BSG Blog Berezha Security Group

TLPT: Threat Led Penetration Testing Explained

Threat Led Penetration Testing (TLPT), also known as threat-led pentesting, is the most realistic form of cybersecurity validation available today. TLPT combines current threat intelligence, red teaming tactics, and business risk analysis to simulate attacks that your organization is most likely to face. Unlike generic pentesting, TLPT tests not just your systems for vulnerabilities, but also your ability to detect, respond to, and contain those attacks in real time.

At its core, TLPT helps organizations understand how their critical systems, people, and processes hold up against modern, targeted cyber threats.

What Is TLPT? A Plain-Language Definition

Threat Led Penetration Testing (TLPT) is a controlled, intelligence-led red-team exercise that emulates a specific, realistic adversary against an organization’s live production systems to test how well people, processes, and technology detect and respond to a genuine attack.

In short:

  • What it is — a goal-oriented attack simulation driven by tailored threat intelligence about who would realistically target you and how.
  • What it tests — not just exploitable vulnerabilities, but your detection, response, and containment under attack conditions that mirror a real breach.
  • Where it runs — against production systems, with a small, trusted internal group (the “Control Team”) aware, while the defenders (“Blue Team”) respond as they would to a real incident.
  • Who mandates it — financial-sector frameworks such as the ECB’s TIBER-EU and the EU’s DORA regulation, alongside the UK’s CBEST scheme.

The defining feature is the word threat-led: the scenario is not a generic checklist but a bespoke profile of the attackers most likely to come after your business, built from current threat intelligence and mapped to your real risk exposure.

Who Needs Threat Led Pentesting?

TLPT is not just for big banks anymore. Under frameworks like DORA (delivered via the ECB’s TIBER-EU framework) and the UK’s CBEST, the financial entities required to conduct TLPT are those that supervisory authorities identify as significant — typically large banks, core market infrastructure, and other systemically important institutions. Beyond that regulated core, the value of threat-led testing extends to:

  • Critical infrastructure providers (energy, transportation, healthcare)
  • Large enterprises managing sensitive data or operations
  • Technology companies supporting national or regional infrastructure
  • Any business with board-level concern about cyber resilience

If your organization handles high-value data, provides essential services, or faces persistent threats from well-resourced adversaries, TLPT is an essential tool in your security arsenal.

What Drives the Demand for TLPT?

The demand for threat led penetration testing is rising, driven by several key factors:

  • Regulatory compliance: DORA — delivered through the ECB’s TIBER-EU framework — requires TLPT for identified significant financial entities, and the UK’s CBEST applies a comparable intelligence-led model. Broader regimes such as NIS2 require robust cyber risk management and security testing without mandating TLPT specifically. For in-scope firms, failure to meet these obligations can lead to penalties or loss of trust.
  • Realistic risk assessment: TLPT maps cybersecurity gaps to actual business risk, helping boards and leadership teams make informed decisions.
  • Detection and response validation: Classic pentests check if you’re vulnerable; TLPT checks if you can stop an attack in progress. It validates both technology and human readiness.
  • Rising threat sophistication: Cybercriminals, nation-state actors, and organized groups are more capable than ever. TLPT ensures your defenses evolve to match.

The Phases of a TLPT Engagement

Under the ECB’s TIBER-EU framework — the model used to deliver DORA TLPT — a test runs in three formal phases: Preparation, Testing, and Closure, with an optional Generic Threat Landscape phase up front. In practice, providers sub-divide those formal phases into a more granular delivery narrative. Below, the granular steps are grouped under their official TIBER-EU phase so you can see both views at once.

Generic Threat Landscape (optional, before Preparation). The relevant authority or framework body may produce a sector-wide threat landscape that informs the engagement. This sets the baseline for who is realistically attacking your sector before any single test begins.

Phase 1 — Preparation. Scoping defines the critical functions and live systems in play, the rules of engagement, and the teams. Note a key DORA-RTS terminology change: the small, trusted internal group that manages the test is now called the Control Team (formerly “White Team”). The Blue Team — your defenders — is deliberately kept unaware so their response is genuine.

