TIBER-AT - Threat-Led Penetration Testing in Austria
What is TIBER-AT?
TIBER-AT is the Austrian adaptation of the European TIBER-EU framework and stands for Threat Intelligence-Based Ethical Red Teaming Austria. It is a structured framework defining how threat-led penetration testing should be conducted at regulated entities - primarily in the financial sector.
The framework was developed by the European Central Bank (ECB) and operationalised in Austria by the Austrian Financial Market Authority (FMA) and the Austrian National Bank (OeNB). It mandates that red teaming assessments:
- are based on real threat intelligence (not generic attack scenarios),
- are executed against the live production environment,
- actively test the blue team's defensive capabilities,
- and include a structured replay with the defensive team to close identified gaps.
TIBER-AT is not a pentest and not a vulnerability scanning exercise. It is an adversary simulation at executive level - designed to measure and continuously improve operational resilience against real threat actors.
Scope: Who needs TIBER-AT?
Primary scope: Systemically important financial institutions
TIBER-AT primarily targets financial institutions supervised by the FMA or OeNB that are classified as systemically important. This typically includes:
- Large Austrian banks (G-SIBs and O-SIBs)
- Insurance groups
- Central market infrastructure operators (clearing and settlement houses)
- Payment service providers of high criticality
Expanded scope via DORA
With the Digital Operational Resilience Act (DORA), fully applicable since January 2025, threat-led penetration testing (TLPT) is extended to a much larger group of EU financial entities. DORA's TLPT requirements closely follow TIBER-EU - meaning many Austrian banks, insurers and payment service providers previously out of TIBER-AT scope now have to complete a TLPT cycle at least every three years.
Voluntary application beyond financial services
Companies outside DORA or TIBER-AT scope increasingly adopt the framework voluntarily - especially critical infrastructure operators, large energy providers and corporates with high cyber risk exposure. The reason: TIBER-AT provides a battle-tested playbook for realistic red teaming assessments.
The three phases of a TIBER-AT assessment
A complete TIBER-AT cycle has three main phases, embedded in a preparation phase and a closure phase. Total duration is typically 6 to 9 months.
Phase 1: Threat Intelligence (TI)
The TI phase is led by a Threat Intelligence Provider (TIP). The goal is to produce a Targeted Threat Intelligence Report (TTI report) answering three questions:
- Which threat actors are realistically motivated to attack this institution?
- Which critical functions and assets would those actors target?
- Which TTPs (Tactics, Techniques and Procedures) are typical for those actors?
The TTI report forms the foundation for the test scenarios subsequently executed by the Red Team Provider. It draws on real OSINT research, dark-web analysis, industry-specific ISACs and proprietary intel sources.
Phase 2: Red Teaming (RT)
In the RT phase, a Red Team Provider (RTP) actively attacks the institution over several months - based on the scenarios defined in the TTI report. The approach is stealthy and realistic: the blue team (Security Operations) is not informed in advance, with the exception of a small white team (executive board, CISO, optionally compliance).
Typical activities in this phase:
- Reconnaissance: OSINT, employee mapping, tech-stack fingerprinting
- Initial Access: spear phishing, OSINT-based social engineering calls, watering-hole attacks, supply chain vectors
- Persistence & Privilege Escalation: custom malware, Active Directory attacks, cloud pivoting
- Lateral Movement: toward the defined critical functions
- Actions on Objective: demonstrating potential impact without actually harming the production environment
Throughout the RT phase, all activities are documented and coordinated with the white team. Critical steps are subject to defined stop conditions, and leg-up procedures apply if the red team is blocked at a particular stage (e.g. access is provisioned artificially so that the subsequent phases can still be tested).
Phase 3: Replay & Closure
After the active RT phase, the replay session brings together red team, blue team and white team for a detailed retrospective. The red team walks through the attack chain step by step - the blue team assesses where detection would have been possible, what worked, and where gaps remain.
The output is a detailed remediation roadmap for detection engineering, process improvements and (where needed) investments in additional tooling. Final results are reported to the FMA/OeNB - in aggregated, anonymised form, to inform sector-wide resilience improvements.
Provider requirements: Who can perform TIBER-AT?
