We have compiled a list of Pentesting, DORA and TLPT related terms below. If you spot any missing ones please drop us a line below and we’ll be happy to consider them in our list.
| Term | Description |
| --- | --- |
| Attack Surface | An attack surface is a core concept in cybersecurity. It refers to all the possible points where an attacker could try to break into, interfere with, or extract data from a system, network, or organisation. Typical attack surfaces are Digital, Physical and Human. |
| APT (Advanced Persistent Threat) | A sophisticated, long-term, and targeted cyberattack where intruders gain unauthorised, undetected network access to steal data or spy, rather than causing immediate damage. These skilled adversaries use custom malware, spear-phishing, and lateral movement to stay hidden for months. |
| BCP | Business Continuity Plan is a documented strategy that ensures an organisation can continue operating during and after a disruption. BCP focuses on maintaining critical business functions when facing incidents such as cyberattacks, system outages, natural disasters, or supply‑chain failures. |
| Blue Team | Defensive SOC team within the entity being tested in a TLPT simulation whose detection and response capabilities are tested without their knowledge. |
| Blue Team Report | Defensive analysis describing detections, response actions, and lessons learned by the Blue Team in defending themselves from a Red Team attack. |
| C2 | Command and Control: The covert communication infrastructure (servers and channels) that hackers use to remotely manage malware and exfiltrate data from compromised systems. |
| CDE | The Cardholder Data Environment (CDE) is the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. It acts as a secure, segmented, and monitored boundary for PCI DSS compliance to protect against data breaches, encompassing POS terminals, networks, and databases. |
| CIA | Confidentiality, Integrity and Availability – These three pillars define the core objectives of information security. All modern security frameworks — including NIST, ISO 27001, SOC2, DORA, and TLPT/TIBER — rely on this model. |
| CIF | Critical or Important Function: business-critical functions forming TLPT scope. |
| Competent Authority | The TLPT authority and/or TIBER authority. |
| Control Team | Internal team coordinating TLPT, managing risk, providers, and communication with authorities. |
| CVE | CVE (Common Vulnerabilities and Exposures) is a standardised, publicly disclosed list of cybersecurity flaws in software and hardware. Each CVE entry provides a unique identifier (e.g., CVE-2024-1234) used by IT teams to identify, prioritise, and fix specific security vulnerabilities that could allow unauthorised access or malicious activity. |
| CVSS Score | A CVSS score (Common Vulnerability Scoring System) is a standardised, open framework used to evaluate and communicate the severity of software vulnerabilities, ranging from 0.0 to 10.0. It helps organisations prioritise remediation efforts based on risk, with higher scores indicating greater urgency (e.g., 9.0–10.0 is Critical). |
| DORA | Digital Operational Resilience Act: EU regulation mandating cyber resilience and TLPT. |
| DR | Disaster Recovery is a more technical subset of BCP. It focuses on restoring IT systems, data, and infrastructure after a major incident. |
| EDR | EDR stands for Endpoint Detection and Response. It is a cybersecurity technology designed to continuously monitor endpoints, detect threats, and automatically respond to malicious activity—especially advanced attacks that traditional antivirus tools often miss. |
| ESAs | European Supervisory Authorities – They are the three EU‑level regulatory bodies responsible for overseeing and harmonising financial supervision across the European Union. Under DORA, the ESAs have a central role, especially in TLPT and in the oversight of critical third‑party ICT providers. |
| FAPI | Financial-grade API (FAPI) is a high-security technical standard designed by the OpenID Foundation to protect sensitive data in open banking and fintech. It acts as a “hardened” security layer on top of OAuth 2.0 and OpenID Connect, mandating strict cryptographic controls, sender-constrained tokens, and stronger authentication to prevent fraud in API interactions. |
| FE | Financial Entity. Under DORA, these are the entities identified under Article 26(1) of the DORA Regulation (EU) 2022/2554, and further specified in Article 2 of the RTS (EU) 2025/1190, that are required to undergo TLPT. |
| Flag | Specific objectives the Red Team must achieve during attacks. |
| ICT intra-group service provider | An undertaking that is part of a financial group and that provides predominantly ICT services to FEs within the same group or to FEs belonging to the same institutional protection scheme, including to their parent undertakings, subsidiaries, branches or other entities that are under common ownership or control (DORA, Article 3(20)). |
| ICT third-party service provider (‘ICT TPP’) | An undertaking providing ICT services (DORA, Article 3(19)). |
