Threat-Led Penetration Testing (TLPT) for DORA.
The intelligence-led red team test DORA requires — run by senior testers who do this for a living. Standalone, or as the independent red team alongside your programme lead.
We secure the Czech tech companies that made it globally.
Threat-Led Penetration Testing
TLPT simulates a real, intelligence-led attack against your live production systems — the ones behind your critical or important functions. Unlike a standard penetration test, it measures detection and response against credible, targeted scenarios drawn from your actual threat profile, not a checklist of known vulnerabilities.
Under DORA, TLPT follows the TIBER-EU methodology, formalised in the TLPT Regulatory Technical Standards, Commission Delegated Regulation (EU) 2025/1190, applicable since 8 July 2025. The test runs in secret against your defenders, across five defined phases, with the outcome reported to your competent authority.
Where insighti fits
We are the red team.
DORA requires the threat intelligence provider and the red team provider to be separate and independent. insighti is the independent red team test provider — the senior specialists who plan and execute the attack scenarios. We work two ways: as your standalone red team, or alongside a programme led by a larger advisory firm, bringing the deep technical testing they coordinate but don't perform in-house.
Every tester on a TLPT engagement is a certified senior specialist — no junior hands learning on your systems.
The five phases
- Preparation — scoping with your Control Team, provider engagement, and rules of engagement.
- Threat intelligence — a targeted threat profile feeds the attack scenarios (delivered by the independent TI provider).
- Red teaming — we execute the scenarios against your live environment, covertly.
- Closure — findings, evidence, and a replay / purple-teaming step with your blue team.
- Remediation & reporting — the outcome and attestation prepared for your competent authority.
Is your organisation in scope?
DORA's TLPT obligation falls on financial entities that meet impact, risk, and systemic-relevance criteria set by your competent authority — not every regulated entity, but a notification from your authority is the signal. If you've been designated, or expect to be, the lead time on a full TLPT cycle is long. Talk to us early.
TLPT sits within DORA's wider digital operational resilience requirements. We also test toward NIS2, ISO 27001, and PCI DSS.
Frequently asked, always answered.
What's the difference between TLPT and a penetration test?
A standard pentest finds vulnerabilities in a defined scope; TLPT is intelligence-led, covert, and tests whether your people and controls detect and respond to a realistic, targeted attack on your live production systems.
Do we have to do TLPT?
Only if your competent authority designates you based on the DORA criteria. Many financial entities won't — but those that do face a long preparation cycle, so start early.
Can a prior TIBER-EU test count?
Tests meeting the RTS requirements may be recognised toward the obligation — bring us what you've done and we'll assess fit.
Can you work with our existing advisory firm?
Yes; we're frequently the independent red team alongside a programme led by another firm.
Who runs the test?
Senior specialists only — every tester holds at least an OSCP, with red-team and OSWE-level depth above that.
Let's talk it through.
Tell us what you need tested — we'll set up a no-obligation call and propose a scope.