25.06.2025 | Simone Ragonesi | DORA, Offensive Security, Red Team, TLPT

Why TLPT Is the Future of Financial Sector Cybersecurity

In the ever-evolving cyber threat landscape, financial institutions no longer have the luxury of relying on standard penetration tests or traditional assessments. As attackers grow more sophisticated and persistent, defenders must shift from theory to real-world simulation.

This is exactly where Threat-Led Penetration Testing (TLPT) enters the picture, and with the EU’s Digital Operational Resilience Act (DORA) coming into force, it’s no longer optional.

At our company, we’ve embraced TLPT not just as a regulatory requirement but as a strategic security practice. Here’s why.

What TLPT Really Means

TLPT is not your typical pentest. It’s modeled on the TIBER-EU framework, which means the test is informed by real threat intelligence and tailored to your specific operational and digital footprint.

The objective isn’t just to find vulnerabilities, but to mimic how an actual attacker would breach your systems and test your ability to detect and respond.

Where traditional assessments ask, “What vulnerabilities do we have?”, TLPT asks, “Can an advanced threat actor disrupt our most critical services without being caught?”

This is basically adversary simulation taken to the next level.

DORA and the Shift to Mandatory TLPT

The EU’s adoption of Regulation 2025/1190 under DORA makes TLPT a legal requirement for certain financial entities starting July 2025. The bar is high: entities must conduct a full TLPT at least once every three years, and this isn’t something you can check off with a scan and a report.

If you’re a bank, insurance company, trading venue, payment processor, crypto exchange or even a critical third-party ICT provider that provides services to the financial sector, you may fall under this mandate.

Supervisory authorities will determine eligibility based on systemic relevance, size, interconnectivity, and ICT risk exposure.

And here’s the critical part: these tests are expected to be carried out on production systems.

How TLPT Works (and What Makes It So Demanding)

A TLPT is not a single activity but a tightly orchestrated operation broken into multiple phases:

  1. Scoping the attack surface: Identifying your critical functions and mapping out where you’re most exposed.
  2. Gathering real threat intelligence: Not just public OSINT, but contextual intelligence: credentials on dark web markets, domain impersonation, leaked documents, physical access pathways.
  3. Red teaming: Actual exploitation of your environment using adversary TTPs.
  4. Blue teaming: Running your detection and response capabilities, preferably without knowing the test is ongoing.
  5. Debriefing and remediation: Analyzing findings, assigning actions, and reporting back to regulators.

At its core, the entire exercise is focused on emulating real, advanced persistent threats as accurately as possible, whether by replicating the TTPs of specific adversary groups, or by leveraging the common techniques typically used against organizations in the financial sector.

The tests are confidential, supervised, and carry reputational and operational risks if not handled carefully. That’s why only a handful of providers are truly equipped to do this properly.

Where We Come In: TLPT-Enabled and Ready

Our team has been building TLPT readiness long before the ink dried on DORA. We’re one of the few red teams with the experience and structure to carry out full-spectrum TLPT engagements, thanks to our continuous feedback loop derived from ongoing purple teaming exercises with our attacker-centric SOC:

We operate with clear separation of duties, formalized control teams, and properly vetted internal red-team operators.

We’ve executed red team engagements in live production environments, always with a strict chain of custody, covert coordination, and zero disruption.

Our threat intelligence collection (enabled in part by SATAYO, our proprietary TI platform) combines open-source, technical, and deep/dark web reconnaissance, aligning directly with the intelligence phase requirements of TLPT.

We’ve coordinated with national TLPT authorities and understand the nuances of attestation, mutual recognition, and supervisory cooperation.

Post-engagement, we support full remediation plans with prioritized actions, root cause analysis, and executive-level reporting that satisfies Annex VIII attestation needs.

Being “TLPT-enabled” isn’t a title we take lightly – it reflects real-world capability, readiness, and a compliance posture aligned with the highest regulatory standards in Europe.

Why TLPT Is More Than Compliance

Yes, DORA makes TLPT mandatory for many. But even beyond the law, TLPT offers rare insight: it reveals how your organization responds under pressure when facing an intelligent, persistent adversary. It tests your assumptions about detection, response, and resilience… and it does so in the most realistic way possible.

And unlike theoretical risk assessments or compliance box-ticking, TLPT engages both your technical teams and your business leaders. The findings can touch everything: SOC processes, incident escalation flows, MFA configuration, external exposure, even your physical building security.

When done right, TLPT is transformative. It’s not just a test; it’s a turning point.

Looking Ahead

As the first wave of DORA compliance deadlines approaches, many financial entities are still coming to grips with what TLPT entails. If you’re unsure whether you qualify, or how to prepare, our team is here to help you assess readiness, scope effectively, and, if needed, execute or support your TLPT project end to end.

We simulate the enemy, challenge assumptions, and help you prove resilience under fire.

Let’s talk!

Simone Ragonesi

RedTeam & Offensive Security Technical Lead
