Use Case

Threat-led penetration testing on one defensible engagement record

Run TLPT engagements under TIBER-EU, DORA, CBEST, and iCAST without three separate tools and an inbox of attestation drafts. Manage scoping, threat intelligence input, red team execution, blue team observation, replay, and the joint attestation pack on the same engagement record auditors and competent authorities will eventually read.

No credit card required. Free plan available forever.

Threat-led penetration testing on one defensible engagement record

Threat-led penetration testing is the most demanding part of the regulator-aligned testing canon. Under DORA Articles 26 and 27, in-scope financial entities run TLPT at least every three years against live production systems supporting their critical or important functions, informed by targeted threat intelligence and reviewed in a joint replay session with the blue team. The DORA regulatory technical standards on TLPT reference TIBER-EU as the methodology of record, and adjacent schemes (CBEST, STAR-FS, iCAST) follow the same intelligence-led structure with scheme-specific accreditation rules.

Most TLPT programmes spend more time assembling the attestation pack than running the test. Scoping documents live in a folder, the threat intelligence brief in a PDF, the red team findings in another tool, the replay outcomes in workshop notes, and the joint attestation in an email thread. SecPortal pulls the entire cycle onto one engagement record so the white team, the control team, the threat intelligence provider, the red team provider, the blue team, and the competent authority all read from the same source. The next TLPT cycle, three years later, starts as a continuation rather than a reconstruction.

Six pillars of a TLPT programme that survives between cycles

One engagement record from scope to attestation

Scoping documents, threat intelligence briefs, red team findings, blue team observations, replay notes, and the joint attestation pack all live on one engagement. Auditors and competent authorities read a single record rather than reassembling the cycle from email threads, separate Word documents, and quarterly slide decks.

Threat intelligence attached to the test

The targeted threat intelligence brief from a TIBER-accredited or CBEST-accredited intelligence provider attaches to the engagement at scoping. Red team objectives reference the brief, and every finding ties back to a scenario so the link between intelligence input and tested impact is explicit on the record.

MITRE ATT&CK tagging from day one

Every red team finding tags against MITRE ATT&CK tactics and techniques as it is logged. The replay session, the report, and the attestation pack all read from the same tag set, which is the vocabulary the TIBER-EU and DORA regulatory technical standards reference.

Replay captured on the same record

The blue team replay is documented against the same findings the red team produced. Detection observations, control gaps, and remediation actions attach to the original attack path so the joint understanding between teams is preserved as evidence rather than as memory.

White team and competent authority delivery

The branded client portal serves the white team, the control team, and the competent authority as readers of the same engagement. Each role gets a defensible view of the test rather than an emailed PDF that drifts from the live record after delivery.

Audit-ready attestation export

Export the engagement to a structured artefact: scoping document, threat intelligence brief, scenario list, red team findings with evidence, replay observations, remediation status, and the joint attestation summary. The same export answers the next supervisory question without rebuilding the story by hand.

TLPT lifecycle phases on one engagement record

The TIBER-EU, CBEST, and DORA TLPT cycles share the same five phases. The deliverables are named differently across schemes, but the structure of preparation, intelligence, red teaming, replay, and closure is consistent. The point of pulling all five onto one engagement record is that the artefacts produced in one phase are readable inputs to the next, instead of separate documents that have to be cross-referenced by hand.

Phase | What lives on the engagement record
Preparation | Identify critical or important functions in scope, designate the white team and control team, appoint the TIBER cyber team or competent authority liaison, and contract the threat intelligence and red team providers. Capture all of this on the engagement record so the authority and the auditor read one source instead of contract folders.
Targeted threat intelligence | A TIBER-accredited or CBEST-accredited intelligence provider produces a targeted threat intelligence brief identifying threat actors, their motivation, and their plausible attack paths against the in-scope functions. The brief attaches to the engagement and informs red team scenarios directly.
Red teaming | Operators execute the agreed scenarios against live production systems supporting in-scope functions. Findings are logged against the engagement with payloads, request and response evidence, screenshots, and ATT&CK technique tags. Stop-test conditions and rollback steps are recorded on the same record so the operational risk is contained.
Replay | The blue team and the red team meet to walk each attack path. The blue team captures what was detected, what was missed, and where the control gap sat. Observations attach to the original red team finding so detection improvements and remediation actions remain tied to the test that surfaced them.
Closure and attestation | Produce the TLPT report, the replay summary, the remediation plan, and the joint attestation. Deliver to the white team, the control team, and the competent authority through the branded portal. Retain the structured export so the evidence chain to the next cycle, three years later, is intact.

Where TLPT programmes usually break

Five failure modes show up across most TLPT programmes that have not yet pulled the cycle onto a single engagement record. Each one is a structural problem with a structural fix on the same record.

Threat intelligence written, then forgotten

Many programmes treat the targeted threat intelligence brief as a one-off document, read at scoping, then quietly ignored when scenarios get adapted in flight. The result is a red team that drifts from the intelligence and a report that cannot trace findings back to the original threat actor model. Tying scenarios and findings to the intelligence record on the engagement keeps the link explicit.

Replay run as a meeting, not a record

Replay sessions often happen as a half-day workshop with notes on a whiteboard and a follow-up email summary. The detection gaps the blue team identified do not survive the workshop in any defensible form. Capturing replay observations against the original finding makes the joint walkthrough an evidence artefact rather than a meeting outcome.

Attestation reassembled by hand each cycle

TLPT cycles are typically three years apart. By the time the next cycle starts, the previous attestation pack has aged into a folder no one can confidently re-enter. Treating the engagement export as the canonical attestation makes the next cycle a continuation, not a reconstruction.

Stop-test triggers tracked off-record

Live production red team tests need explicit stop-test conditions, rollback steps, and an escalation path. When these live in a separate document or chat, the operational risk control breaks the moment a tester needs them in a hurry. Recording them on the engagement keeps the safety controls on the same record as the test.

White team and control team blind to each other

The white team running the test internally and the control team representing the regulator both need a defensible view of the engagement. When one sees email summaries and the other sees status calls, the joint attestation arrives with surprises. The branded portal serves both roles from the same record so the joint sign-off is a workflow rather than a negotiation.

What the joint attestation pack contains

Treat the structured engagement export as the joint attestation artefact. The same export answers the next supervisory cycle and the next TLPT cycle without rebuilding the pack from emails, slide decks, and a folder of PDFs.

  • Scoping document defining critical or important functions in scope, in-scope production assets, and the test window
  • Targeted threat intelligence brief from the accredited intelligence provider, attached to the engagement at scoping
  • Scenario list mapped to MITRE ATT&CK tactics and techniques and tied to the threat intelligence brief
  • Red team findings with payload, request and response, screenshot, and affected-asset evidence
  • Stop-test conditions, rollback steps, and escalation contacts as part of the engagement record
  • Blue team replay observations attached to each red team finding (detected, missed, control gap, remediation action)
  • Remediation plan with owner, severity, SLA target, and current status per finding
  • Joint attestation from the red team, the blue team, the white team, the control team, and the competent authority
  • AI-generated TLPT executive summary, technical writeup, and replay summary drawn from the live findings
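An added example, not SecPortal's code or its export format: a check over an engagement record shaped like the attestation pack contents above, confirming that the evidence chain from intelligence brief to scenario to finding to replay to remediation to signed attestation is unbroken before the pack is exported. The field names and the sample record are constructed assumptions.

```python
# Signatories the page lists for the joint attestation.
ATTESTATION_ROLES = {"red_team", "blue_team", "white_team", "control_team", "ti_provider"}
# Evidence the page says each red team finding carries.
REQUIRED_EVIDENCE = {"payload", "request_response", "screenshot", "affected_asset"}
# Safety controls the page says belong on the engagement, not in a side document.
SAFETY_CONTROLS = ("stop_test_conditions", "rollback_steps", "escalation_contacts")
REMEDIATION_FIELDS = ("owner", "severity", "sla_target", "status")


def check_engagement(eng: dict) -> list[str]:
    """Return evidence-chain gaps; an empty list means the record is attestation-ready."""
    gaps: list[str] = []
    brief = eng.get("ti_brief", {}).get("id")
    if not brief:
        gaps.append("no targeted threat intelligence brief attached at scoping")
    gaps += [f"{k} missing from engagement record" for k in SAFETY_CONTROLS if not eng.get(k)]

    # Intelligence -> scenario: every scenario cites the brief and carries ATT&CK tags.
    scenarios = {s["id"]: s for s in eng.get("scenarios", [])}
    for sid, s in scenarios.items():
        if s.get("ti_brief") != brief:
            gaps.append(f"scenario {sid} not tied to the TI brief")
        if not s.get("attack_techniques"):
            gaps.append(f"scenario {sid} has no ATT&CK technique tags")

    # Scenario -> finding: each finding traces to a scenario and carries full evidence.
    findings = {f["id"]: f for f in eng.get("findings", [])}
    for fid, f in findings.items():
        if f.get("scenario") not in scenarios:
            gaps.append(f"finding {fid} does not reference a scenario on the record")
        if not f.get("attack_techniques"):
            gaps.append(f"finding {fid} has no ATT&CK technique tags")
        missing = REQUIRED_EVIDENCE - set(f.get("evidence", {}))
        if missing:
            gaps.append(f"finding {fid} lacks evidence: {', '.join(sorted(missing))}")

    # Finding -> replay -> remediation: both attach to the finding by id, never orphaned.
    replayed = {r["finding"] for r in eng.get("replay", [])}
    remediated = {r["finding"]: r for r in eng.get("remediation", [])}
    for fid in findings:
        if fid not in replayed:
            gaps.append(f"finding {fid} has no blue team replay observation")
        rem = remediated.get(fid)
        if rem is None or any(not rem.get(k) for k in REMEDIATION_FIELDS):
            gaps.append(f"finding {fid} has no complete remediation entry")
    for fid in sorted((replayed | set(remediated)) - set(findings)):
        gaps.append(f"replay or remediation entry references unknown finding {fid}")

    # Closure: all five signatories on the joint attestation.
    signed = {a["role"] for a in eng.get("attestation", [])}
    gaps += [f"joint attestation not signed by {r}" for r in sorted(ATTESTATION_ROLES - signed)]
    return gaps


def sample_engagement() -> dict:
    """Constructed record with two deliberate gaps: F2 never replayed, control team unsigned."""
    ev = {k: "attached" for k in REQUIRED_EVIDENCE}
    return {
        "ti_brief": {"id": "TI-1"},
        **{k: ["recorded on engagement"] for k in SAFETY_CONTROLS},
        "scenarios": [{"id": "S1", "ti_brief": "TI-1", "attack_techniques": ["T1566"]}],
        "findings": [
            {"id": "F1", "scenario": "S1", "attack_techniques": ["T1566"], "evidence": ev},
            {"id": "F2", "scenario": "S1", "attack_techniques": ["T1078"], "evidence": ev},
        ],
        "replay": [{"finding": "F1", "outcome": "missed", "control_gap": "no alert fired"}],
        "remediation": [{"finding": f, "owner": "SOC", "severity": "high",
                         "sla_target": "30d", "status": "open"} for f in ("F1", "F2")],
        "attestation": [{"role": r} for r in sorted(ATTESTATION_ROLES - {"control_team"})],
    }
```

Running the check on the sample reports exactly the two planted gaps; closing them (a replay observation for F2 and a control team signature) brings the gap list to empty, which is the state the export should be in before it is treated as the attestation artefact.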

One engagement record, six different stakeholders

TLPT is multi-stakeholder by design. The white team, the control team, the threat intelligence provider, the red team provider, the blue team, and the eventual auditor each need a different view of the same record. SecPortal serves all six from the same engagement and finding entries so the evidence stays consistent and the views stay role-appropriate.

Role | What they see
White team | A small, named group inside the financial entity who knows the test is happening and protects the operational secrecy. The white team sees the live engagement record, manages stop-test escalation, and signs the attestation. The portal gives them a live view rather than a chain of emails to chase.
Control team | The competent authority team (TIBER cyber team, CBEST sponsor, or equivalent) overseeing the test. They read scope, threat intelligence, scenario mapping, replay outcomes, and the joint attestation from the same record the white team reads, which makes oversight a reading exercise rather than a reconstruction.
Threat intelligence provider | TIBER-EU or CBEST accredited provider producing the targeted threat intelligence brief. Their deliverable attaches to the engagement at scoping and is the input against which the red team scenarios and the eventual replay are evaluated.
Red team provider | Accredited red team provider executing the engagement. Operators log findings, payloads, evidence, and ATT&CK technique tags against the engagement as the test runs, so the report is a snapshot of the live record rather than a reconstruction once the test ends.
Blue team | Internal defenders unaware the test is happening until the replay phase. After the test, the blue team reviews each red team finding, captures what was detected and missed, and attaches the replay observations to the original finding so the joint understanding is preserved.
Auditor and supervisor | External auditors, internal audit, and supervisory authorities asking for the next cycle of evidence. The structured engagement export answers their questions about scoping, threat intelligence, scenario coverage, findings, replay, remediation, and attestation without an evidence-assembly project.

TLPT scheme coverage: TIBER-EU, DORA, CBEST, iCAST

The same engagement record handles the major intelligence-led schemes. The scheme-specific differences sit in the accreditation rules for the threat intelligence and red team providers, the deliverable templates, and the supervisory contact, all of which are configurable on the engagement.

TIBER-EU

The European Central Bank reference methodology for threat-led penetration testing, adopted across the euro area and several non-euro EU jurisdictions. The DORA TLPT regulatory technical standards reference TIBER-EU directly.

DORA

Articles 26 and 27 of the Digital Operational Resilience Act require designated financial entities to run TLPT at least every three years on systems supporting critical or important functions.

CBEST

The Bank of England programme for systemically important UK financial entities, which predates TIBER-EU and follows the same intelligence-led red team and replay structure with UK-specific accreditation rules.

iCAST

The Hong Kong Monetary Authority intelligence-led testing scheme for in-scope authorised institutions. The lifecycle mirrors TIBER-EU with HKMA-specific accreditation and supervisory engagement.

How TLPT delivery sits on the rest of the platform

TLPT is not a separate product line. It uses the same engagement management for scope and team assignment, the same findings management for the red team output, the same AI reports for the report and replay summary, and the same branded client portal for the white team and competent authority view. The methodology layer is anchored in the MITRE ATT&CK framework for tagging and the Penetration Testing Execution Standard for general red team execution discipline.

Pair with red team delivery

The red team reporting workflow covers the tagging and narrative-style report production this page references. TLPT inherits that workflow and adds intelligence-led scoping, replay, and joint attestation on top.

Pair with evidence and project ops

Use the pentest evidence management workflow for the evidence record on each finding and the pentest project management workflow for the multi-team operational layer that runs the cycle end to end.

Anchoring TLPT in the wider research and methodology canon

TLPT scoping benefits from the broader research on severity calibration and aging pentest findings, and from the operational discipline described in the long-form guides on red team vs penetration test and the penetration testing methodology guide. Use those alongside this page to ground the TLPT cycle in a defensible methodology rather than a custom playbook the next cycle has to reverse engineer.

TLPT is a long, expensive, regulator-watched cycle that only pays off if the evidence survives the three years between rounds. Pulling scope, threat intelligence, scenarios, red team findings, replay observations, remediation status, and the joint attestation onto one engagement record is what makes the next cycle a continuation. The point of this workflow is to make the defensible answer the path of least resistance for everyone touching the engagement, from the operator logging the first finding to the supervisor reading the attestation pack two years later.

Frequently asked questions about threat-led penetration testing

What is threat-led penetration testing (TLPT)?

Threat-led penetration testing (TLPT) is a controlled red team exercise against live production systems supporting an organisation's critical or important functions, informed by targeted threat intelligence about plausible adversaries. It is the most demanding form of resilience testing in the regulator-aligned canon: TIBER-EU is the European reference methodology, CBEST is the UK Bank of England programme, iCAST is the Hong Kong equivalent, and the regulatory technical standards under DORA reference TIBER-EU directly. TLPT covers preparation, targeted threat intelligence, red teaming, replay with the blue team, and a joint attestation pack signed by the parties involved.

How is TLPT different from a normal red team or penetration test?

TLPT differs in three ways. First, it is intelligence-led: scenarios are built from a targeted threat intelligence brief produced by an accredited provider rather than from a generic methodology. Second, it is regulator-aligned: TIBER-EU, CBEST, and the DORA regulatory technical standards prescribe roles (white team, control team, threat intelligence provider, red team provider, blue team) and deliverables (scoping document, intelligence brief, scenarios, findings, replay observations, joint attestation). Third, it runs against live production systems supporting critical or important functions, with explicit stop-test conditions, rollback steps, and escalation contacts. A standard pentest is rarely intelligence-led, rarely regulator-prescribed, and usually scoped against a staging environment.

Who is required to run TLPT under DORA?

Under DORA Articles 26 and 27, financial entities designated by the competent authority as significant must run threat-led penetration testing at least every three years on systems supporting their critical or important functions. The designation considers size, systemic relevance, complexity, and overall risk profile. The regulatory technical standards on TLPT explicitly reference TIBER-EU as the methodology to use. Smaller entities outside the TLPT designation still fall under DORA's wider testing regime (vulnerability assessments, penetration tests, scenario-based exercises) on a proportionality basis, and the framework page on the Digital Operational Resilience Act covers that testing programme end to end.

How does SecPortal support a TIBER-EU or DORA TLPT programme?

SecPortal models the engagement as the canonical record. Scoping, threat intelligence brief, scenario list, red team findings, replay observations, remediation status, and the joint attestation all attach to the same engagement. Findings are tagged against MITRE ATT&CK tactics and techniques, evidence (payload, request and response, screenshot, affected asset) attaches to the finding, and stop-test conditions live on the engagement record. The branded client portal serves the white team, the control team, and the competent authority as readers of the same record, and the structured export is the attestation artefact rather than a separate document the team assembles by hand at year end.

How long does a TLPT cycle take?

Most TIBER-EU and CBEST cycles run nine to twelve months end to end. Preparation and scoping typically take four to eight weeks. The targeted threat intelligence phase is around six to eight weeks. The red team phase is usually ten to twelve weeks of active testing. The replay and closure phase, including the joint attestation, runs a further four to eight weeks. The cadence between cycles is at least three years under DORA Article 26, which means the engagement record needs to survive long enough that the next cycle starts as a continuation rather than a reset.

How does the replay phase work in practice?

The replay is a structured walkthrough where the red team and the blue team meet, with the white team and the control team observing. The red team narrates each attack path step by step. The blue team captures what was detected, what was missed, and where the control gap sat, and proposes detection or process improvements. The white team and control team validate the joint understanding. In SecPortal, replay observations attach to the original red team finding, so the detection gap and the remediation action remain tied to the test that surfaced them rather than living in workshop notes.

How does TLPT relate to CBEST, iCAST, and other intelligence-led schemes?

CBEST is the Bank of England programme for systemically important UK financial entities and predates TIBER-EU. iCAST is the Hong Kong Monetary Authority equivalent. STAR-FS is the CREST scheme for UK financial services. TIBER-EU is the European Central Bank reference methodology adopted across the euro area and several non-euro EU jurisdictions. The DORA regulatory technical standards on TLPT explicitly reference TIBER-EU. The lifecycle (preparation, targeted threat intelligence, red teaming, replay, closure) is broadly the same across schemes, with each adding scheme-specific accreditation requirements for the threat intelligence provider and the red team provider.

What goes into a TLPT joint attestation pack?

The joint attestation pack is the deliverable the parties involved sign at closure to evidence that the test ran in line with the methodology. It typically contains the scoping document, the targeted threat intelligence brief, the scenario list, the red team findings with evidence, the replay observations, the remediation plan, and a joint attestation statement signed by the white team, the red team provider, the threat intelligence provider, the blue team, and the control team or competent authority. The structured engagement export from SecPortal carries all of this as a single artefact, which is what the next supervisory cycle and the next TLPT cycle need to read from.

How it works in SecPortal

A streamlined workflow from start to finish.

1. Scope the TLPT engagement

Define the critical or important functions in scope, the live production assets, the test window, and the rules of engagement. Capture the TIBER-EU control team and the white team, the threat intelligence provider, and the red team provider on one engagement record.

2. Build the threat-led scenario

Attach the targeted threat intelligence brief and translate it into red team objectives. Tag scenarios against MITRE ATT&CK techniques so the report, the replay, and the attestation pack speak the same vocabulary as the regulator-aligned methodology.

3. Run the red team and capture findings

Operators log findings against the engagement as they go, with timestamps, payloads, request and response, screenshots, and tactic and technique tags. The audit trail is a side effect of the testing, not a clean-up exercise after the report.

4. Replay with the blue team

Walk the blue team through each attack path using the same finding records. Capture detection observations, control gaps, and remediation actions on the same engagement so the replay is documented rather than reconstructed from notes.

5. Produce the joint attestation pack

Generate the TLPT report, the replay summary, and the joint attestation evidence from the live findings. Deliver to the white team and the competent authority through the branded portal, and retain the structured export for the next cycle.

Run TLPT without the spreadsheet attestation pack

Scope, threat intel, red team, replay, and joint attestation on one engagement record. Start free.
