Threat-led penetration testing (TLPT) is an intelligence-led adversary simulation conducted against a financial institution’s live production environment, using threat intelligence specific to the institution and its operating markets to design the attack scenarios. It is distinct from standard penetration testing in scope, methodology, and regulatory standing.
TLPT engagements simulate the tactics, techniques, and procedures of threat actors targeting the institution, and assess whether the institution’s people, processes, and technology can detect and respond to them. The engagement tests the live environment because that is what regulators and the institution itself need to confirm.
Your institution has documented, regulator-ready evidence that its security controls have been tested against the threat actors and attack patterns most relevant to its operating environment. Findings are structured for regulatory submission and programme action. Both are required. Each strengthens the other.
Regulators across APAC have concluded that point-in-time penetration testing does not produce meaningful evidence of institutional resilience. MAS, HKMA, and BNM have each developed threat-led testing frameworks that require financial institutions to simulate the adversaries actually targeting the sector.
China-nexus adversaries targeting financial services increased activity by 38% in 2025, with cross-domain tradecraft designed to evade standard controls. Standard security testing does not replicate that.
Every TLPT engagement begins with a threat intelligence phase specific to your institution. Theos develops a threat profile based on your sector, your operating markets, your technology environment, and the threat actors known to target institutions like yours. Attack scenarios are designed around that profile.
TLPT is conducted against the live production environment. Theos works with your institution and regulator to agree rules of engagement, scope boundaries, and communication protocols. The blue team responds to what it detects, with no advance knowledge of the engagement, replicating the conditions under which a real adversary would operate.. Theos works with your institution and regulator to agree the rules of engagement, the scope boundaries, and the communication protocols that govern the engagement. The blue team, your security operations team, does not know testing is underway, because that is the condition under which a real adversary would operate.
Theos red teams operate across the full attack surface relevant to financial institutions: external perimeter, internal network, identity and access management, cloud environments, core banking and payment infrastructure, and social engineering against your people.
TLPT findings are documented to the standard each applicable regulator requires. Theos produces the evidence pack, the executive summary, and the structured findings documentation that MAS, HKMA, and BNM examinations expect. The deliverable is regulatory evidence, structured for examination.
Following the red team phase, Theos facilitates a purple team debrief with your offensive and defensive teams. Detection gaps are identified and addressed in real time. Detection logic is updated based on the specific techniques used in the engagement.
Documented evidence structured for MAS TLPT, HKMA iCAST, and BNM RMiT submission.
Know whether your controls hold against the threat actors targeting your institution.
Confirm whether your SOC or MDR provider catches real adversary behaviour in a live environment.
Validate whether incident response procedures function under actual adversary pressure.
Practitioner-led, regulator-ready documentation of your institution’s resilience posture.
Findings feed into MDR detection tuning, VAPT scope prioritisation, and IR playbook development.
Theos works with your institution and, where required, your regulator to agree engagement scope, rules of engagement, communication protocols, and the regulatory framework governing the engagement.
Theos develops an institution-specific threat profile, the threat actors most relevant to your sector and markets, their known TTPs, and the objectives they pursue against financial institutions like yours. Attack scenarios are designed around this intelligence.
Theos red team operates in your live environment. Full-scope, multi-vector, extended duration. The blue team responds to activity as they would a real incident, detection and response capability is assessed under live conditions.
Attack scenarios are replayed collaboratively with your offensive and defensive teams. Detection gaps are identified, detection logic is updated, and the blue team leaves the debrief with an improved programme.
Findings are documented to regulatory submission standard. Executive debrief conducted with senior leadership. Regulatory evidence pack delivered for MAS, HKMA, or BNM submission as applicable.
Theos practitioners operate with direct knowledge of MAS TRM TLPT requirements, HKMA iCAST methodology, and BNM RMiT advanced testing expectations. Engagements are designed to satisfy the specific requirements of the regulator your institution answers to, not a generic TIBER-EU adaptation that does not account for APAC supervisory expectations.
TLPT is only as credible as the threat intelligence that underpins it. Theos builds threat profiles based on the adversaries and attack patterns active in APAC financial services, the threat actors targeting your sector in your operating markets. The engagement simulates the threat your institution actually faces.
TLPT documentation that satisfies a regulatory examination and a debrief that produces actionable programme improvements are two different deliverables. Theos produces both. Regulatory evidence is structured for submission. Programme findings are structured for remediation. Neither is treated as secondary to the other.
TLPT findings feed directly into your MDR detection programme, your VAPT scope priorities, and your IR playbooks. Clients who engage Theos across multiple service lines benefit from intelligence that compounds, a detection gap identified in TLPT becomes a detection rule in MDR, and a lateral movement path identified becomes a VAPT priority.
Theos holds CREST accreditation across our offensive security services practice, delivering CREST TLPT across APAC to the standards regulators require. TLPT engagements are conducted by CREST-certified practitioners, meeting the accreditation requirements that MAS TRM and HKMA iCAST carry.
Your institution may meet every compliance requirement in your market. Threat-led penetration testing tells you whether your controls hold against a real adversary. Structured for your regulator. Built for your programme.
We deliver outcomes.
LET US HELP YOU!
LET US HELP YOU!
