
Is Threat-Led Penetration Testing the new penetration testing?

Threat-Led Penetration Testing (TLPT) is a key element in the European Union’s Digital Operational Resilience Act (EU DORA). Its name has led to confusion, because it has little in common with conventional penetration testing. This article aims to clarify what TLPT is, how the approach differs from traditional penetration testing, and what it has in common with Threat Intelligence-Based Ethical Red Teaming (TIBER).

EU DORA defines TLPT as “a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems”1. The key phrase in this definition is “intelligence-led (red team) test”. TLPT is therefore a form of red teaming: a simulation of a real-world attack used to test an organisation’s defences.

Before EU DORA, the term TLPT was used in 2018 by the G-7 in their publication, G-7 Fundamental Elements for Threat-Led Penetration Testing. The G-7’s aim was to “provide entities with a guide for the assessment of their resilience against malicious cyber incidents through simulation”. That publication also acknowledges that TLPT “may be referred to as Ethical Red Teaming”5.

In essence, TLPT is therefore a flavour of red teaming which is threat-intelligence driven. TLPT is similar to Singapore’s Adversarial Attack Simulation Exercises (AASE), the United Kingdom’s CBEST intelligence-led penetration testing, or Hong Kong’s Intelligence-led Cyber Attack Simulation Testing (iCAST).

Despite the similarity in name, Threat-Led Penetration Testing is not to be confused with “regular” penetration testing. EU DORA, for example, mandates both penetration testing2 and TLPT3; FINMA does the same in Circular 2023/1 (but uses the term ‘red teaming’ instead of TLPT).

In what ways does the TLPT approach differ from regular penetration testing?
  1. TLPT is an organisation-wide assessment, neither solely focused on a single system/application, nor limited to the cyber risk dimension. The human and physical dimensions are also considered: “Intelligence-led red team tests differ from conventional penetration tests, which provide a detailed and useful assessment of technical and configuration vulnerabilities often of a single system or environment in isolation, but contrary to the former, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies”4.
  2. In addition, the “secrecy of a TLPT is of utmost importance to ensure that the conditions of the test are realistic”4. Contrary to penetration testing, defensive controls are indeed challenged in TLPT assessments: personnel from the Security Operations Centre (SOC) (also referred to as the blue team) are not made aware of the exercise, and the operators (also referred to as ‘the red team’) operate in a covert manner. This implies progressing at a slower pace than when performing ethical hacking in the context of a conventional penetration test. Furthermore, it requires the careful development of a tailored set of techniques designed to evade detection by the blue team.
  3. As such, TLPT assessments typically require more time and effort than a penetration test, and this is enforced in the context of EU DORA: “The RTS requires the active red teaming test to be a minimum of 12 weeks”4.
  4. Penetration testing typically takes place within test environments due to risk considerations. However, as TLPT is meant to mimic real cyber-attacks, it “shall be performed on live production systems”3. As testing in production comes with inherent risks (e.g., disruption, data leakage, compliance violations), it is “essential that the testers and threat intelligence providers have the highest level of skills and expertise”4.
  5. Unlike penetration testing, which aims to find, in a systematic manner, an exhaustive list of vulnerabilities in the in-scope systems/applications, TLPT is objective-oriented. This means that the red team will try to find one attack path towards business-tangible objectives (also referred to as flags): this is an opportunistic approach, mimicking actual cyber-attacks.
  6. Such flags are defined as part of threat scenarios which are derived from a threat intelligence report tailored to the assessed organisation. This report is produced at the beginning of the TLPT testing phase and helps to ensure the credibility of the simulated attack, which is not relevant for traditional penetration testing.
  7. TLPT also goes beyond the identification of vulnerabilities: in the context of EU DORA, a purple teaming exercise is mandatory4. This consists of a collaborative workshop between the red and the blue teams in the closure phase, “based on vulnerabilities identified during the test and, where relevant, on issues that could not be tested during the active red team testing phase”4. The aim of such an exercise is to maximise the learning experience for the assessed organisation.

Penetration testing and TLPT are distinct, complementary security assessment types. Both serve their purpose:

  • Penetration testing for in-depth technical testing of specific systems/applications, often considered in isolation
  • TLPT for a realistic attack simulation, challenging the organisation’s preparedness with regard to its threat landscape in a controlled and holistic manner (including its incident detection and response capabilities).

Whilst penetration testing has been around for decades already, TLPT (or any form of red teaming, generally speaking) is a newer concept for some organisations, and both the organisation and its management must take time to prepare for a TLPT exercise. In particular, such organisations may be interested in the TIBER-EU framework, as it provides a uniform and high-quality standard for implementing TLPT, aligned with EU DORA requirements.6

Beyond regulatory compliance, TLPT delivers outcomes that matter to management and the business. It provides an evidence‑based view of real risk exposure across cyber, physical and human dimensions, anchored in end‑to‑end attack path(s) and business‑tangible impacts rather than a long list of technical findings. For example, a TLPT exercise can highlight:

  • how a toxic combination of seemingly minor issues can enable a major compromise
  • gaps in detection and prevention controls – despite “all-green” security monitoring dashboards
  • that reliance on technology alone (e.g., cybersecurity products) is insufficient without resilient processes and prepared people.

That is why TLPT results typically draw management attention and can help to bootstrap cross-functional remediation programmes that ultimately enhance the organisation's security posture.

Time to act

From the UK's CBEST to Singapore's AASE, via Hong Kong’s iCAST and now the EU's DORA, regulation mandating TLPT is growing all around the world, because regulators recognise the value and insights it provides. In the case of EU DORA, the regulator not only mandates it but must also be involved during the execution, demonstrating the importance of TLPT.

TLPT has become standard practice for testing organisational resilience to cyber-attacks in a realistic yet risk-controlled manner.

At Deloitte, we combine threat intelligence expertise, regulatory knowledge, and proven red teaming capabilities to help you assess your cyber-attack readiness. If you would like to have an initial conversation about TLPT and Deloitte’s approach to making it a success, please get in touch with our experts. We are glad to help you with any of your offensive security needs.

1 European Parliament and the Council of the European Union. (2022, December 14). Regulation (EU) 2022/2554 “Digital Operational Resilience Act (DORA)”, article 3.
2 European Parliament and the Council of the European Union. (2022, December 14). Regulation (EU) 2022/2554 “Digital Operational Resilience Act (DORA)”, article 25.
3 European Parliament and the Council of the European Union. (2022, December 14). Regulation (EU) 2022/2554 “Digital Operational Resilience Act (DORA)”, article 26.
4 European Supervisory Authorities. (2024, July 17). Draft Regulatory Technical Standards specifying elements related to threat led penetration tests under Article 26(11) of Regulation (EU) 2022/2554.
5 G7 Cyber Expert Group. (2018, October 24). G-7 Fundamental Elements for Threat-Led Penetration Testing.
6 European Central Bank. (2024, September). Adopting TIBER-EU will help fulfil DORA requirements.
