Best Threat-Led Penetration Testing (TLPT) Companies (2026)
Threat-led penetration testing (TLPT) is regulator-grade red teaming: a controlled, intelligence-led attack against your live production systems, mandated under DORA in the EU and CBEST in the UK for significant financial entities. The providers below have documented TLPT capability through CBEST, TIBER-EU, or equivalent threat-led engagements.
What is threat-led penetration testing (TLPT)?
TLPT is a higher tier of offensive security testing than a conventional red team. It is goal-oriented and driven throughout by bespoke threat intelligence about the specific real-world actors most likely to target your sector, and it is performed against live production systems rather than a test environment. Engagements are deliberately slow-paced to test detection and response over time, and are mapped to frameworks like MITRE ATT&CK.
The demand is overwhelmingly regulatory. Under the EU Digital Operational Resilience Act (DORA), significant financial entities must undergo TLPT, with the methodology based on TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) and its national variants such as TIBER-DE and TIBER-NL. In the UK, CBEST under the Bank of England plays the equivalent role. These schemes pre-vet a small number of qualified threat-intelligence and red-team providers, and engagements are coordinated with the relevant supervisory authority.
A full TLPT programme typically runs 6 to 9 months end to end: a threat-intelligence and scoping phase, 4 to 12 weeks of active red teaming, and a purple-team replay and reporting phase afterwards. When choosing a provider, look for CBEST or TIBER-EU eligibility, evidence of custom offensive tooling and EDR-evasion experience, clean operational tradecraft and attribution restraint, and a methodology rigorous enough to satisfy a regulator's threat-led test plan.
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
SECFORCE
Canary Wharf-based adversary simulation and CBEST-aligned penetration testing consultancy, delivering CREST-accredited offensive security to UK financial services and other organisations with the most demanding requirements.
Nettitude
CREST, CHECK, and CBEST accredited UK consultancy within Lloyd's Register, delivering premium penetration testing for government and critical infrastructure.
Pen Test Partners
The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.
PwC Cyber Security
Global Big Four professional services firm delivering CREST, CHECK, and CBEST-accredited penetration testing and red teaming services from London, serving the UK's largest enterprises and regulated organisations.
MDSec
Elite UK offensive security consultancy specialising in CBEST/STAR/TIBER red teaming, advanced adversary simulation, and CREST-accredited penetration testing for FTSE 100 clients.
Cyberis
CREST and CHECK-accredited UK penetration testing consultancy with CBEST approval, specialising in infrastructure, application, and simulated attack assessments across the public and private sectors.
Mandiant
World-renowned cybersecurity firm now part of Google Cloud, delivering threat intelligence-led penetration testing and red teaming informed by front-line incident response experience.
LRQA
The only organisation worldwide with a full suite of CREST accreditations. 250+ cybersecurity specialists operating in 55+ countries across pen testing, red teaming, and incident response.
Thales Cyber Solutions
Cybersecurity division of the Thales Group, with ANSSI, CREST, FedRAMP 3PAO, and NATO-cleared personnel. Defence, government, and critical infrastructure penetration testing worldwide.
WithSecure
Helsinki-headquartered Finnish cybersecurity firm with roots dating to 1988, offering CREST-accredited penetration testing and deep expertise in EU regulatory compliance including GDPR, NIS 2, and TIBER-EU.
Best Threat-Led Penetration Testing (TLPT) Companies (2026): FAQs
What is threat-led penetration testing (TLPT)?
TLPT is intelligence-led red teaming performed against an organisation's live production systems to test detection and response against the specific threat actors most likely to target it. It is goal-oriented, slow-paced by design, and mapped to frameworks like MITRE ATT&CK. Under DORA it is a legal requirement for significant EU financial entities.
How is TLPT different from a standard penetration test or red team?
A standard pen test finds vulnerabilities within a defined scope. A conventional red team is an objective-driven attack simulation. TLPT is the regulated tier: driven by bespoke threat intelligence about a named actor, run against live systems, coordinated with a supervisory authority, and required (not chosen) for in-scope financial entities. It is longer and more rigorous than a commercial red team.
Which regulations require TLPT?
In the EU, DORA mandates TLPT for significant financial entities, using the TIBER-EU framework (and national variants like TIBER-DE and TIBER-NL). In the UK, CBEST under the Bank of England and PRA is the equivalent. Both pre-vet the threat-intelligence and red-team providers that may deliver the engagement.
How often is TLPT required, and how long does it take?
Under DORA, in-scope entities must run TLPT at least every three years. A full programme typically spans 6 to 9 months end to end: threat intelligence and scoping, 4 to 12 weeks of active red teaming, then purple-team replay and reporting.