DORA introduces requirements for threat-led penetration testing (TLPT) for the most critical financial entities. We explain what the requirement means and help you build the continuous attack-surface and vulnerability foundation that makes the tests meaningful.
Run a free domain scan All checks βWe explain DORA's advanced testing requirement: threat-led penetration testing (TLPT) under the TIBER-EU model, how often it's required, who's covered, and β most importantly for most β how you build the continuous attack-surface, exposure and vulnerability picture that a meaningful TLPT builds on.
TLPT is the heaviest test form in DORA and required only of certain entities, but the direction applies to all: testing should be threat-led and recurring, not an annual checkbox. A continuous picture of your real attack surface is the foundation for both TLPT and ongoing risk management.
Do you perform TLPT yourselves?
We deliver the continuous attack-surface and vulnerability foundation and the input for a TLPT. A formal TLPT is performed by accredited red teams under TIBER-EU.
Does TLPT apply to all financial companies?
No β only the most critical entities under DORA. But the threat-led, recurring approach is relevant to all.
How often is it required?
TLPT is required recurringly (typically every three years for affected entities), but the underlying monitoring should be continuous.
Run a free scan or order a full Security Assessment β prioritised, not noise.
Run a free domain scan