Threat-Led Penetration Testing | Redscan

Threat-led pen testing brings together specialist offensive security skills and threat intelligence, enabling businesses to proactively uncover vulnerabilities that could otherwise be exploited by threat actors. In this article, we set out what threat-led pen testing is, how it relates to the Digital Operational Resilience Act (DORA) and the testing requirements included as part of the new EU regulation.

What is threat-led pen testing?

Threat-led penetration testing is a type of security assessment which follows a structured process to identify the potential ways in which an attacker could gain access to and move laterally in an organisation or extract information. Its goal is to comprehensively test a company’s people, processes, and technologies.

Threat-led pen testing takes its name from the fact that it draws on threat intelligence and expert insight into attack strategies seen in the wild to simulate the tactics, techniques and procedures of real threat actors. It goes beyond surface-level vulnerabilities to incorporate more complex attack vectors.

Threat-led pen testing and DORA

Threat-led pen testing forms a key aspect of DORA, a robust regulatory framework which aims to prevent and mitigate cyber threats by establishing a comprehensive ICT risk management framework for the EU financial industry.

DORA comes into full effect in January 2025. Its main objective is to enhance the IT security of financial entities such as banks, insurance companies and investment firms.

Under DORA, all companies across EU member states must build an understanding of the ICT risks facing their organisation and ensure that they are able to monitor, detect, withstand, respond to and recover from ICT-related threats and disruptions. These measures must be proportional to the potential risks.

DORA is based on five key pillars, with one being digital operational resilience testing, which involves testing and assuring technology resilience through techniques including threat-led penetration testing. While some of the requirements set out by DORA are straightforward, others are more challenging and prescriptive, demanding additional effort and resources in order to achieve compliance.

The threat-led pen testing methodology: ESMA

In July 2024, the draft regulatory technical standards (RTS) on threat-led pen testing were released. Part of the second batch of policy products under DORA, the document was issued by the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority. The standards are in effect from 17 January 2025. The guidance related to threat-led pen testing includes:

Alignment with the EU TIBER framework

Threat-led pen testing for DORA will be required to follow the EU TIBER framework, except in relation to the use of purple teams and internal testers. The EU TIBER framework provides comprehensive guidance on how authorities, entities, and threat intelligence and red team providers should work together to enhance organisations’ cyber resilience through controlled cyberattacks.

Testing cadence

Threat-led penetration testing is mandated every three years for relevant financial institutions and their critical ICT providers. It must cover all critical or important functions and be performed on live production systems. However, because a threat-led pen test does not test all systems and applications comprehensively, organisations should also undertake vulnerability assessments and more narrowly scoped penetration testing.

External and internal parties can conduct TLPT

Financial entities can use external and internal testers for threat-led pen testing, although the threat intelligence provider must be external and independent. Every third test will have to be undertaken by an external party as an additional safeguard.

Purple teaming mandated

While purple teaming is strongly encouraged but not mandatory in the TIBER-EU framework, the DORA RTS mandates purple teaming at the closure stage of a threat-led pen test.

Risk management is essential

Robust risk management at every stage of threat-led pen testing is essential, with responsibility for the conduct of the test and its risk management resting entirely with the financial entity undergoing testing. Financial entities are required to assess the risk of conducting threat-led pen testing before it starts and to continually monitor this risk, updating the risk assessment as required. The RTS also mandates one important way to minimise the risks associated with threat-led pen testing: selecting experienced, appropriate and highly skilled testers and threat intelligence providers.

How Kroll can help

Field-proven pen testing and threat intelligence services play an important role in enabling compliance with regulations such as DORA, as well as ensuring long-term cyber resilience. Kroll is an award-winning provider of cyber security penetration testing services, conducting over 100,000 hours of security assessments every year. With more than 100 security qualifications, including CREST CRT, STAR, CC SAM and many more, we perform testing to the highest technical, legal and ethical standards. All of our award-winning pen test services include complete post-test care, actionable outputs, prioritised remediation guidance and strategic security advice to help you make long-term improvements to your cyber security posture.

Every pen test we undertake is fuelled by frontline incident response intel and insights from elite analysts. Leveraging frontline threat intelligence from handling thousands of cyber incidents every year, our team delivers more visibility against emerging threats and offers actionable steps to minimise risk and protect against operational and reputational damage. Our cyber threat intelligence analysts leverage their combined experience in the U.S. Secret Service, the FBI, Fortune 100 companies and the National Cyber Forensic Training Alliance (NCFTA) to follow even the most obfuscated or opaque data trails. By cross-correlating a variety of open source, private feeds and dark web data with frontline data collected from thousands of incidents, our team filters out false positives, duplicates and general noise to enable timely, meaningful and actionable intelligence.