DORA_[ready]?
Threat-Led Penetration Testing for financial entities under the EU Digital Operational Resilience Act.
Threat-Led Penetration Testing
Test your defenses the way real attackers would test them.
Built for DORA, TIBER-EU, and any financial entity serious about operational resilience.
Where conventional penetration testing focuses on a defined system or application, TLPT looks at the whole organisation: people, processes, technology, and the live production systems they depend on. The point is not just to find vulnerabilities. The point is to find out whether your detection and response actually work when an attacker is already inside.
Whether you are a bank, an insurer, an investment firm, a payment institution, or any other financial entity in scope for DORA, we can help you design and execute a TLPT that meets the regulation — and gives your blue team a fight worth remembering.
Our insight.
- Threat actors do not respect change windows. Neither do we.
- Lateral movement inside a financial network usually involves credentials harvested in places nobody is watching.
- Regulators want to see the report, but the value lives in the lessons learned by your defenders during the exercise.
- The most expensive part of a breach is the time between initial access and detection. TLPT measures that time directly.
- Threat-led testing reveals which detection rules fire, which ones are noise, and which ones never fire at all.
- The white team — the small group inside your organisation aware of the test — is as important as the red and blue teams combined.
- A TLPT engagement is conducted against live production systems. That is intentional — and exactly what makes it valuable.
- Most organisations discover their EDR is silent during the parts of the kill chain that matter most. Better to discover that in an exercise than in a breach.
- Threat intelligence is what separates TLPT from a standard red team exercise. Without realistic, current TTPs, you're testing an imaginary attacker.
- The European Central Bank's TIBER-EU framework predates DORA. The methodology is mature, and our team has experience operating within it.
- Under DORA Articles 26 and 27, certain financial entities will be required to conduct advanced testing based on TLPT at least every three years.
- A vulnerability scan tells you what's wrong. A penetration test tells you what's exploitable. A threat-led penetration test tells you whether anyone would actually notice.
- The most commonly used port for data exfiltration is port 53.
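The last two points above, that TLPT tells you whether anyone would notice and that DNS (port 53) is the usual exfiltration channel, come together in a concrete blue-team check: does your resolver logging let you spot data being encoded into DNS queries? The script below is an added illustration written for this page, not tooling from the provider or from any TIBER-EU framework. It applies a simple heuristic (many distinct, long, high-entropy subdomains from one client under one domain) to a constructed resolver log whose format, client addresses, domains and thresholds are all assumptions made for the example.

```python
"""Heuristic detection of DNS-based data exfiltration in resolver query logs.

Added illustration for this page. The log format ("<epoch> <client_ip> <qtype> <qname>"),
the client addresses, the domains and the detection thresholds are all constructed
for the example and are not taken from any product or engagement.
"""
import hashlib
import math
from collections import defaultdict

# Constructed set of ordinary names an office workstation might resolve.
BENIGN_NAMES = ["www.example.com", "mail.example.com", "cdn.example.com",
                "login.example.com", "api.example.com"]


def build_sample_log():
    """Return constructed log lines: one ordinary client (10.0.1.15) and one
    client (10.0.1.77) whose queries carry chunk-like labels under a single
    domain, the shape DNS tunnelling and exfiltration tools tend to produce."""
    lines = []
    ts = 1700000000
    for i in range(20):  # benign workstation: a handful of names, looked up repeatedly
        lines.append(f"{ts + i} 10.0.1.15 A {BENIGN_NAMES[i % len(BENIGN_NAMES)]}")
    for i in range(30):  # constructed exfil-like pattern: 40-char hex label per query
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]
        lines.append(f"{ts + 100 + i} 10.0.1.77 TXT {chunk}.exfil-test.invalid")
    return lines


def shannon_entropy(text):
    """Bits per character of the string; encoded payloads score high, words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one constructed log line; return (client, qtype, qname) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _, client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def split_name(qname):
    """Naive split into (subdomain part, registrable domain) using the last two labels.
    A production deployment would use the Public Suffix List instead."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(lines, min_queries=20, min_unique=20, max_mean_len=25.0, max_mean_entropy=3.0):
    """Group queries by (client, registrable domain) and flag groups that look like
    encoded data: enough queries, almost all subdomains distinct, long labels,
    high entropy. Thresholds are assumptions; tune them against your own baseline."""
    groups = defaultdict(lambda: {"queries": 0, "unique": set(), "lens": [],
                                  "entropies": [], "txt": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qtype, qname = parsed
        sub, domain = split_name(qname)
        g = groups[(client, domain)]
        g["queries"] += 1
        g["unique"].add(sub)
        flat = sub.replace(".", "")
        g["lens"].append(len(flat))
        g["entropies"].append(shannon_entropy(flat))
        if qtype == "TXT":  # TXT answers are a common downstream channel for tunnels
            g["txt"] += 1

    report = {}
    for key, g in groups.items():
        mean_len = sum(g["lens"]) / g["queries"]
        mean_ent = sum(g["entropies"]) / g["queries"]
        flagged = (g["queries"] >= min_queries and len(g["unique"]) >= min_unique
                   and mean_len > max_mean_len and mean_ent > max_mean_entropy)
        report[key] = {"queries": g["queries"], "unique_subdomains": len(g["unique"]),
                       "mean_label_len": round(mean_len, 2), "mean_entropy": round(mean_ent, 2),
                       "txt_queries": g["txt"], "flagged": flagged}
    return report


if __name__ == "__main__":
    for (client, domain), stats in analyse(build_sample_log()).items():
        marker = "FLAGGED" if stats["flagged"] else "ok"
        print(f"{marker:8} {client:12} {domain:22} {stats}")
```

Run it and the constructed exfil client is flagged while the workstation is not. The point for a TLPT blue team is the negative case as much as the positive one: if your resolvers do not log query names at all, or only sample them, none of these features are available and a port-53 channel will stay invisible no matter how good the rule is.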
Frequently asked, always answered.
Yes. Our team includes both the threat intelligence providers and the red team operators required to deliver an end-to-end TLPT. For organisations that prefer to separate the two functions, we are happy to work alongside a third-party intelligence provider.
DORA introduces advanced testing for a defined group of financial entities, designated by competent authorities based on size, risk profile, and systemic importance. This includes significant banks, central counterparties, central securities depositories, and certain insurers and investment firms. If you are unsure whether your organisation is in scope, we can help you make that determination as part of an initial consultation.
A standard red team exercise can be scoped however the client wants. TLPT is bound by a specific methodology (TIBER-EU or equivalent under DORA), uses threat intelligence to drive scenario design, must be conducted against live production systems, and is observed by your competent authority. The bar is intentionally higher.
End-to-end, expect 6 to 9 months from scoping to closure report. The active red teaming phase alone typically runs for 10 to 12 weeks. We work with your team to build a realistic timeline that fits your release cycles and regulatory deadlines.
The engagement is carefully designed to minimise operational impact. Risk management is a formal part of the methodology, and the white team has clear escalation paths to pause the exercise if necessary. In practice, well-run TLPT engagements complete without service disruption.
