What is TLPT (Threat-Led Penetration Testing)?
Short definition
TLPT is a regulator-mandated form of penetration testing in which the attack scenarios are explicitly driven by threat intelligence about adversaries currently targeting the tested entity, executed by an independent red team under a documented methodology with a verifiable evidence chain.
Why this matters now
TLPT became a binding requirement for significant EU financial entities under DORA Art. 26 from January 2025. The Regulatory Technical Standards RTS 2025 codified TIBER-EU as the reference methodology and made the evidence chain — from threat-intel input through red-team test to closure — auditable by the competent authority. Failing the evidence test is an enforcement event, not a quality finding.
Key points
- Mandated by DORA Art. 26 for significant financial entities; recommended for any regulated operator under NIS2.
- Reference methodology: TIBER-EU (Threat Intelligence-based Ethical Red Teaming).
- Phases: TI Provision → Red Team Test → Purple Team → Closure, each with mandatory artefacts.
- External red team independence is a binding requirement, not a quality preference.
- Evidence must be verifiable — typical contractor PDFs no longer satisfy the standard.
- Cadence baseline: every 3 years for the formal exercise; continuous testing of critical ICT systems under Art. 25 in between.
How TLPT differs from a standard pentest
A standard pentest starts from a scope document. TLPT starts from threat intelligence about who is targeting your sector — Brain Cipher, Akira, FIN12, Scattered Spider, state-aligned actors — and reproduces their actual tactics, techniques and procedures (TTPs) in your environment.
The practical implications: scope is informed by adversary capability rather than client convenience, the test crew must be independent of the entity (no in-house red teams for the formal exercise), and the methodology is documented and reproducible. Each phase produces signed artefacts that the competent authority can request and verify.
TIBER-EU phases in plain terms
- TI Provision — a threat-intelligence provider produces a tailored report on who would attack you, how, and which crown-jewel assets they would target. Signed, dated, attributable.
- Red Team Test — an independent red team executes the scenarios from the TI report against the production environment, observing rules of engagement signed by both parties. Real systems, real users, no announcement to the SOC.
- Purple Team — red and blue teams reconstruct the attack chain together. Findings, detection gaps, and process failures are catalogued.
- Closure — remediation plan, retest, formal closure report signed by the entity and the competent authority observer.
The evidence-chain requirement (RTS 2025)
The 2025 Regulatory Technical Standards strengthened the evidence requirements. Every TLPT artefact must be cryptographically verifiable in sequence from the threat-intelligence input to the final closure document. A PDF marked "v1.3" with an editorial date stamp is no longer sufficient.
This is the operational reason continuous-testing platforms with built-in signed-evidence chains (ECDSA, X.509-signed bundles, time-stamped logs) have become procurement-favoured: they ship the artefact requirement as a byproduct of normal operation, rather than as a manual assembly task at TLPT submission time.
How often must TLPT be run?
The DORA baseline is once every three years for the formal TLPT exercise on critical ICT systems. However, this does not replace the Art. 25 obligation to test continuously — the EBA technical standards make explicit that "continuous" means continuous, informed by current threat intelligence, not a quarterly cadence with TLPT bolted on top.
In practice, mature entities run the formal TLPT every 24-36 months and run a continuous TLPT-style validation in between (automated, with the same TI inputs and the same signed-evidence chain). The benefit is that the formal exercise becomes a confirmation, not a discovery.
Want this against your environment?
Book a 30-minute scoping call — we will map this directly to your current compliance scope and threat profile.