Banking Penetration Testing: DORA, TLPT, BAIT & EU Banking Supervision
European banks face the most demanding cybersecurity supervisory regime in the EU: DORA Art. 24 (yearly testing of all ICT systems supporting critical or important functions, with penetration testing among the Art. 25 test types), Art. 26 (TLPT at least every 3 years for the financial entities identified by their authorities), BaFin BAIT (Germany), ACPR guidelines (France), Banca d'Italia Circolare 285/2013 (Italy) and DNB Goede Praktijk Informatiebeveiliging (Netherlands). Matproof Sentinel provides an ongoing baseline pentest with explicit mapping to all major EU banking supervisory frameworks, from €149.
Why banks face the strictest pentest regime in the EU
European banks operate under intersecting cybersecurity supervisory regimes. At EU level, DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) requires a digital operational resilience testing programme with yearly testing of all ICT systems supporting critical or important functions (Art. 24) and Threat-Led Penetration Testing (TLPT) at least every 3 years for the financial entities identified by their authorities (Art. 26). At national level, BaFin BAIT in Germany, ACPR/AMF in France, Banca d'Italia in Italy, DNB in the Netherlands and Banco de España in Spain each add their own examination cycles and IT inspection requirements. Beyond regulatory compliance, banks are high-value targets: the average breach cost in banking is €5.85M (IBM Cost of a Data Breach Report 2024). Banking-specific attack patterns include SWIFT-related fraud (hence CSP CSCF compliance), compromises of correspondent banking corridors, ATM network attacks via third-party vendors, and ICT third-party risk in general (Art. 28 DORA, including the register of information on all ICT third-party arrangements).
- DORA Art. 24: every financial entity in scope (credit institutions, payment institutions, e-money institutions and others) must run a digital operational resilience testing programme, and all ICT systems and applications supporting critical or important functions must be tested at least yearly (Art. 24(6)); penetration testing is one of the test types listed in Art. 25.
- DORA Art. 26 TLPT: Threat-Led Penetration Testing at least every 3 years for the financial entities identified by the competent authorities under Art. 26(8), which for banks means significant institutions (G-SIBs and other significant banks under ECB supervision). TLPT follows the TIBER-EU framework and uses testers meeting the Art. 27 requirements.
- BaFin BAIT (Germany): Rundschreiben 10/2017 (BA), amended 2021. Chapter 5 (operational information security) calls for regular and event-driven vulnerability scans and penetration tests, chapter 7 covers IT projects and application development, chapter 9 covers outsourcing and other external procurement of IT services; §44 KWG lets BaFin order special audits. With DORA applicable from 17 January 2025 BaFin has repealed BAIT for institutions in DORA's scope, but its chapters remain a useful map of what examiners look for.
- ACPR (France): cybersecurity is assessed in the annual SREP cycle for French banks; TIBER-FR, run by the Banque de France with the ACPR, covers systemic institutions.
- Banca d'Italia (Italy): Circolare 285/2013 (Disposizioni di vigilanza per le banche), Part I, Title IV, Chapter 4 on the information system, requires regular ICT security assessments including vulnerability assessments and penetration tests; TIBER-IT covers significant Italian banks.
- DNB (Netherlands): the Goede Praktijk Informatiebeveiliging 2024 sets out DNB's expectations, including regular penetration testing (a good practice that DNB uses as its examination yardstick rather than a binding rule); TIBER-NL, launched by DNB in 2016, is the programme on which TIBER-EU was built.
- SWIFT CSP CSCF v2024: a set of mandatory and advisory security controls on the bank's own SWIFT infrastructure. Control 7.3A (penetration testing) is advisory, but the annual attestation must be supported by an independent assessment, and a pentest is the natural evidence for mandatory controls such as 1.1 (SWIFT environment protection) and 2.2 (security updates).
What we specifically test in a banking application
- Online banking authentication: strong customer authentication (SCA) under the PSD2 RTS (Delegated Regulation (EU) 2018/389), photoTAN/pushTAN security, biometric authentication implementation.
- Wire transfer authorization flow: dual authorization (4-eye principle), authorization split between systems, signature verification for high-value transfers.
- ATM network: third-party maintenance vendor access controls (per Art. 28 DORA), ATM management network segmentation, remote attack vectors.
- Correspondent banking: SWIFT messaging integrity, CBPR+ compliance for ISO 20022 migration, sanctions screening bypass attempts.
- Mobile banking apps: Android/iOS app pentest (root/jailbreak detection, SSL pinning, sensitive data in memory, screenshot prevention).
- Trading platforms: market data integrity, order routing logic, race conditions in high-frequency trading systems.
- API gateway: Open Banking APIs (Berlin Group NextGenPSD2 for SCA-compliant access), corporate banking APIs, real-time payment rails (SCT Inst, TIPS).
- Customer portal: account access controls, IDOR (Insecure Direct Object Reference) on account details and statements, privilege escalation between role tiers.
- Anti-fraud systems: rules engine bypass attempts, account takeover via session hijacking, social engineering resistance (call center, chat).
- ICT third-party risk (Art. 28 DORA): completeness of the register of information on ICT third-party arrangements (Art. 28(3)), contract clauses granting testing rights (Art. 30), exit strategy verification.
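The dual-authorization flow in the wire-transfer item above is the control we most often find enforced in the browser but not on the server. The following is an added example, not Matproof Sentinel code or any bank's: a minimal maker/checker model (the Transfer class, the €100,000 high-value threshold and the role names are assumptions) with the defective approval routine a tester tries to trigger next to the hardened one.

```python
"""Four-eye (maker/checker) authorization for wire transfers.

Added example, not Matproof Sentinel code and not taken from any bank's
system. Assumed (hypothetical) model: a transfer is created by a maker
and released only after approval by one or more checkers; transfers at
or above HIGH_VALUE_THRESHOLD need two approvals. The weak variant shows
the defect a pentest of the authorization flow looks for.
"""
from dataclasses import dataclass, field
from decimal import Decimal

HIGH_VALUE_THRESHOLD = Decimal("100000")  # assumed EUR threshold for this example


class AuthorizationError(Exception):
    """Raised when an approval violates the four-eye policy."""


@dataclass
class Transfer:
    transfer_id: str
    maker: str                                      # user who entered the payment
    amount: Decimal
    approvals: list = field(default_factory=list)   # checker user IDs so far
    released: bool = False


def approvals_required(amount: Decimal) -> int:
    """One checker for ordinary transfers, two for high-value ones."""
    return 2 if amount >= HIGH_VALUE_THRESHOLD else 1


def approve_weak(t: Transfer, approver: str) -> Transfer:
    """Defective variant: counts approvals but never compares identities,
    so a maker can approve its own transfer and one checker can approve
    twice. This is the pattern a four-eye test tries to trigger."""
    t.approvals.append(approver)
    if len(t.approvals) >= approvals_required(t.amount):
        t.released = True
    return t


def approve(t: Transfer, approver: str, approver_role: str) -> Transfer:
    """Hardened variant: separation of duties enforced server-side.

    The approver must hold the checker role, must not be the maker, and
    must not have approved this transfer already, so a high-value
    transfer really does pass through two different people."""
    if t.released:
        raise AuthorizationError("transfer already released")
    if approver_role != "checker":
        raise AuthorizationError("approver lacks checker role")
    if approver == t.maker:
        raise AuthorizationError("maker may not approve own transfer")
    if approver in t.approvals:
        raise AuthorizationError("same checker may not approve twice")
    t.approvals.append(approver)
    if len(t.approvals) >= approvals_required(t.amount):
        t.released = True
    return t


# Scenarios a tester walks through; each returns True when the observed
# behaviour matches the description in its name.

def weak_flow_allows_self_approval() -> bool:
    t = Transfer("T-1", maker="alice", amount=Decimal("250000"))
    approve_weak(t, "alice")
    approve_weak(t, "alice")          # same person, twice
    return t.released


def hardened_flow_blocks_self_approval() -> bool:
    t = Transfer("T-2", maker="alice", amount=Decimal("250000"))
    try:
        approve(t, "alice", "checker")
    except AuthorizationError:
        return not t.released
    return False


def hardened_flow_needs_two_distinct_checkers() -> bool:
    t = Transfer("T-3", maker="alice", amount=Decimal("250000"))
    approve(t, "bob", "checker")
    if t.released:
        return False                  # one approval must not suffice
    try:
        approve(t, "bob", "checker")  # replaying the same checker
        return False
    except AuthorizationError:
        pass
    approve(t, "carol", "checker")
    return t.released


def hardened_flow_releases_low_value_after_one_checker() -> bool:
    t = Transfer("T-4", maker="alice", amount=Decimal("500"))
    approve(t, "bob", "checker")
    return t.released


if __name__ == "__main__":
    for check in (weak_flow_allows_self_approval,
                  hardened_flow_blocks_self_approval,
                  hardened_flow_needs_two_distinct_checkers,
                  hardened_flow_releases_low_value_after_one_checker):
        print(f"{check.__name__}: {check()}")
```

In a real engagement the same four scenarios are driven through the bank's API with two captured sessions: the point is that the identity comparison and the approval count must live in the authorization service, not in the front end, and that the approval state must be bound to the transfer record rather than to the session.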
Sample finding
ATM network compromise via third-party maintenance vendor — Art. 28 DORA
Our pentest of a European retail bank found that ATM maintenance was outsourced to a third-party vendor holding admin access to the bank's ATM management network. The vendor's helpdesk system carried a two-year-old unpatched remote code execution vulnerability (the specific CVE had not been identified at the time of discovery). The test exploited the helpdesk, pivoted to the vendor's domain controller, used cached credentials to reach the bank's ATM VLAN, and demonstrated the ability to trigger cash dispensing on ATMs remotely, without ever directly compromising the bank's perimeter. Total time from initial access to ATM control: 6 weeks (simulated TLPT-style engagement). This is a textbook Art. 28 DORA scenario: an ICT third party supporting a critical function with insufficient security testing.
Fix: Immediate action: emergency patching of vendor helpdesk system; vendor security review per Art. 28 DORA. Systemic actions: implement Art. 28 DORA critical third-party register with continuous security posture monitoring of all vendors with privileged access; network segmentation review — direct vendor access to ATM VLAN eliminated, replaced with gated bastion hosts with MFA; joint TIBER-style exercises with critical vendors going forward (pool testing under TIBER-EU framework); detection rule additions for the specific lateral movement pattern. The fix is not just patching — it's redesigning the trust relationship with the vendor.
Reference: DORA Art. 28 (General principles for managing ICT third-party risk) · TIBER-EU Framework v2.0 · MITRE ATT&CK T1078.002 Valid Accounts: Domain Accounts · BaFin BAIT chapter 9 (Auslagerungen und sonstiger Fremdbezug von IT-Dienstleistungen) · EBA/GL/2019/02 Guidelines on outsourcing arrangements
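The "detection rule additions for the specific lateral movement pattern" in the fix above can be made concrete. The following is an added example, not a rule from the engagement or from Matproof Sentinel: a small Python detector run over constructed Windows logon events, where the address ranges, the bastion address, the domain names and the log lines are all assumptions for illustration.

```python
"""Detection for the vendor-to-ATM-VLAN lateral movement pattern.

Added example, not Matproof Sentinel code and not a rule from any real
bank's SIEM. Everything below is constructed for illustration: the
network layout, the vendor domain name and the log lines (Windows
Security event 4624 flattened to key=value pairs, the way a forwarder
might emit them).
  - ATM management VLAN ................. 10.50.0.0/24
  - vendor remote-access segment ........ 10.200.0.0/16
  - MFA bastion, the only sanctioned path into the ATM VLAN: 10.50.0.5
  - vendor AD domain VENDORCORP; bank AD domain BANK
"""
import ipaddress
from dataclasses import dataclass

ATM_VLAN = ipaddress.ip_network("10.50.0.0/24")
VENDOR_SEGMENT = ipaddress.ip_network("10.200.0.0/16")
BASTION = ipaddress.ip_address("10.50.0.5")
VENDOR_DOMAIN = "VENDORCORP"

# Constructed sample events: a vendor service account logging on to an ATM
# management host straight from the vendor segment, a legitimate bank
# operator via the bastion, a vendor-domain admin via the bastion, a failed
# logon, and a vendor logon to an unrelated file server.
SAMPLE_LOGS = """\
ts=2024-03-01T02:14:07Z event_id=4624 host=atm-mgmt-01 host_ip=10.50.0.21 logon_type=3 user=svc-helpdesk domain=VENDORCORP src_ip=10.200.4.17
ts=2024-03-01T02:14:09Z event_id=4624 host=atm-mgmt-01 host_ip=10.50.0.21 logon_type=3 user=ops.mueller domain=BANK src_ip=10.50.0.5
ts=2024-03-01T02:15:31Z event_id=4624 host=atm-mgmt-02 host_ip=10.50.0.22 logon_type=10 user=administrator domain=VENDORCORP src_ip=10.50.0.5
ts=2024-03-01T02:16:00Z event_id=4625 host=atm-mgmt-02 host_ip=10.50.0.22 logon_type=3 user=svc-helpdesk domain=VENDORCORP src_ip=10.200.4.17
ts=2024-03-01T02:18:44Z event_id=4624 host=fileserver-07 host_ip=10.10.3.8 logon_type=3 user=svc-helpdesk domain=VENDORCORP src_ip=10.200.4.17
"""


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    domain: str
    src_ip: str
    reasons: list


def parse_event(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; values in this format contain no spaces."""
    return dict(token.split("=", 1) for token in line.split())


def evaluate(ev: dict) -> list:
    """Return the policy violations for one event (empty list = benign).

    Only successful logons (4624) to hosts inside the ATM VLAN are in
    scope. Two rules encode the redesigned trust relationship:
      bastion_bypass        - the source is not the MFA bastion, so the
                              segmentation has been bypassed
      vendor_domain_account - an account from the vendor's own domain was
                              used on bank ATM infrastructure, which the
                              redesigned model never permits (vendor staff
                              use bank-issued accounts via the bastion)
    """
    reasons = []
    if ev.get("event_id") != "4624":
        return reasons
    if ipaddress.ip_address(ev["host_ip"]) not in ATM_VLAN:
        return reasons
    src = ipaddress.ip_address(ev["src_ip"])
    if src != BASTION:
        where = "vendor segment" if src in VENDOR_SEGMENT else "non-bastion host"
        reasons.append(f"bastion_bypass ({where} {src})")
    if ev.get("domain") == VENDOR_DOMAIN:
        reasons.append("vendor_domain_account")
    return reasons


def detect(log_text: str) -> list:
    """Run the rules over a block of log lines and collect alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = evaluate(ev)
        if reasons:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"],
                                ev["domain"], ev["src_ip"], reasons))
    return alerts


def run_sample() -> list:
    return detect(SAMPLE_LOGS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.host} {a.domain}\\{a.user} from {a.src_ip}: "
              f"{', '.join(a.reasons)}")
```

On the sample data the detector raises two alerts: the direct vendor-segment logon (both rules fire) and the vendor-domain administrator logon that came through the bastion (only the account rule fires). The second case is the one that matters after segmentation is fixed: the bastion alone does not stop cached vendor credentials from being replayed, so the account-origin rule has to stay in place alongside the network rule.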
Banking pentest options compared
| — | Free scan | Matproof Sentinel | Traditional consultancy |
|---|---|---|---|
| Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only |
| OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete |
| Proof-of-exploit evidence | ✗ | ✓ Per finding | ✓ Per finding |
| Regulatory mapping (DORA/NIS2/ISO 27001) | ✗ | ✓ Automated | ✓ Manual |
| Audit-ready PDF report | ✗ | ✓ Instant | ✓ 2–4 weeks delivery |
| Continuous / recurring scans | ✗ | ✓ Per deploy | ✗ Annual engagement |
| Time to first result | ~3 min | ~30 min full scan | 2–4 weeks |
| Price | €0 | From €149 | €8,000–€25,000 |
| Source code review (SAST) | ✗ | ✓ On Growth plan | ✓ Scoped engagement |
| API testing (REST/GraphQL) | ✗ | ✓ Automated | ✓ Manual |
Banking pentest packages
- 1 full pentest scan
- AI-prioritized findings with CVSS 3.1
- Proof-of-exploit per finding
- Audit-ready PDF report
- Regulatory mapping (DORA, NIS2, ISO 27001)
- Unlimited scans (up to 3 domains)
- Continuous monitoring
- CI/CD integration (GitHub, GitLab)
- All regulatory mappings
- Priority support
- Unlimited scans + domains
- Authenticated / White-Box testing
- API & cloud infrastructure tests
- Dedicated security account manager
- 24h SLA response time
Frequently asked questions about banking pentest
Can Matproof Sentinel replace TLPT (DORA Art. 26)?
No. TLPT under Art. 26 is a threat-intelligence-led red-team exercise conducted following the TIBER-EU framework, overseen by the TLPT authority designated for the bank, and performed by testers who meet the Art. 27 requirements; it applies only to the financial entities identified by the authorities under Art. 26(8), in practice significant banks rather than the whole sector. An automated scanning service cannot satisfy that. Matproof Sentinel provides the ongoing baseline testing that DORA Art. 24 and 25 expect of every bank and continuous coverage between triennial TLPT cycles. For designated banks we recommend Matproof Sentinel monthly plus a TIBER-EU compliant TLPT every 3 years.
Is your report accepted by national banking supervisors?
Our technical report is structured for examination by BaFin (DE), ACPR (FR), Banca d'Italia (IT), DNB (NL), Banco de España (ES). It includes explicit mapping to DORA Art. 24/25/26/28, BaFin BAIT (DE), ACPR cybersecurity guidelines (FR), Banca d'Italia Circolare 285/2013 (IT), DNB Goede Praktijk Informatiebeveiliging (NL), and SWIFT CSP CSCF v2024.
Do you test SWIFT-related infrastructure?
Yes, within the bank's own SWIFT environment. We test against the SWIFT CSP CSCF v2024 controls (mandatory and advisory, including 7.3A penetration testing), Alliance Gateway security and message integrity controls. The SWIFT network itself is operated by Swift, which runs the Customer Security Programme (CSP) and its attestation process; we do not test the network, we test your environment's compliance with the controls you attest to.
How do you handle banking sensitive testing — no impact on production?
For sensitive environments (production banking systems), we test against staging environments with identical configuration. For perimeter (internet-facing online banking, mobile API), we run automated scans in semi-intrusive mode with explicit rate limiting and avoid destructive testing (no DoS, no actual fund movement). Our professional liability insurance is €5M.
Do you cover ICT third-party risk testing (Art. 28 DORA)?
Yes, with authorization from your third-party providers. Per Art. 30 DORA, contracts with ICT third-party providers must give the bank and its supervisors rights of access, inspection and audit, and for services supporting critical or important functions the provider must cooperate with the bank's threat-led testing. We coordinate with your vendors for joint testing, or test the vendor-facing perimeter from outside.
Do you support ESG / sustainability cyber reporting?
Yes, our report can be structured for CSRD/ESG reporting where cyber-resilience is a governance disclosure topic. We provide quantitative metrics aligned with the EBA cybersecurity reporting framework.
What's the typical engagement model for banks?
For DORA Art. 24 baseline coverage: monthly Matproof Sentinel automated pentest. For change-driven testing: after major release or architecture change. For DORA Art. 26 TLPT (designated banks only): triennial accredited red-team test. We recommend combining Matproof Sentinel continuous + accredited TLPT periodic.
How fast can you mobilize for an urgent banking pentest?
An automated scan can start within 15 minutes of order, with a full audit-ready report within 24 hours. For incident response (post-breach), we offer an expedited 4-hour scan with same-day preliminary findings (Growth plan).
Audit-ready DORA Art. 24 pentest for banks
First scan in 3 minutes, complete banking pentest in 60-90 minutes with explicit DORA / BAIT / ACPR / Banca d'Italia / DNB mapping. Report from €149.
Start free scan