Tested against the threat that’s actually coming for you.
Most testing asks whether you can be broken into. Threat-led penetration testing asks a sharper question: could the specific adversaries who target your industry reach what matters most — and would you even notice? For regulated financial firms, it’s now the law.
Intelligence first. Then the attack.
A standard pen test works from a scope. Threat-led penetration testing (TLPT) works from real threat intelligence: who would actually come for a firm like yours, what they’re after, and how they operate. A red team then emulates those specific adversaries against your live production systems, across technology, people and process, while your defenders are none the wiser.
It tests the whole chain, not a checklist: can they get in, move, and reach the crown jewels, and would your team catch them in time? It’s the closest thing to a real attack you can run on purpose.
Standard pen test vs threat-led.
A standard pen test answers “where am I vulnerable?” Threat-led testing answers a harder pair of questions: would the people actually coming for me get in, and would I notice?
- Works from an agreed scope
- Tests for known classes of weakness
- Often against staging, time-boxed
- Measures what’s vulnerable
- Works from real threat intelligence
- Emulates the specific adversaries who target you
- Against live production, end to end
- Measures whether you’d detect and respond
DORA made it mandatory.
The Digital Operational Resilience Act (DORA) is EU regulation that came into force on 17 January 2025. It sets one rulebook for how financial firms manage technology and cyber risk, and it requires the most significant entities to prove their resilience with advanced testing. In practice, that means threat-led penetration testing, at least every three years, following the TIBER-EU framework.
Banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, and the critical technology providers they depend on. Not every entity must run TLPT; regulators identify the significant ones. But DORA raises the bar for all of them.
TIBER-EU, CBEST, and the rest.
Threat-led testing isn’t new. Regulators have run it for years under named frameworks. They differ in the detail, but share one shape: real intelligence, a controlled red team against production, measured by how well you detect and respond.
TIBER-EU
The framework for intelligence-led red teaming across the EU, and the basis DORA points to for threat-led testing. National versions (TIBER-DE, TIBER-NL, TIBER-IE and others) tailor it to each country.
CBEST
The UK’s framework for intelligence-led testing of financial firms: one of the originals, and the model much of this approach is built on.
And beyond
Frameworks like CORIE (Australia) and iCAST (Hong Kong) follow the same idea: real intelligence, a controlled red team, measured against your ability to detect and respond.
Three phases, tightly controlled.
- 01
Threat intelligence
We build a picture of the adversaries who would realistically come for an organisation like yours (who they are, what they want, how they operate) and turn it into the scenarios worth emulating.
- 02
Red team
Operators emulate those specific adversaries end to end against your live systems, by hand, under strict rules of engagement, with only a small control group aware it’s happening.
- 03
Purple & close
We replay every move with your defenders, turning each attack into a detection you keep, and hand you a clear, prioritised path to closing the gaps.
Throughout, it’s safe by design: scoped, rules-bound, and run so a controlled test never becomes a real outage.