With the Digital Operational Resilience Act (DORA), the EU regulation on digital operational resilience in the financial sector, Threat-Led Penetration Tests (TLPTs) have become a mandatory part of the regulatory framework. These tests are based on the TIBER framework and describe threat-led red team assessments in which real threat actors are emulated using appropriate scenarios. The accompanying technical standard contains all relevant requirements.
In a TLPT, a real cyber threat is simulated in the form of a customized test against the respective company's live production systems. The red team takes on the role of various attackers (or attacker groups) and replicates them using their tactics, techniques, and procedures (TTPs).
In corresponding red team assessments, all lines of defense are tested, from the protection of systems in the outer perimeter to attack detection and the special protective measures for the corresponding crown jewels, the core systems.
Thus, red team assessments provide companies with the opportunity to check how well they are prepared for real threats and to learn where there is still potential for improvement.
To this end, the TIBER-EU Framework 2025 has been adapted so that it also meets the DORA requirements for TLPTs in the future; the updated framework is available from the European Central Bank (ECB). SySS has already conducted several TIBER-DE tests and gained a wealth of experience in this field. This means that SySS is ideally equipped to support you in carrying out these threat-led penetration tests.
Because TLPTs are conducted in live production environments, the project team must be familiar with the relevant networks and systems. Dealing with difficult conditions and communicating appropriately with management also play an important role. Therefore, clear requirements apply to the red team testers and the red team manager. For DORA TLPTs, this qualification must be proven through professional experience and specialized certifications: red team managers must demonstrate five years of experience, and red team testers two years.
In addition, the team is assembled in such a way that, taken together, its members have performed a total of five different assessments in the past.
The technical standard (Article 5, 2f) specifies the relevant requirements.
Contact: Steffen Stepper, steffen.stepper(at)syss.de / redteam(at)syss.de, +49 7071 407856-6157 (PGP Key)
In principle, the framework can also be adapted to sectors outside the financial industry; for example, tests based on the TLPT and TIBER frameworks deliver comparable results for operators of critical infrastructure (KRITIS).
This is another area in which SySS can look back on many successful projects.
In addition to the institutions selected by the TLPT Authority, this framework is also suitable for the following groups of companies:
Whether you are preparing to conduct a TLPT, planning an unregulated TLPT, or want to perform a general red team assessment, our experts are happy to advise you.
The TIBER-EU framework essentially comprises the following stakeholders: the control team (CT) on the customer side, which represents the project management; the TLPT cyber team (TCT), which in Germany is provided by the Bundesbank; and the threat intelligence provider (TIP) and red team testers (RTT). The blue team is also involved, albeit not in an active role.
Especially in the early stages of such a project, the role of the red team is more consultative and behind the scenes, but the red team can already identify at this early stage whether specific target systems have been chosen unsuitably or whether planned attacks are not actually feasible. Building on this, the threat intelligence (TI) phase begins, in which, besides technical reconnaissance, initial scenarios are developed and discussed.
The red team uses this information to draw up a detailed attack plan, which is then actively tested over a period of at least twelve weeks. Depending on the requirements, the selected scenarios can be carried out either sequentially or in parallel. During this time, the red team reports on the planned activities in daily meetings and presents all findings in detail and in a manner suited to the target audience in weekly presentations.
The individual phases of a TLPT project, which together span several months, are differentiated as follows:
After identification by the TLPT Authority, appropriate service providers are procured and initial kickoff meetings are held to determine the project scope. Both the red team and the TI provider support the kickoff meeting.
In addition, the scoping workshop ensures that the critical functions of the company are analyzed (often based on a current business impact analysis in combination with a corresponding protection needs assessment).
This results in a set of objectives for the project, which are addressed in the active phases.
The test phase is divided into the TI phase, in which the TI team develops attack scenarios, and the red teaming phase, in which the developed attack scenarios are carried out.
In this phase, public information is collected and summarized in combination with a threat assessment report. As a result, the TI provider creates a profile of the company as well as various threat scenarios and the corresponding target systems.
In addition to defining scenarios, this phase also involves technical reconnaissance, which maps the company's public attack surface.
Based on the previously gathered information and the defined scenarios, the red team develops possible attack vectors for the corresponding scenarios and targets. The result is a detailed attack plan that is coordinated with the customer's CT and the TCT.
This marks the start of the active phase of the red team test, which involves conducting attacks over a period of at least twelve weeks.
These attacks include at least three end-to-end scenarios which are examined by the red team. In doing so, the red team tailors the corresponding attacks to the threat situation and the selected scenarios. For example, the red team may assume the role of hacker groups such as Black Basta and attempt to obtain the relevant data for exfiltration and encryption in just the same way as this group.
Additionally, daily status meetings are held throughout the project to keep you informed of the red team's next steps. At these meetings, the red team also provides a risk assessment—the final decision ultimately rests with the CT.
In the final phase, the red team produces a test report that can be used in combination with the blue team report to create an action plan. The blue team report is created by the customer and describes which actions were detected and where there is still room for improvement. To make this comparison possible, the red team report contains a detailed timeline of the actions performed.
Subsequently, corresponding attacks are retested in replay and purple team workshops.
Do not hesitate to get in touch: +49 7071 407856-0 or anfrage@syss.de | Outside regular office hours call +49 7071 407856-99
As a framework contract customer, please dial the provided on-call service number.