TIBER-EU (Threat Intelligence-Based Ethical Red-teaming) is the European framework for intelligence-led Red Teaming, published by the ECB in 2018. Under DORA, TLPT (Threat-Led Penetration Testing) inherits the TIBER methodology, which becomes mandatory every 3 years for designated financial entities. The exercise runs on production systems, typically lasts 12-20 weeks, and requires accredited independent external providers (a TI provider plus an RT provider), a White Team that knows about the exercise and a Blue Team that is tested without warning. Indicative cost: €80,000-€250,000 depending on scope and complexity. It is the most demanding and realistic resilience test in the financial sector.
What TIBER-EU is
TIBER-EU stands for Threat Intelligence-Based Ethical Red-teaming, a framework published by the European Central Bank in 2018 to coordinate the execution of Red Team exercises based on threat intelligence on production systems of European financial entities.
The framework defines:
- Harmonised methodology for all European exercises
- Roles and responsibilities of each participant
- Accreditation requirements for providers
- Phase structure and deliverables
- Cooperation mechanisms between national supervisors
TIBER-EU was voluntary during 2018-2024 and was adopted by national central banks through local implementations (TIBER-NL, TIBER-FR, TIBER-DE, etc.). In Spain, TIBER-ES is coordinated by the Banco de España.
With DORA entering into force (17 January 2025), part of the TIBER-EU practice became mandatory for designated financial entities under the TLPT label.
TIBER-EU vs TLPT (DORA terminology)
| Concept | TIBER-EU | TLPT under DORA |
|---|---|---|
| Origin | ECB framework (2018) | EU Regulation 2022/2554 |
| Application | Voluntary | Mandatory for designated entities |
| Frequency | Recommended | At least every 3 years |
| Tested systems | Production | Production (DORA article 26.2) |
| Provider accreditation | Recommended | Mandatory under RTS published by the ESAs |
| Mutual recognition | Voluntary between countries | Mandatory between Member States |
| Output | Private report to entity and supervisor | Report to competent authority and, when applicable, to the ESAs |
Bottom line: TIBER-EU is the base methodology; TLPT is TIBER-EU made mandatory under DORA with some specific adaptations.
Who does it apply to?
Designated financial sector entities
DORA delegates to the national competent authority the designation of financial entities required to perform TLPT, based on:
- Size and market footprint
- ICT and operational risk profile
- Systemic role in the financial sector
- Critical services provided to other financial entities
In practice, the typical mandatory parties are:
- Systemic banks (G-SIIs and O-SIIs)
- Large insurers and reinsurers
- Market operators and market infrastructures (CCPs, CSDs)
- Certain large payment and e-money institutions
- Central counterparties
Non-designated entities remain subject to the general testing programme under DORA's pillar 3, which includes pentesting and other tests, but no formal TLPT.
Critical ICT providers (CTPP)
Designated CTPPs may be included in the scope of the contracting financial entity's TLPT, with mandatory cooperation. This is a significant change: cloud hyperscalers, critical SaaS providers and managed service providers may be subjected to coordinated Red Team tests.
The 4 phases of a TIBER exercise
| Phase | Duration | Key activities |
|---|---|---|
| 1. Preparation | 4-6 weeks | White Team setup, scope definition, TI and RT provider selection, Generic Threat Landscape (GTL) |
| 2. Threat Intelligence | 3-5 weeks | Targeting research, Targeted Threat Intelligence Report (TTI), realistic scenarios and TTPs |
| 3. Red Teaming | 10-14 weeks | Execution on production, multiple campaigns and scenarios, documentation of executed TTPs |
| 4. Closure & Replay | 3-5 weeks | Final Report, replay with Blue Team, lessons learned, remediation plan |
Each phase is detailed below.
Phase 1: Preparation
Setup of the White Team (minimum 3-5 people: CISO, business continuity lead, fraud lead, internal communications). The White Team is the only internal team that knows about the exercise.
Scope definition:
- Critical or important functions selected
- Specific systems, applications and infrastructure
- Crown jewels defined (the assets whose compromise confirms a successful exercise)
- Rules of engagement and out-of-scope items
Selection of:
- Accredited TI provider (Threat Intelligence)
- Accredited RT provider (Red Team), which must be independent from the TI provider
Production of the Generic Threat Landscape (GTL): a national supervisor document on general threats to the country's financial sector.
Phase 2: Threat Intelligence
The TI provider delivers the Targeted Threat Intelligence Report (TTI):
- Targeting research specific to the entity
- Relevant threat actors (APTs, cybercrime groups, hacktivists) with TTPs documented per MITRE ATT&CK
- External footprinting of the entity (OSINT, leaked data, reconnaissance)
- Realistic scenarios proportional to the threat profile
- Indicators and contextual data the RT provider will use
The TTI must be realistic, specific and actionable. It gets validated with the national supervisor before moving to the next phase.
Phase 3: Red Teaming
The RT provider executes the exercise on production for 10-14 weeks, in some cases up to 20 weeks. Campaigns may include:
- Advanced reconnaissance and infrastructure development
- Initial access: targeted spear-phishing, identified exposures, leaked credentials, attacks against the cloud and on-prem attack surface
- Persistence and privilege escalation
- Lateral movement across on-prem and cloud infrastructure
- Targeting critical applications and financial backend
- Simulated exfiltration or impact on crown jewels
- Actions on SWIFT infrastructure, core banking, payment systems, depending on scenario
Everything runs under:
- Strict rules of engagement
- Constant communication with the White Team
- Defined stop conditions (which halt the exercise if there's risk of unauthorised operational impact)
Phase 4: Closure & Replay
- Final Report: detailed description of executed TTPs, MITRE ATT&CK mapping, evidence, findings, severity
- Replay with the Blue Team: the Blue Team is told about the exercise in this phase and walks through the report with the Red Team, covering what it detected, what it missed, and why
- Consolidated lessons learned
- Remediation plan with prioritisation
- Report to the supervisor (national competent authority under DORA)
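The replay's core question (which executed TTPs the Blue Team detected, which it missed, and how quickly) is easy to lose in a narrative report. The following is an added example, not code from the page, from Secra or from any TIBER framework document: it reconciles a Red Team action log against a SOC alert log by ATT&CK technique ID and produces a per-technique detected/missed view with time-to-detect. The data classes, the 72-hour attribution window, and the sample actions and detections are all constructed assumptions; a real replay would load the RT provider's evidence log and the SOC's alert export in whatever format each side actually keeps.

```python
# Added example (not from the original page): reconciling the Red Team's executed
# TTP log against the Blue Team's alert log during the replay phase, to produce the
# "what was detected, what was missed, and how fast" view the Final Report needs.
# All identifiers, the attribution window, and the sample actions and detections
# below are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RedAction:
    """One action the RT provider executed, tagged with its ATT&CK technique ID."""
    technique: str
    executed_at: datetime
    description: str


@dataclass(frozen=True)
class BlueDetection:
    """One alert the Blue Team raised, tagged by the analyst with the technique ID."""
    technique: str
    detected_at: datetime
    source: str


@dataclass(frozen=True)
class ReplayEntry:
    technique: str
    description: str
    status: str                      # "detected" or "missed"
    time_to_detect: Optional[timedelta]
    source: Optional[str]


def reconcile(actions, detections, window=timedelta(hours=72)):
    """Match each executed action to the earliest same-technique alert raised after it
    within `window`. An alert is credited to at most one action, so a TTP that was
    repeated several times is judged separately each time."""
    unused = sorted(detections, key=lambda d: d.detected_at)
    entries = []
    for action in sorted(actions, key=lambda a: a.executed_at):
        match = None
        for det in unused:
            if (det.technique == action.technique
                    and action.executed_at <= det.detected_at <= action.executed_at + window):
                match = det
                break
        if match is None:
            entries.append(ReplayEntry(action.technique, action.description, "missed", None, None))
        else:
            unused.remove(match)
            entries.append(ReplayEntry(action.technique, action.description, "detected",
                                       match.detected_at - action.executed_at, match.source))
    return entries


def summarise(entries):
    """Coverage ratio, mean time-to-detect over detected actions, and the missed techniques."""
    detected = [e for e in entries if e.status == "detected"]
    coverage = len(detected) / len(entries) if entries else 0.0
    mttd_hours = (sum(e.time_to_detect.total_seconds() for e in detected) / 3600 / len(detected)
                  if detected else None)
    return {"coverage": coverage,
            "mean_time_to_detect_hours": mttd_hours,
            "missed_techniques": [e.technique for e in entries if e.status == "missed"]}


# Constructed sample: four actions from one campaign, two of which produced an alert.
T0 = datetime(2025, 3, 3, 9, 0)
SAMPLE_ACTIONS = [
    RedAction("T1566.001", T0, "Spear-phishing attachment to a treasury operator"),
    RedAction("T1078", T0 + timedelta(days=1), "Logon with the harvested domain account"),
    RedAction("T1021.002", T0 + timedelta(days=3), "Lateral movement over SMB to a payments host"),
    RedAction("T1041", T0 + timedelta(days=6), "Simulated exfiltration over the C2 channel"),
]
SAMPLE_DETECTIONS = [
    BlueDetection("T1566.001", T0 + timedelta(hours=2), "EDR: macro spawned a scripting host"),
    BlueDetection("T1021.002", T0 + timedelta(days=3, hours=30), "SIEM: admin-share access from a workstation"),
]

if __name__ == "__main__":
    entries = reconcile(SAMPLE_ACTIONS, SAMPLE_DETECTIONS)
    for e in entries:
        ttd = f"{e.time_to_detect.total_seconds() / 3600:.1f}h via {e.source}" if e.source else "-"
        print(f"{e.technique:<10} {e.status:<8} {ttd:<55} {e.description}")
    print(summarise(entries))
```

The per-technique table is what the Blue Team and the RT provider discuss line by line in the replay; the summary feeds the remediation plan, since each missed technique maps to a detection gap and each long time-to-detect to a triage or escalation gap. On the sample data, two of four actions are detected (coverage 0.5) with a mean time-to-detect of 16 hours, and T1078 and T1041 are the gaps.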
Roles and actors
White Team
Internal team of the entity that knows about the exercise. Responsible for approving scope and rules of engagement, coordinating with TI/RT providers, activating stop conditions if there's risk and communicating with the supervisor.
Minimum: CISO, business continuity lead, fraud lead, communications officer.
Blue Team
The rest of the organisation: SOC, incident response team, IT, application teams. They don't know the exercise is happening. Their job during the exercise is their usual one: detect and respond.
Control Team
Small group bridging the Blue Team and White Team, appointed afterwards to coordinate the replay.
Accredited TI provider
External firm producing the TTI. Must be accredited under the RTS published by the ESAs, be independent from the RT provider, have documented methodology and proven experience.
Accredited RT provider
External firm executing the Red Team. Must be accredited, be independent from the TI provider, have a team with senior profiles (CRTO, OSEP, OSCE3, OSCP, eCPTX, GREM, GXPN…), demonstrate prior experience in production exercises and meet operational security requirements.
National supervisor / TIBER-XX cyber team
Team within the national central bank or competent authority that coordinates the exercise. In Spain, Banco de España (TIBER-ES).
Threat Intelligence in TIBER: what gets delivered
The TTI Report must include, at minimum:
- Executive summary of the threat profile
- Relevant threat actors with specific motivation, capability and intent
- TTPs mapped to MITRE ATT&CK
- External footprinting: domain, exposed IPs, visible cloud infrastructure, employee profiles, leaked data, repository leaks
- Relevant supply chain information
- Detailed scenarios with narrative, objectives, success metrics
- Observable indicators that the RT provider can use
Expected quality: a specific threat intelligence product, not a generic OSINT compilation.
Typical Red Team scenarios in banking
Some scenario archetypes seen in real TIBER exercises:
- SWIFT operator compromise via spear-phishing and persistence → attempted fraudulent transfer on a crown jewel
- Compromise of an MSP managing infrastructure → lateral movement to core banking
- Initial access via exposed cloud application → escalation to payment systems
- Compromise of DEV/QA environment with collateral access to PROD → attack on critical applications
- Simulated insider threat with compromised accounts → customer data exfiltration
Each scenario is built on realistic TTPs from the entity's threat landscape, not invented.
Differences from a standard Red Team
| Dimension | Standard Red Team | TIBER / TLPT |
|---|---|---|
| Prior intelligence | Generic or limited | Specific mandatory TTI |
| Systems | Production or staging | Mandatory production |
| Duration | 4-8 weeks | 10-20 weeks |
| Providers | Any | Accredited (independent TI + RT) |
| Supervision | Client | Competent authority + client |
| Scope | Defined by client | Defined by client with supervisor validation |
| Rules of engagement | Variable | Standardised TIBER |
| Reporting | Private to client | Client + supervisor + possible EU mutual recognition |
| Cost | €25,000-€100,000 | €80,000-€250,000 |
| Mandatory frequency | No | Every 3 years for designated entities |
Provider accreditation and selection
The ESAs (EBA, ESMA, EIOPA) published specific RTS on accreditation of TI and RT providers under DORA. Typical criteria:
- Independence: clear separation between TI and RT providers
- Experience: demonstrable prior exercises, certified profiles
- Procedures: evidence management, confidentiality, infrastructure segregation
- Quality: sample reports available for review, documented success cases
- Conduct: absence of sanctions, managed conflicts of interest
How to choose a provider
- Verify current accreditation in the official registry.
- Request references from prior exercises in the financial sector.
- Review profiles of the assigned team (not just the company's CV).
- Evaluate documented methodology (not just "we do Red Team").
- Validate technical capability through technical meetings with the assigned team.
- Check TI ↔ RT segregation in providers that offer both services (they'll have to give up one per exercise).
Indicative timelines and cost
Timelines
| Phase | Typical duration |
|---|---|
| Preparation | 4-6 weeks |
| Threat Intelligence | 3-5 weeks |
| Red Teaming | 10-14 (up to 20) weeks |
| Closure & Replay | 3-5 weeks |
| Total | 20-30 weeks |
Cost
Order of magnitude for a mid-to-large financial entity:
| Item | Range |
|---|---|
| TI provider (full TTI report) | €25,000-€60,000 |
| RT provider (10-14 weeks on production) | €60,000-€180,000 |
| Internal coordination and White Team | equivalent to 1 FTE for 6 months |
| External total | €80,000-€250,000 |
Exercises on systemic entities with broad scope can exceed €350,000.
Frequently asked questions
Is TIBER mandatory under DORA?
DORA requires TLPT (based on TIBER-EU) for financial entities designated by the competent authority. Non-designated entities remain subject to the general pillar 3 testing programme, without mandatory formal TLPT.
How often is TLPT performed?
At least every 3 years for designated entities. Significant events (major architecture changes, severe incident, change of critical provider) can justify extraordinary exercises.
Who appoints the TI provider and the RT provider?
The financial entity selects them, but they must be accredited under the RTS published by the ESAs. The national competent authorities validate suitability. The selection is formally recorded.
Can results be shared with the regulator?
Yes, and it's mandatory under DORA: the entity must report the exercise and its results to the competent authority. For CTPPs, the ESAs may receive the report directly. There's mutual recognition between Member States to avoid duplicating exercises in cross-border groups.
What happens if the Blue Team detects the Red Team?
It's a positive exercise outcome, not a failure. How, when and with what signals it was detected gets documented. The RT provider can continue the exercise modifying TTPs (adaptability test) or restart campaigns. Early detection confirms the Blue Team works.
Can an entity run an internal Red Team and satisfy DORA?
Not for TLPT. DORA requires accredited independent external providers. An entity can complement TLPT with internal exercises (purple team, continuous exercises), but not replace it.
What requirements must the Red Team meet?
Certified profiles (CRTO, OSEP, OSCE3, OSCP, eCPTX, GREM, GXPN equivalents), prior experience in production exercises, advanced knowledge of Active Directory, cloud, financial infrastructure, evasion of modern detection (EDR, XDR, MDR) and secure operations management.
What if the financial entity is not designated?
The general pillar 3 testing programme applies: vulnerability analysis, code reviews, network tests, penetration tests. Frequency and depth are set by the national authority according to proportionality.
Run your TLPT/TIBER or advanced Red Team with Secra
At Secra we run intelligence-led Red Team exercises aligned with TIBER-EU for designated and non-designated financial entities, with certified profiles and documented methodology.
→ Learn about our Red Team service
→ Request an initial conversation, no commitment
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.