| IOCs | IOCs stands for Indicators of Compromise. They are forensic clues or pieces of evidence that suggest a system, network, or endpoint has been breached or is under malicious activity. These indicators are essential in cybersecurity for detecting intrusions, investigating incidents, and responding quickly. |
| Kill Chains | A Cyber Kill Chain is a framework developed by Lockheed Martin that models the seven stages of a cyberattack, from initial planning to objective completion. It helps security teams understand, detect, and interrupt adversary tactics, techniques, and procedures (TTPs) at various points, aiming to stop attacks early in the process. The primary value of the kill chain is that attackers must succeed at all seven steps to achieve their goals, whereas defenders only need to break the chain at one point to prevent the attack. It aids in mapping out defenses to ensure security controls exist for every stage. |
| Kill Switch | In pentesting, a kill switch is a mechanism or code agreed between pentesters and the target organisation whose systems are being tested that, when triggered, will immediately stop any testing activity. This is put in place to safeguard the target organisation’s smooth operations since, during a pentest, certain vulnerabilities, when discovered or triggered, might cause some disruption to the organisation’s activities or systems. |
| Leg-up | Assistance provided to the Red Team to progress if stalled, as pre-approved by the Control Team. |
| Major ICT-Related Incident Reporting | DORA-mandated reporting of significant cyber incidents with standard templates and timelines. |
| MITRE | A not-for-profit organisation that manages federally funded research and development centers (FFRDCs) in the U.S., focusing on cybersecurity, defense, aviation, and healthcare. It is best known for developing the MITRE ATT&CK® framework, a comprehensive, open-source knowledge base of adversary tactics and techniques based on real-world observations. |
| MITRE ATT&CK® | A framework developed by MITRE that categorises attacker behaviors (Tactics, Techniques, and Procedures – TTPs) across the entire attack lifecycle. The framework is divided into matrices, including Enterprise (Windows, Cloud, Linux), Mobile, and ICS (Industrial Control Systems). Security teams use ATT&CK to identify gaps in defenses, improve threat detection, and simulate adversary behavior. |
| OPSEC | Operations Security: a risk management process that prevents adversaries from obtaining sensitive information by analysing operations from an attacker’s perspective. |
| OSINT | OSINT stands for Open‑Source Intelligence. It refers to the collection, analysis, and use of information gathered from publicly available sources to produce intelligence that supports decision‑making, investigations, or threat assessments. |
| OWASP | The Open Worldwide Application Security Project (OWASP) is a nonprofit foundation dedicated to improving software security through community-led, open-source projects, tools, and documentation. Founded in 2001, it is the industry standard for web application security, providing free resources, including the well-known OWASP Top 10 list of critical security risks. |
| OWASP Top 10 | The OWASP Top 10 is a standard awareness document from the Open Worldwide Application Security Project (OWASP) Foundation that identifies the most critical security risks to web applications. It is updated periodically based on consensus, data, and industry trends to provide developers and security professionals with guidance on the most dangerous, common vulnerabilities. |
| PoC | Proof of Concept: either a non-harmful demonstration showing that a software vulnerability exists and can be exploited, or a small-scale trial to prove that a security tool or defence strategy is feasible before full deployment. |
| PSD2 | The Revised Payment Services Directive (PSD2) is an EU regulation that modernises payment services to foster competition, innovation, and enhanced security across Europe. Effective since 2018, it enables “open banking” by requiring banks to share customer data with authorised third-party providers (TPPs) via APIs (if the customer consents). Key pillars include Strong Customer Authentication (SCA) to reduce fraud and improved consumer rights. |
| Purple Team | Joint collaboration between Red and Blue Teams after the test to validate fixes and improve defences. |
| Purple Team Outcomes | Purple Team outcomes are the results and improvements generated when the Red Team and Blue Team collaborate during the closure phase of a TIBER‑EU or DORA TLPT exercise. They represent the tangible learning, enhanced defensive capabilities, and validated improvements that come from jointly analysing, replaying, and refining offensive and defensive actions after the main red‑team test is complete. |
| RCE (Remote Code Execution) | A Remote Code Execution attack is one where an attacker can run malicious code on a target organisation’s computers or network. The ability to execute attacker-controlled code can be used for various purposes, including deploying additional malware or stealing sensitive data. |
