Threat-Led Penetration Testing: What It Brings and What to Watch Out For
In today's regulatory landscape, standard cybersecurity measures are no longer enough. Regulatory frameworks, such as the Digital Operational Resilience Act (DORA), now require financial institutions to adopt a more robust, threat-based approach to testing their resilience. Enter Threat-Led Penetration Testing (TLPT) – an advanced methodology that emulates activities of real-world threat actors with surgical precision.
Unlike traditional penetration testing, TLPT mimics the tactics, techniques, and procedures (TTPs) of real threat actors. The methodology is intelligence-driven and tailored to each organization’s unique risk profile.
Under DORA, selected financial institutions in the EU are required to conduct TLPT at least every three years. This isn't just an IT checkbox; it’s a strategic exercise mandated by regulators to validate the resilience of production systems.
In the Czech Republic, TLPT is governed by the Czech National Bank (ČNB), which fully adopted the TIBER-EU framework into its local TIBER-CZ program. Institutions don’t self-elect to undergo testing – they are selected directly by ČNB, with the emphasis on those with the potential to impact the stability of the nation’s economy as a whole.

It’s a Long and Complex Process – More Than Meets the Eye
The complexity and duration of the TLPT journey are often underestimated. In practice, it can span over a year, involving multiple phases such as threat intelligence gathering, scenario scoping, vendor selection, procurement, execution of the red team engagement, and detailed post-test reviews. Each step is carried out under the close supervision of a ČNB-appointed Test Manager, ensuring adherence to regulatory expectations and alignment with the institution’s risk profile.
A key requirement is hiring two independent providers. The operation consists of the following main teams:
- Threat Intelligence Provider – responsible for creating realistic threat scenarios based on the institution’s specific context and threat landscape.
- Red Team Provider – executes the actual testing, simulating attacks based on the scenarios crafted by the intelligence provider.
- TIBER Cyber Team – the team within the overseeing authority that makes sure the test meets the quality and safety requirements defined by TIBER-EU.
- Control Team – a small team within the target institution; its members are the only people in the institution who know that a test is taking place, and they coordinate with the other teams.
Before testing can begin, both providers must be pre-approved by the ČNB, and their compliance must align with TIBER-EU and DORA requirements. Once approved, they can be officially onboarded, and the test preparation phase can move forward.
According to IMF and Kroll, the number of cyberattacks has nearly doubled since the pandemic, driven by rapid digitalization. Almost a quarter of all incidents target the financial sector, with banks being the most affected. Severe attacks can lead to losses of up to USD 2.5 billion – more than four times the level observed in 2017.

What TLPT Brings to Your Organization
Investing in TLPT isn’t just about compliance – it’s about building trust and resilience. Here's what you gain:
- Regulatory confidence – You demonstrate maturity and readiness to regulators.
- Certifications and audit-readiness – Supports DORA, ČNB rules, ISO 27001, and national cyber laws.
- Improved defenses – Enhances readiness against real-world attacks.
- Risk reduction – Identifies and mitigates vulnerabilities before attackers exploit them.
- Control validation – Tests the effectiveness of your current security controls.
- People and processes – Goes beyond technology; evaluates human and procedural factors too.
- Lessons learned – Offers deep insights to refine your cyber resilience program.
Undergoing TLPT is not a pass/fail exam. Given its sheer complexity and scope, the goal of the testing is to reveal the strengths and weaknesses of the cyber defense and resilience measures you implement. The primary output of the testing is a profound understanding of the types of threats your organization faces and how well-prepared you are to address them.
How Testing Is Done: Methodology in Focus
TLPT requires the teams to apply a range of methodologies, frameworks, and approaches to gather intelligence and execute the test itself. These include:
- Professional intelligence gathering tactics such as OSINT (Open Source Intelligence) or HUMINT (Human Intelligence), combined with the ability to analyze the gathered information in the context of the industry or even the geopolitical climate.
- Red Team testers who employ a combination of soft skills, such as social engineering, and hard skills, such as exploit development and vulnerability analysis.
- To emulate real threat actors, tests are conducted within the MITRE ATT&CK® framework, which describes attacker goals (Tactics), the ways to achieve them (Techniques), and the specific steps taken (Procedures). These are then mapped to the Cyber Kill Chain, which breaks an attack into stages – Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives.
Testing starts only after detailed threat intelligence and rules of engagement are approved. A successful Red Team Engagement relies heavily on secrecy. It is crucial to ensure that the target institution’s Security Team is not aware of the test, and the guidelines even suggest that members of the testing team use code names for the target organization during testing.

Let the Pros Guide You Through It: Trask is Your Trusted TLPT Partner
With over 30 years of IT experience, we are ready to help you navigate the complexities of TLPT. Reach out to us and take advantage of our offer:
- Risk Management Services
- Threat Intelligence Services (analysis, scenarios, reports)
- Red Team Services
- TLPT Consultancy
- In-house Consultants embedded directly into your TLPT Control Team
Authors

David Bálik, Senior Security Engineer at Trask.

Daniel Baláž, Senior Security Engineer at Trask.