Who this page is for
This page is for leaders in IT risk, operational resilience, cyber security and supervision in the financial sector and for detection or SOC leads who want to measure maturity.
What TIBER-EU is
TIBER-EU stands for Threat Intelligence-based Ethical Red Teaming; the suffix marks the European framework, published by the European Central Bank in 2018 and adopted by national authorities as TIBER-XX programmes (for example TIBER-DE or TIBER-NL). It describes how realistic, threat-led tests against live production systems are coordinated, supervised and documented.
The goal is not a single audit result but a credible picture of the resilience of critical functions against realistic threats.
Purpose of threat-led tests
Threat-led tests examine how well detection, response and recovery actually work in production. They surface gaps in telemetry, playbooks, escalation, communications and the interplay of SOC, IT and business.
Unlike purely technical penetration tests they are less about individual vulnerabilities and more about the effectiveness of the entire defensive chain.
Difference from pentest, audit and classic red teaming
Classic penetration test: examines applications or systems for vulnerabilities.
Audit: checks compliance against requirements.
Classic red teaming: broad attacker simulation, often commissioned by the security organisation.
TIBER-EU: combines targeted threat intelligence, a red team exercise on live production systems and oversight by the competent authority. Only a small white team at the tested organisation knows about the test; the blue team is not informed in advance, so what gets measured is the real detection and response.
Roles and phases at a high level
At a high level a TIBER-EU test runs through three phases; the framework groups threat intelligence and red teaming together as the testing phase:
1. Preparation: scoping of the critical functions to be tested, including the people, processes and technology that support them, and the safeguards for testing on live systems
2. Threat intelligence: a targeted threat intelligence report on the actors realistically targeting the entity and the tactics, techniques and procedures they use, which the red team turns into attack scenarios
3. Red teaming: the threat-led exercise itself against live production systems, without the blue team knowing
4. Closure: replay of the attack paths together with the blue team, evaluation, lessons learned and a remediation plan
Participants are a white team on the tested organisation's side (the small group that knows about the test and manages its risks), a red team provider, a threat intelligence provider and the competent authority's TIBER cyber team, which oversees the test. The blue team, the organisation's defenders, is deliberately not told that a test is under way.
Link to DORA and TLPT
DORA (Regulation (EU) 2022/2554) requires advanced testing in the form of threat-led penetration testing (TLPT) for the financial entities that their competent authorities identify: at least every three years, on live production systems supporting critical or important functions (Article 26). The regulatory technical standards for TLPT adopt the core elements of TIBER-EU, and the framework has since been updated to align with DORA, so TIBER-EU remains the established methodological reference for TLPT.
Why SOC and detection benefit too
Even organisations that do not run their own TIBER-EU programme benefit from the patterns reported elsewhere: realistic tests surface recurring gaps in detection, escalation and identity protection. SOC and incident response teams can adopt these insights without immediately commissioning their own TLPT.
What this page intentionally is not
This page provides orientation on TIBER-EU. Concrete attack techniques, payloads, detection rules or Sigma and KQL examples are intentionally not covered here. That technical depth belongs in specialised red and purple team resources.
Deeper technical content is planned to live on a dedicated platform.
Checklist
- Critical functions clearly defined
- Scope and safeguards agreed early
- Experienced threat intelligence and red team partners selected
- White team named with clear escalation paths
- Rehearsed detection and incident response processes
- Lessons learned documented and prioritised
Frequently asked questions
Is TIBER-EU mandatory?
TIBER-EU itself is voluntary. DORA, however, makes TLPT mandatory for the financial entities their competent authorities identify, and because the TLPT standards build on TIBER-EU, it is effectively the methodological reference for those institutions.
Who runs the tests?
Specialised red teams with documented experience in threat-led exercises, combined with a threat intelligence provider and supervised by the competent authority.
Is it the same as a pentest?
No. A pentest looks for vulnerabilities in a defined scope. A TIBER-EU exercise tests the effectiveness of the entire defence, from detection through escalation to response, against realistic threats.
Related topics
- DORA: consolidates European requirements for digital operational resilience in the financial sector (factual orientation, not legal advice).
- NIS2: the directive raises the cyber security bar in the EU noticeably (editorial orientation, not legal advice).
- Security operations centre: combines people, process and technology to detect cyber incidents early, handle them in a structured way and learn from them; covers tasks, models and common pitfalls.
- SIEM: aggregates log and telemetry data, correlates it and provides the foundation for detection and incident response; covers function, important data sources and common mistakes.
- Security incident: requires a clear process, rehearsed roles and prepared communication, because improvising during an incident wastes time and creates mistakes; covers the phases, responsibilities and common pitfalls.
- Enterprise security: combines governance with concrete technical and organisational controls; shows what decision makers and IT leaders should focus on first, calm, practical and clearly prioritised.