Professional TLPT for DORA Compliance

At Trilight Security, we provide DORA-aligned Threat-Led Penetration Testing services for financial entities across the EU, including banks, insurers, payment institutions, investment firms, crypto-asset service providers, and CCPs subject to TLPT obligations under Article 26 of DORA. The DORA TLPT RTS (Commission Delegated Regulation EU 2025/1190) was published on 18 June 2025 and became directly applicable across all EU Member States on 8 July 2025, making TLPT a live regulatory obligation rather than a future requirement. Our certified red team and threat intelligence professionals deliver the full TLPT lifecycle — from threat intelligence production and scenario development through red team execution to mandatory purple teaming — producing the supervisory attestation evidence your competent authority requires. Get in touch with Trilight Security to discuss your TLPT obligation, timeline, and scope.

What Makes TLPT Different From Standard Penetration Testing Services

TLPT is not penetration testing at larger scale — it is a fundamentally different type of exercise. TLPT consists of two distinct phases carried out by separate, specialised teams: Threat Intelligence and Red Teaming.

Threat Intelligence (TI)

The Threat Intelligence provider must always be external to the financial entity — this is a hard requirement under both DORA and TIBER-EU, regardless of whether internal testers are used for the red team phase. Our threat intelligence team produces the bespoke Targeted Threat Intelligence (TTI) report that defines the realistic attack scenarios for the engagement — identifying the threat actors most relevant to your organisation, mapping their TTPs, and translating this into actionable attack scenarios for the red team.

Red Team (RT)

We provide the external red team capability to execute the simulated attacks defined in the threat intelligence scenarios — targeting your critical infrastructure functions (CIFs) across digital, physical, and human attack vectors. DORA requires external testers for credit institutions classified as significant, and mandates that every third TLPT engagement uses an external red team regardless of entity type. Our red team operates covertly against your live production environment under the coordination of your Control Team, without the Blue Team’s awareness.


Our Offering


Combined TI + Red Team

The threat intelligence and red team functions can come from the same company, provided the staff assigned to each team are adequately separated and remain independent throughout the engagement. We offer a fully managed TLPT engagement covering both the Threat Intelligence Provider and Red Team Tester roles — delivering the complete test under a single engagement framework while maintaining the mandatory separation between teams.


TLPT Readiness Assessment

Before committing to a full TLPT engagement, many financial entities benefit from a structured readiness review that maps their current security testing programme against DORA Article 26 requirements, identifies gaps in documentation and governance, assesses Control Team readiness, and produces a gap report and remediation roadmap. This is particularly valuable for entities that have received a TLPT notification letter from their national competent authority.


Purple Teaming

Under DORA, purple teaming is compulsory — working together with and training the Blue Team is integrated into the regulation. The mandatory purple teaming phase brings the red team and the financial entity’s defenders together to replay attack scenarios, validate detection and response capabilities, identify defensive gaps, and produce the joint learning output required for the attestation. We facilitate and execute the full purple teaming exercise as part of every TLPT.



Why TLPT Now?

Commission Delegated Regulation EU 2025/1190, supplementing Article 26 of DORA and setting the RTS for TLPT, became directly applicable across all EU Member States on 8 July 2025. This is no longer a forthcoming obligation — regulators are now sending official notification letters to entities that are in scope of DORA TLPT. Receiving a notification letter triggers a formal timeline: the financial entity must form a Control Team, engage a TI Provider and Red Team Tester, execute the full TLPT lifecycle, and submit results to the competent authority — all within the regulatory timeframe.

Beyond compliance, TLPT delivers strategic security value that standard testing cannot. Unlike typical pen tests, TLPT runs for months, uses bespoke threat intelligence tailored to your specific threat landscape, and tests by any means including social engineering and physical intrusion — producing a realistic picture of organisational resilience that no vulnerability scan or application penetration test can replicate. The mandatory purple teaming closure phase transforms the exercise from a point-in-time assessment into a measurable improvement in your Blue Team’s detection and response capabilities.

DORA non-compliance can be punished under national laws — for example, Germany’s banking act provides for fines for missing TLPT obligations. Beyond regulatory penalties, completion of TLPT and receipt of the supervisory attestation increasingly differentiates financial entities in enterprise vendor due diligence, cyber insurance underwriting, and institutional client onboarding processes.

Who Needs TLPT Under DORA?

