Red Teaming · TIBER-DE · DORA TLPT

Red Teaming — Your Friendly Advanced Persistent Threat.

No advance warning. No happy path. We model exactly how real attackers operate against your institution — intelligence-led, to the TIBER-EU methodology, from a single team.

TIBER-EU Methodology·DORA TLPT completed 2024·Banks & critical infrastructure·~10 years offensive security
The problem

A standard pentest tells you which vulnerabilities exist. It doesn't tell you whether a motivated attacker can chain them together, stay undetected, and reach your critical functions. That's the question your board asks — and increasingly, it's the question your supervisor asks too.

DORA (Regulation (EU) 2022/2554) has been directly applicable since 17 January 2025, and in 2026 supervisors have moved from reviewing frameworks to active enforcement. Intelligence-led red teaming has gone from nice-to-have to obligation — and for entities designated significant, it's now written into law.

The real question is no longer whether you test, but whether the test reflects reality. This is where many programmes stumble: threat intelligence and red teaming get split across two vendors who don't coordinate. The result is generic attack scenarios, time lost at every handover, and an operation that misses your actual threat landscape.

What we do

We act as your "friendly" advanced persistent threat: an attacker with the same objectives, techniques and patience as a real actor — only on your side.

Adversary simulation

APTs, OCGs and IABs targeting your sector, mapped to MITRE ATT&CK.

Intelligence-led red teaming

Covert, scenario-based operations — TIBER-EU methodology.

Social engineering & physical

Phishing, pretexting, tailgating, physical access.

Purple Teaming

Joint exercise with your blue team — measurably better detection.

RTaaS

Continuous, recurring operations instead of a one-off snapshot.

Red teaming vs. pentest

The difference, in plain language.

Penetration testRed teaming
QuestionWhich vulnerabilities exist?Can a real attacker reach its objective?
ScopeDefined system / scopeThe whole institution, real attack path
AnnouncementKnown, coordinatedCovert — only the white team knows
GoalCoverage & completenessRealism & impact
OutputVulnerability listAssessment of your detection and defence

A pentest is the right choice to secure systems at breadth. Red teaming is the right choice to learn whether your defence holds when it matters.

From one team

Threat intelligence and attack — no translation loss.

The TIBER-EU methodology separates two functions: threat intelligence, which builds the tailored threat picture and attack scenarios, and the red team, which executes those scenarios against your systems. We bring both together in a single mandate.

  • No translation loss. What reconnaissance finds, the red team tests directly.
  • More realistic scenarios. We model the actors actually attacking your sector.
  • One point of contact, one accountability — from reconnaissance to report.
Note on independence for regulatory tests: The TIBER/DORA framework requires role separation and independence. Significant credit institutions must use external testers; at minimum every third test requires an external red team. We structure every regulatory mandate so the supervisory requirements are demonstrably met.
Where the threat picture comes from

Actually threat-led — not threat-flavoured.

"Threat-led" appears on many brochures. Behind ours is field work: for four years we've contributed to the ENISA Ad-Hoc Working Group on the Cyber Threat Landscape — the body that produces the annual ENISA Threat Landscape Report. We feed in sector observations and work with CERTs, supervisors and peers to nail down what is actually happening.

That work forces us to break threats down cleanly per vertical and horizontal — finance, energy, manufacturing, public administration, telecom, healthcare. Exactly that view flows into our attack plans: not generic APT name tags, but the actors, techniques and tradecraft that are current and relevant for your segment.

ENISA contributor 2021–2024

Ad-Hoc Working Group on the Cyber Threat Landscape — annual ENISA Threat Landscape Report.

Vertical & horizontal breakdown

Finance, energy, manufacturing, public sector, telecom, healthcare — instead of "APT in general".

In-house TI capability

Built out of necessity: actionable intelligence rather than third-party marketing slides.

The path is easy to describe and hard to walk: from the sector landscape we derive the relevant actors — APTs, OCGs, initial access brokers. From their real-world TTPs we build the attack scenarios for your test. Not the other way around.

Scenarios that actually work

No "oops, that scenario doesn't actually work" — especially not with the regulator at the table.

From a red team provider's perspective, one of the most important craft steps is engineering scenarios that are actually executable in the reality of your environment. This is precisely where regulator-involved red teaming differs from classical red teaming: with the Bundesbank or the ECB sitting in the TLPT test-manager meeting, it is not an option to discover mid-execution that a critical function simply is not reachable from the planned network segment because access is cloud-only — and to watch the whole scenario collapse.

Consistency review before execution

Reachability of critical functions, network and identity paths, cloud vs on-prem dependencies, third-party boundaries — we walk every scenario through technically before it enters the ops phase.

Leg-ups that actually hold

A leg-up doesn't fail because the idea was wrong — it fails because the responsible stakeholder is on holiday. And simply widening the circle of people who know about the TIBER/TLPT test is not an option. We plan leg-ups with deputies, time windows and fallbacks — jointly with the white team.

Supervisor-aware planning

TLPT test-manager meetings are not the format for surprises. We prepare scenarios, leg-ups and the attestation path so they hold up to Bundesbank, BaFin and, where relevant, ECB/SSM expectations — in substance and on paper.

Red team ≠ pentest — and regulator-involved red team ≠ red team

A pentest is allowed to find dead ends; a red team is allowed to route around them. A regulator-involved red team isn't allowed to write them into the plan in the first place. These three disciplines need different preparation — we know the transitions.