| Red Team | Offensive team simulating adversaries using realistic TTPs during TLPT/TIBER tests. |
| Red Team Report | Output detailing attack chains, evidence, detections, and weaknesses after TLPT. |
| Remediation Plan | Plan addressing root causes, priority fixes, and verification after TLPT. |
| RoE (Rules of Engagement) | Rules of Engagement (RoE) in a penetration test are documented guidelines agreed between the pentester and the target organisation. These guidelines define the scope, timing, permitted techniques, and communication channels for authorised penetration tests. They ensure legal compliance, protect against operational disruption, and align expectations by detailing exactly which systems can be tested and how, avoiding unauthorised damage. |
| RTS | Regulatory Technical Standards – In the context of DORA and TLPT, RTS are binding technical rules that the European Supervisory Authorities (ESAs: EBA, ESMA, EIOPA) are legally required to develop. These standards define how Threat‑Led Penetration Testing must be conducted across the EU. |
| RTS for SCA | RTS for SCA refers to the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication under the PSD2 directive. Published by the European Banking Authority (EBA), these mandatory technical rules dictate how banks and payment providers must authenticate users, secure transactions, and allow third-party access to account data. |
| RTT | Red Team Testers: specialists executing attack scenarios and producing the Red Team Report. |
| RTTP | Red Team Test Plan: approved plan detailing attack paths, TTPs, flags, and risk controls. |
| SIEM Logs | SIEM (Security Information and Event Management) logs are centralised records of security-relevant events collected from across an organisation’s IT infrastructure, including servers, firewalls, and applications. |
| SOC | SOC stands for Security Operations Center. It is a centralised team or facility responsible for monitoring, detecting, analysing, and responding to cybersecurity threats across an organisation’s IT environment. |
| Tabletop Exercise | A Tabletop Exercise simulates cyber incidents through guided, scenario-based discussions involving technical and non‑technical stakeholders. |
| TCT | TLPT Cyber Team / TIBER Cyber Team: authority-side supervisors ensuring compliance and validating deliverables. |
| Testers | In the context of DORA TLPT, these are externally contracted providers or designated individuals within the FE subject to TLPT and/or a TIBER test, who carry out a simulated attack by attempting to compromise the critical functions of the FE, mimicking a cyber-attacker in accordance with the DORA Regulation and the TIBER-EU framework. |
| Threat Scenario | A description of the end-to-end attack path based on the identified threat profiles. |
| TI | Threat Intelligence – Information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable a relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyberattack, those responsible for the attack, and their modus operandi and motivations. |
| TIBER-EU | Threat Intelligence-Based Ethical Red-Teaming: EU framework for intelligence-led red team testing. |
| TIBER Authority | Any authority under the TIBER framework and/or its national or European implementations, conducting (regulatory) tasks within a TIBER test. They are responsible for adopting and implementing TIBER-EU, closely monitoring and guiding the test and ensuring it is conducted in the right spirit and in accordance with the requirements of the TIBER-EU framework (TIBER-EU framework). When using the TIBER-EU framework for TLPT obligations under DORA, the respective “TLPT authorities” are considered as TIBER authorities for that test. |
| TIBER Cyber Team (TCT) | The staff within the TIBER authority that is responsible for TIBER-related matters (TIBER-EU framework). |
| TIP/TIPs | Threat Intelligence Provider: In the context of DORA, the expert(s), contracted by the FE for each TLPT, and external to the FE, who collect and analyse targeted TI relevant for the FE in scope of a specific TLPT exercise. |
| TKC | TIBER Knowledge Centre: A forum hosted by the ECB in which national and European TIBER-EU cyber teams coordinate and discuss initiatives and share details of their experiences with the objective of ensuring consistency. |
| TLPT | Threat-Led Penetration Testing: intelligence-led, regulator-supervised red-team assessment using real-world threats. |
| TLPT Summary Report | A formal, final-stage document produced at the end of a Threat‑Led Penetration Testing (TLPT) exercise under DORA and TIBER‑EU. It provides a concise, supervisory‑level overview of the entire TLPT engagement and is submitted by the Control Team to the TLPT Authority after the Red Team and Blue Team reports are completed. |
| TPPs | Third Party Providers of services. |
| Traffic Light Protocol 2.0 (TLP+) | A system of markings that designates the extent to which recipients may share potentially sensitive information. |
| TTIR | Targeted Threat Intelligence Report: document with scenarios, TTPs, and threat actor insights for TLPT. |
| TTPs | Tactics, Techniques, and Procedures: behavioural patterns of real threat actors. |