DORA Threat-Led Penetration Testing (TLPT) Services

DORA Article 26 requires significant financial entities to undergo Threat-Led Penetration Testing (TLPT) at least every three years. TLPT under DORA is closer to than to standard CREST pen testing: it is intelligence-led, scenario-driven and scoped against the production environment, with a structured threat intelligence phase preceding the red team activity.

RedSecLabs delivers DORA TLPT and the wider DORA penetration testing programme that significant and non-significant DORA-in-scope entities require. Our methodology is aligned to framework, our consultants are CREST-accredited, and our delivery model includes the threat intelligence generation, control gate management, and competent authority engagement that TLPT specifically demands.

We also deliver the proportionate DORA penetration testing programme that non-TLPT-threshold entities still require under Articles 24-25, so smaller DORA-in-scope firms meet their testing obligations without over-investing in TLPT they do not need.



UK-based CREST member · QSA-aligned methodology · Same-day scoping response · Executive + technical reports · Retest included
  • DORA Art. 26: TLPT mandate
  • Methodology aligned
  • CREST: Member company
  • 3 years: TLPT minimum cadence

What is DORA TLPT

Threat-Led Penetration Testing (TLPT) under DORA Article 26 is a structured red team exercise built on real threat intelligence about adversaries likely to target the entity. It tests the entity's production environment, integrates a threat intelligence (TI) phase before the active testing, and includes a control team gate-keeping the exercise to prevent operational disruption.

TLPT is not optional for entities the competent authority designates as significant. The Regulatory Technical Standards (RTS) define the categories of entity required to undergo TLPT, and competent authorities have discretion to extend the requirement to other entities. Significance is determined based on size, complexity, systemic importance, and the role the entity plays in the financial system.

For entities below the TLPT threshold, DORA Articles 24-25 still require a comprehensive testing programme covering vulnerability assessments, network security assessments, scenario-based testing, compatibility testing, performance testing, end-to-end testing, and penetration testing.

What our DORA TLPT engagements deliver:

  • -aligned threat intelligence generation phase
  • Red team exercise against the production environment
  • Control team coordination and gate-keeping
  • Final report meeting RTS evidence requirements
  • Purple team replay to upskill defenders
  • Competent authority submission support

Below the TLPT threshold, our DORA penetration testing programme covers Articles 24-25 testing obligations using a proportionate methodology that is more cost-effective and less operationally disruptive than full TLPT.

Why DORA TLPT is different to standard pentesting

A typical CREST penetration test is scope-driven, vulnerability-focused, and conducted in a defined window against a specific target. DORA TLPT is intelligence-led, adversary-modelled, and tests the entity's end-to-end resilience including detection, response, and recovery, not just the technical vulnerabilities.

TLPT also includes phases standard pentesting does not: a formal threat intelligence phase producing the threat scenarios; a control team that gate-keeps the exercise; production-environment testing rather than test-environment; and a purple team phase where the red team replays the exercise with defenders present to upskill the blue team.

Common DORA testing pressures:

  • TLPT requirement triggered by in-scope significance designation
  • 3-year TLPT cadence overlapping with audit cycles
  • Competent authority gate-keeping of TLPT scope and methodology
  • Threat intelligence quality determining TLPT scenario validity
  • Production environment testing risk management
  • Article 24-25 testing for non-TLPT-threshold entities still substantial

DORA TLPT is the most demanding category of penetration testing in financial services regulation today. Done well, it produces resilience evidence that holds up to supervisor scrutiny and substantively improves the entity's actual security posture. Done poorly, it produces compliance theatre and wastes a 3-year testing budget.

Who needs DORA TLPT or DORA pentesting

DORA testing requirements vary by entity significance and category. In practice we work with:

  • Banks and credit institutions
  • Asset managers and fund admins
  • Payment institutions and EMIs
  • Investment firms and CCPs
  • Insurance and reinsurance
  • Crypto-asset service providers
  • Critical ICT third-party providers
  • Market infrastructure operators

How we deliver DORA TLPT

Eight-stage TLPT delivery aligned to methodology, adapted to DORA-specific requirements including competent authority engagement and the RTS evidence pack.

01. Scoping & Significance Confirmation

We confirm your DORA TLPT applicability with reference to the RTS criteria and your competent authority's designation. For entities below the threshold, we scope a proportionate DORA Article 24-25 testing programme instead.

02. Threat Intelligence Generation

-aligned threat intelligence phase producing the threat scenarios that the red team will execute. Open-source intelligence, dark web sources, sector ISAC inputs, and historical incident data feed the scenario design.

03. Test Plan & Control Team Setup

Detailed test plan covering scope, in-scope production systems, scenario logic, and control gates. Control team established to gate the exercise and contain operational risk during testing.

04. Competent Authority Engagement

Notification and methodology pre-clearance with your competent authority as required by DORA. We have direct experience engaging with multiple EU and UK regulators on TLPT programmes.

