Glossary
What Is TLPT?
TLPT (Threat-Led Penetration Testing) is the EU-mandated category of advanced penetration testing for significant financial entities under DORA Articles 26-27. It's a red-team-style exercise informed by current threat intelligence, conducted on live production systems, performed by certified external testers, and required at least every three years.
How TLPT differs from regular pentesting
| | Standard pentest (DORA Art. 24) | TLPT (DORA Art. 26-27) |
|---|---|---|
| Who | All in-scope entities | Significant entities only |
| Frequency | At least annually | At least every 3 years |
| Scope | ICT supporting critical functions | Critical functions on live production |
| Method | Penetration testing | Red team + threat intelligence |
| Tester | Internal or external | Certified external testers |
How TICTF/TIBER-EU relates
TLPT is modelled on TIBER-EU (Threat Intelligence-based Ethical Red Teaming), an ECB framework already used by several national central banks. Most TLPT implementations will follow TIBER-EU's three phases: Generic Threat Landscape report → Targeted Threat Intelligence → Red Team Test → Closure (purple-teaming and remediation).
Does SQUR do TLPT?
No. SQUR covers DORA Article 24 (annual testing including penetration testing). TLPT requires external threat-intelligence providers, certified red-team testers, and testing on live production systems — a fundamentally different engagement model. We refer significant-entity TLPT engagements to specialist firms.
Frequently asked questions
Who is a "significant financial entity" under DORA?
Defined by ECB/EBA criteria including size, systemic importance, complexity, and interconnectedness. The exact list is built per supervisory authority. If you're a large bank, a globally-systemic insurer, or a CCP/CSD, you're likely in scope. Smaller institutions may be designated significant by their NCAs.
Can we do TLPT in-house?
No. Articles 26-27 require external certified testers and external threat-intelligence providers. The certified-tester requirement specifically excludes the entity's own staff, or anyone with a conflict of interest, from being on the red team.