Advisory · 29 May 2026 · 12 min read

TIBER-EU and DORA: What Financial Institutions Need to Understand Before the Notification Arrives

TIBER-EU and DORA: threat intelligence-based red teaming for EU financial institutions

DORA has been in force since January 2025. The TLPT regulatory technical standards became active in July 2025. The ECB published its TIBER-EU implementation guide for significant institutions in November 2025.

Regulators are already sending notification letters to entities in scope.

If you are the CISO of a regulated financial entity in the EU and you do not have a TLPT plan, this post is for you.

What TIBER-EU Actually Is

TIBER-EU stands for Threat Intelligence-Based Ethical Red Teaming. It is the European framework, developed by the ECB, that defines how a serious cyber resilience test is conducted: with real threat intelligence, an external red team, and simulated attacks against live production systems.

It is not a penetration test. It is not a compliance audit. It is a controlled simulation of a real attack, carried out by professional adversaries, based on what actual threat actors would do against your organisation right now.

The practical difference: a standard penetration test asks "do vulnerabilities exist?" A TIBER-EU TLPT asks "could a determined adversary compromise your critical business functions?" These are fundamentally different questions, and they produce fundamentally different answers.

What DORA Requires

Articles 26 and 27 of DORA create a clear obligation: significant financial entities must conduct TLPT at least every three years.

Who is in scope? DORA uses a two-tier approach:

  • Automatically required: globally systemically important institutions (G-SIIs)
  • Potentially required: other entities designated by the competent authority based on criticality, size, and risk profile

In Portugal, Banco de Portugal is the competent authority. The ECB directly supervises significant institutions under the Single Supervisory Mechanism.

The test must cover live production systems and involve a qualified external red team. Internal testing or staging environments do not satisfy the requirement.

TIBER-EU vs. a Standard Red Team Engagement

The most common misconception: CISOs who have run internal red team exercises assume that this covers the TLPT obligation. It does not.

A TIBER-EU TLPT has mandatory phases and specific required participants:

1. Preparation

Scope is defined with the regulatory authority. The internal Control Team is established. A certified Threat Intelligence Provider (TIP) is contracted separately from, and independent of, the red team.

2. Threat Intelligence

The TIP produces an organisation-specific threat intelligence report: who the most likely adversaries are, which TTPs they would use, and which vectors are most relevant to your sector and geography.

3. Red Team Testing

Based on the TI report, the red team executes the attack. The red team does not choose the scenarios. The scenarios emerge from real intelligence. Testing typically runs twelve weeks or longer.

4. Closure

A joint report is produced, a remediation session is conducted, and results may be shared with the regulator for cross-sector benchmarking.

The separation between TIP and red team is intentional and mandatory. It ensures attack scenarios are grounded in real threats, not in the red team's preferences or existing tooling.

| Phase | What Happens | Who Is Involved |
| --- | --- | --- |
| Preparation | Scope defined with regulator, Control Team established, TIP contracted | Entity, regulator, TIP |
| Threat Intelligence | Organisation-specific TI report: threat actors, TTPs, attack vectors | TIP (independent) |
| Red Team Testing | Attack execution based on TI report, typically 12+ weeks | External red team (independent of TIP) |
| Closure | Joint report, remediation session, potential regulator sharing | All parties |

Why This Cannot Wait

Three reasons to act now rather than when the notification arrives:

1. Notifications are already being sent. The RTS entered into force in July 2025. Entities in scope are receiving letters now. Arriving at the process unprepared means starting from zero under regulatory time pressure, and the process has long lead times by design.

2. Preparation takes months before testing begins. Qualifying vendors, establishing the Control Team internally, and coordinating with the supervisor are not a two-week exercise. Organisations that begin when they receive the notification routinely find themselves without viable options within the required window.

3. The intelligence is worth more than the certificate. A well-executed TLPT tells you something a compliance checklist cannot: whether your controls hold against a real adversary with time, motivation, and a specific target. The operational intelligence produced (attack paths, detection gaps, response failures) has value that outlasts the regulatory cycle. A check-the-box TLPT produces a certificate. A serious one changes how you run your security programme.

What to Do Now

If you do not know whether your entity is in scope: the determination is the competent authority's responsibility, not yours. Contact Banco de Portugal directly.

If you are already in scope:

  • Identify who sits on your Control Team, typically the CISO, the CRO, and business representatives from the critical functions being tested.
  • Map the critical business functions an adversary would prioritise. This shapes the threat intelligence brief.
  • Begin vendor qualification for both the TIP and the red team. They must be external, independent of each other, and qualified under the framework.
  • Open a line of communication with your supervisor before the formal process starts. Alignment on expectations early avoids friction later.

A Final Note

TIBER-EU is not regulatory bureaucracy dressed up as security. It is the closest thing to a real attack that a financial organisation can experience in a controlled, legal context.

The value depends entirely on who runs it. A TLPT treated as a compliance exercise will consume budget and produce a report that satisfies a checkbox. A TLPT run with genuine adversarial intent will surface things your existing programme has not found, and give you the evidence to fix them before a real incident does.

The difference is in the vendor you choose and the questions you ask before you sign.

OFFCEPT is an offensive security firm specialising in red team operations and adversarial simulation. If you are evaluating providers for TLPT or want to understand the process before initiating it, get in touch.

This post is for informational purposes only and does not constitute legal advice. For guidance specific to your organisation's legal obligations, consult a qualified legal professional.