Phase 2 — Testing. This is where the engagement comes to life, in two steps:

  • Targeted Threat Intelligence. An external Threat Intelligence Provider (mandatory under the framework) builds a Targeted Threat Intelligence (TTI) report — a profile of the adversaries, tactics, and attack paths most relevant to you.
  • Red Team Testing. External Red Team Testers run an intelligence-led attack against live production systems, emulating the profiled adversary end to end: initial access, lateral movement, and action on objectives, while staying stealthy.

Phase 3 — Closure. The test wraps up with the analysis that turns activity into improvement:

  • Replay and purple teaming. Both are now mandatory. The Red Team and Blue Team walk through the attack together so defenders learn exactly what was missed and why.
  • Reporting and remediation. Deliverables include a Red Team Test Report, a Blue Team Test Report, and a Test Summary Report, followed by a prioritized remediation plan.

A practical note on testers: the framework requires an external Red Team at least every third test and permits an internal red team for the tests in between under defined conditions; the external Threat Intelligence Provider is mandatory throughout.

Intelligence-Led vs Threat-Led Penetration Testing

You will see the terms intelligence-led penetration testing and threat-led penetration testing used almost interchangeably — and for good reason. They describe the same style of engagement: a bespoke, threat-intelligence-driven red-team test against live systems, scoped around a realistic adversary rather than a generic checklist. The difference is mostly which framework’s vocabulary you are reading.

  • Intelligence-led is the language of the UK’s CBEST scheme, run under the Bank of England, which pioneered the model for the UK financial sector.
  • Threat-led is the language of the EU’s TIBER-EU framework and the DORA regulation, which use “Threat-Led Penetration Testing (TLPT)” as the formal term.

If a regulator, RFP, or internal stakeholder asks for an intelligence-led pentest and another asks for threat-led penetration testing, you are being asked for the same fundamental exercise. What changes between schemes is the governing body, the documentation, and some procedural detail — not the core methodology of intelligence, stealthy red-team execution, and detection-and-response validation.

TLPT Under DORA: What Articles 26-27 Require

For EU financial entities, TLPT is governed by the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), specifically Articles 26 and 27. Article 26 sets out the obligation, scope, and cadence of advanced testing based on TLPT; Article 27 covers the requirements for the testers and threat-intelligence providers who carry it out. DORA TLPT is delivered through the ECB’s TIBER-EU framework.

A few points are widely misunderstood, so it is worth being precise:

  • Not every regulated firm has to do it. TLPT under DORA is mandatory only for financial entities that competent authorities identify as significant — not for every regulated firm. Identification is risk-based, weighing impact (including systemic importance), the entity’s ICT risk profile, and its maturity and resources. Microenterprises are excluded. The clearest mandatory candidates are large, systemically important institutions and core market infrastructure; smaller, low-complexity entities are unlikely to be identified.
  • At least once every three years. Identified entities must carry out advanced testing by means of TLPT at least every three years (Article 26(1)). A competent authority may require greater frequency where an entity’s risk profile, incident history, or the threat landscape justifies it.
  • Against live production systems. TLPT targets the entity’s critical or important functions on production systems — not a staging clone — which is precisely what makes the detection-and-response findings meaningful.
  • The timeline. DORA has applied since 17 January 2025, and the TIBER-EU framework was aligned to the DORA RTS on TLPT on 11 February 2025. There is no single EU-wide first-test deadline: each identified entity runs its first TLPT on a schedule agreed with its authority, and the three-year clock starts on completion of that first test.

A test run after DORA’s application date under a DORA-aligned (TIBER-EU) framework counts toward the entity’s three-year cycle. For firms that fall in scope, a standing capability for advanced, intelligence-led testing — rather than a one-off scramble — is the pragmatic answer; this is where an ongoing program such as continuous security earns its keep, keeping detection and response ready between formal tests.

How to Choose the Right TLPT Provider

Selecting the right threat led pentesting provider is crucial. (For a broader checklist that applies to any high-stakes engagement, see our guide on how to choose a penetration testing company.) Here’s what to look for:

Threat Intelligence Capability

Your provider must have access to, or partner with, a qualified threat intelligence team that can profile the adversaries most relevant to your business, sector, and geography. In regulated TLPT (e.g., under TIBER-EU), the threat intelligence function is typically independent.

