Threat-led penetration testing

Preamble (Recitals 1 – 29)

Recitals

Chapter I (Article 1)

General provisions

Article 1

Definitions

Chapter II (Article 2)

Criteria to identify financial entities required to perform TLPT

Article 2

Identification of financial entities required to perform TLPT

Chapter III (Articles 3 – 12)

Requirements regarding test scope, testing methodology and results of TLPT

Section I

Testing methodology

Article 3

TCT and TLPT Test Managers

Article 4

Organisational arrangements for financial entities

Article 5

Risk management for TLPT

Article 6

Risk management for pooled and joint TLPTs

Section II

Testing process

Article 7

Specificities for pooled and joint TLPTs

Article 8

Preparation phase

Article 9

Testing phase: Threat intelligence

Article 10

Testing phase: Red Team Test

Article 11

Closure phase

Article 12

Remediation plan

Chapter IV (Article 13)

Requirements and standards governing the use of internal testers

Article 13

Use of internal testers

Chapter V (Articles 14 – 15)

Cooperation and mutual recognition and final provisions

Article 14

Cooperation

Article 15

Entry into force and application

Article 11Note: This article is based on the final draft from the ESAs and is not yet adopted. Closure phase

  1. Following the end of the active red team testing phase, the control team lead shall inform the blue team that a TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems took place.

  2. Within four weeks from the end of the active red team testing phase, the testers shall submit to the control team a red team test report containing the information set out in Annex V.

  3. Without undue delay, the control team shall provide the red team test report to the blue team and test managers.

    At the request of the test managers, the report referred to in the first subparagraph of this paragraph shall not contain sensitive information.

  4. Upon receipt of the red team test report, and no later than ten weeks after the end of the active red team testing phase, the blue team shall submit to the control team a blue team test report containing the information set out in Annex VI. Without undue delay, the control team shall provide the blue team test report to the testers and the test managers.

    At the request of the test managers, the report referred to in the first subparagraph of this paragraph shall not contain sensitive information.

  5. No later than ten weeks after the end of the active red team testing phase, the blue team and the testers shall carry out a replay of the offensive and defensive actions performed during the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. The control team shall also conduct a purple teaming exercise on topics jointly identified by the blue team and the testers, based on vulnerabilitiesmeans a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited; identified during the test and, where relevant, on issues that could not be tested during the active red team testing phase.

  6. After completion of the replay and purple teaming exercises, the control team, the blue team, the testers and threat intelligencemeans information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations; providers shall provide feedback to each other on the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems process. The test managers may provide feedback.

  7. Once the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority has notified the control team lead that it has assessed that the blue team test report and the red team test report contain the information set out in Annex V and Annex VI, the financial entity shall within eight weeks submit the report summarizing the relevant findings of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems referred to in Article 26(6) of Regulation (EU) 2022/2554, containing the elements set out in Annex VII for approval.

    At the request of the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems authority, the report referred to in the first subparagraph of this paragraph shall not contain sensitive information.

Table of contents