
TLPT — Threat-Led Penetration Testing under DORA Article 26

TLPT (Threat-Led Penetration Testing) is the most rigorous form of cyber testing required under DORA — mandatory every 3 years for financial entities designated by their competent authority. Built on the TIBER-EU framework, TLPT engages an accredited red team to simulate sophisticated, real-world threat actors against live production systems. This page explains the scope, methodology, RTS requirements (Commission Delegated Regulation 2024/1774), accredited providers, and how Matproof Sentinel supports continuous testing between TLPT cycles.

Written by Malte Wagenbach
Founder of Matproof Security. Specialized in AI-driven penetration testing and EU compliance (DORA, NIS2, ISO 27001, SOC 2).
Last reviewed: May 17, 2026

What TLPT is — and what it isn't

TLPT is fundamentally different from a standard penetration test. A standard pentest examines a defined scope using known testing methodologies — it tells you what's broken. TLPT simulates an actual adversary: dedicated threat intelligence builds attacker profiles specific to your institution, then an accredited red team executes a covert campaign against live production systems with the explicit goal of achieving pre-defined business impact (e.g., access to customer data, disruption of payment systems, manipulation of regulatory reporting). It tests not just technical controls but the entire detection-response chain: SOC vigilance, incident response procedures, escalation paths, and even board-level decision-making under pressure. Only a narrow population of financial entities is required to conduct TLPT — typically G-SIBs, central counterparties, central securities depositories, and entities whose disruption could pose systemic risk. Other entities can voluntarily perform TLPT as a defensive maturity exercise.

  • DORA Article 26 + Commission Delegated Regulation (EU) 2024/1774 (RTS on TLPT) mandate TLPT at least every 3 years for in-scope financial entities, designated by competent authorities.
  • Scope must cover all critical or important functions and supporting ICT systems — not just internet-facing infrastructure.
  • Tests are conducted on LIVE PRODUCTION systems, not staging — this distinguishes TLPT from standard pentests.
  • Threat intelligence phase precedes the red team phase — typically 4-6 weeks of TI work building attacker profiles, TTPs, and bespoke campaign plans.
  • Red team phase typically runs 12 weeks of covert testing — only a tiny « White Team » inside the institution is aware tests are happening.
  • Mandatory pooled testing: TLPT must include critical third-party ICT service providers if their disruption would materially affect the entity.
  • Cost range: €150,000–€500,000 per TLPT cycle (3-year cadence). Test providers AND threat intelligence providers must be accredited.

TLPT lifecycle and Matproof's role

  • Preparation phase (weeks -8 to -2) — White Team formed, scope defined (« critical and important functions » per DORA Art. 8), legal agreements, communication protocols.
  • Threat intelligence phase (weeks -6 to -2) — accredited TI provider profiles adversaries, develops attacker personas, builds bespoke TTP playbook. Output: TLPT « Threat Intelligence Targeting Report ».
  • Red team phase (weeks 0 to 12) — accredited red team executes covert campaign against production. Initial access vectors include phishing, supply chain, exposed services, insider scenarios.
  • Detection-response observation — Blue Team (SOC, IR) operates without knowing tests are underway. White Team observes detection rates, response time, escalation accuracy.
  • Closure phase (weeks 12-16) — debrief workshop with Blue Team, lessons learned, remediation roadmap. White Team and Blue Team finally meet.
  • Reporting (weeks 16-20) — final TLPT report to competent authority, including remediation plan with timelines.
  • Where Matproof Sentinel fits — Sentinel does NOT replace TLPT. It provides continuous baseline coverage between 3-year cycles: surface scans, OWASP testing, supply chain monitoring. This keeps your « easy wins » findings cleaned up so the TLPT red team is forced to use sophisticated techniques (raising the realism and value of the test).
  • Between-cycle preparation — Matproof Sentinel reports can serve as input to the TLPT scoping phase, showing the White Team what's already known vs. what would be novel for the red team to discover.
  • Critical: Matproof Sentinel is NOT an accredited TLPT provider. We do not perform TLPT engagements. We complement them.

Sample finding (severity: Info)

Example TLPT-style finding: full attack chain from phishing to wire transfer authorization

A real TLPT campaign at a Tier 2 European bank achieved this chain over a 9-week window: (1) Spear-phishing campaign targeting 24 employees with finance/treasury access — 3 clicked, 1 entered credentials; (2) MFA bypass using session hijacking via cloned auth portal; (3) Persistence via OAuth refresh token in target's M365 tenant; (4) Lateral movement to payments engineer via Teams; (5) Discovery of SWIFT terminal access procedures in OneNote; (6) Social engineering of a treasury operator under pretext of « audit drill »; (7) Successful initiation of a €50K test wire transfer (intercepted before execution per pre-agreed safety net). Detection by SOC happened only at step 7, despite numerous signals in steps 1-6.

Fix: TLPT findings are not « fixed » individually — they drive systemic improvements: (a) phishing-resistant authentication (FIDO2 hardware keys for high-risk roles), (b) SOC playbook updates for new attacker TTPs identified, (c) treasury procedure changes (verbal verification protocol, segregation of duties), (d) detection rule additions for the specific OAuth refresh token persistence pattern observed. Findings are typically classified by ECB on a 5-point scale (negligible to critical) and remediation timelines are agreed with the competent authority.

Reference: DORA Art. 26 · Commission Delegated Regulation 2024/1774 (RTS on TLPT) · TIBER-EU Framework v2.0 · MITRE ATT&CK Enterprise
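Remediation item (d) above calls for a detection rule covering the OAuth refresh-token persistence pattern. The following is an added example written for this page, not Matproof's code or a Sentinel rule: it scores consent grants to tenant applications by whether they hand the app a refresh-token-bearing or broad scope, whether the app is on an approval list, and whether the consenting session comes from an address the user had not used before. The event schema, application IDs, scope selection, IP addresses and timestamps are all constructed for the example and are not the real Microsoft Entra or M365 log format.

```python
"""Detection logic for the OAuth refresh-token persistence pattern.

Added example, not Matproof's code or a product rule. The events below use a
simplified, constructed schema and are NOT real Microsoft Entra / M365 logs;
app IDs, scope lists and IP addresses are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Delegated permissions that hand an app a long-lived refresh token
# (offline_access) or broad mailbox/file reach. Hypothetical tuning list.
RISKY_SCOPES = {"offline_access", "Mail.ReadWrite", "Files.ReadWrite.All"}

# Apps the tenant has reviewed and approved (hypothetical allowlist).
APPROVED_APPS = {"app-corp-crm"}

# A consent from an IP the user first used less than this long ago (or never
# used in a sign-in) counts as "new": the hijacked-session case in the finding.
NEW_IP_WINDOW = timedelta(hours=2)


@dataclass
class Event:
    ts: datetime
    kind: str          # "signin" or "consent"
    user: str
    ip: str
    app_id: str = ""
    scopes: tuple = ()


def consent_alerts(events):
    """Return alerts for consents that grant risky scopes to non-approved apps.

    Severity is "high" when the consenting session comes from an IP the user
    had not signed in from before NEW_IP_WINDOW ago, "medium" otherwise.
    """
    first_seen = {}   # (user, ip) -> timestamp of the first sign-in seen
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "signin":
            first_seen.setdefault((e.user, e.ip), e.ts)
            continue
        if e.kind != "consent" or e.app_id in APPROVED_APPS:
            continue
        risky = sorted(RISKY_SCOPES.intersection(e.scopes))
        if not risky:
            continue
        since = first_seen.get((e.user, e.ip))
        new_ip = since is None or e.ts - since < NEW_IP_WINDOW
        alerts.append({
            "ts": e.ts.isoformat(),
            "user": e.user,
            "app_id": e.app_id,
            "risky_scopes": risky,
            "ip": e.ip,
            "new_ip": new_ip,
            "severity": "high" if new_ip else "medium",
        })
    return alerts


# Constructed sample events (arbitrary date; TEST-NET address for the
# unfamiliar session).
T = datetime(2025, 3, 4)
SAMPLE_EVENTS = [
    # alice: routine office sign-ins, then a sign-in from an unfamiliar address
    # followed minutes later by consent to an unknown mail-sync app.
    Event(T - timedelta(days=1, hours=16), "signin", "alice", "10.0.0.5"),
    Event(T + timedelta(hours=8), "signin", "alice", "10.0.0.5"),
    Event(T + timedelta(hours=12, minutes=40), "signin", "alice", "203.0.113.77"),
    Event(T + timedelta(hours=12, minutes=52), "consent", "alice", "203.0.113.77",
          "app-mail-sync-x", ("offline_access", "Mail.ReadWrite")),
    # bob: consent to the approved CRM app from his usual address -> no alert.
    Event(T + timedelta(hours=8, minutes=5), "signin", "bob", "10.0.0.9"),
    Event(T + timedelta(hours=9), "consent", "bob", "10.0.0.9",
          "app-corp-crm", ("offline_access",)),
    # carol: unknown app, but only User.Read -> no refresh-token scope, no alert.
    Event(T + timedelta(hours=8, minutes=10), "signin", "carol", "10.0.0.12"),
    Event(T + timedelta(hours=10), "consent", "carol", "10.0.0.12",
          "app-notes-helper", ("User.Read",)),
    # dave: unknown app with offline_access from a long-known address -> medium.
    Event(T - timedelta(days=10), "signin", "dave", "10.0.0.21"),
    Event(T + timedelta(hours=11), "consent", "dave", "10.0.0.21",
          "app-pdf-tool", ("offline_access",)),
]

if __name__ == "__main__":
    for a in consent_alerts(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["user"], a["app_id"],
              a["risky_scopes"], "new_ip=%s" % a["new_ip"])
```

Run against the constructed events, the rule raises a medium alert for dave (unknown app, refresh-token scope, familiar address) and a high alert for alice (same pattern, but the consent follows a sign-in from an address first seen twelve minutes earlier), while the approved CRM app and a User.Read-only consent produce nothing. In a real tenant the allowlist, the scope set and the new-IP window are the tuning knobs; the structural point is that consent events must be correlated with the user's sign-in history, since the consent on its own looks legitimate.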

TLPT vs other pentest types

Capability | Free scan | Matproof Sentinel | Traditional consultancy
Automated scan engine | ✓ (3-min preview) | ✓ Full scan | ✗ Manual only
OWASP Top 10 coverage | Partial | ✓ Complete | ✓ Complete
Proof-of-exploit evidence | not included | ✓ Per finding | ✓ Per finding
Regulatory mapping (DORA/NIS2/ISO 27001) | not included | ✓ Automated | ✓ Manual
Audit-ready PDF report | not included | ✓ Instant | ✓ 2–4 weeks delivery
Continuous / recurring scans | not included | ✓ Per deploy | ✗ Annual engagement
Time to first result | ~3 min | ~30 min full scan | 2–4 weeks
Price | €0 | From €149 | €8,000–€25,000
Source code review (SAST) | not included | ✓ On Growth plan | ✓ Scoped engagement
API testing (REST/GraphQL) | not included | ✓ Automated | ✓ Manual

Where Matproof fits in the TLPT ecosystem

Single Run
€149 one-time
  • 1 full pentest scan
  • AI-prioritized findings with CVSS 3.1
  • Proof-of-exploit per finding
  • Audit-ready PDF report
  • Regulatory mapping (DORA, NIS2, ISO 27001)
Starter (recommended)
€299 / month
  • Unlimited scans (up to 3 domains)
  • Continuous monitoring
  • CI/CD integration (GitHub, GitLab)
  • All regulatory mappings
  • Priority support
Growth
€799 / month
  • Unlimited scans + domains
  • Authenticated / White-Box testing
  • API & cloud infrastructure tests
  • Dedicated security account manager
  • 24h SLA response time

Frequently asked questions about TLPT

Is my financial entity required to perform TLPT?

Not all entities are. Under Article 26(8) DORA, only entities designated by their national competent authority must perform TLPT — typically based on size, criticality, and systemic importance. The European Supervisory Authorities (ESAs) published « common selection criteria » in 2024 to harmonize national designations. Typical mandatory population: G-SIBs, large central counterparties (CCPs), large central securities depositories (CSDs), major payment institutions, large insurance groups. Smaller financial entities can voluntarily perform TLPT to demonstrate maturity.

How often is TLPT required?

At least every 3 years for designated entities (DORA Art. 26(2)). Competent authorities can require more frequent testing if justified by risk profile. Each TLPT cycle includes preparation, threat intelligence, red team execution, and closure phases — typically 12-16 weeks of active testing plus 4-8 weeks of preparation and reporting.

Who can perform TLPT tests?

Only accredited providers per the RTS on TLPT (Commission Delegated Regulation 2024/1774). The accreditation criteria include: 5+ years of relevant red-team experience, minimum team size, certifications (CRT, CCT, CESG), professional indemnity insurance, clean background checks for testers. Two separate accreditations exist: « test provider » (red team) and « threat intelligence provider » (TI). Lists of accredited providers are maintained by competent authorities — for the EU, ECB maintains the central register.

What's the difference between TLPT and TIBER-EU?

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming, ECB 2018) is the methodological framework. TLPT (Threat-Led Penetration Testing under DORA, 2024) is the mandatory implementation built on TIBER-EU. Functionally they're nearly identical. The key shift: under DORA, TLPT is mandatory by regulation for designated entities; previously TIBER was voluntary or required by national supervisors at their discretion. The RTS on TLPT formalizes scope, accreditation, reporting, and threshold criteria — but methodologically it still derives from TIBER-EU v2.0.

What does TLPT cost?

Typical pricing 2025: €150,000–€500,000 per TLPT cycle. Approximate breakdown: threat intelligence phase 20-30 % of total (€30k-150k), red team phase 60-70 % of total (€100k-350k), management and reporting 10-15 %. Pricing varies with entity size, scope complexity, third-party scope inclusion, and number of critical systems. Multi-day workshops with the White Team add overhead. Some entities pool TLPT costs through joint testing arrangements permitted by Art. 26(4) DORA.

Can Matproof Sentinel be part of a TLPT?

Not directly as a test provider — Matproof Sentinel is not an accredited TLPT provider per the RTS. However, Sentinel provides significant value adjacent to TLPT: (1) baseline scanning to ensure surface vulnerabilities are remediated before TLPT engagement, raising the difficulty (and therefore realism) of the red team test, (2) continuous monitoring between 3-year cycles, (3) input to the scoping phase showing the White Team what's already known about the attack surface. Many entities use Sentinel year-round and engage an accredited TLPT provider once per cycle.

What happens to TLPT findings? Are they shared with regulators?

Yes. TLPT reports must be shared with the competent authority (DORA Art. 26(6)). The report includes: scope, methodology, summary findings, criticality ratings, and a remediation plan with timelines. Competent authorities use TLPT findings to (a) verify resilience claims in regular supervision, (b) identify systemic patterns across the financial sector, (c) enforce remediation where the entity's own plan is deemed insufficient. TLPT findings are NOT typically published publicly — they're shared bilaterally with the supervisor.

How should we prepare for our first TLPT?

Start 12+ months before the expected testing window. Steps: (1) Clean up surface vulnerabilities via continuous scanning (Matproof Sentinel or equivalent) — eliminates low-hanging fruit. (2) Conduct internal red team exercises or commission a smaller-scale « TIBER-lite » to test SOC capabilities. (3) Update incident response playbooks based on results. (4) Form your White Team early — typically CISO, CIO, COO, and a small operations team. (5) Engage accredited providers 6+ months ahead — they have limited capacity. (6) Brief the board on what to expect during the testing window (« We are about to be attacked. Trust the White Team »).


Get baseline coverage between your TLPT cycles

TLPT happens every 3 years. Threats happen every day. Run a free Matproof Sentinel scan to see what's exposed right now — and to make sure your TLPT red team has to work hard for its findings.