DORA covers a range of financial entities, including credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, trading venues, and many more — all required to undergo penetration testing assessments. Only those considered significant and possessing mature IT systems are required to undergo TLPT.

Specifically, the entities most likely to receive TLPT notification letters include:

  • Credit institutions — particularly those classified as Global Systemically Important Institutions (G-SIIs) or Other Systemically Important Institutions (O-SIIs). Significant credit institutions must always use external testers.
  • Central Counterparties (CCPs) and Central Securities Depositories (CSDs)
  • Insurance and reinsurance undertakings meeting the significance threshold
  • Investment firms classified as significant under NCA criteria
  • Crypto-asset service providers (CASPs) and issuers of asset-referenced tokens meeting size thresholds
  • Payment institutions and e-money institutions meeting the significance criteria
  • ICT third-party service providers designated as critical under the DORA framework

If your organisation has received a notification letter, or expects to based on its size and systemic importance, contact us to begin the readiness and scoping process.


TLPT Engagement Process

The TLPT lifecycle under DORA consists of several clearly defined phases. Our engagement follows the TIBER-EU framework aligned to the DORA TLPT RTS, covering all mandatory stages:

  • Phase 1 — Preparation & Scoping: We work with your Control Team to define the engagement scope — identifying Critical Infrastructure Functions (CIFs) and the systems, processes, and people that support them. We establish communication protocols with the competent authority's TLPT Cyber Team (TCT), confirm the test plan, and ensure all regulatory preconditions are met before testing begins. The Blue Team is not informed of the engagement at this stage.
  • Phase 2 — Threat Intelligence Production: Our TI Provider team produces the bespoke Targeted Threat Intelligence (TTI) report — a detailed analysis of the threat actors most likely to target your organisation, their documented TTPs, the attack vectors most relevant to your CIFs, and realistic attack scenarios translated into operational red team objectives. This report drives every subsequent phase of the engagement and is reviewed and approved by the Control Team and TCT before red team execution begins.
  • Phase 3 — Red Team Execution: Our red team executes the attack scenarios defined in the TTI report against your live production environment — covertly, without Blue Team awareness, and by any means specified in the agreed scope including technical, social engineering, and physical vectors. We document all attack paths, evidence of access, lateral movement, and data reached, producing the Red Team Report required for the attestation process.
  • Phase 4 — Mandatory Purple Teaming: The TIBER-EU update aligned to DORA RTS makes purple teaming mandatory in the TLPT closure phase. We facilitate structured purple teaming sessions in which the red team and Blue Team replay the attack scenarios together — validating which attacks were detected, which were missed, what the response looked like, and what specific defensive improvements should be prioritised. The purple team output feeds directly into the supervisory attestation documentation.
  • Phase 5 — Reporting & Supervisory Submission: We produce the full documentation set required for supervisory submission — including the TTI report, Red Team Report, purple team findings, and the Remediation Plan. Your Control Team submits the complete package to the competent authority's TCT for review. Where the TLPT was performed in accordance with TLPT/TIBER-EU requirements, the supervisory authority may issue a formal attestation — the regulatory output that confirms DORA Article 26 compliance to auditors, counterparties, and the market.
  • Phase 6 — Remediation Support: We support your technical and operational teams in addressing the vulnerabilities and defensive gaps identified during the engagement, including retest validation of critical findings and advice on detection engineering improvements surfaced during purple teaming.

Our Benefits


Financial Services Expertise

Our team has extensive experience working with financial institutions — banks, insurers, payment processors, and regulated fintechs — across the EU and beyond. We understand the governance structures, regulatory communication requirements, and operational sensitivities that make TLPT in the financial sector fundamentally different from standard offensive security engagements.


TIBER-EU / DORA RTS Alignment

Our methodology is aligned to the TIBER-EU framework as updated in February 2025 to reflect DORA TLPT requirements, and to Commission Delegated Regulation EU 2025/1190 effective July 2025. TIBER-EU can be used to perform DORA TLPT tests — our engagement structure, documentation, and reporting outputs are designed to satisfy supervisory authority requirements.


Mandatory Separation of Teams

We maintain strict operational separation between our Threat Intelligence Provider and Red Team Tester functions — separate personnel, separate documentation chains, and separate lines of communication with the Control Team — satisfying the independence requirements under DORA Article 27 and the TIBER-EU framework.


