TIBER-EU: threat-led red teaming as the ECB defined it.
A guide for CISOs, DORA leads and supervisory contacts: what TIBER-EU is, who runs it, how an operation unfolds — and where TIBER-DE, DORA TLPT and CBEST diverge.
A framework, not a tool.
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) was published by the European Central Bank in 2018. It describes how an intelligence-led attack against a financial entity's production systems is scoped, executed and reviewed. The framework defines roles, phases and governance — not the specific techniques.
It is implemented nationally as TIBER-DE (Deutsche Bundesbank), TIBER-NL, TIBER-IT and others. The TIBER-EU core stays identical so results remain comparable across countries and supervisors.
Who sits at the table in a TIBER exercise?
White team
A very small circle inside the firm that coordinates the exercise. Everyone else — SOC included — stays in the dark.
Threat intelligence provider
Delivers the firm-specific Targeted Threat Intelligence Report that drives scenario selection.
Red team provider
Runs the covert operation against live production systems. This is the role Exploit Labs delivers.
TIBER Cyber Team (TCT)
Supervisory side — Deutsche Bundesbank in Germany. Oversees scope, execution and attestation.
Three phases, six to nine months.
1. Preparation phase
Scope, critical functions, white team, TI and RT provider procurement, submission of the scope specification to the Bundesbank.
2. Testing phase
Targeted Threat Intelligence Report → attack scenarios → covert red team operation on live production systems (10–14 weeks active).
3. Closure phase
Report, replay workshop with the blue team, purple teaming, remediation plan, joint 360° report and attestation.
TIBER-DE, DORA TLPT, CBEST — how do they differ?
| Framework | Supervisor | Applies to | Relationship to TIBER-EU |
|---|---|---|---|
| TIBER-DE | Deutsche Bundesbank | German financial institutions (voluntary / DORA-TLPT implementation) | National 1:1 implementation of TIBER-EU |
| DORA TLPT | National supervisor (BaFin/Bundesbank in Germany) | In-scope financial entities under DORA Art. 26 (mandatory) | TIBER-EU is the recognised methodology for the TLPT |
| CBEST | Bank of England / PRA | Significant UK financial institutions | Predecessor and sister framework — comparable structure |
In short: TIBER-EU is the methodology. TIBER-DE is its German implementation. DORA TLPT is the obligation that uses the methodology.
A team that knows the rulebook — because we helped write it.
ENISA contributor 2021–2024
Contributed to European TLPT frameworks and guidance documents.
DORA TLPT completed 2024
Full TLPT exercise delivered for a regulated entity — end-to-end to the TIBER-EU methodology.
One team, one point of contact
No subcontracting. The same operators from kick-off through attestation.
Frequently asked questions about TIBER-EU
What is TIBER-EU?→
TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the framework published by the European Central Bank in 2018 for intelligence-led red teaming across the EU financial sector. It defines how a realistic, threat-led attack is executed against a firm's production systems — with clear roles for the white team, the threat intelligence provider, the red team provider and the national TIBER Cyber Team (in Germany: Deutsche Bundesbank).
Who has to run a TIBER exercise?→
TIBER-EU is implemented nationally (TIBER-DE, TIBER-NL, TIBER-IT and others) and has so far been used mostly on a voluntary basis by significant banks, insurers and financial market infrastructures. Since 17 January 2025, DORA Article 26 makes Threat-Led Penetration Tests (TLPT) mandatory for in-scope financial entities — and TIBER-EU is the methodology recognised by the DORA RTS.
How is TIBER-EU different from a normal red team?→
Three things are specific to TIBER: (1) supervisory involvement via a national TIBER Cyber Team, (2) a formal threat-intelligence report that drives scenario selection, and (3) mandatory testing on live production systems with a very small white team. A regular red team is more flexible but is not TIBER-compliant without these three elements.
How long does a TIBER exercise take?→
Realistically 6–9 months from kick-off to final report: 4–6 weeks of threat intelligence, 10–14 weeks of active red-team execution, then reporting, a replay workshop with the blue team and purple teaming. The active testing window is the shorter part.
Can Exploit Labs run a TIBER exercise?→
Yes. Exploit Labs was an ENISA contributor to European TLPT frameworks from 2021 to 2024 and completed a DORA TLPT exercise for a regulated institution in 2024. We deliver the red-team role and coordinate with a separately mandated threat-intelligence provider.
TIBER, TLPT or a focused red team?
We help you decide which format matches your question, your regulatory status and your maturity.