Source: OJ L, 2025/1190, 18.6.2025
Digital operational resilience in the financial sector
Digital operational resilience testing
- RTS on threat-led penetration testing
Annex IV Content of the red team test plan (Article 11(1))
The red team test plan shall contain information on all of the following:
communication channels and procedures;
the tactics, techniques and procedures allowed and not-allowed for use in the attack, including ethical boundaries for social engineering;
the risk management measures to be followed by the testers;
a description for each scenario, including:
the simulated threat actor;
their intent, motivation and goals;
the target function(s) and the supporting ICT system or systems;
the targeted confidentiality, integrity, availability and authenticity aspects;
flags;
a detailed description of each expected attack path, including pre-requisites and possible leg-ups to be provided by the control team, including deadlines for their provision and potential usage;
the scheduling of red teaming activities, including time planning for the execution of each scenario, at a minimum split according to the three phases a tester takes throughout the testing phase, respectively entering financial entities’ ICT systems, moving through the ICT systems and ultimately executing actions on objectives and eventually extracting itself from the ICT systems (in, through, and out phases);
particularities of the financial entities’ infrastructure to be considered during testing;
if any, additional information or other resources necessary to the testers for executing the scenarios.