Threat-Led Penetration Testing (TLPT) has become one of the most advanced cyber resilience exercises conducted in the financial sector. With the entry into application of the Digital Operational Resilience Act (DORA) in January 2025, these exercises now form part of the regulatory framework for certain financial institutions across the European Union.
TLPT represents a significant evolution in the way organisations assess cybersecurity readiness. Unlike traditional security testing, these exercises aim to simulate realistic cyber attacks targeting services that are critical to the functioning of financial institutions.
At first glance, the methodology appears highly sophisticated. It combines threat intelligence analysis, advanced attack simulation, structured governance, and regulatory supervision. Exercises can span several months and involve multiple specialised teams.
Yet one of the most interesting observations from these exercises is that they often highlight the importance of fundamental cybersecurity capabilities. While TLPT scenarios are designed around sophisticated threat actors, the lessons that emerge frequently relate to visibility, coordination, and operational readiness.
In other words, advanced cyber resilience testing often reinforces the importance of strong fundamentals.
Designing realistic conditions
A TLPT exercise begins well before the simulated attack itself.
Preparation takes place within a very restricted circle inside the organisation. A small internal coordination group, commonly referred to as the Control Team, oversees the preparation of the exercise. This group interacts with external providers responsible for threat intelligence and attack simulation, and coordinates with supervisory authorities when required.
Beyond this limited group, however, the organisation continues operating normally.
Operational defensive teams are intentionally not informed that the exercise will occur or when it will begin. Security operations centres, incident response teams, and other operational functions therefore perform their duties without knowing that simulated attack activity may appear in their environment.
This design is intentional.
The objective of TLPT is not to surprise the organisation as a whole, but to observe how its defensive capabilities operate under realistic conditions. By allowing operational teams to react naturally to events, the exercise provides insight into how detection and response mechanisms function in practice.
Once the test begins, a specialised Red Team simulates the behaviour of a realistic attacker. Their objective is not simply to identify vulnerabilities but to determine whether an attacker using credible methods could reach systems or processes supporting critical services.
The defensive teams, often referred to as the Blue Team, investigate the events they observe just as they would during a real incident.
This dynamic makes TLPT particularly valuable as a resilience exercise.
From technical vulnerabilities to business impact
Many organisations already conduct regular penetration tests. These assessments are designed to identify vulnerabilities in applications, infrastructure, or networks, and they remain an important component of cybersecurity programmes.
TLPT takes a different perspective.
Rather than focusing on individual systems, the exercise focuses on the potential impact on the organisation’s critical services.
In practical terms, this means that simulated attackers aim to reach systems or processes supporting functions that are essential to the institution. Examples may include payment services, trading platforms, customer account management systems, or other operational capabilities that are fundamental to the organisation’s activities.
The objective is not necessarily to exploit every possible weakness. Instead, the exercise seeks to determine whether a realistic attack path could lead to meaningful operational consequences.
As a result, TLPT exercises simultaneously evaluate three key cybersecurity capabilities:
- Protection, which reflects how resistant systems are to intrusion.
- Detection, which measures whether suspicious behaviour is identified in a timely manner.
- Response, which assesses how effectively the organisation can investigate and contain potential incidents.
By combining these perspectives, TLPT provides a more comprehensive view of cyber resilience.
Identifying critical services
One of the most important steps in preparing a TLPT exercise is identifying the services that are critical to the organisation.
Under DORA, these are referred to as critical or important functions.
Determining these functions requires organisations to analyse their operations from a business perspective rather than purely a technical one. Financial institutions typically manage complex technology environments with numerous interconnected systems and dependencies. Understanding which of these systems ultimately support critical services can require careful analysis.
Payment infrastructure, trading systems, and customer data platforms are often obvious examples. However, the dependencies supporting those services may extend further into identity management systems, integration layers, infrastructure platforms, or external service providers.
This mapping exercise plays an important role in the TLPT process. By focusing on functions that are essential to the organisation, the exercise ensures that the simulated attack scenarios are aligned with real operational risk.
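The dependency mapping described above can be made concrete with a small graph walk. The following is an added example, not code from the article or from any TLPT programme: it takes a constructed dependency map (system names, the critical functions and their entry points are all invented for illustration) and derives, for each critical or important function, the full set of systems it transitively relies on. It also flags the systems shared by several functions and the external providers in scope, which is exactly the kind of information needed to agree the perimeter of a test.

```python
"""Added example: mapping critical or important functions to the systems that
support them, transitively. All names below are constructed for illustration."""
from collections import deque

# Constructed dependency map: system -> systems it depends on.
# Names ending in "-ext" stand for external service providers (an assumed convention).
DEPENDENCIES = {
    "payment-gateway": ["core-banking-api", "sso-idp", "message-bus"],
    "trading-platform": ["market-data-feed", "sso-idp", "order-db"],
    "customer-portal": ["core-banking-api", "sso-idp"],
    "core-banking-api": ["order-db", "message-bus"],
    "message-bus": ["k8s-cluster"],
    "order-db": ["k8s-cluster", "backup-provider-ext"],
    "sso-idp": ["active-directory"],
    "active-directory": [],
    "k8s-cluster": [],
    "market-data-feed": ["vendor-feed-ext"],
    "vendor-feed-ext": [],
    "backup-provider-ext": [],
}

# Constructed list of critical functions and the system that fronts each one.
CRITICAL_FUNCTIONS = {
    "payments": "payment-gateway",
    "trading": "trading-platform",
    "customer-accounts": "customer-portal",
}


def supporting_systems(entry, deps):
    """Return every system the entry point transitively depends on, itself included.

    Breadth-first walk over the dependency map; cycles are tolerated because each
    node is visited at most once.
    """
    seen = {entry}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for child in deps.get(node, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def scope_report(functions, deps):
    """Build the test scope for a set of critical functions.

    Returns (scope, shared, external):
      scope    - function name -> set of supporting systems
      shared   - system -> number of critical functions relying on it (only > 1)
      external - supporting systems that are external providers
    """
    scope = {name: supporting_systems(entry, deps) for name, entry in functions.items()}
    counts = {}
    for systems in scope.values():
        for system in systems:
            counts[system] = counts.get(system, 0) + 1
    shared = {s: n for s, n in counts.items() if n > 1}
    external = {s for s in counts if s.endswith("-ext")}
    return scope, shared, external


if __name__ == "__main__":
    scope, shared, external = scope_report(CRITICAL_FUNCTIONS, DEPENDENCIES)
    for name, systems in scope.items():
        print(f"{name}: {sorted(systems)}")
    # Systems relied on by several critical functions are the ones a single
    # intrusion could turn into a multi-service outage; list them first.
    for system, n in sorted(shared.items(), key=lambda kv: -kv[1]):
        print(f"shared by {n} functions: {system}")
    print("external providers in scope:", sorted(external))
```

The shared-system ranking is the useful output here: in the constructed map, the identity provider and its directory sit under all three functions, so a scenario built around credential compromise is relevant to every critical service even though no single service "owns" those systems.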
Building credible attack scenarios
Once the critical services have been identified, the next step is to design realistic attack scenarios.
This work typically begins with threat intelligence analysis. Specialists study the global threat landscape and identify attacker groups known to target financial institutions. These may include cybercriminal groups motivated by financial gain or more advanced threat actors using sophisticated intrusion techniques.
The objective is not to construct extreme or unrealistic scenarios. Instead, the goal is to develop attack paths that reflect credible behaviour observed in real cyber incidents.
Based on this intelligence, the Red Team prepares an attack plan describing how an attacker could attempt to move through the environment.
Typical techniques used in such simulations may include:
- Phishing or social engineering.
- Credential compromise.
- Abuse of trusted relationships between systems.
- Lateral movement within the internal network.
- Attempts to access systems supporting critical services.
All actions are conducted within a carefully controlled framework to ensure that the exercise remains safe for production systems.
This balance between realism and operational safety is a key characteristic of TLPT exercises.
Observing detection and response
The most revealing phase of the exercise occurs when simulated attack activity begins interacting with the organisation’s environment.
Security monitoring tools may generate alerts. Analysts may observe unusual system behaviour. Some events may initially appear insignificant or ambiguous.
At this stage, the organisation’s detection and response capabilities are being exercised in real time.
Detection itself is not considered a failure of the exercise. On the contrary, identifying suspicious activity early can demonstrate that monitoring capabilities are functioning effectively.
What matters most is how the organisation interprets and escalates the signals it observes.
TLPT exercises often provide insight into operational aspects of cybersecurity, such as how alerts are analysed, how incidents are escalated, and how teams coordinate during investigations.
These aspects are particularly important because cybersecurity resilience depends not only on technology but also on processes and human decision making.
Lessons observed across exercises
Across different TLPT programmes in Europe, certain recurring observations have emerged.
In many cases, the most valuable insights relate to operational visibility and coordination. For example, organisations may identify areas where monitoring coverage could be improved, where logging is distributed across multiple systems, or where escalation processes could be clarified.
Other observations may relate to communication between teams or the speed at which information flows between operational and decision-making levels.
These findings do not necessarily reflect weaknesses in security controls. Rather, they illustrate the complexity of operating large technology environments and coordinating responses across multiple teams.
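The protection, detection and response capabilities described earlier, and the escalation-speed observations just mentioned, can be measured from the exercise record itself once it is over. The following is an added example, not code from the article or from any supervisory framework: it takes a constructed Red Team action log and a constructed Blue Team event log (timestamps, stage names and techniques are all invented for illustration; the stages follow the technique list given in the article) and computes, per attack stage, whether the activity was detected, how long the alert took, and how long escalation and containment took after it.

```python
"""Added example: scoring a TLPT timeline on detection and response.
All log entries below are constructed for illustration."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed Red Team log: (timestamp, stage, technique used)
RED_ACTIONS = [
    ("2025-03-03 09:12", "initial-access", "phishing"),
    ("2025-03-03 11:40", "credential-compromise", "reuse of phished credentials"),
    ("2025-03-05 14:05", "lateral-movement", "remote session to file server"),
    ("2025-03-07 10:30", "critical-service-access", "read access on payment-gateway host"),
]

# Constructed Blue Team log: (timestamp, event kind, stage the event relates to).
# Event kinds: "alert" (first signal), "escalated" (handed to incident response),
# "contained" (access removed). Mapping events to stages is done afterwards,
# during the joint replay of the exercise; it is assumed here as input.
BLUE_EVENTS = [
    ("2025-03-03 09:50", "alert", "initial-access"),
    ("2025-03-03 13:15", "escalated", "initial-access"),
    ("2025-03-05 14:20", "alert", "lateral-movement"),
    ("2025-03-06 09:05", "escalated", "lateral-movement"),
    ("2025-03-06 16:00", "contained", "lateral-movement"),
]


def _parse(ts):
    return datetime.strptime(ts, FMT)


def _first(kind, stage, blue, not_before):
    """Earliest Blue Team event of the given kind for a stage, at or after the red action."""
    times = [_parse(t) for t, k, s in blue if k == kind and s == stage and _parse(t) >= not_before]
    return min(times) if times else None


def evaluate(red, blue):
    """Per stage: detection flag and time from red action to alert, escalation, containment.

    Times are datetime.timedelta values, or None when the event never happened.
    """
    results = {}
    for ts, stage, technique in red:
        t0 = _parse(ts)
        alert = _first("alert", stage, blue, t0)
        escalated = _first("escalated", stage, blue, t0)
        contained = _first("contained", stage, blue, t0)
        results[stage] = {
            "technique": technique,
            "detected": alert is not None,
            "time_to_alert": alert - t0 if alert else None,
            "time_to_escalate": escalated - t0 if escalated else None,
            "time_to_contain": contained - t0 if contained else None,
        }
    return results


def blind_spots(results):
    """Stages the Red Team completed without any alert being raised."""
    return [stage for stage, r in results.items() if not r["detected"]]


def reached_critical_after_containment(red, blue):
    """True if the Red Team still reached a critical service after the last containment action.

    This is the single most important question for the exercise: containment that does
    not stop the attack path is a response finding, not a success.
    """
    contain_times = [_parse(t) for t, k, _ in blue if k == "contained"]
    critical = [_parse(t) for t, s, _ in red if s == "critical-service-access"]
    if not contain_times or not critical:
        return False
    return max(critical) > max(contain_times)


if __name__ == "__main__":
    results = evaluate(RED_ACTIONS, BLUE_EVENTS)
    for stage, r in results.items():
        print(stage, r)
    print("blind spots:", blind_spots(results))
    print("critical service reached after containment:",
          reached_critical_after_containment(RED_ACTIONS, BLUE_EVENTS))
```

On the constructed data the alerts themselves are fast (38 and 15 minutes), but escalation of the lateral-movement alert took 19 hours and containment did not stop the path to the critical service. That is the pattern the article describes: the finding is about how signals flow between teams, not about whether the monitoring tool fired.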
In this context, TLPT exercises provide a structured way to observe how cybersecurity capabilities operate under realistic conditions.
As one cybersecurity practitioner involved in several resilience programmes explained:
“Threat-led testing is valuable because it allows organisations to observe how their capabilities work together in practice, not only how they are designed on paper.”
This perspective highlights the broader purpose of the exercise.
TLPT in the European regulatory context
The introduction of DORA has strengthened the role of threat-led testing within the European financial sector.
Under the regulation, certain financial entities, particularly those considered systemically important, are required to perform TLPT exercises periodically. These exercises contribute to ensuring that institutions providing essential financial services maintain strong operational resilience.
In Luxembourg, supervisory authorities such as the Commission de Surveillance du Secteur Financier (CSSF) place increasing emphasis on ICT risk management and operational resilience.
Luxembourg hosts a diverse financial ecosystem including banks, investment firms, payment institutions, and financial infrastructure providers. As these institutions rely heavily on digital systems, ensuring their resilience against cyber threats is a key priority.
Within this context, TLPT exercises complement other regulatory measures designed to strengthen the sector’s ability to prevent, detect, and respond to cyber incidents.
Beyond compliance
Although TLPT exercises are now embedded in regulatory frameworks, their value extends beyond compliance.
For many organisations, these exercises provide a rare opportunity to observe cybersecurity operations under realistic conditions. They allow institutions to test not only technical controls but also the effectiveness of operational processes and collaboration between teams.
TLPT can also support discussions between technical teams and senior management. By demonstrating how a realistic attack could affect critical services, the exercise helps translate cybersecurity risk into operational and business terms.
This perspective can help organisations prioritise improvements in areas that have the greatest impact on resilience.
Reinforcing the importance of fundamentals
Despite the advanced techniques involved in these exercises, the lessons they produce often reinforce fundamental principles of cybersecurity.
Organisations that perform well during TLPT exercises typically demonstrate strong visibility across their environments, well-defined incident response processes, and effective coordination between teams.
They also maintain a clear understanding of the systems and dependencies that support their critical services.
These capabilities may appear straightforward, but implementing them consistently across large organisations requires sustained effort.
TLPT exercises provide a structured way to validate these capabilities in realistic conditions.
In doing so, they highlight an important aspect of cyber resilience.
Advanced security technologies and sophisticated testing methodologies are valuable tools. However, their effectiveness ultimately depends on how well organisations understand their systems, monitor their environments, and coordinate their response when unusual activity occurs.
For financial institutions operating in an increasingly complex threat landscape, maintaining these fundamentals remains a central component of operational resilience.
What we think
The most advanced cyber-attacks rarely reveal a failure of technology. They expose whether an organisation has mastered the fundamentals: visibility, coordination, and the ability to respond when it truly matters.