TLPT (Threat-Led Penetration Testing): Objective and Methodology

In a context where cyberattacks are becoming more sophisticated, targeted and persistent, traditional security approaches are reaching their limits.

Identifying technical vulnerabilities remains essential, but this alone is not enough to assess an organisation’s actual ability to respond to a major attack.

In practice, the question is no longer simply whether a vulnerability exists, but whether the organisation is capable of detecting an intrusion, responding effectively and maintaining its essential operations in real-world conditions.

Threat-Led Penetration Testing (TLPT) has emerged precisely to address this challenge. This advanced approach to security testing aims to simulate realistic attacks on an organisation’s critical functions, based on threat intelligence.

In this article, we present the principles of TLPT, its objectives, regulatory framework and methodology, in order to better understand how it has become a pillar of operational resilience today.

Comprehensive Guide to Threat-Led Penetration Testing (TLPT)

What is Threat-Led Penetration Testing (TLPT)?

Threat-Led Penetration Testing is an advanced security test driven by Threat Intelligence. It involves simulating realistic attacks targeting an organisation’s critical or important functions in order to assess its ability to detect, contain and respond to major security incidents.

Unlike traditional penetration tests, which are mainly focused on identifying technical vulnerabilities, TLPT takes an approach centred on threats and business impact. Its objective is to measure actual operational resilience in the face of credible and representative attack scenarios.

The scenarios are constructed using threat intelligence data. They take into account the threat actors, their motivations, tactics, techniques and procedures in order to replicate attacks similar to those observed in the real world.

Furthermore, TLPT is part of a European regulatory and methodological framework. In the context of DORA, it constitutes a formalised exercise for certain critical financial entities, while the TIBER-EU framework defines the operational principles for conducting these tests in a secure and structured manner.

By simultaneously evaluating technologies, processes and teams, TLPT goes beyond simple system testing. It also makes it possible to assess the effectiveness of detection, incident response and internal coordination capabilities.

Why TLPT has Become the Standard

Contemporary cyber threats are organised, targeted and persistent. Ransomware groups, ransomware-as-a-service operators and other malicious actors combine advanced techniques, social engineering and exploitation of business processes to achieve their goals.

In the face of these threats, traditional penetration testing remains useful, but has its limitations. It can identify vulnerabilities, but cannot assess an organisation’s ability to withstand a full-scale attack, from initial intrusion to business impact.

TLPT marks a real paradigm shift. It abandons a vulnerability-centric approach in favour of a threat-driven approach focused on critical functions and operational resilience.

Scenarios are designed according to the specific context of the organisation and target the most sensitive assets and processes. This focus allows for concrete and actionable lessons to be learned, concentrating efforts where the risk is actually highest.

TLPT and DORA: Requirements, Scope and Frequency

With the DORA regulation coming into force on 17 January 2025, threat-led penetration testing is taking on a major regulatory dimension for some financial entities.

Article 26 of DORA defines TLPT as the most advanced level of digital operational resilience testing. It requires the simulation of realistic cyber attacks, based on credible scenarios that represent real risks.

Unlike self-managed exercises, the TLPT required by DORA is strictly regulated. It is supervised by the competent authorities via the TIBER Cyber Teams. In France, this supervision is carried out by the Banque de France, the ACPR and the AMF.

DORA also requires TLPT to be carried out on real production systems in order to assess the organisation under actual operating conditions.

The scope of the test is clearly defined. It must cover critical or important functions, as well as third-party ICT service providers that contribute directly to them. The objective is not to audit the entire information system, but to demonstrate the ability to cope with a major cyberattack.

DORA also introduces a principle of proportionality. The minimum frequency is set at one exercise every three years, with the possibility of adjustment according to the risk profile.

The TIBER-EU framework is the European methodological reference framework for the implementation of TLPTs. Although not formally imposed by DORA, it has established itself as a de facto standard within the European Union.

Initially designed by the Eurosystem for the financial sector, it ensures that tests are conducted with rigour, realism and consistent governance. It is based on a structured process covering the preparation, execution and closure of tests, and facilitates the mutual recognition of exercises between Member States.

When should TLPT be used?

TLPT is intended for organisations facing significant operational, business or regulatory challenges. It becomes relevant when the objective goes beyond technical robustness alone and encompasses the entire security system.

Within the NIS2 and DORA frameworks, the ability to detect, contain and manage significant incidents becomes a key criterion. Even when not explicitly required, TLPT is an effective way to demonstrate operational control of cyber risk.

TLPT is also particularly well suited to assessing critical or important functions. Unlike a purely technical test, it simulates complete attack chains targeting specific business objectives, combining several vectors simultaneously.

TLPT, Pentest and Vulnerability Assessment

An organisation’s security is not limited to detecting technical vulnerabilities. Depending on the approach chosen, a test can cover a wide scope with limited depth, or focus on critical functions to assess operational resilience.

This logic can be represented by an inverted pyramid. At the base is the broadest coverage with minimal depth, while at the top are the most targeted and in-depth exercises.

Vulnerability assessment forms the basis of any security approach. It aims to analyse the entire IT infrastructure, including workstations, servers and applications, in order to identify and map known vulnerabilities.

While vulnerability assessment ensures a minimum level of security hygiene, it offers little context for risk. Identifying a flaw does not allow you to measure its potential impact on critical functions or business continuity.

An in-depth penetration test allows you to validate whether certain vulnerabilities can be exploited within a targeted perimeter, such as a specific application or system.

It tests the technical robustness and security of the targeted components, but does not replicate the complex and realistic threat scenarios that the organisation could face, nor the coordination of defence teams. It remains an essential tool for measuring local technical security, but does not provide a complete picture of operational resilience.

At the top of the pyramid are TLPT and advanced red teaming exercises. These tests target critical or important functions and simulate realistic threat-based scenarios to measure the ability of defence teams to detect and respond to complex intrusions.

The goal is not to find all technical vulnerabilities, but to understand the operational impact of an attack and simultaneously evaluate technologies, processes and teams. TLPT thus transforms a technical exercise into a tool for organisational resilience, complementary to pentests.

The Foundations of a Successful TLPT

Threat intelligence is the starting point for any TLPT. It never starts from scratch. It is based first and foremost on the Generic Threat Landscape (GTL), a reference corpus developed by the relevant authorities, describing the threats facing a given sector.

This foundation makes it possible to identify the main categories of adversaries likely to target the organisation. These may include financially motivated ransomware groups, actors specialising in complex fraud, or actors with ideological, geopolitical or state-sponsored motives.

Based on this generic foundation, the analysis is refined to produce a Targeted Threat Intelligence Report (TTIR). This deliverable is central to the TLPT approach. It contextualises threats according to the organisation’s profile: sector, size, exposure, location and role in the ecosystem.

The aim is to rule out unrealistic scenarios and focus on credible and plausible attacks.

Each identified threat is then translated into Tactics, Techniques and Procedures (TTP). This step allows the strategic analysis to be directly linked to the technical actions implemented by the Red Team.

On this basis, several end-to-end attack scenarios are developed. They must cover confidentiality, integrity and availability. A Scenario X can be added to this framework in order to explore emerging or atypical threats.

Threat modelling extends threat intelligence by translating strategic scenarios into concrete operational objectives.

In accordance with DORA, this phase begins with the identification of Critical or Important Functions (CIFs).

Once the CIFs have been defined, the analysis moves down to the processes, sensitive assets and technologies that support them. This approach ensures a direct link between business issues and attack scenarios, avoiding purely technical tests that are disconnected from operational reality.

Modelling also incorporates analysis of the organisation’s digital footprint. In particular, it includes the identification of exposed assets, similar domains, typosquatting attempts and leaks of exploitable information. These elements often constitute realistic entry points for initial attacks.

A key point lies in the definition of flags. These objectives represent the success of an attack on a CIF. They make it possible to measure the real impact in terms of confidentiality, integrity or availability, and to link technical actions to business consequences.

Third-party ICT service providers are also included when they contribute to the functioning of a CIF. This consideration is essential to reflect the reality of modern attack chains.

Scenario design is at the heart of TLPT. Each scenario is defined from start to finish, from the initial entry point to the achievement of a flag. It simultaneously combines human, organisational and technical dimensions.

In accordance with DORA and TIBER-EU requirements, at least three distinct scenarios are selected. They must cover the triad of Confidentiality, Integrity and Availability.

One scenario targets the exfiltration of sensitive data. Another tests the alteration of critical data. The third simulates the interruption of an essential service. These scenarios are validated by the Control Team and, where applicable, by the supervisory authority.

A Scenario X may be added to this selection. It tests the organisation’s ability to adapt to unexpected operating modes without creating artificial complexity.

The selection generally follows a longlist/shortlist process. An extensive list of scenarios is first proposed, then reduced to a final validated scope. If a CIF depends on a third-party ICT service provider, at least one scenario must include this third party.

Before the test is launched, a risk analysis is carried out in order to control the potential impacts on critical environments. The whole process is formalised in a Scoping & Specification Document (SSD), approved by management and validated by the competent authority.
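The scenario selection rules above (at least three scenarios covering the Confidentiality, Integrity and Availability triad, an optional Scenario X, and at least one scenario involving a third-party ICT provider for every CIF that depends on one) can be encoded as a simple check run against the shortlist before it goes into the Scoping & Specification Document. The following is an added example, not Vaadata's or TIBER-EU's own tooling; the CIF names, provider name and scenarios are constructed, and the field layout of the CIF and Scenario records is an assumption.

```python
"""Coverage check for a TLPT scenario shortlist (added example, constructed data)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TRIAD = {"confidentiality", "integrity", "availability"}


@dataclass(frozen=True)
class CIF:
    """A Critical or Important Function and the third-party providers it depends on."""
    name: str
    third_party_providers: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Scenario:
    """One end-to-end scenario; impact is a triad member or "x" for a Scenario X."""
    name: str
    target_cif: str
    impact: str
    involves_third_party: Optional[str] = None  # provider name when the chain goes through one


def check_shortlist(cifs: List[CIF], scenarios: List[Scenario]) -> List[str]:
    """Return the list of coverage findings; an empty list means the shortlist passes."""
    findings = []
    cif_names = {c.name for c in cifs}

    for s in scenarios:
        if s.impact not in TRIAD | {"x"}:
            findings.append(f"scenario '{s.name}' has unknown impact '{s.impact}'")
        if s.target_cif not in cif_names:
            findings.append(f"scenario '{s.name}' targets unknown CIF '{s.target_cif}'")

    # Scenario X is optional and does not count towards the three mandatory scenarios.
    core = [s for s in scenarios if s.impact in TRIAD]
    if len(core) < 3:
        findings.append(f"only {len(core)} core scenario(s); at least three are required")

    missing = TRIAD - {s.impact for s in core}
    if missing:
        findings.append("triad not covered: " + ", ".join(sorted(missing)))

    # Every CIF that depends on a third-party provider needs a scenario that goes through it.
    for c in cifs:
        if c.third_party_providers and not any(
            s.target_cif == c.name and s.involves_third_party in c.third_party_providers
            for s in scenarios
        ):
            findings.append(
                f"CIF '{c.name}' depends on a third party but no scenario includes one"
            )
    return findings


# Constructed sample data: two CIFs, one of which relies on a (fictional) cloud provider.
SAMPLE_CIFS = [
    CIF("Payment processing", frozenset({"ConstructedCloud"})),
    CIF("Customer portal"),
]

# A shortlist that satisfies all the rules.
SAMPLE_SHORTLIST = [
    Scenario("S1 data exfiltration", "Customer portal", "confidentiality"),
    Scenario("S2 payment tampering", "Payment processing", "integrity", "ConstructedCloud"),
    Scenario("S3 payment outage", "Payment processing", "availability"),
    Scenario("SX atypical vector", "Customer portal", "x"),
]

# A shortlist missing the availability scenario and the third-party leg.
SAMPLE_INCOMPLETE = [
    Scenario("S1 data exfiltration", "Customer portal", "confidentiality"),
    Scenario("S2 payment tampering", "Payment processing", "integrity"),
    Scenario("SX atypical vector", "Customer portal", "x"),
]

if __name__ == "__main__":
    for label, shortlist in (("complete", SAMPLE_SHORTLIST), ("incomplete", SAMPLE_INCOMPLETE)):
        print(label, check_shortlist(SAMPLE_CIFS, shortlist) or "OK")
```

The check is deliberately strict about Scenario X: it may target any CIF, but it never substitutes for one of the three triad scenarios, which matches the text's description of it as an addition to the mandatory selection.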

Executing and Reporting a TLPT: Phases, Duration and Conditions

The testing phase corresponds to the operational execution of the TLPT by the Red Team. Unlike a traditional pentest, it is a long-term process designed to replicate the persistence and discretion of a real attacker.

It begins with a two- to three-week preparation phase. This stage involves developing the Red Team Test Plan (RTTP), which defines the scenarios, rules of engagement and risk control mechanisms.

The active test then runs for a minimum of twelve weeks. Attacks are carried out covertly, without prior notification to the Blue Team, in order to assess actual detection and response capabilities. The scenarios follow an ‘In – Through – Out’ logic: reconnaissance, initial intrusion, lateral movement, persistence, then achievement of objectives or exfiltration.

Throughout this phase, governance is strictly supervised. Regular follow-up meetings bring together the Red Team, the Control Team and, where applicable, the supervisory authority. These meetings enable progress to be monitored and operational risks to be controlled.

Conducted exclusively on production systems, this test is at the heart of the resilience assessment. Above all, it measures the organisation’s ability to detect, contain and manage a credible and prolonged attack, going well beyond simply discovering vulnerabilities.

Leg-ups are a key mechanism of TLPT. They allow a scenario to continue when the Red Team is blocked too early or detected prematurely.

The aim is not to distort the test, but to maximise its educational value. Leg-ups allow time to be compressed while maintaining the realism of the attack.

The TIBER-EU framework distinguishes between three types of leg-ups:

  • time-saving leg-ups,
  • information leg-ups,
  • and controlled access leg-ups.

Their activation is strictly regulated. It is decided with the Control Team and subject to the non-objection of the supervisory authority. Leg-ups are anticipated and documented during the preparation phase in order to avoid premature termination of the test.

The reporting phase marks the transition from offensive exercises to concrete improvements in security posture. It is based on structured deliverables covering technical, organisational and strategic aspects.

Three main reports are produced:

  • the Red Team Test Report (RTTR), describing the attacks and attack paths,
  • the Blue Team Report (BTR), analysing detection, response and reaction times,
  • and the Test Summary Report (TSR), intended for senior management.

In accordance with DORA, a root cause analysis is systematically carried out. This identifies structural weaknesses, whether they relate to people, processes or technologies.

This analysis feeds into a formalised remediation plan. Actions are prioritised, assigned and given clear deadlines.

The results are presented at the highest level of governance, including senior management and the board of directors, to ensure a lasting and measurable commitment.

Purple Teaming is a key lever of TLPT. It transforms the exercise into a collective learning process.

The TIBER frameworks distinguish two forms:

  • Limited Purple Teaming can be used on an ad hoc basis during active testing.
  • Mandatory closure Purple Teaming takes place after the offensive phase, in accordance with DORA requirements.

This phase is based in particular on a Replay Workshop. The Red Team replays the attacks step by step, while the Blue Team analyses what was detected, missed, or detected too late. This dialogue makes it possible to identify precisely the blind spots and areas for improvement.

The goal is never to judge the teams. Purple Teaming aims to strengthen detection, response, and coordination capabilities in the long term and to advance the overall maturity of the organisation in the face of advanced threats.
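The Replay Workshop described above, and the detection and reaction-time analysis that feeds the Blue Team Report, both come down to reconciling the Red Team's timestamped action log with the Blue Team's alert log. The following is an added example of that reconciliation, not Vaadata's or TIBER-EU's own tooling: both logs are constructed, the mapping of alerts to red actions is assumed to have been agreed during the workshop, and the 24-hour "late" threshold is an assumed rule-of-engagement value, not one stated by the article.

```python
"""Red/Blue timeline reconciliation for a closure Purple Teaming session (added example)."""
import csv
from datetime import datetime, timedelta
from io import StringIO
from statistics import median
from typing import Dict, Optional, Tuple

# Assumption: the RTTP agreed that a detection more than 24 hours after the action counts as late.
LATE_THRESHOLD = timedelta(hours=24)

# Constructed Red Team action log (timestamp, action id, ATT&CK technique id, description).
RED_LOG = """\
timestamp,action_id,technique,description
2025-03-03T09:12:00Z,R-01,T1566.001,phishing message delivered to finance mailbox
2025-03-03T09:40:00Z,R-02,T1204.002,attachment opened and payload executed on workstation
2025-03-04T14:05:00Z,R-03,T1021.001,remote desktop session opened to file server
2025-03-06T11:30:00Z,R-04,T1048,staged archive sent out over an alternative protocol
"""

# Constructed Blue Team alert log; action_id was filled in during the Replay Workshop.
BLUE_LOG = """\
timestamp,alert_id,action_id,source
2025-03-03T10:15:00Z,A-101,R-02,EDR
2025-03-06T09:00:00Z,A-142,R-03,SIEM correlation rule
"""


def parse_log(text: str) -> list:
    """Parse a CSV log with an ISO-8601 UTC timestamp column into dict rows."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def reconcile(red_log: str, blue_log: str,
              late_threshold: timedelta = LATE_THRESHOLD
              ) -> Dict[str, Tuple[str, Optional[timedelta]]]:
    """Classify each red action as detected, detected late or missed, with time-to-detect."""
    actions = parse_log(red_log)
    first_alert = {}
    # Keep only the earliest alert per action: that is the Blue Team's real detection time.
    for alert in parse_log(blue_log):
        aid = alert["action_id"]
        if aid not in first_alert or alert["timestamp"] < first_alert[aid]["timestamp"]:
            first_alert[aid] = alert

    results = {}
    for act in actions:
        alert = first_alert.get(act["action_id"])
        if alert is None:
            results[act["action_id"]] = ("missed", None)
            continue
        ttd = alert["timestamp"] - act["timestamp"]
        status = "detected" if ttd <= late_threshold else "detected late"
        results[act["action_id"]] = (status, ttd)
    return results


def summary(results: Dict[str, Tuple[str, Optional[timedelta]]]
            ) -> Tuple[Dict[str, int], Optional[timedelta]]:
    """Count outcomes and compute the median time-to-detect over detected actions."""
    counts = {"detected": 0, "detected late": 0, "missed": 0}
    ttds = []
    for status, ttd in results.values():
        counts[status] += 1
        if ttd is not None:
            ttds.append(ttd)
    return counts, (median(ttds) if ttds else None)


if __name__ == "__main__":
    outcome = reconcile(RED_LOG, BLUE_LOG)
    for action_id, (status, ttd) in outcome.items():
        print(f"{action_id}: {status}" + (f" after {ttd}" if ttd else ""))
    print(summary(outcome))
```

The "missed" entries are the ones worth the most discussion in the workshop: on this constructed data the initial delivery and the final exfiltration produced no alert at all, while the lateral movement was seen only after the threshold, which is exactly the kind of blind spot the Blue Team Report and the remediation plan are meant to capture.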

Performing a TLPT not Based on TIBER

Although TLPT is often associated with the TIBER-EU framework, this approach is not limited to the financial sector. It can be effectively applied in other sectors and for organisations of various sizes.

Any entity operating critical functions can benefit from a TLPT. The objective is to demonstrate concrete control of cyber risk, beyond traditional audits and tests.

For organisations outside the TIBER scope, it is possible to implement a lighter TLPT. This takes the form of a Red Team exercise inspired by TIBER-EU best practices.

The process remains structured — preparation, threat intelligence, offensive testing and debriefing with Purple Teaming — while adapting the scope and intensity to the organisation’s real challenges.

This approach retains the strategic and educational value of the TLPT. It offers a pragmatic and proportionate solution for medium-sized entities or those operating in less regulated environments.

How to Choose a TLPT Provider?

The choice of service provider is crucial to the success of a TLPT. It must be based on strict criteria covering technical expertise, business contextualisation, governance and ethics.

A competent service provider must demonstrate its ability to understand the organisation’s sector of activity, operational challenges and regulatory constraints. This contextualisation is essential for designing realistic and relevant scenarios.

Recognised certifications, such as CREST, are a prerequisite for advanced testing. Specialised Red Team certifications (CRTP, CRTE, CRTM, etc.) also reinforce the credibility of the teams.

Test governance is another key criterion. The service provider must have documented and traceable processes, as well as a robust information security management system, ideally ISO 27001 certified. Deliverables must be clear and distinct, in order to address both technical teams and senior management.

Finally, the service provider’s independence is essential. They must not be in a conflict of interest and must guarantee confidentiality, integrity and secure destruction of data after the exercise.

Carrying out a TLPT with Vaadata

Vaadata supports organisations in carrying out TLPTs supervised by DORA and TIBER-EU, as well as in conducting advanced Red Teaming exercises outside the regulatory framework.

These exercises have a common objective: to realistically measure detection, response and coordination capabilities in the face of targeted attacks.

As a specialist in offensive security, Vaadata works with organisations of all sizes and in all sectors. Our approach covers the entire Threat-Led and Red Team cycle: threat intelligence, threat modelling, realistic scenario design, attack execution and in-depth reporting.

Vaadata is backed by recognised certifications and accreditations, including CREST, ISO 27001 and ISO 27701. These guarantee rigorous, proportionate services that are aligned with international best practices, with a high level of security and confidentiality.

Author: Elric PALLOT – Marketing Project Manager