A TLPT does not fail because the Red Team was not skilled enough. Poor Red Team quality is a real risk, and the strict qualification requirements in TIBER-EU exist for exactly that reason. But in our experience, the more common causes of failure are organizational: the organization was not ready, the wrong provider...
We are going to say something unusual for a security company: “Your next penetration test might not need us”. If an assessment scope fits the narrow circumstances in which AI‑powered tools operate, current tools deliver fast and affordable vulnerability discovery. We track them closely, we respect what they do, and in...
Most organizations we speak to treat the pre-TLPT period as a waiting room.
They know a TLPT is coming. They know roughly when. And they assume that when the time comes, they will bring in the right party, run the test, and handle whatever comes out of it. That is not the best plan.
Here is what actually happens to...
Most financial institutions that fall under DORA will need to conduct their first Threat-Led Penetration Test within the next few years.
Most of them are not ready.
Not because they lack security; many have solid defenses in place. But because a TLPT is not a test you pass by having good security. It is a test you...
Over the past few weeks, there has been a great deal of attention on the MIAUW framework. We recently published a blog about this. Previously, we also wrote a similar article about the CCV Pentesting Quality Mark (Dutch only). These frameworks provide structure and guidance for clients and suppliers alike, and are...
