If you operate a financial entity in the EU classified as "significant" under DORA (that includes the largest crypto exchanges, stablecoin issuers, and qualifying custodians), you are in scope for threat-led penetration testing (TLPT) every three years. This is not a standard Web3 pentest with a different name. The methodology, the scope, the budget, and the supervisor involvement are different. This piece walks through what TLPT actually looks like.
What DORA Article 26 requires
The text of Article 26 establishes TLPT as a periodic obligation for significant entities. The regulatory technical standards (RTS) align it with TIBER-EU, the EU's existing framework for intelligence-led red-team testing of financial market infrastructure, originally developed by the ECB.
The headline requirements:
- Threat intelligence-led: tests must simulate the tactics, techniques, and procedures (TTPs) of a specific threat actor that is realistically capable of targeting your firm.
- Live production systems: TLPT runs against production, not staging. The scope includes critical functions and supporting ICT systems.
- Independent testers: testers must meet certification, independence, and methodology requirements (Article 27).
- Supervisor involvement: the test plan is shared with the supervisor; sometimes a "white team" within the firm coordinates with the supervisor and the testers.
- Three-year cadence: the cycle repeats, with the threat intelligence refreshed each round.
How TLPT differs from a standard pentest
A standard Web3 penetration test is scoped, time-boxed, and looking for exploitable findings across an in-scope surface (a dApp, an API, a node, a custody system). The deliverable is a findings report.
TLPT is a different exercise:
- Scope is the firm's critical functions, not a list of systems. The testers map which systems support those functions and decide where to focus.
- The starting point is threat intelligence, not a system inventory. A TI provider produces a brief on the actors plausibly targeting the firm, their typical TTPs, and the likely entry vectors. The red team then plays one of those actors.
- Detection is part of the test. The blue team (your security operations) is not informed in advance: TLPT measures both the resilience of systems and the detection-and-response capability of the SOC.
- The deliverable is a debrief, not just findings. A purple-team session reconstructs the attack chain, what was detected, what wasn't, and what the response looked like end-to-end.
In practice, TLPT for a large CASP can run 6–12 months end-to-end (threat intelligence + planning + execution + debrief). The execution phase alone is typically 12–16 weeks.
What gets tested
TLPT scope is decided at the firm level, but for a typical CASP it includes:
- Customer-facing platforms (web, mobile, API).
- Trading infrastructure (order matching, market data, FIX gateways).
- Custody and signing infrastructure (KMS, HSM, signer infrastructure, hot/cold/warm wallet boundaries).
- Supporting cloud and identity infrastructure (IAM, secret management, CI/CD, internal tooling).
- Operational human surfaces (phishing of operations and engineering teams, supplier and supply-chain exposure).
The point is not to run a vulnerability scan over each: vulnerability assessments under DORA Article 25 already cover that. TLPT is about whether a determined adversary can chain access across all of those surfaces to reach a high-value objective.
What an engagement looks like
A TIBER-EU-aligned TLPT engagement has five phases:
- Preparation (4–8 weeks): supervisor engagement, white-team setup, scope definition, contractual scaffolding.
- Threat intelligence (4–6 weeks): a TI provider produces the targeting brief (which actors, which TTPs, which crown jewels) that drives the test plan.
- Red-team execution (12–16 weeks): the red team operates against production, with the white team coordinating and the supervisor informed of major events.
- Closure (2–4 weeks): findings are written up, the attack chain is reconstructed.
- Purple team and remediation (ongoing): the red team and the blue team review the engagement together, gaps are tracked, remediation is planned.
Budget realities
TLPT is the most expensive testing exercise in any financial firm's calendar. Some reference points:
- A small TIBER-style TLPT for a regional bank typically lands at €200k–€500k all-in.
- A large CASP TLPT can exceed €1M when the threat intelligence, red team, and white-team coordination are all priced.
- Costs scale with scope (number of critical functions in scope) and duration.
- The cost is not optional for in-scope entities: it is a regulatory requirement under DORA.
What to start now if you'll be in scope
If your firm is heading toward "significant" classification under DORA (large balance sheet, large user base, large custody exposure, or designation by your supervisor), start preparing now. Specifically:
- Establish a white team: a small group inside the firm that knows the TLPT is happening and coordinates with the testers and the supervisor. Without it, TLPT cannot run.
- Document your critical functions. TLPT scope is built from this; if it doesn't exist, the test plan is a guessing game.
- Run pre-TLPT vulnerability assessments. Under DORA Article 25 you owe these annually anyway. Doing them well dramatically improves your TLPT outcome: most TLPT findings start as un-remediated vulnerability assessment findings.
- Build the detection capability. TLPT measures detection. A TLPT against a SOC that doesn't detect anything generates the same findings every cycle.
For most CASPs, the journey from "we're under MiCA" to "we passed our first TLPT" is 18–24 months. If you are scoping that path, a pentest engagement on the production surface is the natural starting point, both because DORA Article 25 mandates it, and because it is the first place TLPT findings will surface in three years' time.