Red Teaming — Your Friendly Advanced Persistent Threat.
No advance warning. No happy path. We model exactly how real attackers operate against your institution — intelligence-led, to the TIBER-EU methodology, from a single team.
A standard pentest tells you which vulnerabilities exist. It doesn't tell you whether a motivated attacker can chain them together, stay undetected, and reach your critical functions. That's the question your board asks — and increasingly, it's the question your supervisor asks too.
DORA (Regulation (EU) 2022/2554) has been directly applicable since 17 January 2025, and in 2026 supervisors have moved from reviewing frameworks to active enforcement. Intelligence-led red teaming has gone from nice-to-have to obligation — and for entities designated significant, it's now written into law.
The real question is no longer whether you test, but whether the test reflects reality. This is where many programmes stumble: threat intelligence and red teaming get split across two vendors who don't coordinate. The result is generic attack scenarios, time lost at every handover, and an operation that misses your actual threat landscape.
We act as your "friendly" advanced persistent threat: an attacker with the same objectives, techniques and patience as a real actor — only on your side.
APTs, OCGs and IABs targeting your sector, mapped to MITRE ATT&CK.
Covert, scenario-based operations — TIBER-EU methodology.
Phishing, pretexting, tailgating, physical access.
Joint exercise with your blue team — measurably better detection.
Continuous, recurring operations instead of a one-off snapshot.
The difference, in plain language.
| Penetration test | Red teaming | |
|---|---|---|
| Question | Which vulnerabilities exist? | Can a real attacker reach its objective? |
| Scope | Defined system / scope | The whole institution, real attack path |
| Announcement | Known, coordinated | Covert — only the white team knows |
| Goal | Coverage & completeness | Realism & impact |
| Output | Vulnerability list | Assessment of your detection and defence |
A pentest is the right choice to secure systems at breadth. Red teaming is the right choice to learn whether your defence holds when it matters.
Threat intelligence and attack — no translation loss.
The TIBER-EU methodology separates two functions: threat intelligence, which builds the tailored threat picture and attack scenarios, and the red team, which executes those scenarios against your systems. We bring both together in a single mandate.
- →No translation loss. What reconnaissance finds, the red team tests directly.
- →More realistic scenarios. We model the actors actually attacking your sector.
- →One point of contact, one accountability — from reconnaissance to report.
Note on independence for regulatory tests: The TIBER/DORA framework requires role separation and independence. Significant credit institutions must use external testers; at minimum every third test requires an external red team. We structure every regulatory mandate so the supervisory requirements are demonstrably met.
Actually threat-led — not threat-flavoured.
"Threat-led" appears on many brochures. Behind ours is field work: for four years we've contributed to the ENISA Ad-Hoc Working Group on the Cyber Threat Landscape — the body that produces the annual ENISA Threat Landscape Report. We feed in sector observations and work with CERTs, supervisors and peers to nail down what is actually happening.
That work forces us to break threats down cleanly per vertical and horizontal — finance, energy, manufacturing, public administration, telecom, healthcare. Exactly that view flows into our attack plans: not generic APT name tags, but the actors, techniques and tradecraft that are current and relevant for your segment.
Ad-Hoc Working Group on the Cyber Threat Landscape — annual ENISA Threat Landscape Report.
Finance, energy, manufacturing, public sector, telecom, healthcare — instead of "APT in general".
Built out of necessity: actionable intelligence rather than third-party marketing slides.
The path is easy to describe and hard to walk: from the sector landscape we derive the relevant actors — APTs, OCGs, initial access brokers. From their real-world TTPs we build the attack scenarios for your test. Not the other way around.
No "oops, that scenario doesn't actually work" — especially not with the regulator at the table.
From a red team provider's perspective, one of the most important craft steps is engineering scenarios that are actually executable in the reality of your environment. This is precisely where regulator-involved red teaming differs from classical red teaming: with the Bundesbank or the ECB sitting in the TLPT test-manager meeting, it is not an option to discover mid-execution that a critical function simply is not reachable from the planned network segment because access is cloud-only — and to watch the whole scenario collapse.
Reachability of critical functions, network and identity paths, cloud vs on-prem dependencies, third-party boundaries — we walk every scenario through technically before it enters the ops phase.
A leg-up doesn't fail because the idea was wrong — it fails because the responsible stakeholder is on holiday. And simply widening the circle of people who know about the TIBER/TLPT test is not an option. We plan leg-ups with deputies, time windows and fallbacks — jointly with the white team.