Red Team Proficiency

The provider must demonstrate experience in red team operations, with proven ability to emulate advanced persistent threats (APTs), conduct lateral movement, and operate undetected.

Compliance Alignment

If you’re subject to TIBER-EU, CBEST, or DORA, your provider should have credentials, references, or certifications showing compliance with those standards.

Clear Process and Transparency

Look for providers who offer structured, transparent TLPT delivery — covering scoping, intelligence gathering, red teaming, purple team workshops, and remediation support.

Industry Experience

A provider that understands the threat landscape and business environment of your sector will deliver better results. A TLPT for a bank differs significantly from one for a utility.

TLPT vs Red Teaming vs Classic Penetration Testing

It helps to think of these as points on a single testing spectrum rather than competing products. At one end, classic penetration testing answers “what is exploitable here?” against a defined scope. In the middle, red teaming answers “can we get caught?” by simulating an attacker against your defenders. At the far end, TLPT answers “how do we hold up against the specific adversary most likely to target us?” — adding tailored threat intelligence and regulatory rigor on top of the red-team model. The further right you move, the more the test mirrors a real breach, the longer it runs, and the more it stresses people and process rather than just technology. Because TLPT (like red teaming) operates with minimal prior knowledge of the target’s internals, it is largely a black-box engagement — the testers start from the outside, much as a real adversary would.

Classic Pentesting
  • Primary goal: Identify vulnerabilities in systems or apps
  • Approach: Automated + manual tests
  • Focus area: Technical flaws
  • Typical duration: Typically days to a few weeks
  • Intelligence source: Standard methodology + tester expertise
  • Who scopes it: Client and provider, against a defined asset list

Red Teaming
  • Primary goal: Test detection and response via simulated attacks
  • Approach: Stealth, adversary simulation
  • Focus area: Defensive capability
  • Typical duration: Often several weeks
  • Intelligence source: Generic attacker TTPs
  • Who scopes it: Client and provider, around objectives

Threat Led Penetration Testing (TLPT)
  • Primary goal: Test critical systems and detection with real-world threats
  • Approach: Stealth, intelligence-driven
  • Focus area: Business-critical risk, regulatory alignment
  • Typical duration: Typically months, across formal phases
  • Intelligence source: Targeted Threat Intelligence on a profiled adversary
  • Who scopes it: Regulator/authority + Control Team, around critical functions

TLPT combines elements of red teaming with threat intelligence and business risk focus, offering the most comprehensive view of your resilience against targeted cyberattacks.

Why TLPT Matters and What It Delivers

As cyberattacks become more sophisticated and targeted, threat led pentesting gives you confidence that your security program can handle real adversaries. A TLPT engagement delivers:

  • Real-world simulation of the most likely threats your organization faces, based on current threat intelligence
  • Complete testing of technology, people, and processes — not just exploitable flaws
  • Validation of your detection, alerting, and incident-response capabilities under live attack conditions
  • Clear, board-level evidence for risk management and security investment
  • Cybersecurity priorities aligned with real business risk
  • Fulfillment of regulatory requirements such as DORA (via TIBER-EU) for in-scope entities
  • Improved defender knowledge and skills through collaborative purple-team exercises

Because TLPT is a threat-led, red-team-style engagement, budgeting for one starts with understanding what penetration testing costs across the wider spectrum of assessments — and recognizing that TLPT sits at the upper end of that range.

Conclusion

Threat led penetration testing (TLPT) is the evolution of security testing. It combines intelligence, technical expertise, and business focus to help organizations build true cyber resilience. Whether required by regulation or adopted as a best practice, TLPT is a vital part of defending against today’s most dangerous threats.

Ready to strengthen your defenses with threat led penetration testing? Explore our penetration testing services for a comprehensive assessment of your systems, or discover how our application security approaches help secure your critical software from real-world threats. Let BSG help you build resilience through targeted, intelligence-driven testing.