DORA Article 27 Provider Requirements

DORA Article 27 requires TLPT providers to demonstrate reputability, technical expertise, accreditation or adherence to codes of conduct, independent assurance, and professional indemnity insurance. We hold the certifications and operate under the professional standards that satisfy these requirements.



TLPT Methodologies

Our TLPT engagements follow the TIBER-EU framework (updated February 2025, aligned to DORA TLPT RTS) as the governing operational methodology, supplemented by the DORA TLPT RTS (Commission Delegated Regulation EU 2025/1190, effective 8 July 2025) for all regulatory compliance requirements. Threat intelligence production follows TIBER-EU’s Targeted Threat Intelligence (TTI) methodology. Red team execution applies the MITRE ATT&CK Framework for TTP mapping and adversary emulation planning across all relevant attack domains — Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. Purple teaming follows the structured replay methodology mandated by DORA and the updated TIBER-EU guidance.

Where relevant, jurisdictional TIBER implementations are applied — including TIBER-DE, TIBER-NL, TIBER-BE, TIBER-DK, and others — to satisfy mutual recognition requirements across EU Member States.

Tools

Our red team toolset for TLPT engagements is selected to accurately replicate the TTPs of the specific threat actors identified in the bespoke threat intelligence report. For command and control infrastructure we use Cobalt Strike and Havoc. Adversary simulation and post-exploitation use Metasploit, Impacket, and custom tooling developed for specific TTP replication. Active Directory and identity attack paths use BloodHound, SharpHound, and Rubeus. Physical and social engineering components use operational tradecraft tailored to the target environment. OSINT and reconnaissance use Maltego, SpiderFoot, and open-source intelligence frameworks. All tools and techniques are documented in the Red Team Report with full TTP-to-MITRE ATT&CK mappings.


Our Certifications

  • OSCE certification
  • eMAPT certification
  • OSCP certification
  • CREST certification
  • eWPTXv2 certification
  • CEH certification

Deliverables

Every TLPT engagement produces the complete documentation set required for supervisory submission and attestation:

  • TLPT Test Plan: The formal engagement document agreed with your Control Team and the competent authority's TLPT Cyber Team — covering scope, CIFs, communication protocols, rules of engagement, and timeline.
  • Targeted Threat Intelligence (TTI) Report: The bespoke threat intelligence report identifying the threat actors relevant to your organisation, their TTPs, and the attack scenarios that will drive red team execution.
  • Red Team Report: Full documentation of all attack paths executed, techniques used (mapped to MITRE ATT&CK), access and data reached, evidence packages, and the gap analysis between attack execution and Blue Team detection.
  • Purple Team Report: Structured output from the mandatory purple teaming sessions — documenting which attacks were detected, response timelines and quality, detection gaps identified, and prioritised defensive improvement recommendations.
  • Remediation Plan: A structured plan addressing all vulnerabilities and defensive gaps identified across the engagement, with prioritisation, recommended actions, and timelines.
  • Executive Summary: A non-technical summary of the engagement, findings, and recommendations for Board-level and senior management audiences.
  • Supervisory Submission Package: The complete documentation set formatted for submission to your national competent authority's TLPT Cyber Team, structured in accordance with TIBER-EU and DORA RTS requirements.

Upon successful review by the competent authority, your organisation receives a formal TLPT Attestation — the regulatory confirmation of DORA Article 26 compliance.


Penetration Test Report Sample


Penetration testing is a must for any business using digital services. We use a range of comprehensive tools, methodologies, and models for pentesting. Download our penetration test report sample to learn more.

FAQ


DORA’s official definition of TLPT is a framework that mimics the tactics, techniques, and procedures of real-life threat actors perceived as posing a genuine cyber threat, delivering a controlled, bespoke, intelligence-led red team test of a financial entity’s critical live production systems. It is a mandatory requirement under DORA Article 26 for financial entities meeting the significance threshold.

The main difference is scope: TLPT covers the entire organisation — digital, physical, and human attack surfaces — whereas standard pentesting generally covers a specific system or environment. TLPT also takes procedures and people into account; most stakeholders are unaware the test is happening, and it typically takes three to four months to execute. It also produces a supervisory attestation rather than just a pentest report, and mandatory purple teaming is required at the close.