05. Red Team Execution

Multi-month red team exercise executing the threat scenarios against the production environment. Initial access through to objective achievement, exercised with realistic adversary tradecraft.

06. Detection & Response Observation

Throughout the exercise, the blue team's detection and response capability is observed against the executed scenarios. This is one of the most valuable outputs of TLPT: the data on what your defenders actually see and what they miss.

07. Purple Team Replay

Post-exercise, the red team replays the scenarios with the blue team present, walking through every step, what triggered detection (or did not), and which response capabilities need improvement. This upskills defenders directly.

08. RTS Evidence Pack & Reporting

Final report meeting Article 26 RTS evidence requirements. Submission support to your competent authority. Board-level summary for the risk committee. Remediation roadmap for findings.

Typical TLPT programmes run 4 to 8 months from scoping through to purple team replay. Article 24-25 proportionate testing programmes compress significantly. All work is fixed-fee with controlled-scope change management.

What you receive

Every DORA TLPT engagement delivers:

  • -aligned threat intelligence report
  • Red team execution report meeting RTS evidence requirements
  • Detection and response observation log
  • Purple team replay debrief and upskill outcomes
  • Findings with prioritised remediation roadmap
  • Competent authority submission pack
  • Board-level summary for the risk committee
  • Annual programme refresh option

Industries We Serve

We deliver this service across these industries:

  • Banking
  • Asset Management
  • Payments
  • Capital Markets
  • Insurance
  • ICT Third-Party Providers
  • Crypto-asset Services
  • Market Infrastructure

Why RedSecLabs for DORA TLPT

  • methodology aligned
  • CREST member company
  • Senior red team consultants only
  • RTS evidence pack experience
  • Purple team replay built in
  • Direct competent authority engagement

Speak to a DORA TLPT specialist

Book a 30-minute scoping call. We will confirm your TLPT applicability, identify your competent authority's position, and quote a fixed-fee programme within 48 hours.

Frequently Asked Questions

TLPT under DORA Article 26 is mandatory for entities the competent authority designates as significant under the RTS criteria. Other entities still have testing obligations under Articles 24-25 but the methodology is proportionate. We confirm your applicability during scoping using the current RTS criteria and your competent authority's communicated stance.

DORA Article 26 sets the minimum cadence at every three years. Competent authorities can require more frequent testing for higher-risk entities. Most significant entities plan TLPT cycles to align with their wider operational resilience testing programme.

DORA Articles 24-25 require a comprehensive testing programme covering vulnerability assessments, network security assessments, scenario-based testing, compatibility testing, performance testing, end-to-end testing, and penetration testing. The programme is proportionate to the entity's size, risk profile, and ICT complexity. We deliver this as a coordinated annual programme rather than disconnected one-off tests.

Yes. Notification of TLPT, methodology pre-clearance, and submission of the final evidence pack are all included. We have engaged directly with multiple EU and UK competent authorities on TLPT and DORA programmes and bring that experience to every engagement.

TLPT and DORA testing engagements are scoped to your significance designation, ICT complexity, in-scope environments, and any specific competent authority requirements. We confirm fixed-fee scope within 48 hours of a scoping call. TLPT programmes are multi-month engagements; Article 24-25 testing compresses materially.
What you receive

Every engagement includes

  • Scoping call. A 30-minute call to define scope, timeline, and authorisation boundaries.
  • Test plan. Written test plan covering targets, methodology, and rules of engagement.
  • Technical report. Detailed findings with reproduction steps, evidence, and remediation guidance.
  • Executive summary. Board-ready summary with risk ratings and business impact.
  • Audit-ready evidence. Findings letter formatted for auditors, customers, and supervisory authorities.
  • Retest letter. Free retest of remediated findings within agreed window. Confirmation letter included.
  • Remediation call. A call with our lead tester to walk through findings and remediation strategy.
How we deliver

Our process, end to end

  1. Scoping call & fixed-scope quote. A 30-minute call. We define scope, targets, timeline. You get a fixed-scope quote within one working day.
  2. Test plan & authorisation. Written test plan covering methodology, targets, and rules of engagement.
  3. CREST-aligned execution. Senior tester runs the engagement. Critical findings flagged immediately during testing.
  4. Technical + executive report. Detailed technical findings with reproduction steps. Board-ready executive summary.
  5. Remediation call & retest. Walkthrough with our lead tester. Retest of remediated findings within the agreed window.
Engagement scope

What shapes the quote

  • Small scope: focused scope, smaller surface. 5-7 working days.
  • Medium scope: multi-role, several integrations. 8-12 working days.
  • Enterprise scope: complex environment, compliance evidence. 12-25 working days.
Fixed-scope quote within 1 working day
No surprise invoices. We commit to a number before you commit to us.