Threat-Led Penetration Testing (TLPT) in accordance with DORA

Advanced red-teaming tests for regulated financial institutions

The European regulation DORA (Digital Operational Resilience Act) introduces a new standard for ICT risk management. It requires major financial entities to regularly conduct Threat-Led Penetration Testing (TLPT): intelligence-led tests that simulate the capabilities of advanced, organised cyber attackers (APTs).

The goal is not just to find vulnerabilities, but to validate the entire organisation's ability to detect, respond to and recover from an attack that follows a realistic and coordinated scenario.

What is Threat-Led Penetration Testing and why are conventional tests not enough?

Unlike a standard penetration test, TLPT:

  • Simulates an attack in all its complexity, including penetration, lateral movement, privilege escalation, persistence and data exfiltration,
  • Is driven by actual threats (threat intelligence) and sector-specific scenarios,
  • Includes a coordination phase with a defined scope, rules of engagement, identification of critical systems and determination of test objectives.

From a technical perspective, TLPT requires detailed knowledge of attack vectors and the ability to mimic the methods of real attackers exploiting zero-day vulnerabilities, social engineering, code obfuscation or supply chain attacks.


Differences between conventional penetration testing and TLPT:

  • The aim of the test
    Penetration testing: identification of vulnerabilities and misconfigurations in systems
    TLPT: simulation of a real (APT-like) attack; tests the resistance of defence mechanisms

  • Frequency
    Penetration testing: min. once per year for systems supporting key/important functions
    TLPT: min. once every 3 years (for selected entities, according to risk profile)

  • Test management
    Penetration testing: internal or external team; must be independent
    TLPT: external team or, exceptionally, an internal red team; must hold professional certifications

  • Based on threats (TI - threat intel, aka OSINT)
    Penetration testing: not compulsory
    TLPT: yes - the scenario must be based on the actual threats relevant to the institution

  • Environment
    Penetration testing: usually testing or staging
    TLPT: production systems - tested for resilience in real operation

  • Approval of the scope
    Penetration testing: internally controlled
    TLPT: the scope must be approved by the relevant regulator

  • Focus
    Penetration testing: component testing (applications, networks, configuration weaknesses)
    TLPT: end-to-end simulation - includes initial penetration, lateral movement, exfiltration and detection

  • Consideration of third parties
    Penetration testing: optional, often omitted
    TLPT: mandatory if they are part of a critical function

  • Corrective measures
    Penetration testing: obligation to fix identified vulnerabilities, verified internally
    TLPT: mandatory development of remediation plans, plus verification and reporting to the supervisor

  • Reporting to the supervisor
    Penetration testing: no - internal documentation only
    TLPT: yes - results, remediation plans and evidence of compliance with DORA are sent to the regulator

  • Test certification
    Penetration testing: not required
    TLPT: yes - the regulator issues a certificate of the test's compliance with DORA

  • Methodological framework
    Penetration testing: undefined; may be based on OSSTMM, OWASP, etc.
    TLPT: must conform to frameworks such as TIBER-EU

  • Benefits
    Penetration testing: identifies technical weaknesses
    TLPT: also tests the ability to detect, react to and resist a sophisticated attacker

What requirements does DORA set out in relation to TLPT?

  • Testing must be performed based on the current threat profile, not as a one-size-fits-all scenario,
  • The test must address critical functions and systems whose failure could compromise the stability of services,
  • The organization must engage external, independent and qualified testers,
  • The results must lead to the implementation of corrective actions and possible retesting.

Institutions that are subject to DORA regulation will have to comply with requirements on both the frequency of testing and its documentation and reporting to the relevant supervisory authority (e.g. CNB, ECB). The active red-team testing phase must last for a minimum of 12 weeks.

This period is necessary to realistically mimic stealthy threat actors, who operate over long timescales.

What are the requirements for testing teams?

DORA also places emphasis on the quality and qualifications of those performing advanced testing. Testers must meet strict criteria, such as:

  • They must be recognised experts with proven technical and organisational skills and specific domain knowledge,
  • Testers must be certified, and must have passed independent audits or hold certifications covering proper risk management during testing,
  • They must have adequate liability insurance for any damage caused.


If the institution would like to use its own in-house red team, it must obtain regulatory approval and ensure the organisational independence of the in-house team (avoiding conflicts of interest). Operational threat information for the scenario must be supplied by an external provider.

How does testing work in practice?

Identify the target application and connect to the internal network. Collect information about the target system, such as IP addresses, DNS records and other metadata.

Analyse the available information about the application and associated systems. Determine the available services, their versions and other details.

Capture and collect transmitted data to identify vulnerabilities that lead to data leakage.

Scan the network to identify active hosts and ports. Scan specific application services such as APIs and GUIs.

Identify user accounts and groups in the system. Determine the functions and permissions available in the application.

Scan for and analyse vulnerabilities in the application. Assess the security of the operating system, database and other components. Tools such as Qualys, Nessus, Burp Suite and other standard automated and manual tools are used to identify vulnerabilities.

Attempt to exploit the identified vulnerabilities to gain unauthorised access or leak information. Simulate attacks on the application environment.

Continue exploring the environment after access is gained. Gather further information and attempt to escalate privileges.

Produce a detailed report containing the identified weaknesses, recommendations for improvement and evidence of the tests carried out. Deliver the report to the responsible persons in the organisation.

If an attack path succeeds, take action to minimise its potential consequences. Delete the traces of testing and restore the system to its original state.

Why work with BDO?

BDO provides TLPT services in accordance with the specific requirements of European regulators (e.g. ECB, EBA, ESMA) and proven methodologies such as TIBER-EU, CBEST or iCAST. Our methodology combines a red teaming approach, knowledge of the regulatory framework and deep technical know-how - including scenarios that reflect sectoral threats and digital attacks in the European financial space.

  • Certified red team with expert experience

Our specialists hold OSCP, CRTO, eCPPT, BSCP, CEH, CRT, CPSA, CISSP, CCISO and other certifications. They have experience in testing large banks, insurance companies and ICT providers.

  • Knowledge of DORA, NIS2 and TIBER-EU

We understand the regulatory frameworks and can tailor the TLPT test to what is required by legislation and sector oversight. We help with the overall cyber resilience strategy.

  • Independence and credibility

As an independent consultancy with no technology products of our own, we offer a truly objective assessment. Working with BDO sends a clear signal of quality and trust to regulators and clients.

Main contact persons

Martin Hořický
Partner • Digital Services

Marek Kovalčík
Manager • Digital Services