
July 2025, Zoja Antuchevic, SolutionLab, CEO and CREST EU Council Member

Threat-Led Penetration Testing (TLPT) Under DORA: What Financial Institutions Need to Know

Financial institutions across the EU are facing new cybersecurity mandates under the Digital Operational Resilience Act (DORA). One key requirement is to conduct Threat-Led Penetration Testing (TLPT) – essentially, advanced Red Team exercises that simulate real cyberattacks on live systems. In this blog post, we’ll break down what TLPT entails as mandated by DORA, how it fits into broader operational resilience, why using accredited service providers (especially CREST-accredited firms) is so important, and the benefits of doing so. We’ll also compare CREST with other well-known certifications like OSCP and GIAC and highlight the risks of choosing unaccredited or unvetted testing providers. The goal is to provide clarity for cybersecurity managers, CISOs, and procurement leads on navigating TLPT in a compliant and effective manner.

What is TLPT and Why DORA Mandates It

Threat-Led Penetration Testing (TLPT) is an intelligence-driven form of penetration testing: a controlled cyber "red team" attack designed to mimic the tactics, techniques and procedures of real threat actors. Unlike a vulnerability scan or a traditional, scope-limited pentest, a TLPT is a full-scale stealth attack simulation against an organisation's critical live systems. The defenders (the Blue Team) are not told it is a test; only a small control team inside the institution knows the exercise is under way. This provides an authentic measure of the institution's ability to detect, respond to, and recover from a sophisticated attack in real time. TLPT exercises are bespoke to each institution's threat profile, guided by threat intelligence about the adversaries that would realistically target it. Financial entities identified by their competent authority as required to perform TLPT (for example, major banks and payment providers above certain size and systemic-importance thresholds) must conduct a TLPT at least every three years, or more often if the authority deems it necessary. This ensures that no such institution goes too long without a rigorous, real-world check of its cyber defences. Article 26 of DORA sets out this advanced testing requirement as the top tier of operational resilience testing, and Article 27 lays out the criteria that testers must meet, emphasising that the testing must be carried out by highly qualified, reputable professionals.

In the broader operational resilience context, TLPT is one component of DORA’s comprehensive requirements. DORA covers everything from risk management processes and incident reporting to oversight of third-party ICT providers. Regular penetration testing and vulnerability assessments are expected of all in-scope firms, but TLPT is reserved for the largest or most systemically important institutions with mature cyber defences. Think of TLPT as the “advanced level” test of an organisation’s cyber resilience – DORA essentially forces critical financial entities to prove their cyber resilience in a real-world scenario, not just on paper. By doing so, regulators aim to identify weaknesses before real attackers do, and to promote continuous improvement in defences. The inclusion of TLPT in DORA underscores how vital it is for the financial sector to be prepared for sophisticated cyber threats as part of overall operational continuity.

TLPT: A High-Stakes Cyber Resilience Exercise

To put TLPT in perspective, it helps to understand what such a test looks like in practice. A TLPT engagement usually involves two specialised teams, typically sourced from one or more providers: a Threat Intelligence team (to study the threat actors relevant to the institution and craft realistic attack scenarios) and a Red Team (to execute the simulated attack against those scenarios). The test spans multiple phases, from initial reconnaissance and scenario planning through active exploitation to a closure phase that includes debrief, reporting and remediation planning. Notably, DORA's TLPT standards mandate a "purple teaming" element in the closure phase, meaning the attacking Red Team and the institution's defending Blue Team come together after the simulation to walk through what was and was not detected, share insights, and improve detection and response capabilities.

Because TLPT exercises run on live production systems, they carry inherent risk. During the test, Red Team operators attempt to bypass security controls, pivot through networks, and achieve predefined objectives (for example, reaching crown-jewel data or demonstrating that a fraudulent transaction could be performed), all without causing unintended disruption. The risks of a poorly executed TLPT are real: an uncontrolled test can cause outages, corrupt data, or inadvertently expose sensitive information. For this reason, both DORA and frameworks like TIBER-EU, on which DORA's TLPT standards are based, put a strong emphasis on risk management and tester qualifications. As the ECB notes in the TIBER-EU guidance, testing on critical live systems must be handled by the most competent, qualified, and trusted professionals, with robust risk controls in place at all times.

Threat-led penetration tests simulate real cyberattacks on an institution's live systems, revealing how well its defences hold up. The Red Team operators, often described as "ethical hackers", work covertly throughout the TLPT, mimicking advanced threat actors to test detection and response capabilities under fire. The exercise is intelligence-led and carefully scoped to ensure a controlled, yet realistic, challenge to the organisation's resilience. In summary, TLPT is a double-edged sword: incredibly valuable for uncovering gaps and improving cyber resilience, but only if conducted in a safe and professional manner. That is why DORA does not just mandate that you do a TLPT; it effectively mandates that you do it right, with the right people.

This is the first of a series of blog articles around DORA, so please keep your eyes on our blog section for the next instalments.