With the entry into force of the Digital Operational Resilience Act (DORA), which makes Threat-Led Penetration Testing (TLPT) mandatory for certain financial entities from 2025, many banks now have to align their security exercises with regulatory expectations while incorporating realistic threat scenarios.

Articles 26 and 27 of DORA require a combination of threat intelligence and type-specific exercises Red Team, in order to simulate authentic attacks and assess operational resilience.

A major European bank has asked Intrinsec to assist it in preparing its first TLPT cycle, drawing on Intrinsec's 30 years of cyber expertise, its dedicated Cyber Threat Intelligence (CTI) unit and its specialized Red Team.

Goals

Approach

1/Defining the scope based on threat intelligence

The team Intrinsec's CTI conducted a thorough analysis of OSINT and internal data, focusing on:

• Identifying leaked credentials and sensitive data exposures in open sources and on marketplaces.
• Mapping high-risk relationships with third-party providers and Shadow IT applications.
• Profiling the realistic tactics of attackers based on the MITRE ATT&CK framework and recent behaviors of malicious actors specific to financial institutions.

  This made it possible to design three credible TLPT scenarios reflecting real risks, thus ensuring maximum relevance to the bank's operational reality.

2/Execution by the Red Team with assistance

The Red Team led the exercise from start to finish, combining social engineering, lateral movement and privilege escalation to emulate advanced persistent threats (APTs).

Controlled interventions (leg-ups) were planned with the bank's control team to maintain operational continuity while validating critical attack trajectories.

The team operated stealthily to test the detection effectiveness and responsiveness of the SOC (Security Operations Center).

3/Collaborative reports and recommendations

Following the exercise, Intrinsec submitted a comprehensive and pragmatic report, tailored to both decision-makers and technical teams, which included:

• Descriptions of attacks related to critical assets and the bank's compliance requirements.
• An analysis of gaps in incident detection and management coverage.
• Specific improvements to the SOC manual and tactical recommendations to enhance operational resilience.

Results

• • Successful alignment of the TLPT scope with DORA requirements and supervisor expectations.
  • Demonstrated response to regulatory requirements for multi-vector resilience testing.
  • Tangible improvement of internal processes, reducing the risks associated with identity leaks and shadow IT.
  • Enhancing SOC detection capabilities through lessons learned from realistic attacks.
  • Building a solid foundation for future DORA compliance cycles.
    
    

More information

For banks preparing their first or subsequent TLPT under the DORA directive, Intrinsec offers a proven methodology to transform regulatory obligations into operational improvements, thereby ensuring measurable, actionable and sustainable cybersecurity resilience.