
TIBER-EU: Threat Intelligence-Based Ethical Red Teaming framework

TIBER-EU is the European Central Bank's framework (2018, v2.0 in 2023) for intelligence-led red teaming of financial institutions. It's the methodological foundation for DORA's mandatory TLPT regime (since 2025), but pre-dates DORA and has been adopted in 12+ national implementations (TIBER-DE, TIBER-NL, TIBER-BE, etc.). This page explains the framework's six phases, the role of test and threat intelligence providers, accreditation processes, costs, and how Matproof Sentinel supports continuous baseline scanning between TIBER engagements.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

Why TIBER-EU matters in 2026

Until DORA, TIBER-EU was voluntary at the EU level, though some national authorities (notably DNB in the Netherlands, BdF/ACPR in France, BaFin/Deutsche Bundesbank in Germany) expected their most critical institutions to take part. From January 17, 2025, the DORA TLPT regime, which is explicitly built on TIBER-EU, became mandatory for designated financial entities across the EU. Even financial entities not designated for mandatory TLPT often perform TIBER-EU exercises voluntarily because: (a) it is the « gold standard » for cyber resilience testing, (b) cyber insurance underwriters increasingly prefer TIBER-tested entities, (c) major counterparties (banks, asset managers) ask about TIBER coverage in their counterparty due diligence questionnaires.

  • TIBER-EU v2.0 (ECB, 2023) is the methodological foundation for DORA TLPT — understanding TIBER is essential for understanding what TLPT requires.
  • 12+ national TIBER implementations exist: TIBER-DE (Bundesbank), TIBER-NL (DNB), TIBER-BE (NBB), TIBER-IT (Banca d'Italia), TIBER-FR (BdF/ACPR), TIBER-IE (CBI), and more.
  • Threat-led: each engagement is built on bespoke threat intelligence specific to the target institution — not generic attack scenarios.
  • Tests live production: TIBER explicitly requires testing on production systems (distinguishing it from standard pentests on staging).
  • Covert: only a small White Team (typically CISO, COO, CIO, plus 1-2 operations leads) knows the test is happening. The Blue Team (SOC, IR) has no foreknowledge, so detection and response are measured as they actually perform.
  • Cross-border: a TIBER engagement at a multinational bank can require coordination with multiple national supervisors and Mutual Recognition arrangements.
  • Pool testing: TIBER permits multiple institutions to coordinate against shared critical third-party providers, splitting costs while maintaining individual test confidentiality.

TIBER-EU phases and Matproof's complementary role

  • Phase 1 — Generic Threat Landscape (weeks -10 to -8): TIBER Cyber Team (TCT) at the national authority publishes a generic threat landscape report for the financial sector.
  • Phase 2 — Specific Threat Intelligence (weeks -8 to -4): Accredited TI provider builds institution-specific threat profile, attacker TTPs, and targeting report.
  • Phase 3 — Red Team Test (weeks 0 to 12): Accredited red team executes covert campaign against production. Multiple flags (« business impact targets ») are agreed in advance.
  • Phase 4 — Closure (weeks 12 to 16): Debrief workshop, lessons learned, remediation plan. Blue Team and Red Team finally meet.
  • Phase 5 — Reporting (weeks 16 to 20): Final report shared with TCT, board, and (under DORA TLPT) competent authority.
  • Phase 6 — Validation (ongoing): Verification that remediation has been implemented. Sometimes a follow-up « retest » of key findings.
  • Where Matproof Sentinel adds value: continuous scanning between TIBER engagements (which DORA Art. 26 requires at least every 3 years for designated entities, and which run less often in voluntary cases). Sentinel keeps baseline hygiene high so TIBER red teams have to find sophisticated issues rather than misconfigurations.
  • Pre-engagement use: Sentinel reports can inform the Threat Intelligence phase by showing what's externally visible/known — helping the TI provider build a more realistic attacker view.
  • Important boundary: Matproof Sentinel is NOT a TIBER-EU accredited provider. We do not perform TIBER engagements. We provide complementary continuous coverage.

Sample finding

Info

Example TIBER campaign: ATM network compromise via third-party maintenance vendor

Anonymized TIBER-DE engagement at a European retail bank (2023). Red team identified that ATM maintenance was outsourced to a third-party vendor with admin access to the bank's ATM management network. The vendor's helpdesk system had a 2-year-old unpatched RCE vulnerability. Red team exploited the helpdesk, pivoted to the vendor's domain controller, used cached credentials to access the bank's ATM VLAN, and demonstrated capability to remotely cash-dispense from ATMs — without ever directly compromising the bank's perimeter. Total time from initial access to ATM control: 6 weeks.

Fix: TIBER findings drive systemic change: (a) vendor risk management overhaul — Art. 28 DORA-style critical third-party register with continuous monitoring of vendor security posture, (b) network segmentation review — direct vendor access to ATM VLAN eliminated, replaced with gated bastion hosts, (c) joint TIBER exercises with critical vendors going forward (pool testing under TIBER-EU framework), (d) detection rule additions for the specific lateral movement pattern. Importantly, the « fix » is not just patching the helpdesk RCE — it's redesigning the trust relationship with the vendor.

Reference: TIBER-EU Framework v2.0 (ECB) · DORA Art. 28 (Third-party risk) · MITRE ATT&CK T1078.002 Valid Accounts — Domain Accounts
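Item (d) of the fix above, a detection rule for the specific lateral movement pattern, is the piece a SOC can implement directly. What follows is an added illustration written for this page, not code from the engagement, the bank or Matproof: a minimal rule in Python that flags a successful remote logon by an account from the vendor's domain onto a host in the ATM management VLAN from any source other than the gated bastion host (T1078.002, a valid domain account used off its sanctioned path). The VLAN range, bastion address, vendor domain name and the pipe-delimited log format are assumptions, and the sample events are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed network layout for the illustration (not from the engagement write-up):
ATM_MGMT_VLAN = ipaddress.ip_network("10.50.0.0/24")      # ATM management VLAN
BASTION_HOSTS = {ipaddress.ip_address("10.10.1.5")}        # gated bastion host for vendor access
VENDOR_DOMAINS = {"VENDORCORP"}                             # NetBIOS domain of the maintenance vendor

# Windows Security log semantics used by the rule
EVENT_LOGON_SUCCESS = 4624
REMOTE_LOGON_TYPES = {3, 10}   # 3 = network (SMB/WinRM), 10 = RemoteInteractive (RDP)


@dataclass(frozen=True)
class LogonEvent:
    timestamp: str
    event_id: int
    logon_type: int
    domain: str
    user: str
    src_ip: ipaddress.IPv4Address
    dst_ip: ipaddress.IPv4Address


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed log line: ts|event_id|logon_type|DOMAIN\\user|src_ip|dst_ip."""
    ts, eid, ltype, account, src, dst = line.strip().split("|")
    domain, user = account.split("\\", 1)
    return LogonEvent(ts, int(eid), int(ltype), domain.upper(), user,
                      ipaddress.ip_address(src), ipaddress.ip_address(dst))


def is_unbastioned_vendor_logon(ev: LogonEvent) -> bool:
    """True when a vendor-domain account successfully reaches the ATM VLAN
    over the network from anything other than the bastion host."""
    return (ev.event_id == EVENT_LOGON_SUCCESS
            and ev.logon_type in REMOTE_LOGON_TYPES
            and ev.domain in VENDOR_DOMAINS
            and ev.dst_ip in ATM_MGMT_VLAN
            and ev.src_ip not in BASTION_HOSTS)


def detect(lines):
    """Run the rule over log lines and return one alert dict per match."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_unbastioned_vendor_logon(ev):
            alerts.append({
                "timestamp": ev.timestamp,
                "account": f"{ev.domain}\\{ev.user}",
                "src_ip": str(ev.src_ip),
                "dst_ip": str(ev.dst_ip),
                "technique": "T1078.002",
                "reason": "vendor domain account reached ATM management VLAN bypassing bastion",
            })
    return alerts


# Constructed sample events (not real telemetry): one legitimate bastion-mediated
# session, one direct hop from the vendor network into the ATM VLAN, and noise.
SAMPLE_LOG = [
    "2023-09-04T02:11:07Z|4624|10|VENDORCORP\\svc_atm_maint|10.10.1.5|10.50.0.21",
    "2023-09-04T02:14:33Z|4624|3|VENDORCORP\\svc_atm_maint|192.168.77.14|10.50.0.21",
    "2023-09-04T02:15:02Z|4624|3|BANK\\j.smith|10.20.3.8|10.50.0.22",
    "2023-09-04T02:16:45Z|4625|3|VENDORCORP\\svc_atm_maint|192.168.77.14|10.50.0.23",
    "2023-09-04T02:20:11Z|4624|3|VENDORCORP\\helpdesk_admin|192.168.77.14|10.20.3.8",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Only the second sample line fires: the bastion-mediated RDP session, the bank-domain logon, the failed logon (4625) and the vendor logon to a non-ATM host are all ignored. Against a real Windows Security log export the rule needs a mapping from the native fields (IpAddress, LogonType, TargetDomainName, the receiving computer) to the fields above, but the logic is the point: once direct vendor access is removed, any vendor session that lands in the ATM VLAN without traversing the bastion is by definition a policy violation, so the rule carries a low false-positive rate.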

TIBER-EU vs other testing frameworks

Capability | Free scan | Matproof Sentinel | Traditional consultancy
Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only
OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete
Proof-of-exploit evidence | — | ✓ Per finding | ✓ Per finding
Regulatory mapping (DORA/NIS2/ISO 27001) | — | ✓ Automated | ✓ Manual
Audit-ready PDF report | — | ✓ Instant | ✓ 2–4 weeks delivery
Continuous / recurring scans | — | ✓ Per deploy | ✗ Annual engagement
Time to first result | ~3 min | ~30 min full scan | 2–4 weeks
Price | €0 | From €149 | €8,000–€25,000
Source code review (SAST) | — | ✓ On Growth plan | ✓ Scoped engagement
API testing (REST/GraphQL) | — | ✓ Automated | ✓ Manual

Continuous coverage between TIBER cycles

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)
Recommended
Starter
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support
Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about TIBER-EU

Is TIBER-EU mandatory?

TIBER-EU itself is a framework, not a regulation. However, DORA Article 26 (applicable from January 17, 2025) makes TLPT mandatory for designated financial entities, and TLPT is methodologically built on TIBER-EU. Effectively: if you are designated for TLPT, you are doing TIBER-EU in all but name. National authorities can additionally ask for TIBER from specific entity types; DNB in the Netherlands, whose TIBER-NL programme predates the EU framework, has been the most active in this regard.

What's the difference between TIBER-EU and the national TIBER implementations?

TIBER-EU is the framework published by ECB. National implementations (TIBER-DE, TIBER-NL, TIBER-BE, etc.) are local adaptations that specify: which national authority hosts the TIBER Cyber Team (TCT), which entities are in scope, accreditation processes for providers, cross-border test coordination. The core methodology is consistent across implementations — Mutual Recognition agreements ensure a TIBER engagement at a multinational bank doesn't have to be repeated in each country.

Who are the accredited TIBER-EU test providers?

TIBER-EU does not run a central accreditation scheme. Minimum requirements for red team and threat intelligence providers are set out in the TIBER-EU Services Procurement Guidelines, and the national TCT (typically at the central bank) checks that the providers an entity selects meet them; « accredited » in practice means a provider that has demonstrated this in a given jurisdiction. Providers commonly engaged for red teaming across the EU include: NCC Group, F-Secure (now WithSecure), Mandiant, KPMG Threat Intelligence, BDO, Trustwave SpiderLabs, Deloitte (in some jurisdictions). Where a national TCT publishes a list of recognised providers, that list is the authoritative source for its jurisdiction. For threat intelligence, common providers include: Mandiant, CrowdStrike, Recorded Future, S2W, Group-IB.

How much does a TIBER engagement cost?

Typical 2025 pricing for a full TIBER engagement: €150,000–€500,000. Breakdown: generic threat landscape phase is included in TCT supervisory cost (no entity fee). Specific TI phase €30,000–€150,000. Red team phase €100,000–€350,000. Some entities lower costs through Pool Testing (multiple institutions sharing red team engagement against a common critical third party). Costs are higher than standard penetration tests because: (1) live production testing risk premium, (2) extended duration, (3) accreditation/insurance overhead for providers.

How long does a TIBER engagement take?

End-to-end: 20-24 weeks. Generic threat landscape: pre-existing (TCT publishes annually). Specific threat intelligence: 4 weeks. Red team execution: 12 weeks (this is the « test window »). Closure and debrief: 4 weeks. Reporting: 4 weeks. The 12-week red team window is what's typically referred to colloquially as « the TIBER test » but it's only one phase.

Can a financial entity outside the EU do TIBER-EU?

TIBER-EU as a framework is published openly and can be voluntarily adopted by any financial entity worldwide. However, official « TIBER-EU » branded engagements (with TCT oversight, recognised providers, Mutual Recognition) require involvement of a TIBER Cyber Team at an EU national authority. Several non-EU jurisdictions have adopted similar frameworks: CBEST (UK, Bank of England), iCAST (Hong Kong, HKMA), CORIE (Australia, Council of Financial Regulators), GLEAM (Saudi Arabia). These are interoperable in spirit but require separate formal engagements.

Can Matproof Sentinel substitute for a TIBER engagement?

No. TIBER and Matproof Sentinel serve different purposes. TIBER simulates a sophisticated, sustained, intelligence-led adversary over months. Matproof Sentinel performs continuous, automated, technical scanning: it finds known vulnerability classes quickly and at scale. The two complement each other: Sentinel runs daily to keep your hygiene high, TIBER runs at least every 3 years to test resilience against advanced adversaries. Substituting Sentinel for TIBER would not satisfy DORA Art. 26 if you are designated for TLPT.

What's the relationship between TIBER-EU and SREP/SSM cyber exercises?

Different. The SSM (Single Supervisory Mechanism) cyber exercises are supervisory stress tests conducted by ECB Banking Supervision on directly supervised banks; they test crisis response and decision-making, not technical defenses (the 2024 cyber resilience stress test is the most recent example). TIBER-EU tests technical and detection-response capabilities through realistic adversarial simulation. A typical large bank may be subject to both: SSM cyber exercises whenever ECB Banking Supervision runs them, TIBER (now TLPT) at least every 3 years. Findings from each feed into the SREP (Supervisory Review and Evaluation Process) but they are separate exercises.


Stay TIBER-ready year-round with continuous scanning

TIBER engagements happen at most every few years. Attackers don't wait. Run a free Matproof Sentinel scan to see what's exposed right now, and to make your TIBER red team work harder.
