TLPT Series Part 2: Designing Intelligence-Led TLPT Scenarios

Cyber

May 6, 2026

TLPT Series Part 2: Designing Intelligence-Led TLPT Scenarios

Author: Sadi Zane

Threat-Led Penetration Testing (TLPT) is intelligence-led by design. In practice, this means more than selecting a relevant threat actor. It requires translating a defined threat hypothesis into a coherent, executable and regulator-defensible engagement model.

Threat intelligence defines the hypothesis. Scenario design determines how that hypothesis becomes a structured test aligned to Important or Critical Functions (ICFs) and the organization’s operating environment.

 

Intelligence Defines the Threat Hypothesis

TLPT is typically regulator-triggered and conducted within a defined supervisory framework. The defining requirement is that the scenario must be grounded in a formally documented threat hypothesis aligned to sector risk. Threat intelligence establishes that foundation. Whether delivered by a standalone provider or as part of an integrated capability, the intelligence function defines the threat model that will shape the exercise.

This intelligence involves:

  • Identifying relevant financially motivated or service-disruption-focused threat actors active within the sector.
  • Analyzing current tactics, techniques and procedures (TTPs) observed in live campaigns.
  • Identifying realistic access patterns, including identity compromise, federation abuse, cloud workload exploitation or Continuous
  • Integration/Continuous Deployment (CI/CD) exposure.
  • Mapping those behaviors directly to the organization’s Important or Critical Functions. 
 

Intelligence-Led TLPT

Key activities from threat hypothesis to resilience assessment.

TLPT Series Part 2: Designing Intelligence-Led TLPT Scenarios

All phases anchor to Important or Critical Functions ( ICFs)

For example, sector intelligence may highlight identity-layer compromise used to bypass perimeter controls, abuse of federated trust relationships to escalate privileges, or targeted manipulation of cloud-native permissions to reach payment, settlement or customer onboarding workflows. These behaviors should be evaluated in the context of the organization’s architecture and service dependencies.

Mapping to Important or Critical Functions anchors the threat hypothesis. The objective is to model how realistic adversary behavior could materially affect defined services.

The output is therefore a structured and evidence-based threat model that guides scenario design and execution.

 

The Role of the Control Team in TLPT Scenario Governance

Under the Digital Operational Resilience Act (DORA), the regulated financial entity initiates and conducts the TLPT, with oversight from the relevant National Competent Authority. The regulator oversees the engagement and reviews scope and outcomes but does not direct execution.

The financial entity appoints an internal control team to manage the TLPT. The control team coordinates the engagement, preserves secrecy and safety controls, and acts as the interface between the organization, the regulator and the selected providers.

The control team selects both the threat intelligence provider and the Red Team, managing the flow of information between all parties and ensures that delivery remains aligned to the agreed scope and defined Important or Critical Functions.

The regulator’s role is to oversee the exercise and ensure that the threat hypothesis, Important or Critical Functions, and scenario boundaries remain consistent with the DORA framework.

Scenario design operates within clearly defined governance boundaries. Scope, Important or Critical Functions, and threat assumptions are agreed on in advance and subject to regulatory oversight. Decisions regarding starting conditions, escalation paths and potential service impact must be proportionate and defensible within that framework.

The objective is to evaluate resilience against a credible and intelligence-informed threat aligned to defined services.

 

Translating the Threat Hypothesis into Executable Delivery

Once the threat intelligence phase is complete, a formal intelligence package is produced. This document defines the selected threat actors, observed tactics, techniques and procedures (TTPs), credible access patterns and intended service impact to ICFs.

The Control Team reviews and approves this package before sharing it with the Red Team for execution. The Red Team’s role is to operationalize it within the organization’s live environment.

Operationalization begins with validating how the documented behaviors map to the organization’s architecture. In modern financial institutions—particularly fintech organizations operating predominantly cloud-native environments—identity and cloud control planes frequently represent the primary security boundary.

For example:

  • Identity-centric TTPs may translate into testing of core identity providers such as Microsoft Entra ID, Okta or equivalent federated identity services.
  • Observed privilege escalation behaviors may require evaluation of Amazon Web Services (AWS) Identity and Access Management roles, cross-account trust relationships, or identity federation models.
  • Tradecraft involving cloud-native access may necessitate review of control planes within AWS, Microsoft Azure or Google Cloud Platform, including container orchestration environments and the permissions granted to workload identities, service principals or equivalent cloud-native identity constructs.

The objective is not to reproduce intelligence verbatim, but to adapt observed adversary behaviors to the organization’s operating model. Each step in the attack path must remain consistent with the defined threat profile and proportionate to the agreed scope.

The result is a structured and actor-consistent progression toward potential impact on Important or Critical Functions, grounded in both intelligence and technical reality.

 

Design Discipline Determines TLPT Value

The complexity of TLPT extends beyond execution. Understanding the interplay among regulatory expectations, threat intelligence, governance structures and operational delivery requires a structured and coordinated approach.

The selection of threat intelligence and Red Team providers materially influences the quality of the engagement. Translating intelligence into coherent and actor-consistent scenarios requires specialized expertise across identity, cloud architecture and adversary tradecraft, as well as a clear understanding of regulatory context.

Disciplined delivery and reporting are equally essential to ensure that outcomes are structured, proportionate and defensible. Scenario design therefore determines more than the technical pathway of an engagement. It shapes the credibility of the results and the value of the resilience assessment.

Stay tuned for subsequent updates in our TLPT series, or get in touch to learn how Kroll can help you build a TLPT program to deliver tangible improvements to your security and resilience.

 

Discover Kroll’s TLPT Services

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.

Threat-Led Penetration Testing

Simulate real-world attacks, uncover vulnerabilities, and strengthen your defenses in line with DORA requirements with guidance from Kroll's offensive security experts.

DORA Compliance Assessment

Understand your gaps and prioritize key requirements for DORA compliance with guidance from Kroll experts.