Threat Intelligence-Led Penetration Testing (TLPT)
DORA. TIBER-EU. CBUAE. SAMA. The Mandates Are in Force. The Evidence Package Starts Here.
Regulators across Europe, the GCC, and Africa no longer accept generic annual penetration tests as evidence of operational resilience. The standard has moved. Significant financial institutions, critical infrastructure operators, and systemically important entities are now required to conduct penetration testing that is built on real threat intelligence, executed by certified independent testers, and documented to evidentiary standards that satisfy regulatory review.
Evaluris delivers end-to-end TLPT engagements — from threat intelligence profiling to final regulatory-submission evidence package — aligned to DORA Article 26, TIBER-EU, and the equivalent frameworks governing financial institutions across the GCC and Africa.
What Makes TLPT Different From Penetration Testing
A conventional penetration test applies standard methodology against your environment and finds what it finds. Threat intelligence-led penetration testing begins with a different question: given who you are, where you operate, what systems you run, and which threat actors have a documented history of targeting organizations like yours — what would a real adversary actually do to you?
TLPT answers that question by building your attack scenarios from real threat intelligence. The TTPs tested are not selected from a generic framework checklist. They are selected from an intelligence-driven profile of the specific adversary groups, campaigns, and attack patterns most relevant to your organization — producing test results that reflect your real-world threat exposure, not an idealized methodology.
DORA Article 26 requires that TLPT be conducted by certified, insured, independent testers who can demonstrate that their methodology satisfies the EBA RTS standards. Evaluris engagements are structured to produce documentation that meets that bar.
TLPT Under DORA Article 26
The Digital Operational Resilience Act (DORA) entered full application in January 2025. For significant financial entities in the EU — banks, insurers, investment firms, payment processors, and their critical ICT third-party providers — DORA Article 26 mandates:
- Threat-led penetration testing every three years at minimum
- Execution by certified, independent, insured testers meeting EBA RTS competency standards
- A Threat Intelligence phase conducted prior to testing, informing attack scenario design
- Coverage of live production systems — not sandboxed environments
- A complete evidence package including threat intelligence report, test scope documentation, execution records, and remediation evidence
- Regulator notification before commencement and result reporting after completion
Evaluris TLPT engagements produce every component of that evidence package to the standard DORA and the EBA RTS require.
TLPT Under TIBER-EU
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for intelligence-led red team testing of financial market infrastructure. Evaluris TIBER-EU engagements follow the three-phase structure:
Preparation Phase — scope definition, tester accreditation validation, and regulator notification.
Threat Intelligence Phase — production of a Targeted Threat Intelligence (TTI) report profiling your organization's specific threat landscape. Identifies the threat actors, campaigns, and TTPs most likely to be deployed against you based on your sector, geography, technology stack, and publicly known operational profile.
Red Team Phase — red team engagement constructed around the TTI findings, testing whether your organization's defenses would detect and contain the specific attack patterns identified in the intelligence phase.
GCC Framework Coverage
CBUAE (UAE): Annual independent VAPT mandatory for licensed financial institutions. TLPT-standard engagements for Tier 1 institutions.
VARA (UAE): Security testing required before every new system or product launch. Red team exercises for licensed virtual asset service providers.
SAMA (Saudi Arabia): Biannual penetration testing with evidence submission to senior management. Advanced red team requirements for systemically important institutions.
CBB (Bahrain): Annual penetration testing with formal report submission to the regulator by fixed dates. TLPT-equivalent requirements for significant entities.
QCB (Qatar): Annual independent penetration testing with regulator evidence requirements.
CBK CORF 2025 (Kuwait): Mandatory testing extended to APIs, IoT, and open banking infrastructure from December 2025.
Compliance Alignment
| Framework | Jurisdiction | Requirement |
|---|---|---|
| DORA Art. 26 | EU | TLPT every 3 years; live production systems |
| TIBER-EU | EU / ECB | Intelligence-led red team; 3-phase structure |
| CBEST | UK | CREST-aligned intelligence-led testing |
| iCAST | Hong Kong | Intelligence-led cyber attack simulation testing |
| CBUAE | UAE | Annual VAPT + TLPT for Tier 1 |
| SAMA | Saudi Arabia | Biannual + advanced red team |
| VARA | UAE | Pre-launch + ongoing red team |
| CBB | Bahrain | Annual with regulator submission |
| FSCA/PA Joint Standard 2 | South Africa | Annual for internet-facing systems (binding June 2025) |
Deliverables
- Targeted Threat Intelligence (TTI) Report — sector-specific, organization-specific threat actor profiling and attack scenario design rationale
- TLPT Scope Documentation — defined engagement scope aligned to regulatory requirements
- Red Team Execution Record — complete immutable audit trail of all actions taken during the engagement
- Findings Report — vulnerabilities and detection gaps identified during execution, CVSS-scored and MITRE ATT&CK-mapped
- Remediation Evidence Record — documentation of remediation actions for regulatory evidence package
- Regulatory Submission Package — compiled evidence documentation formatted for submission to the applicable regulator
- Executive Summary — board and regulator-ready narrative of engagement outcomes
- Retest Window — post-remediation verification and evidence update
Ready to scope this engagement?
Tell us about your environment, regulatory drivers, and timeline. We will align methodology, scope, and evidence requirements before testing begins.