Tue, Feb 25, 2025

Threat-Led Pen Testing and Its Role in DORA Compliance

Threat-led penetration testing brings together specialist offensive (red team) security skills and threat intelligence to enable businesses to proactively test and identify any weaknesses, deficiencies or gaps in their controls and counteractive measures that could be exploited by threat actors.

In this article, we set out what threat-led pen testing is, how it relates to the Digital Operational Resilience Act (DORA) and the testing requirements included as part of the new EU regulation.

What Is Threat-Led Pen Testing?

Threat-led penetration testing is a controlled security assessment that identifies and leverages the ways an attacker could gain access to an organization, move laterally within it and target its most critical business services. The goal of the testing is to comprehensively test the cyber resilience of an entity by simulating the TTPs (tactics, techniques and procedures) of real-life threat actors.

Typically driven by regulators, threat-led pen testing takes its name from the fact that it draws on threat intelligence and expert insight into attack strategies currently used in the wild. These strategies are analyzed, contextualized and provided to a partnering red team of ethical hackers who use this highly tailored intelligence to go beyond exploiting surface vulnerabilities to incorporate more complex attack methods and vectors.

Threat-Led Pen Testing and DORA

Threat-led penetration testing forms a key aspect of the Digital Operational Resilience Act (DORA), a regulatory framework that aims to prevent and mitigate cyber threats by establishing a comprehensive ICT risk management framework for the EU financial industry.

Having come into full effect on January 17, 2025, DORA aims to enhance the IT security and resilience of financial entities such as banks, insurance companies and investment firms.

Under DORA, all companies across EU member states must build an understanding of the ICT risks facing their organization and ensure that they are able to monitor, detect, withstand, respond to and recover from ICT-related threats and disruptions. The measures put into place must be proportional to the potential risks.

DORA is based on five key pillars. Digital operational resilience testing is a crucial pillar that involves multiple means of testing and ensuring technology resilience through techniques such as threat-led penetration testing. While some requirements set out by DORA are straightforward, others are more challenging and prescriptive, demanding additional effort and resources to achieve compliance.


DORA Requirements for Threat-Led Pen Testing

In July 2024, the draft regulatory technical standards (RTS) on threat-led pen testing were released.

Key aspects of guidance relating to threat-led pen testing include:

  • Targeting “Critical or Important Functions”

    Threat-led pen tests must have the objective of targeting IT assets supporting “critical or important functions” of a financial entity (including third-party systems as appropriate). These critical functions must already be identified by financial entities as part of other DORA requirements.

  • Alignment with the TIBER-EU Framework

    Threat-led pen testing for DORA should be followed in accordance with the pre-existing TIBER-EU framework, with some additional considerations and aspects now also formalized and included in DORA (e.g., purple team exercises are now mandatory). The TIBER-EU framework provides comprehensive guidance on how authorities, entities, and threat intelligence and red team providers should work together to enhance organizations’ cyber resilience through these controlled assessments.

  • Testing Cadence

    Threat-led penetration testing must be performed every three years for relevant financial institutions and their critical ICT providers. This must be performed on live production systems.

  • External and Internal Parties Can Conduct Testing

    Financial entities can use external or internal testers for the red team part of threat-led pen testing if they have the in-house expertise to do so (but an external red team vendor must be used at least every third time), while the threat intelligence provider must be external and independent for every exercise.

  • Purple Teaming Mandated

    While purple teaming is strongly encouraged but not mandatory in the TIBER-EU framework, the DORA RTS mandate that a purple team exercise be carried out at the threat-led pen testing closure stage.

  • Risk Management Is Essential

    Robust risk management at every stage of threat-led pen testing is essential, with responsibility for the conduct of the test and risk management resting entirely with the financial entity undergoing testing. Financial entities are required to assess the risk of conducting threat-led pen testing before it starts and to continually monitor this risk, updating the risk assessment as required. The RTS mandate an important way to minimize risks associated with threat-led pen testing: selecting experienced, appropriate and highly skilled testers and threat intelligence providers.

Leverage the Benefits of Threat-Led Pen Testing with Kroll

Field-proven pen testing, red team and threat intelligence services play an important role in enabling compliance with regulations such as DORA, as well as ensuring long-term cyber resilience. Kroll is an award-winning provider of cybersecurity penetration testing and red team services, conducting over 100,000 hours of security assessments every year. With more than 100 security qualifications, including CREST CRT, STAR, CC SAM and many more, we test to the highest technical, legal and ethical standards. All of our services include complete post-test care, actionable outputs, prioritized remediation guidance and strategic security advice to help you make long-term improvements to your cybersecurity posture.

Every pen test and red team exercise we undertake is fueled by incident response intel and insights from elite analysts. Leveraging frontline threat intelligence from handling thousands of cyber incidents every year, our team delivers more visibility against emerging threats and offers actionable steps to minimize risk and protect against operational and reputational damage. Our cyber threat intelligence analysts leverage their combined experience in the U.S. Secret Service, the FBI, Fortune 100 and the National Cyber Forensic Training Alliance to follow even the most obfuscated or opaque data trails. By cross-correlating a variety of open-source, private feeds and dark web data with frontline data collected from thousands of incidents, our team filters out false positives, duplicates and general noise to enable timely, meaningful and actionable intelligence.
