Source: OJ L, 2025/1190, 18.6.2025
Recital 12 Comprehensive criteria for TLPT providers
Conventional penetration tests provide a detailed and useful assessment of technical and configuration vulnerabilities, often of a single system or environment in isolation, but unlike intelligence led red team tests, do not assess the full scenario of a targeted attack against an entire entity, including the complete scope of its people, processes and technologies. During the selection process of the TLPT providers, financial entities should therefore ensure that those providers have the requisite skills to perform intelligence-led red team tests, and not only penetration tests. It is therefore necessary to lay down comprehensive criteria for testers, both internal and external, and threat intelligence providers, always external.
Where the TLPT providers belong to the same company, the staff assigned to a TLPT should be adequately separated.