Only financial entities considered significant and possessing mature IT systems are required to undergo TLPT — including Global Systemically Important Institutions, Other Systemically Important Institutions, and equivalent significant entities across credit institutions, CCPs, CSDs, insurers, investment firms, CASPs, and payment institutions. After the TLPT RTS became effective on 8 July 2025, regulators began sending official notification letters to in-scope entities. If you have received a notification letter or believe you meet the criteria, contact us to begin scoping.

DORA mandates TLPT at least every three years for most financial entities, with competent authorities able to adjust frequency based on risk profile. Upon completion, the financial entity must submit results to the competent authority, which issues an attestation if requirements are met.

DORA allows internal testers to conduct TLPT, but every third TLPT must be conducted by an outside party. In practice, this means hiring an independent testing party once every nine years or so. Any threat intelligence used for TLPT must always be provided by an independent external party — this is a hard requirement regardless of whether internal or external testers are used for the red team phase. Significant credit institutions must always use external testers.

The Threat Intelligence Provider produces the bespoke Targeted Threat Intelligence (TTI) report that drives the entire engagement — identifying the threat actors most relevant to the financial entity, their documented TTPs, and translating this into realistic attack scenarios for the red team. The Threat Intelligence provider must always be external to the financial entity regardless of whether internal testers are used for the red team phase.

Yes. The updated TIBER-EU framework, aligned to DORA TLPT, makes purple teaming mandatory in the TLPT closure phase. This means working together with and training the Blue Team is integrated into the DORA regulation — unlike the previous TIBER-EU guidance which only strongly recommended it.

TLPT standards for DORA were developed in accordance with the TIBER-EU framework, which was updated on 11 February 2025 to align with DORA’s Regulatory Technical Standards for TLPT. In practice, TIBER-EU can be used to perform DORA TLPT tests. TIBER-EU also has national implementations — TIBER-DE, TIBER-NL, TIBER-BE, TIBER-DK, and others — that enable mutual recognition of completed TLPT engagements across EU Member States.

Mutual recognition allows a TLPT completed in one EU jurisdiction to be recognised by competent authorities in other jurisdictions where the same financial entity operates — avoiding the need to conduct separate, parallel TLPT exercises for each national regulator. For financial groups with operations across multiple EU Member States, structuring the TLPT to qualify for mutual recognition significantly reduces the compliance burden. Our engagements are structured from the outset to satisfy mutual recognition requirements.

TLPT execution typically takes three to four months, spread over a longer period including preparation, threat intelligence production, red team execution, purple teaming, and reporting. Total engagement duration from kick-off to attestation submission is typically six to nine months. Pricing depends on the scope of Critical Infrastructure Functions, the number of systems and locations in scope, the complexity of the threat landscape, and whether combined TI+RT or separate provider roles are engaged. Contact us for a scoping call and indicative budget range.

The complete submission package includes the TLPT Test Plan, Targeted Threat Intelligence (TTI) Report, Red Team Report, Purple Team Report, and Remediation Plan. Where the TLPT was performed in accordance with TLPT/TIBER-EU requirements, the supervisory authority may issue a formal attestation — the document that confirms DORA Article 26 compliance and can be shared with auditors, counterparties, and institutional partners.

The process begins with a scoping call to assess your DORA TLPT obligation, confirm whether you have received or expect a notification letter, map your Critical Infrastructure Functions, and agree on the engagement timeline. We then produce a formal Test Plan for submission to your competent authority’s TLPT Cyber Team before any testing activity begins. Contact us to schedule the initial scoping call.


Our Recognition

  • Top Cybersecurity Company in Estonia in 2026 by Clutch.co
  • Top IT Services Company in Estonia in 2026 by Clutch.co
  • Top Staff Augmentation Company in Estonia in 2026 by Clutch.co
  • Top Managed Services Provider in Estonia in 2024 by Clutch.co
  • Trilight Security - Top Company in Estonia 2021 by Clutch.co
  • Most Reviewed IT Services Company in Estonia by The Manifest
  • Best Company to Work With by GoodFirms
  • Top Staff Augmentation Company by TrueFirms in 2023
  • Recognized Among Top 5 Penetration Testing Service Providers in 2025 by TechTimes.com
  • 5-star Rating on G2 Platform
  • Mentioned Among Top Cybersecurity Consulting Companies by Superbcompanies.com
  • 5-star Rating on GoodFirms Platform