TIBER-EU Framework Explained — Threat Intelligence-Led Red Teaming

Published April 26, 2026 · 14 min read

TIBER-EU — Threat Intelligence-Based Ethical Red Teaming — is the European Central Bank's framework for controlled red-team exercises against critical financial infrastructure. Adopted in 2018 and extended by national variants (TIBER-NL, TIBER-DE, TIBER-IT, TIBER-IE, TIBER-NO), it now sits at the centre of the Digital Operational Resilience Act (DORA) Threat-Led Penetration Testing (TLPT) requirement that became binding for EU financial entities on 17 January 2025.

Why TIBER-EU exists

Traditional pentests don't simulate adversaries that matter to a Tier-1 bank — Lazarus, FIN7, APT28, Cobalt Group. TIBER-EU mandates that the testing follows real threat intel about who actually targets your sector, what TTPs they use, and what their objectives are. The bank's blue team is not informed (control group), so detection-and-response capability is genuinely evaluated.

Three phases

TIBER-EU runs in three phases over 6-12 months: Preparation, Testing, Closure.

Phase 1 — Preparation (8-12 weeks)

  • Engagement — entity formally engages the TIBER Cyber Team (TCT) at the relevant central bank.
  • White Team formation — small, trusted internal cell (CISO, CIO, audit, board sponsor) that knows about the test.
  • Provider procurement — entity selects accredited Threat Intelligence Provider (TIP) and Red Team Provider (RTP). Both must satisfy the TIBER-EU Services Procurement Guidelines.
  • Scope definition — critical functions to be tested (e.g. payment processing, custody, trading), out-of-scope assets, and stop conditions.
  • Targeted Threat Intelligence (TTI) report — TIP delivers a tailored intelligence document covering threat actors, motivations, and likely attack scenarios for the entity.

Phase 2 — Testing (12-16 weeks)

  • Red Team Test Plan — RTP designs attack scenarios derived from the TTI. White Team and TCT approve.
  • Test execution — RTP performs intelligence-led attacks across multiple flags (e.g. exfil customer DB, sign fraudulent SWIFT message, deploy ransomware-style canary in trading systems). Blue team is unaware throughout.
  • Leg-up — if the team gets stuck, the White Team may grant a controlled foothold so testing can continue, so the engagement is not spent entirely on initial access.
  • Activity log — RTP records every action with timestamp, target, technique (mapped to MITRE ATT&CK), and result.

Phase 3 — Closure (4-8 weeks)

  • Replay workshop (purple team) — Red Team walks Blue Team through the kill chain step by step. Blue Team checks SIEM logs & tickets to map detection gaps.
  • Test Summary Report — RTP delivers narrative kill chain + ATT&CK heat map.
  • Blue Team Report — entity self-assesses what was detected vs missed.
  • Remediation Plan — entity commits to detection and control improvements with timelines.
  • Attestation — TCT issues a TIBER-EU Attestation confirming the test followed the framework.

Roles & responsibilities

Role                          Responsibility
TIBER Cyber Team (TCT)        Oversight from the national central bank
White Team                    Internal trusted agents: coordinate and gate the test; not informed of operational detail
Blue Team                     SOC/IR: kept fully unaware until the replay phase
Threat Intel Provider (TIP)   Delivers the TTI report scoped to the entity
Red Team Provider (RTP)       Executes intelligence-led attack scenarios
Control Team                  Joint TIP + RTP + White Team group; meets weekly during execution

Required deliverables

  • Targeted Threat Intelligence (TTI) report.
  • Red Team Test Plan (scenarios, RoE, stop conditions).
  • Activity log with full ATT&CK mapping.
  • Test Summary Report (narrative + technical).
  • Blue Team Report (detection gap analysis).
  • Remediation Plan with owners and timelines.
  • TIBER-EU Attestation issued by TCT.

Sample ATT&CK heat-map output

{
  "scenario": "APT-G0096 (Akira) emulation",
  "phase_results": {
    "TA0001 Initial Access": {"T1566.001": "success", "T1190": "success"},
    "TA0002 Execution":      {"T1059.001": "success", "T1218.011": "detected"},
    "TA0003 Persistence":    {"T1547.001": "undetected", "T1053.005": "detected"},
    "TA0007 Discovery":      {"T1018": "undetected", "T1087.002": "detected"},
    "TA0008 Lateral Movement": {"T1021.002": "success", "T1550.002": "blocked"},
    "TA0010 Exfiltration":   {"T1041": "undetected (POC reached crown jewel)"}
  },
  "mttd_minutes": 184,
  "mttr_minutes": 421
}
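The activity log, the replay-workshop gap analysis and the heat map above are three views of one data set. The following added example (not TIBER-EU's or any provider's tooling; hosts, timestamps and alerts are constructed) joins a Red Team activity log against a SOC alert export to produce the per-technique verdicts, per-tactic coverage and the MTTD figure that feed the Blue Team Report:

```python
"""Replay-workshop reconciliation: join the RTP activity log against the SOC
alert export to derive the Blue Team detection-gap view and MTTD. Added
example, not TIBER-EU or provider tooling; all hosts/timestamps are constructed."""
from collections import defaultdict
from datetime import datetime

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed RTP activity log: timestamp, target, ATT&CK tactic/technique, result.
ACTIVITY_LOG = [
    {"ts": "2026-03-02T09:14:00Z", "target": "mail-gw-01", "tactic": "TA0001", "technique": "T1566.001", "result": "success"},
    {"ts": "2026-03-02T09:40:00Z", "target": "ws-0412", "tactic": "TA0002", "technique": "T1059.001", "result": "success"},
    {"ts": "2026-03-02T10:05:00Z", "target": "ws-0412", "tactic": "TA0003", "technique": "T1547.001", "result": "success"},
    {"ts": "2026-03-03T14:30:00Z", "target": "fs-core-01", "tactic": "TA0008", "technique": "T1021.002", "result": "success"},
    {"ts": "2026-03-03T15:10:00Z", "target": "fs-core-01", "tactic": "TA0008", "technique": "T1550.002", "result": "blocked"},
]
# Constructed SOC alert export; SIEM rules are already tagged with a technique.
SOC_ALERTS = [
    {"ts": "2026-03-02T12:44:00Z", "host": "ws-0412", "technique": "T1059.001"},
    {"ts": "2026-03-03T14:52:00Z", "host": "fs-core-01", "technique": "T1021.002"},
]

def reconcile(activity_log, soc_alerts):
    """Return ({technique: (status, latency_minutes)}, mttd_minutes).
    'detected' needs an alert for the same technique on the same host at or after
    the action; 'blocked' = control stopped it but nothing alerted (a visibility gap)."""
    verdicts, latencies = {}, []
    for act in activity_log:
        t0 = parse_ts(act["ts"])
        hits = [parse_ts(a["ts"]) for a in soc_alerts if a["technique"] == act["technique"]
                and a["host"] == act["target"] and parse_ts(a["ts"]) >= t0]
        if hits:
            lat = (min(hits) - t0).total_seconds() / 60
            latencies.append(lat)
            verdicts[act["technique"]] = ("detected", round(lat))
        else:
            status = "blocked" if act["result"] == "blocked" else "undetected"
            verdicts[act["technique"]] = (status, None)
    mttd = round(sum(latencies) / len(latencies)) if latencies else None
    return verdicts, mttd

def coverage_by_tactic(activity_log, verdicts):
    """Heat-map input: (detected, total) actions per ATT&CK tactic."""
    cov = defaultdict(lambda: [0, 0])
    for act in activity_log:
        cov[act["tactic"]][1] += 1
        cov[act["tactic"]][0] += int(verdicts[act["technique"]][0] == "detected")
    return {k: tuple(v) for k, v in cov.items()}
```

A "blocked" verdict with no alert is still reported separately: the control worked, but the SOC would not have known an intrusion was under way.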

DORA alignment — TLPT

DORA Articles 26 and 27 require significant financial entities to perform Threat-Led Penetration Testing at least every three years. TIBER-EU is the de facto methodology accepted by competent authorities for satisfying TLPT. National variants (TIBER-DE, TIBER-IT) are equivalent. Smaller entities below the criticality threshold can use lighter testing — but if you're a globally systemic bank, a payments provider, a crypto-asset service provider above thresholds, or a critical third-party ICT provider, TIBER-EU-style TLPT is mandatory.

TIBER-EU vs CBEST vs iCAST vs AASE

Framework   Regulator                      Scope
TIBER-EU    ECB + national central banks   EU financial entities (DORA scope)
CBEST       Bank of England                UK systemic financial firms
iCAST       HKMA                           Hong Kong banks
AASE        RBI                            Indian critical financial institutions
FEER        BSP / MAS                      Philippines / Singapore variants

All five share TIBER-EU's DNA: intelligence-led, blue-team blind, accredited providers, board attestation. Differences are largely in regulator-mandated scope and provider accreditation criteria.

Common pitfalls

  • White Team too large — operational detail leaks to Blue Team and contaminates the test.
  • TTI report too generic — RTP can't execute realistic scenarios.
  • Crown-jewel definitions vague — "exfil customer data" needs the table name and acceptance criteria.
  • No leg-up framework — engagement collapses if initial access takes longer than estimated.
  • Replay phase skipped — without purple team workshop the Blue Team learns nothing.

Provider procurement — what the Services Procurement Guidelines require

TIBER-EU is unusual among red-team frameworks in that the regulator vets the providers, not just the methodology. The Services Procurement Guidelines published by the ECB define minimum experience, accreditation, and ethical-conduct criteria for Threat Intelligence Providers and Red Team Providers separately. The two roles are explicitly separated to avoid conflicts of interest — the same firm cannot supply both TI and RT in the same engagement unless the entity provides explicit justification approved by the TIBER Cyber Team.

For RTPs the bar is roughly: demonstrable past delivery of intelligence-led red team engagements at similar criticality, formal corporate insurance covering operational damage, and named operators with industry credentials such as CREST CCRTS / CCSAS or the equivalent. For TIPs the bar is evidence of a recognised intelligence collection methodology, source diversity (technical, human, open source), and a documented analytic tradecraft — typically ICD-203 or equivalent. Procurement teams that try to use a generic pentest framework agreement for TIBER work get rejected at the TCT review stage; budget for a bespoke engagement contract.

DORA TLPT — when TIBER-EU is the answer and when it is not

DORA Articles 26 and 27 require Threat-Led Penetration Testing every three years for "significant" financial entities. TIBER-EU is the de facto methodology national competent authorities accept, but the regulation deliberately allows other equivalent frameworks. National Competent Authorities (NCAs) in member states publish their own TLPT guidance — often a TIBER-EU national variant (TIBER-DE, TIBER-IT, TIBER-IE) but in some cases a parallel scheme. Confirm with your NCA before booking the engagement. The criticality threshold is also worth checking: not every regulated entity is in scope for mandatory TLPT, and over-scoping yourself into TIBER when DORA does not require it can burn six figures unnecessarily.

Where TLPT is not mandatory but the entity wants the assurance, a TIBER-aligned engagement is still the cleanest path. The deliverables — TTI report, narrative kill chain, blue team gap analysis, attestation — are recognisable to any board, regulator, or large customer in the EU. A non-TIBER red team report often requires translation work to land the same conclusions with the same audiences.

Cost and timeline benchmarks

Public TIBER-NL summary statistics from De Nederlandsche Bank put a typical engagement at 8-12 months end-to-end and EUR 250k-700k in provider fees, with the lower end attaching to a single-system entity and the upper end to a globally systemic bank with multiple in-scope critical functions. Internal effort — White Team coordination, Blue Team replay participation, remediation backlog — usually adds another 0.5-1 FTE-year on the entity side. Plan for that in the year you book the engagement; under-resourced White Teams are the single biggest reason TIBER tests run long.

See our red team service for TIBER-EU-aligned engagement design and delivery.

FAQ

What does TIBER-EU stand for?

TIBER-EU stands for Threat Intelligence-Based Ethical Red Teaming. It is the European Central Bank's framework, adopted in 2018, for controlled, intelligence-led red team exercises against the critical functions of financial entities, with the blue team kept blind so detection and response capability is genuinely tested.

Is TIBER-EU mandatory under DORA?

DORA Articles 26 and 27 require Threat-Led Penetration Testing (TLPT) at least every three years for significant financial entities. TIBER-EU is the de facto methodology national competent authorities accept for TLPT, and national variants (TIBER-DE, TIBER-IT, TIBER-IE) are equivalent. DORA allows other equivalent frameworks, so confirm the specific TLPT guidance with your NCA before booking.

How long does a TIBER-EU engagement take and what does it cost?

A full engagement runs three phases (Preparation, Testing, Closure) over roughly 8-12 months. Public TIBER-NL statistics put provider fees at about EUR 250k-700k, with the low end for a single-system entity and the high end for a globally systemic bank with multiple in-scope critical functions. Budget an additional 0.5-1 FTE-year of internal effort for White Team coordination and remediation.

What is the difference between the White Team, Blue Team, and Control Team?

The White Team is a small internal cell of trusted agents (CISO, CIO, audit, board sponsor) who know the test is happening and gate the engagement. The Blue Team is the SOC and incident-response function, kept fully unaware until the replay phase so the test measures real detection. The Control Team is a joint group of the Threat Intelligence Provider, Red Team Provider, and White Team that meets weekly during execution.

How does TIBER-EU compare to CBEST, iCAST, and AASE?

All four are intelligence-led, blue-team-blind red team schemes that require accredited providers and board attestation, sharing TIBER-EU's DNA. They differ mainly by regulator and jurisdiction: TIBER-EU (ECB and national central banks, EU), CBEST (Bank of England, UK), iCAST (HKMA, Hong Kong), and AASE (RBI, India). Provider accreditation criteria and mandated scope vary by scheme.

Plan a TIBER-aligned engagement with AxVeil.

Pre-TIBER hardening: run automated MITRE ATT&CK adversary emulation against your environment.
