What is TLPT (Threat-Led Penetration Testing) and why DORA requires it

TLPT (Threat-Led Penetration Testing) is a red team exercise based on real threat intelligence that the DORA Regulation requires from the most critical financial entities in the EU. It isn't a more thorough pentest: it's a full adversary simulation — red team, not a scoped vulnerability assessment — designed to measure whether your organization detects and responds to a targeted attack, not just whether it has patchable vulnerabilities.

What TLPT actually is

TLPT reproduces the tactics, techniques and procedures (TTPs) of real threats relevant to your sector, sourced from up-to-date threat intelligence, against your critical production systems, in a covert red team exercise: the blue team (SOC, incident response) doesn't know it's happening. The goal isn't finding the maximum number of vulnerabilities — it's answering a different question: if a threat actor with the capabilities and motivation of a real adversary came after you, how far would they get before you detected and contained them?

Which entities DORA requires to run TLPT

Article 26 of the DORA Regulation requires TLPT every 3 years for financial entities designated as critical by their competent authority (significant credit institutions, market infrastructures, large insurers, among others) — not the full population of entities subject to DORA. The designation criteria combine systemic impact, risk profile, size and cross-border activity. If your entity is already subject to advanced operational resilience testing under DORA, TLPT is likely part of that obligation; if you're unsure whether it applies to you, your supervisory authority is the one that determines the designation.

How a TLPT exercise runs in practice

DORA doesn't invent a methodology from scratch: it relies on established frameworks like the ECB's TIBER-EU (Threat Intelligence-Based Ethical Red Teaming), which structures the exercise into phases: (1) preparation and scoping, defining the critical functions to be tested; (2) threat intelligence phase, where a specialized provider builds realistic attack scenarios based on actors relevant to the sector; (3) red team phase, executing those scenarios against production with maximum stealth; (4) closure and remediation, with a joint report from the threat intelligence provider, the red team and the entity. The full process typically spans several months and requires coordination with the supervisor.

TLPT vs traditional pentesting: key differences

A standard pentest has a scoped target (one application, one network), is known in advance by the defensive team, and aims to maximize vulnerability coverage within a fixed timeframe. TLPT is a covert red team exercise, based on real, sector-specific threat intelligence, scoped at the level of critical business functions (not just technical assets), and measures detection and response capability, not just attack surface. A pentest is a useful input to prepare before a TLPT — it clears out the noise of known vulnerabilities — but it doesn't substitute the regulatory obligation if your entity is designated.

FAQ

Is my company required to run TLPT if I already comply with DORA?

Not necessarily. DORA applies broadly to a wide range of financial entities, but TLPT is only mandatory for those designated as critical by the competent authority, at a minimum cadence of every 3 years. Most entities subject to DORA are not required to run TLPT, but are subject to less demanding operational resilience tests.

Can QuantumSec run a full TLPT?

A TIBER-EU-compliant TLPT requires providers specifically accredited for the threat intelligence and red team phases, coordination with the supervisor, and a concrete regulatory scope. We can help you prepare your organization before a TLPT (prior red team, hardening, gap analysis against the framework) and interpret your obligations under DORA; for the formal TLPT exercise, we guide you through the accreditation process and the right provider for your profile.