TLPT test-manager meetings are not the format for surprises. We prepare scenarios, leg-ups and the attestation path so they hold up to Bundesbank, BaFin and, where relevant, ECB/SSM expectations — in substance and on paper.
A pentest is allowed to find dead ends; a red team is allowed to route around them. A regulator-involved red team isn't allowed to write them into the plan in the first place. These three disciplines need different preparation — we know the transitions.
This experience isn't from a playbook — it's from years of TIBER/TLPT mandates where exactly these details decided between passing and re-doing. You don't need to relive that curve yourself.
Three phases.
Preparation
Scoping of critical and important functions, establishing the white team, clear rules of engagement (non-destructive, board-approved, kill-switch). For regulatory tests: engagement with the Bundesbank or relevant authority and validation of scope.
Testing
We build the tailored threat intelligence picture and run the red team operation against your live production systems — covert, scenario-based, across the full attack path.
Closure
Detailed analysis, replay with your blue team (purple teaming), a remediation roadmap. For regulatory tests, plus the required attestation under the regulatory technical standards (RTS).
Don't test once — stay ready.
A one-off test shows you how things look today. But the threat landscape changes daily. Our continuous red teaming programme starts with a baseline and keeps you in the loop — without you having to scan the internet for new threats yourself.
Who are you? Where do you operate? Which APTs, OCGs and other motivated actors are relevant to you? What is your technology footprint — FortiGate? Cisco? We map your real threat landscape.
We watch for new vulnerabilities, chatter on X and other channels, and intelligence reports relevant to your profile. As soon as something matching appears, we arm up.
Are you exposed? Can we breach? And do you see it? We run targeted attacks — automated, manual or both — to check in real time whether the new threat affects you. No should-could-would.
You hear directly when a new threat emerges and how our test turned out. When emerging threats appear, you are automatically tested — with whatever it takes. You stay informed, not in the dark.
Continuous red teaming is the counterpart to the classic one-off mandate: permanent test readiness instead of a point-in-time snapshot. If you want to know what that could look like for your organisation — talk to us.
TIBER-DE and DORA TLPT.
The German implementation of the TIBER-EU framework, administered by the Deutsche Bundesbank. A voluntary, intelligence-led red team test.
The mandatory version. For significant financial entities, Article 26 DORA legally requires the same type of test. Basis: Delegated Regulation (EU) 2025/1190 with the RTS, published 18 June 2025.
The point that matters: Both run on the same methodology. The TIBER-EU framework, updated in January 2025, is now the operational basis for both voluntary TIBER-DE tests and mandatory DORA TLPT. A properly executed TIBER-DE test can count as your first DORA TLPT cycle — with the three-year clock starting from completion.
In short: test to the TIBER-EU methodology voluntarily today, and you already meet the structure DORA will require of you tomorrow.
- ▸DORA has applied directly since 17 January 2025 to financial entities operating in the EU.
- ▸You don't decide whether you must test — your competent authority does.
- ▸An estimated 200–250 entities EU-wide fall within scope of mandatory TLPT.
- ▸Cadence: at least every three years, on live systems, across critical and important functions.
- ▸First mandatory cycle by 17 January 2028 — standing up a programme takes 9–14 months.
- ▸Not planning in 2026 means falling behind.
Unsure whether your institution is in scope? Talk to us — we'll place your situation in a confidential initial call.
We were among the first providers to complete a DORA TLPT — back in 2024. We've worked with regulated institutions, energy providers and critical-infrastructure operators for roughly ten years — across the DACH region and internationally — and run red team operations to the TIBER-EU methodology.
For confidentiality reasons we don't name tested clients — the results of such an operation belong solely to the tested entity and its authority. What we can say: we know what BaFin, the Bundesbank and the ECB/SSM expect from practice, not from a textbook.
Trusted by banks, energy providers and critical-infrastructure operators.
What's the difference between red teaming and a pentest?+
What's the difference between TIBER-DE and DORA TLPT?+
Does an existing TIBER-DE test count towards DORA?+
Can we get threat intelligence and red teaming from one provider?+
How long does a regulatory test take?+
Who is our contact at the authority?+
Find out before someone else does.
Standing up a credible red team operation takes weeks to months — the reconnaissance, the coordination, the operation itself. Let's talk now.