This experience isn't from a playbook — it's from years of TIBER/TLPT mandates where exactly these details decided between passing and re-doing. You don't need to relive that curve yourself.
How an operation works

Three phases.

01

Preparation

Scoping of critical and important functions, establishing the white team, clear rules of engagement (non-destructive, board-approved, kill-switch). For regulatory tests: engagement with the Bundesbank or relevant authority and validation of scope.

02

Testing

We build the tailored threat intelligence picture and run the red team operation against your live production systems — covert, scenario-based, across the full attack path.

03

Closure

Detailed analysis, replay with your blue team (purple teaming), a remediation roadmap. For regulatory tests, plus the required attestation under the regulatory technical standards (RTS).

Continuous red teaming

Don't test once — stay ready.

A one-off test shows you how things look today. But the threat landscape changes daily. Our continuous red teaming programme starts with a baseline and keeps you in the loop — without you having to scan the internet for new threats yourself.

Baseline threat intelligence

Who are you? Where do you operate? Which APTs, OCGs and other motivated actors are relevant to you? What is your technology footprint — FortiGate? Cisco? We map your real threat landscape.

Continuous monitoring

We watch for new vulnerabilities, chatter on X and other channels, and intelligence reports relevant to your profile. As soon as something matching appears, we arm up.

Real-time testing

Are you exposed? Can we breach? And do you see it? We run targeted attacks — automated, manual or both — to check in real time whether the new threat affects you. No should-could-would.

In the loop

You hear directly when a new threat emerges and how our test turned out. When emerging threats appear, you are automatically tested — with whatever it takes. You stay informed, not in the dark.

Continuous red teaming is the counterpart to the classic one-off mandate: permanent test readiness instead of a point-in-time snapshot. If you want to know what that could look like for your organisation — talk to us.

Regulatory context

TIBER-DE and DORA TLPT.

TIBER-DE

The German implementation of the TIBER-EU framework, administered by the Deutsche Bundesbank. A voluntary, intelligence-led red team test.

DORA TLPT

The mandatory version. For significant financial entities, Article 26 DORA legally requires the same type of test. Basis: Delegated Regulation (EU) 2025/1190 with the RTS, published 18 June 2025.

The point that matters: Both run on the same methodology. The TIBER-EU framework, updated in January 2025, is now the operational basis for both voluntary TIBER-DE tests and mandatory DORA TLPT. A properly executed TIBER-DE test can count as your first DORA TLPT cycle — with the three-year clock starting from completion.

In short: test to the TIBER-EU methodology voluntarily today, and you already meet the structure DORA will require of you tomorrow.
Are you even in scope?
  • DORA has applied directly since 17 January 2025 to financial entities operating in the EU.
  • You don't decide whether you must test — your competent authority does.
  • An estimated 200–250 entities EU-wide fall within scope of mandatory TLPT.
  • Cadence: at least every three years, on live systems, across critical and important functions.
  • First mandatory cycle by 17 January 2028 — standing up a programme takes 9–14 months.
  • Not planning in 2026 means falling behind.

Unsure whether your institution is in scope? Talk to us — we'll place your situation in a confidential initial call.

Experience you don't have to rebuild

We were among the first providers to complete a DORA TLPT — back in 2024. We've worked with regulated institutions, energy providers and critical-infrastructure operators for roughly ten years — across the DACH region and internationally — and run red team operations to the TIBER-EU methodology.

For confidentiality reasons we don't name tested clients — the results of such an operation belong solely to the tested entity and its authority. What we can say: we know what BaFin, the Bundesbank and the ECB/SSM expect from practice, not from a textbook.

Trusted by banks, energy providers and critical-infrastructure operators.

FAQ
What's the difference between red teaming and a pentest?+
A pentest looks for vulnerabilities within a defined scope. Red teaming tests whether a realistic attacker can reach its objective along the full attack path — covertly, and without warning to your operations.
What's the difference between TIBER-DE and DORA TLPT?+
TIBER-DE is voluntary and administered by the Bundesbank. DORA TLPT is legally mandatory for significant financial entities. Methodologically, both have run on the same updated TIBER-EU framework since January 2025.
Does an existing TIBER-DE test count towards DORA?+
Yes. A test conducted under the current TIBER-EU framework can be recognised as your first DORA TLPT cycle. The three-year clock starts from the completion date.
Can we get threat intelligence and red teaming from one provider?+
For the bulk of the mandate, yes — provided independence and separation requirements are preserved. We structure the mandate accordingly. For significant credit institutions, external testers are mandatory in any case.
How long does a regulatory test take?+
Realistically 9–14 months from scoping to attestation, depending on scope and coordination with the supervisor.
Who is our contact at the authority?+
For TIBER-DE and DORA TLPT in Germany, the Deutsche Bundesbank is the central contact (e.g. tiber@bundesbank.de, tlpt@bundesbank.de), in coordination with BaFin and, where relevant, the ECB/SSM.
TIBER-EU Methodology·DORA TLPT completed 2024·MITRE ATT&CK·~10 years offensive security·Frankfurt · Dubai · Reykjavík

Find out before someone else does.

Standing up a credible red team operation takes weeks to months — the reconnaissance, the coordination, the operation itself. Let's talk now.