TLPT Series Part 1: Red Teaming Through a Critical-Services Lens

March 18, 2026

Author: Sadi Zane

What Is Threat-Led Pen Testing?

Threat-Led Penetration Testing (TLPT) is a threat-intelligence-led red team exercise designed to assess the resilience of an organization's Critical or Important Functions (CIFs, in DORA terminology) or Critical or Important Business Services (CIBS).

This blog series explores the value of threat-led penetration testing for security leaders, how to scope an effective TLPT to DORA requirements, the critical role of threat intelligence, and how to use TLPT to demonstrate operational resilience.

How Does a TLPT Work in Practice?

The technical execution of TLPT remains adversarial and adaptive. Detection pressure, dwell time and attacker experimentation are inherent to the exercise and consistent with mature red team delivery.

What differentiates TLPT is how red-team activity is framed by threat intelligence, aligned to critical services and governed to produce defensible assurance outcomes.

The Value of TLPT Outcomes

TLPT is designed to answer a fundamental question for senior security and resilience leaders: Are our most critical services resilient to the most credible cyber threats we face today?

When executed correctly, a TLPT enables organizations to evidence:

  • Whether critical or important business services can be materially impacted by credible, intelligence-led threat scenarios, rather than theoretical or generic attack paths
  • Whether controls, processes and decision-making protect those services under sustained adversarial pressure
  • Whether detection, escalation and response capabilities are sufficient to preserve service continuity when critical services are at risk
  • Where governance, ownership or cross-functional coordination degrades under realistic attack conditions

By grounding the exercise in current threat intelligence, TLPT ensures testing effort is prioritised against the highest-risk and most relevant attacker behaviours observed in the sector. As threat actor tactics, techniques and access paths evolve, TLPT provides a structured mechanism to validate that defensive capabilities remain effective against current and emerging risks, rather than historical attack patterns.

In this way, TLPT supports a practical and evidence-based view of operational resilience, rather than a static assessment of security controls.

TLPT – Red Teaming Anchored to Critical Services

Traditional red team engagements are commonly driven by technically defined objectives such as privileged access, persistence, data exfiltration or ransomware-style impact. In these engagements, business impact is typically assessed during reporting, based on the technical outcomes achieved.

In a TLPT, red-team objectives are defined upfront in business terms and explicitly mapped to CIBS and the systems that support them. The exercise remains technically rigorous, but outcomes are assessed by whether attacker activity can credibly threaten the availability, integrity or continuity of those services.

This alignment ensures red-team activity directly supports the resilience outcomes described above.

Threat Intelligence as the Foundation of a TLPT

In a TLPT, threat intelligence defines the threat scenario the organization is testing against.

It establishes the relevant threat actors, their motivations and objectives, the critical or important business services most likely to be targeted, and the access patterns and attack paths that are realistic for those actors. This intelligence is produced and validated before any offensive activity begins and defines the conditions, constraints and objectives of the exercise.

By doing so, TLPT ensures that testing effort is focused on the most credible real-world risks, rather than on generic or opportunistic techniques. This intelligence-led framing is central to maintaining the relevance of the exercise as the threat landscape continues to change.

Initial Access Within a TLPT

A TLPT may include an external access phase where threat intelligence indicates this is a credible and material part of the threat scenario.

External activity is selective and intelligence-led, reflecting access patterns observed for the identified threat actors within the sector. Examples of initial access testing include:

  • Abuse of cloud identity and federation mechanisms, such as an AWS IAM role that trusts an external OIDC identity provider, reached through a compromised external identity
  • Compromise of Microsoft Entra ID via malicious or over-privileged application service principals
  • Access to CI/CD platforms such as Azure DevOps or GitLab to obtain build credentials, tokens or deployment permissions
  • Compromise of container orchestration platforms, including AKS or EKS, using exposed service account tokens, misconfigured workloads or CI/CD-issued credentials
  • Abuse of CI/CD pipelines or platform integrations to gain indirect access to environments supporting critical services
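One concrete check behind the first access path above, as an added example that is not part of the original article or Kroll's own tooling: an audit of AWS IAM role trust policies for over-broad OIDC federation. A role assumed via sts:AssumeRoleWithWebIdentity must constrain the token's subject (sub) claim; a trust policy that conditions only on the audience (aud), or wildcards the subject, can be assumed by any identity the provider issues. GitHub Actions is used as the provider; the three trust policies, the account ID and the repository names are constructed for illustration.

```python
"""Audit IAM role trust policies for over-broad OIDC (web identity) federation.

Added example for this article, not Kroll's tooling. The policies, the
account ID and the repository names below are constructed for illustration.
"""
import json

ASSUME_WEB_IDENTITY = "sts:assumerolewithwebidentity"
GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM allows Action, Principal and Condition values to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _provider_host(federated_arn):
    """arn:aws:iam::<account>:oidc-provider/<host> -> <host>; None for non-OIDC federation."""
    marker = "oidc-provider/"
    return federated_arn.split(marker, 1)[1] if marker in federated_arn else None


def _condition_values(condition, key):
    """Collect every value bound to a condition key across all operators
    (StringEquals, StringLike, ForAnyValue:StringLike, ...); keys are case-insensitive."""
    values = []
    for pairs in (condition or {}).values():
        for cond_key, cond_value in pairs.items():
            if cond_key.lower() == key.lower():
                values.extend(str(v) for v in _as_list(cond_value))
    return values


def _subject_is_broad(host, subject):
    """GitHub subjects are repo:<owner>/<repo>:<ref or environment>. A wildcard in the
    owner/repo segment lets any repository (or any owner) mint a usable token."""
    if subject.strip() == "*":
        return True
    if host == GITHUB_OIDC and subject.startswith("repo:"):
        owner_repo = subject.split(":", 2)[1]
        return "*" in owner_repo
    return False


def audit_trust_policy(policy_json):
    """Return human-readable findings for every web-identity statement in a trust policy."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {ASSUME_WEB_IDENTITY, "sts:*", "*"}:
            continue
        principal = stmt.get("Principal") or {}
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        for arn in _as_list(federated):
            host = _provider_host(arn)
            if host is None:
                continue  # SAML or other federation is out of scope for this check
            condition = stmt.get("Condition") or {}
            auds = _condition_values(condition, f"{host}:aud")
            subs = _condition_values(condition, f"{host}:sub")
            if not auds:
                findings.append(f"statement {idx}: {host} trusted with no audience (aud) condition")
            if not subs:
                findings.append(f"statement {idx}: {host} trusted with no subject (sub) condition; "
                                "any token the provider issues can assume this role")
            for sub in subs:
                if _subject_is_broad(host, sub):
                    findings.append(f"statement {idx}: subject {sub!r} wildcards the owner or repository")
    return findings


def _policy(condition):
    """Build a constructed trust policy for a role assumed by GitHub Actions via OIDC."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# Weak: audience only, so any GitHub repository can obtain a token and assume the role.
WEAK_POLICY = _policy({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}})
# Also weak: a subject condition exists but matches every repository of every owner.
WILDCARD_POLICY = _policy({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                           "StringLike": {f"{GITHUB_OIDC}:sub": "repo:*"}})
# Hardened: audience pinned and subject pinned to one repository and branch.
HARDENED_POLICY = _policy({"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",
                                            f"{GITHUB_OIDC}:sub": "repo:example-org/payments-service:ref:refs/heads/main"}})

if __name__ == "__main__":
    for name, doc in [("weak", WEAK_POLICY), ("wildcard", WILDCARD_POLICY), ("hardened", HARDENED_POLICY)]:
        print(name, audit_trust_policy(doc) or ["no findings"])
```

To run the same check against a real role, feed it the JSON text of the role's AssumeRolePolicyDocument (for example from `aws iam get-role --role-name <name>`); the audit deliberately treats condition keys case-insensitively and reads every condition operator, because a subject constraint placed under StringLike or ForAnyValue:StringLike is just as valid as one under StringEquals.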

The access paths listed above are selected to reflect current attacker tradecraft, reinforcing the temporal relevance of the test and its alignment to real-world risk.

Assumed Compromise in a TLPT Context

Assumed breach within a TLPT represents a threat-intelligence-justified starting condition.

An assumed breach is supported by the threat intelligence hypothesis, credible for the selected threat actor, aligned to known detection gaps or control weaknesses, and reflective of access paths commonly observed in the sector.

The assumed breach forms part of the threat model and ensures the exercise remains focused on the resilience of critical services, rather than on the mechanics of initial compromise alone.

Governance Constraints on TLPT Execution

In a TLPT, scope, objectives and termination conditions are formally agreed and approved upfront.

Offensive actions are selected based on their relevance to the agreed threat scenario and their impact on in-scope critical services. Activities must be justifiable within the scenario and defensible to senior stakeholders and regulators.

This governance discipline ensures that the outcomes of the exercise directly support operational resilience and regulatory assurance.

TLPT Attack Termination

Attack termination in a TLPT is a governance decision.

Stopping conditions are defined in advance and tied to evidential thresholds. An attack phase may be halted once sufficient evidence has been gathered to demonstrate material exposure of a critical or important business service, or a clear success or failure in detection, escalation or response capability.

This approach ensures the exercise remains proportionate while still delivering meaningful and defensible assurance.

Closing Perspective

Threat-Led Penetration Testing provides valuable red team insight executed through a critical-services and operational resilience lens.

By combining threat intelligence, realistic offensive execution and governance discipline, effective TLPT enables organizations to continually assess their ability to withstand the most relevant and credible cyber threats affecting their critical services.

Stay tuned for subsequent updates in our TLPT series and get in touch if you’d like to learn more.
