLPT (Threat-Led Penetration Testing) is an advanced form of penetration testing that emulates the tactics of real threat actors. Under DORA, certain financial entities are required to conduct TLPT at least every three years to validate their actual resilience against sophisticated attacks.

    What is TLPT?

    TLPT (Threat-Led Penetration Testing) is an advanced form of penetration testing designed to emulate the actual tactics, techniques and procedures (TTPs) that sophisticated threat actors – including state actors and organised cybercriminals – use against financial institutions.

    Unlike traditional penetration testing, which is typically broader in scope and more technically focused, TLPT is based on current threat intelligence and simulates a realistic, targeted attack against the specific organisation's critical systems and processes.

    DORA's requirements for TLPT

    DORA Article 26 sets out the requirements for TLPT for financial entities:

    • Frequency: At least every three years.
    • Scope: The test must cover live production systems and critical functions.
    • Third-party inclusion: Certain critical ICT third-party service providers must be included in the test scope.
    • Supervisory validation: The test is conducted under the oversight of and with validation from the competent supervisory authority.
    • External testers: TLPT must be carried out by accredited external testers.

    Not all financial entities are required to conduct TLPT. Supervisory authorities identify which financial entities are obligated to conduct TLPT based on criteria such as systemic importance, market share and potential systemic consequences. Many financial entities are subject to the more basic resilience tests instead.

    TLPT and TIBER-EU

    TIBER-EU (Threat Intelligence-Based Ethical Red-Teaming) is the ECB's and national central banks' framework for TLPT, and was the predecessor to DORA's TLPT requirements. Financial institutions that have already completed TIBER-EU tests may in certain cases have those tests recognised under DORA.

    In Denmark, the TIBER-DK framework is administered by Danmarks Nationalbank.

    TLPT vs standard penetration testing

    The key differences between TLPT and standard penetration testing are:

    • Threat intelligence-driven: TLPT is based on bespoke threat intelligence identifying the specific threats facing the organisation, rather than generic vulnerability scanning.
    • Red team simulation: TLPT involves a full red team engagement simulating real attacker behaviour over an extended period.
    • Live production systems: TLPT is conducted against live production systems, not test environments.
    • Supervisory oversight: TLPT requires involvement and validation from the competent authority.
    • Accredited testers: Only accredited external testers may conduct TLPT.

    Frequently Asked Questions about TLPT (Threat-Led Penetration Testing)

    What is TLPT?

    TLPT (Threat-Led Penetration Testing) is an advanced form of penetration testing that emulates the tactics, techniques and procedures of real threat actors. Under DORA, certain systemically important financial entities must conduct TLPT at least every three years.

    Are all financial entities required to conduct TLPT under DORA?

    No. TLPT is required for financial entities identified as particularly systemically important by supervisory authorities. Most financial entities are instead subject to the more basic resilience tests, including vulnerability assessments and scenario-based tests.

    What is the difference between TLPT and a standard penetration test?

    TLPT is based on current threat intelligence and simulates a realistic, targeted attack from a sophisticated threat actor. A standard penetration test is typically broader and more technically orientated. TLPT also covers live production systems and requires supervisory validation.

    What is TIBER-EU?

    TIBER-EU (Threat Intelligence-Based Ethical Red-Teaming) is the ECB's framework for threat-led penetration testing, which was the predecessor to DORA's TLPT requirements. In Denmark, the national framework is TIBER-DK, administered by Danmarks Nationalbank.

    How often must TLPT be conducted?

    DORA requires that designated financial entities conduct TLPT at least every three years. The test must cover live production systems and critical functions, and must be carried out by accredited external testers under supervisory oversight.
