
DORA and Threat-Led Penetration Testing (TLPT)

"Threat-led penetration testing (TLPT) means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity's critical live production systems." (DORA, Art. 3 (17), translated.)

While traditional penetration tests are good at identifying vulnerabilities and weaknesses, they are usually executed within tight scopes and restricted to IT assets, without considering the wider impact or mapping how a compromise would affect business processes. TLPT adds this context and involves further stakeholders in order to address the resilience of an entity holistically, rather than being limited to certain IT assets.


What does that entail?

Think of a TLPT as a large-scale Red Teaming engagement. The goal is to engage the entity being tested holistically. The only way to eat this elephant is in parts. The TLPT process begins with a Threat Intelligence phase that identifies relevant attack paths against the entity and culminates in a set of distinct Red Team attack scenarios.

While the number of relevant scenarios will vary, they revolve around these three major domains:

  • The physical attack surface: how easily is the physical perimeter breached, e.g. via publicly accessible areas?

  • The human attack surface: usually involving different kinds of phishing attacks, given their prevalence.

  • The digital attack surface: mapping and testing the cyber footprint.

The task for the Red Team is to achieve the scenario goals by any means necessary, in a production environment.

How long does a TLPT take?

The regulators expect an end-to-end timeframe of 6-12 months. This also includes involvement with the regulator, such as signing off the engagement and the agreed reaction times between the reports of the Red and Blue teams. The active Red Teaming phase has to last no less than 12 weeks.

How often do you need to carry out a TLPT?

A TLPT is due every 3 years.

How do I choose a service provider?

Because the testing takes place in live production environments, selecting a well-suited vendor becomes critical. Article 27 of DORA defines the requirements for providers who may perform a Threat-Led Penetration Test.

Exploit Labs fully complies with the TIBER-EU Procurement Guidelines. As TIBER is the reference framework for DORA, these guidelines can be used to assess a provider's suitability for DORA.

Are you only available as a Red Team Provider?

Exploit Labs is able to fulfil both the Red Teaming and the Threat Intelligence requirements.

We also have experience supporting the White Team / Control Team, but only do so where we are not engaged as the Red Team.

Who has to perform a TLPT?

Applicability of DORA is not easily answered because of exceptions; generally speaking, however, DORA applies to:

  • Credit institutions

  • Payment institutions

  • Account information service providers

  • Electronic money institutions

  • Central securities depositories

  • Central counterparties

  • Investment firms

  • Cryptoasset service providers*

  • Trading venues

  • Trade repositories

  • AIFMs

  • Management companies

  • Data reporting service providers

  • Insurance and reinsurance undertakings

  • Institutions for occupational retirement provision

  • Credit rating agencies

  • Administrators of critical benchmarks

  • Crowdfunding service providers

  • Securitisation repositories

Do we have to execute a TLPT?

If DORA is applicable to your entity, running a TLPT becomes mandatory by January 2025.

How is the regulator involved?

The regulator will provide two members forming the TCT team, which oversees the planning and execution of the TLPT, covering scope definition, provider selection as well as the execution and remediation phases.

At multiple points the regulator can intervene and alter or halt the course of action.

Prepare for 2025 with a lightweight Red Team Exercise

Many clients are opting to run a Red Team Exercise or Threat-Led Penetration Test that does not involve the regulator, in order to prepare for the official run.

  1. Run the project at your own pace

  2. Execute in a friendly environment

  3. The engagement comes with less overhead

  4. The engagement can be executed in a shorter timeframe

  5. Gain valuable experience, such as defining your critical functions, before the official engagement
