Security check

DORA TLPT: threat-led penetration testing, concretely

DORA introduces requirements for threat-led penetration testing (TLPT) for the most critical financial entities. We explain what the requirement means and help you build the continuous attack-surface and vulnerability foundation that makes the tests meaningful.

Run a free domain scan All checks β†’
Relates to: DORA Β· art. 26–27 β€” advanced testing (TLPT) TIBER-EU Β· framework for threat-led testing NIS2 Β· art. 21 β€” testing

What we check

We explain DORA's advanced testing requirement: threat-led penetration testing (TLPT) under the TIBER-EU model, how often it's required, who's covered, and β€” most importantly for most β€” how you build the continuous attack-surface, exposure and vulnerability picture that a meaningful TLPT builds on.

Why it matters

TLPT is the heaviest test form in DORA and required only of certain entities, but the direction applies to all: testing should be threat-led and recurring, not an annual checkbox. A continuous picture of your real attack surface is the foundation for both TLPT and ongoing risk management.

How Security Guru tests it

Common mistakes

  • Assuming an annual pentest is enough for DORA's testing requirement
  • Lacking a current picture of the attack surface the test starts from
  • Testing disconnected from the current threat picture and intel
  • No follow-up that findings are actually fixed between tests

What you get in the report

  • Whether and when the TLPT requirement affects you
  • Current attack surface and exploitability-prioritised findings
  • Input for scoping a threat-led test
  • Recommended continuous foundation between formal tests

FAQ

Do you perform TLPT yourselves?

We deliver the continuous attack-surface and vulnerability foundation and the input for a TLPT. A formal TLPT is performed by accredited red teams under TIBER-EU.

Does TLPT apply to all financial companies?

No β€” only the most critical entities under DORA. But the threat-led, recurring approach is relevant to all.

How often is it required?

TLPT is required recurringly (typically every three years for affected entities), but the underlying monitoring should be continuous.

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan