We've rebranded! Find out more about our rebrand to LRQA Nettitude here
Select Page


Put simply, the TIBER-EU framework keeps your organisation one step ahead of highly sophisticated cyber attackers. It helps protect your sensitive operations from dangerous intervention, safeguarding your global reputation.

There are several recent examples of leading global organisations suffering multi-million-dollar cyber-attacks. It’s on the rise and damage can be immense.

Nobody wants to discover their sensitive information for sale on the Dark Web – something governments across the world are at pains to avoid.

The Threat Intelligence-Based Ethical Red Teaming for the European Union (TIBER-EU) framework is the European Central Bank’s answer for an industry that can’t afford to have questions surrounding its cybersecurity effectiveness.

Unlike other frameworks, TIBER-EU delivers live, controlled testing on critical systems, mimicking methods used by real-life attackers, based on the latest threat intelligence.

Adopted throughout Europe, this new collaborative standard eliminates the frustration of incompatible results. Organisations operating in multiple countries or authorities can use the TIBER-EU framework to ensure commonality which regulators in all regions will recognise.

Not just for financial institutions, TIBER-EU helps many large organisations looking to become more resilient by strengthening their cybersecurity against the worrying rise of cyber-attacks. These include investment firms, accountancy firms, and credit agencies.

An incredibly comprehensive and flexible framework, TIBER-EU enables a third-party red team to simulate an attack, not just on your organisation’s technologies, but on its processes and people too. Acting on the results can radically transform your defences.

The Three Phases Of TIBER-DE

Adopting the TIBER-DE framework is voluntary, though most regulators encourage it. Whether carried out on a national or European-wide level, multiple stakeholders must be involved in the collaborative process.

This typically includes three areas:

The entity (your organisation) is wholly responsible for managing the test from start to finish. To control testing you must ensure risk is managed from all perspectives.

The relevant authorities will oversee the test, ensuring everything is carried out in line with the TIBER-DE framework requirements.

External threat intelligence (TI) and red team (RT) providers will provide cyber threat intelligence and conduct the test. They’ll then deliver results and guidance to your organisation.

There’s no pass or fail for a TIBER-DE test. Instead, it identifies strengths and weaknesses, enabling you to improve your organisation’s protection against destructive cyber activity. Cooperation and full disclosure of relevant information ensures you achieve a meaningful test with the most constructive results.

Three Phases Of The TIBER-DE Framework

Whilst the flexible process suits organisational and country-specific requirements, the TIBER-DE framework includes three key phases of work:

  1. The initiation phase: you establish your internal team and determine the scope of work required. You’ll also select external TI and RT providers.
  2. The testing phase: having created a threat intelligence report (TTI) the red team carry out controlled, intelligence-led testing on the entity’s processes and technologies.
  3. The closure phase: your organisation will receive test results and guidance to form a remediation plan that will improve your cyber security.

The speed of these phases depends on many factors. A thorough TIBER-DE test is far more important than a quick test.

The Initiation Phase

Preparing for an effective TIBER-DE test is vital. Both internally and when choosing the right external provider.

Providing far more meaningful results, TIBER tests your systems in the real world. This adds a level of risk that must be managed meticulously – by your organisation and your testing provider. The consequences of not doing so are serious. For example, an unexpected system crash, damage to your systems or loss of data.

Give sufficient thought to choosing your external threat intelligence and red team provider.

A local supplier might seem like a safe option, but have they got sufficient experience and qualified individuals? They might lack broader cybersecurity expertise and cross-country knowledge – both vital to deliver an effective test.

Larger, global providers of TIBER-DE testing will have experienced high risk before. They’ll know how to manage it, whether in-country or across borders. And they’ll have greater knowledge of local country laws and legal requirements. Altogether, a global provider will be a more robust option.

Finally, you must select your internal team and set out clear roles and responsibilities for all stakeholders.

The Testing Phase

It’s incredibly important to complete testing without widespread knowledge in your organisation. The core team will be aware, but to gain a true picture of your risks and vulnerabilities, no further employees should know.

Initially, the threat intelligence (TI) provider prepares a Targeted Threat Intelligence Report (TTI) on your organisation. To achieve this, you must provide as much relevant information as possible, including any recent cyber-attacks you’ve suffered.

The TTI will cover your technology, processes, and people. TIBER-NL is a comprehensive framework that identifies vulnerabilities in all possible areas of operation – not just technology.

Having gathered sufficient intelligence, testing is designed by the red team. This will simulate a real-life cyber-attack. The test will be live and create a picture of your organisation’s response to such an attack.

All this is carried out in a controlled, risk-managed environment. Your core internal team will be in constant communication with the red team.

The Closure Phase

Once testing is complete, the third phase of the TIBER-NL framework is closure. To gain the greatest value from TIBER, your organisation must understand and know how to act on the test results.

Raw test results are highly technical. Always ask your prospective red team provider how they will ‘translate’ these results, so all stakeholders understand the key issues identified.

Collaboration is, once again, necessary in this phase. Having discussed the results, you must compile a plan of remediation and a timeframe to act on it. This could include improvement of technical controls, changes to policies and procedures, and employee education.

Now testing is complete, you can communicate the exercise widely in your organisation and with other stakeholders, securing buy-in to act on the recommendations. Establish timeframes to review progress too. This will make sure required actions are completed.

How Does TIBER-DE Testing Work With LRQA Nettitude?

This might sound great in theory, but it’s important to understand how your prospective external providers will work with you using the TIBER-DE framework.

At LRQA Nettitude, we exceed the TIBER standards at every stage, always firmly managing the risk to your organisation. And we leave you clear on what you must do to tighten your cybersecurity – always on hand to help you get there.

From our perspective, we’d expect a typical TIBER-DE process to take between 23 and 27 weeks, excluding the procurement process.

Thorough Threat Intelligence

Greater cyber threat identification leads to more comprehensive and realistic testing. TIBER-DE  isn’t a tick box exercise to us, it serves to strengthen your defences in a dangerous world.

Our aim is to first draw a picture of your organisation through the lens of an attacker.

Starting with our Generic Threat Landscape (GTL) phase, we draw on our ongoing global intelligence from work with leading government departments, regulators, and organisations across multiple sectors. We’ll also liaise directly with your threat intelligence team – if you have one.

Typical questions to research include:

• Who are your adversaries?
• What are their tactics and techniques?
• How do you defend against them?
• Where do their opportunities lie?
• What threats are of significance to your sector?

Our intelligence team has vast experience, plus high-level qualifications such as CREST Certified Threat Intelligence Manager (CCTIM). Many team members have specific technical capabilities too, such as malware analysis and reverse engineering. We also understand the likely attack areas on your people and processes.

The subsequent TIBER-DE Technical Threat Intelligence report (TTI) will define the testing scenarios we must pursue.

Risk-Managed TIBER Testing

When carrying out TIBER testing, a big hole is effectively punched through the defences of your organisation – in a live environment.

Should your provider not secure that hole for its exclusive use, the vulnerability remains open for third parties to infiltrate and do incredible harm.

That’s why it’s important to collaborate with external providers that have experienced – and managed – this level of risk before. There’s no room for error.

LRQA Nettitude holds some of the highest cyber threat intelligence (CTI) and red teaming accreditations worldwide. We’re also accredited to conduct advanced testing by regulators around the globe.

Delivering end-to-end service, we provide both CREST accredited cyber threat intelligence and experienced red teaming.

Whilst overall management of the testing lies with your white team leader, our test manager will be in direct contact throughout the entire testing timeframe. We’ll provide overall governance to ensure testing consistency and security – exceeding expectations for the TIBER-DE framework.

Meanwhile, our red team specialists will carry out the testing scenarios in a live environment. Where possible (and beneficial), they’ll expand on the remit to complete the most thorough and realistic test possible.

An Outcome You Can Understand

Your internal TIBER team and your board requires more than raw test results. They’re extremely technical and complex to understand. In fact, they’re of limited use in isolation.

At LRQA Nettitude, your attack manager delivers the findings in meaningful language everyone understands. Clear recommendations accompany every highlighted risk. Guidance and support readily on tap.

Fundamentally, you want to ask: “How vulnerable are we and what can we do to mitigate this?”

We’ll recommend the creation of a purple team during this final stage. Collaborating red and blue team members helps to develop a clear pathway forward – from test results to a more secure system in terms of technology, processes, and people.

It’s important to meet your regulator’s expectations too. We ensure you operate within an accepted TIBER framework, always comfortably meeting expectations from every relevant authority.

Where we leave you is a clear place of action. You’ll know exactly what you need to do to sure up your defences against cyber attackers and you’ll know how to do it. In this way, your organisation extracts the greatest value from your TIBER-DE experience.

Why Choose LRQA Nettitude For TIBER-DE?

New cyber threats can emerge very quickly. For example, the pandemic resulted in a rapid shift to homeworking that left many organisations reeling to keep their networks secure. Huge numbers of employee IP addresses were accessing them from kitchen tables and spare rooms. Distinguishing between legitimate staff and dangerous hackers continues to be a daily challenge for many businesses.

Always one step ahead

LRQA Nettitude’s research and innovation team is constantly scanning the horizon for looming threats that could impact both the financial sector and the wider global economy. We’re also creating new tools and techniques to advance our capability further. There’s no room for complacency.

In fact, our research team has now created a global honeypot network including over 200 nodes around the world. This includes strategically placed devices in key global service hubs.

Exceeding the standard

Our total immersion in the TIBER-DE testing framework, and cybersecurity testing generally, supports many high-profile financial organisations worldwide. Cross-border activity is standard for us and we’re familiar with many local regulations. We have language skills in most EU countries too.

We’re great believers in, not just experience, but accreditations too. That’s why clients trust us with their critically sensitive systems. Our red teams include CREST Certified Simulated Attack Managers, CREST Certified Simulated Attack Specialists, and other experts accredited by CBEST, STAR-FS and STAR.

All these accreditations exceed the minimum requirements of TIBER-DE suppliers. LRQA Nettitude delivers high testing standards globally and proven risk management.

Giving you clarity of action

The TIBER-DE framework is complex. And test results can be challenging to translate. That’s why we work with you after testing, in plain English, to ensure you have a clear plan of action. After all, what your organisation really wants is a higher level of cybersecurity so you can sleep at night.

Our value to you in a nutshell

  • Global leaders in cyber threat intelligence
  • Highly accredited and experienced red teams
  • Proven cross-border capability in high-risk testing
  • End-to-end support, including clarity on action required
  • Accredited by regulators across the globe

Get a free quote

speak to our experts