
Achieving DORA Threat-Led Penetration Testing Requirements

Gain an in-depth view of DORA’s threat-led penetration testing framework, with practical guidance on how to integrate offensive security services.

As the compliance deadline for the EU's Digital Operational Resilience Act (DORA) approaches in January 2025, financial institutions and their ICT providers must prepare to meet the regulation’s stringent Threat-Led Penetration Testing (TLPT) requirements.

We provide an in-depth overview of DORA’s TLPT framework, offering practical guidance on how to integrate offensive security services to meet regulatory demands and build resilience against cyber threats through penetration testing.

Attendees will gain a clear roadmap for achieving DORA compliance through a strategic approach to testing, threat intelligence, and vulnerability remediation.

Key Takeaways:

  • Detailed breakdown of DORA’s TLPT requirements and their implications for financial services and ICT providers
  • How to design and implement a compliant TLPT framework that enhances organizational resilience
  • Key offensive security services that organizations should seek to fulfill DORA requirements
  • Best practices for selecting external testers and aligning testing processes with regulatory standards

Lessons Learned from the Session

Understanding DORA and Its Importance

  • DORA is a Law, Not a Guideline – It establishes strict cyber resilience requirements for financial entities and their ICT service providers operating in the EU.
  • The Growing Cyber Threat Landscape – Financial institutions are highly interconnected, creating systemic cyber risks.
  • Recent Supply Chain Attacks & Ransomware Evolution – Events like the SolarWinds attack and sophisticated ransomware groups (LockBit, BlackCat, Black Basta) highlight the urgent need for improved security measures.

Who Must Comply with DORA?

  • Banks, credit institutions, insurance companies, trading firms, investment funds, pension funds
  • Crypto-asset service providers, exchanges, and other financial entities
  • ICT third-party service providers (e.g., cloud providers, core banking software vendors)

Key Deadlines

  • January 2023 – DORA came into force
  • January 17, 2025 – Deadline for financial institutions to be fully DORA-compliant

Core Pillars of DORA Compliance

  • ICT Risk Management – Institutions must create robust risk frameworks to anticipate and mitigate cyber threats.
  • Third-Party Risk Management – Institutions must vet and monitor external service providers for security risks.
  • Digital Operational Resilience Testing (DORT) – Requires vulnerability assessments, penetration testing, and TLPT.
  • Incident Reporting – Organizations must have monitoring and reporting procedures for cyber incidents.
  • Threat-Led Penetration Testing (TLPT) – The most advanced form of resilience testing, requiring real-world attack simulations.

What is TLPT and How is it Different?

  • More Than a Standard Penetration Test – TLPT is a goal-oriented adversary emulation approach similar to red teaming.
  • Testing Must Be Based on Real-World Threats – Organizations must use threat intelligence to mimic actual attackers, such as ransomware groups or APT actors.
  • Annual Security Testing Required – Every three years, an external third party must conduct TLPT. Internal teams may conduct up to two of the three required tests.

Implementing TLPT – Various Approaches

  • Red Teaming: Simulating a full-scale cyberattack against an organization’s critical systems to test defensive capabilities.
  • Purple Teaming: A collaborative approach where red teams and blue teams work together to improve detection and response.
  • Strategic Threat Intelligence: Attack scenarios should mirror real-world adversary tactics, using frameworks like MITRE ATT&CK.

Third-Party Risk & Exit Strategies

  • Organizations must maintain a third-party risk register and classify vendors based on risk levels.
  • Exit Strategies Are Mandatory – Organizations must have a backup plan in case a critical vendor is breached or unavailable.
  • Contractual Clauses Matter – DORA mandates that vendor contracts include security requirements and termination clauses for non-compliance.

DORA Compliance: Practical Next Steps

  • Conduct a Gap Analysis – Identify where your organization is non-compliant and develop a roadmap.
  • Create a Risk Register – Document all third-party vendors and evaluate their security postures.
  • Develop a TLPT Plan – Align testing programs with real-world threat intelligence and red teaming.
  • Ensure Executive Buy-in – Senior management is responsible for overseeing compliance efforts.
  • Leverage External Expertise – Work with accredited TLPT providers like Bishop Fox to meet DORA’s rigorous testing requirements.

Final Thoughts from the Experts

  • DORA presents a huge opportunity – Compliance isn’t just a legal necessity; it’s a chance to improve overall cybersecurity.
  • “You get what you put into this.” – Organizations should embrace TLPT as a valuable security practice rather than just a compliance checkbox.
  • Third-Party Testing is Key – External testing ensures independence, credibility, and regulatory approval.

Trevin Edgeworth

About the speaker, Trevin Edgeworth

Red Team Practice Director

Trevin Edgeworth is the Red Team Practice Director at Bishop Fox, where he focuses on building and leading best-in-class adversary emulation services to help customers of all sizes and industries strengthen their defenses against current and emerging threats.

Trevin has over 20 years of security experience; he has built and overseen red team programs for several Fortune 500 companies, including American Express, Capital One Financial, and Symantec Corporation. Other accomplishments include leading a security organization as Chief Security Officer (CSO) for a major security company. Trevin has led a variety of security functions in his career, including cyber threat intelligence, hunt, deception, insider threat, and others.

Trevin is an active member of the security community. He has presented at several industry conferences and been interviewed by leading publications on topics such as red teaming and threat intelligence.


Rob Ragan

About the speaker, Rob Ragan

Principal Technology Strategist

Rob Ragan is a Principal Researcher at Bishop Fox. Rob focuses on pragmatic solutions for clients and technology. He oversees strategy for continuous security automation. Rob has presented at Black Hat, DEF CON, and RSA. He is also a contributing author to Hacking Exposed Web Applications 3rd Edition. His writing has appeared in Dark Reading and he has been quoted in publications such as Wired.

Rob has more than a decade of security experience and once worked as a Software Engineer at Hewlett-Packard's Application Security Center. Rob was also with SPI Dynamics where he was a software engineer on the dynamic analysis engine for WebInspect and the static analysis engine for DevInspect.


Matt Twells

About the speaker, Matt Twells

Senior Solutions Engineer

Matthew Twells was a Senior Solutions Engineer at Bishop Fox focused on technical scoping of client engagements, training and development, and sales enablement. He graduated from the University of Reading in Reading, England with a B.A. (Hons) in Economics, and has spent time working in the British Army as a Secure Communications Engineer, working with the National Health Service as part of the Cyber Defense Operations Center (CDOC) team during the COVID-19 pandemic and subsequently in a variety of cybersecurity consulting, technical project management, internal audit, and penetration testing roles over the last 7 years.