TIBER-AT explicitly requires two separate providers:
- A Threat Intelligence Provider (TIP) with demonstrated experience in cyber threat intelligence
- A Red Team Provider (RTP) with demonstrated experience in adversary simulation against production environments
Both providers must meet the requirements of the TIBER-EU Service Provider Framework. Specifically:
- Experience: multiple years of practice in the respective discipline (TI or RT)
- Certifications: most providers hold industry-standard certifications (OSCP, OSEP, CRTO, CREST CCT/CCRT)
- Methodology: documented methods and quality assurance
- Confidentiality: strict NDA and data protection requirements
- Independence: no conflicts of interest with the institution being tested
- Clearances: security clearances for staff, often combined with geographic restrictions (EU-only)
How slashsec runs TIBER-AT
As a specialised red team provider headquartered in Vienna, slashsec meets the requirements for TIBER-AT and DORA-TLPT engagements. Our team:
- has 20+ years of cumulative offensive security experience
- holds industry certifications including OSCP, OSEP, OSWE, CRTO, CRTO2
- is featured in the Hall of Fame at Google, Microsoft, Netflix and other Fortune 500 companies
- has published 20+ CVEs and regularly speaks at international conferences
- has worked since founding with banks, insurers and critical infrastructure across the DACH region
Where needed, we cooperate with established threat intelligence providers and can also provide white team facilitation for institutions running TIBER-AT for the first time.
For deeper detail on our methodology, the typical flow of a red teaming assessment and the techniques we use, see the slashsec Red Teaming Whitepaper (free PDF download, German).
TIBER-AT vs TIBER-DE vs TIBER-EU
TIBER exists as a European framework (TIBER-EU) and is implemented nationally by individual member states:
- TIBER-EU: the ECB parent framework, published 2018 and updated regularly
- TIBER-AT: Austrian implementation, owned by FMA and OeNB
- TIBER-DE: German implementation, owned by BaFin and Bundesbank
- TIBER-NL, TIBER-IT, TIBER-IE, ...: further national implementations
The frameworks are largely identical in methodology and phase structure. Differences appear primarily in:
- the competent authorities
- the scope (which institutions are mandated)
- the reporting obligations toward the national regulator
An institution operating across multiple EU countries may - subject to the national regulators' rules - execute a single TIBER-EU test that is mutually recognised, rather than testing separately in each jurisdiction.
TIBER-AT and DORA: What changes in 2025?
With the Digital Operational Resilience Act (DORA), directly applicable from 17 January 2025, threat-led penetration testing becomes legally binding for many EU financial entities. DORA's TLPT requirements track TIBER-EU closely but go further in several respects:
- Mandatory rather than recommended: for many entities, TLPT becomes obligatory and must be repeated at least every three years
- Clearer requirements for providers, methods and reporting
- Stricter consequences for non-compliance
For slashsec clients this means: if your institution previously ran TIBER-AT voluntarily, the methodology is now formally recognised under DORA. If you have never run a TLPT, you should plan to start preparations by 2026 at the latest.
Frequently asked questions about TIBER-AT
What does a TIBER-AT assessment cost?
Full TIBER-AT cycles with threat intelligence, red teaming and replay are extensive, multi-month engagements. Realistic budgets start at around EUR 150,000 and scale significantly higher based on scope, number of critical functions tested and organisational complexity.
How long does a TIBER-AT cycle take?
Typically 6 to 9 months for a complete cycle: roughly 4-6 weeks of threat intelligence and 10-12 weeks of active red teaming, followed by the replay, closure and remediation phases.
Does the blue team need to be informed in advance?
No. Quite the opposite: the blue team is deliberately kept uninformed so that realistic detection and response capabilities can be tested. Only a small white team (executive board, CISO, optionally compliance) knows in advance.
What damage can occur during a TIBER-AT test?
TIBER-AT runs against the live production environment - but under clearly defined Rules of Engagement that pre-authorise every potentially harmful action. The red team demonstrates impact without actually executing it (e.g. proving access to a database without exfiltrating or deleting data).
Do we need TIBER-AT if we already run regular pentests?
Pentests and TIBER-AT pursue different goals. Pentests probe individual systems deeply for vulnerabilities. TIBER-AT tests your whole organisation under real attack conditions, with a focus on detection and response. The two complement each other - they do not replace each other.