TIBER-EU
threat-led penetration testing for financial entities

TIBER-EU in context: the European framework for threat-led penetration testing

TIBER-EU stands for Threat Intelligence-Based Ethical Red Teaming, European Union. It is the framework published by the European Central Bank in 2018 that sets a common methodology for threat-led penetration testing across the European financial system. The ECB and the national competent authorities adopted TIBER-EU so that red team tests run on critical financial entities follow a consistent structure, are comparable across jurisdictions, and produce evidence the supervisor can rely on. Most national implementations carry their own jurisdiction-specific names (TIBER-NL, TIBER-DE, TIBER-IE, TIBER-IT, and others) but they share the same phases, role separation, and attestation requirements.

TIBER-EU sits inside a wider regulatory picture. Under the Digital Operational Resilience Act, in-scope financial entities run threat-led penetration testing at least every three years on systems supporting critical or important functions, and the regulatory technical standards for DORA TLPT explicitly reference TIBER-EU as the reference methodology. Where an entity is not in DORA TLPT scope, TIBER-EU is still adopted voluntarily as the defensible methodology for a credible red team test. For UK financial services, the CREST STAR FS scheme operated alongside CBEST plays a similar role under the Bank of England and the Financial Conduct Authority.

Who runs TIBER-EU and where it applies

TIBER-EU applies primarily to financial entities supervised in the European Union, but the framework is publicly available and is adopted voluntarily by other organisations in the sector. The cadence and depth scale with the size and systemic relevance of the entity, and the inclusion list for each cycle is set by the national competent authority. Critical ICT third-party providers supporting the in-scope functions are pulled into the scoping conversation and may be tested in coordination with the entity.

The Generic Threat Landscape: where every TIBER-EU test starts

Every TIBER-EU test starts from a Generic Threat Landscape, or GTL, produced for the jurisdiction by the TIBER cyber team and the intelligence community supporting it. The GTL is the reference document that profiles the threat actors plausibly targeting the financial sector in the jurisdiction, the prevailing tradecraft, and the attack patterns the supervisor expects to see reflected in test scenarios. The GTL feeds the entity scope and the Targeted Threat Intelligence report that follows.

Roles and segregation of duties: white, control, blue, red, and TI

Role separation is the structural feature that makes TIBER-EU credible. The framework names five roles, with explicit boundaries between who knows about the test, who runs the test, who oversees the test, and who defends against it. The audit of who knew what and when is part of the attestation, so the role record is captured before launch and maintained throughout the engagement.

Phase 1: Preparation

Preparation is the longest phase by elapsed time and the phase that most determines whether the test is defensible. The launch document, the procurement of accredited providers, the legal pack, and the rules of engagement all sit in preparation, and the national TIBER cyber team is engaged early so the supervisor expectations are baked into the plan rather than discovered later.

Phase 2: Testing (Targeted Threat Intelligence and red team execution)

Testing is what most readers picture when they hear TIBER-EU. The threat intelligence provider builds the Targeted Threat Intelligence report from the GTL and the entity scope. The red team builds the test plan from the TTI, with scenarios and flags. The white team approves and the controlled red team execution runs against live production. Operator notes, evidence per flag, and timestamps are captured during execution rather than reconstructed afterwards.

Tagging every red team finding by tactic and technique sharpens the test report and the replay conversation. The MITRE ATT&CK framework page covers how to tag findings end to end, the threat-led penetration testing workflow covers the TLPT cycle end to end on a single engagement record, and the red teaming workflow keeps the timeline, attack paths, and operator notes structured rather than scattered across chat history.

Phase 3: Closure (replay, attestation, and lessons learned)

Closure is what separates TIBER-EU from a normal red team engagement. The replay phase pairs the red team and the blue team, walks the attack path together, identifies the detection and response gaps, and agrees the remediation. The joint attestation, signed by the entity, the red team provider, and the threat intelligence provider, goes to the TIBER cyber team and the supervisor as the formal record that a TIBER-EU test was completed.

For the operational side of the remediation work after the attestation, the remediation tracking workflow keeps owners, deadlines, and retest evidence linked to the engagement record so the supervisor cycle does not turn into a second forensic exercise twelve months later.

TIBER-EU and DORA: how they fit together

DORA Article 26 introduces threat-led penetration testing as a formal expectation for in-scope financial entities, and the regulatory technical standards on TLPT specify that TIBER-EU is the reference methodology. In practice this means the TIBER-EU attestation pack is the evidence record that satisfies the DORA TLPT requirement. Entities that ran TIBER-EU before DORA can carry that history forward; entities new to TLPT under DORA build the programme on the TIBER-EU methodology from launch.

For the wider DORA programme around TLPT (the ICT risk framework, incident reporting, and the third-party register), the DORA framework page covers the surrounding articles. For the supervisor expectations on the broader resilience programme, the NIS2 framework page covers risk measures and incident reporting that often run alongside TIBER-EU at group level.

TIBER-EU vs CBEST, GBEST, CREST STAR FS, and HKMA iCAST

TIBER-EU is the European Union framework, but it is not the only intelligence-led red team scheme used in financial services. CBEST is the long-running scheme operated by the Bank of England and the Financial Conduct Authority for UK financial entities, and GBEST is the UK government variant. CREST STAR FS is the CREST scheme used alongside CBEST. In Hong Kong, the HKMA C-RAF Cyber Resilience Assessment Framework runs iCAST as the intelligence-led testing pillar for Authorised Institutions whose tier and maturity profile make controlled offensive testing proportionate. The frameworks share the structural ideas: a generic threat landscape, accredited providers, a small white team, role separation, controlled execution, replay, and a joint attestation. They differ in jurisdiction, accreditation body, and some procedural detail. Many groups operating across multiple jurisdictions run more than one scheme, mapping the common artefacts across the frameworks rather than building separate evidence packs.

Evidence the supervisor (and your board) actually want

TIBER-EU programmes that fail review usually fail because the artefacts are scattered across drives, secure email threads, and screenshots. Build the closure pack as the work happens, retain raw evidence alongside the structured record, and tie every artefact back to the phase, the role that produced it, and the approver who signed it off. The attestation reads the way the underlying record reads.

Where SecPortal fits in the TIBER-EU workflow

SecPortal is the operating layer for the TIBER-EU engagement, not a replacement for the national TIBER cyber team, the threat intelligence provider, or the red team. The platform handles scope, role records, findings, replay notes, attestation artefacts, and the closure pack so the work runs as a structured workflow rather than a long encrypted email thread. Compliance tracking maps the TIBER-EU evidence pack to DORA, NIS2, and ISO 27001 for entities that have to satisfy more than one regime from the same body of work.

TIBER-EU is a multi-month engagement, not a one-week test. The first cycle for a new in-scope entity typically takes between nine and twelve months from launch to attestation, with preparation alone taking three or more months. Subsequent cycles run faster because the white team, the providers, and the evidence patterns are reusable. Running the work as a managed workflow pays off most over time: prior TTI reports, prior red team findings, and prior remediation timelines stay linked, so each cycle is an iteration rather than a rebuild. For consultants delivering TIBER-EU work to multiple clients, the security consultants workspace bundles the platform with branded client portals and AI report generation so the deliverable looks as polished as the work behind it.

For programmes that want continuous detection and trend evidence between TIBER-EU cycles, the continuous monitoring capability and attack surface management capability produce the cadence and coverage record that TLPT programmes are expected to keep between formal tests.