A threat-led penetration test succeeds or fails on provider selection. Two rules decide most of that outcome, and buyers routinely miss both. The first is the regulator-mandated independence between the threat-intelligence provider and the red-team provider. The second is that accreditation sits at the firm level, not only on the certificates individual testers carry. Get those two right and the rest of the evaluation falls into place.
So how do you choose a threat-led penetration testing provider, and what independence and accreditation rules apply? Shortlist firms that can demonstrate independent threat-intelligence and red-team delivery, hold firm-level accreditation from a recognised scheme, and field testers with verifiable experience, references and professional indemnity insurance. Every major framework that governs this work, the European Central Bank's TIBER-EU, the EU's DORA, the Bank of England's CBEST, and Canada's OSFI I-CRT, is built around those same requirements. This guide walks through each one and ends with a checklist you can run before you sign.
TL;DR
The core selection rule: the threat-intelligence provider and the red-team provider must be independent so intelligence is not marking its own homework. This separation runs through TIBER-EU, DORA, CBEST and OSFI I-CRT (ECB TIBER-EU Framework).
DORA sets hard tester thresholds: the RTS requires a lead red teamer with at least five years of penetration testing and red team experience, plus additional testers with at least two years each (Commission Delegated Regulation (EU) 2025/1190).
The threat-intelligence provider must be external: under DORA's RTS the threat-intelligence provider has to be external to the financial entity and its intra-group ICT providers, even when internal red teamers are used (Commission Delegated Regulation (EU) 2025/1190).
Accreditation is firm-level: under CBEST, both the penetration testing provider and the threat-intelligence provider must be accredited and be members of CREST, not just staffed by certified individuals (Bank of England CBEST).
Canada mirrors the pattern: OSFI's I-CRT framework recommends contracting separate vendors for threat intelligence and red teaming because their independence reduces the risk of conscious or unconscious bias (OSFI I-CRT Framework).
Rotation is mandated too: DORA allows internal testers but requires an external tester on a rotating basis, and significant credit institutions must always use external testers (Regulation (EU) 2022/2554, Article 26).
Key takeaways
Independence between intelligence and red team is designed in, not optional. The point of a threat-led test is that the red team acts on intelligence it did not author, the way a real adversary would. When one team writes the scenario and then attacks against it, the exercise quietly loses the objectivity regulators require. OSFI states the reasoning plainly: separate vendors reduce the risk of conscious or unconscious bias (OSFI I-CRT Framework).
Firm-level accreditation is the trust signal most buyers overlook. A team full of OSCP and CREST-certified testers is necessary but not sufficient. CBEST and its STAR-FS sibling require the company itself to be accredited and a CREST member (Bank of England CBEST). That attests to process maturity, quality assurance and legal cover, not only individual skill.
The frameworks converge, so a provider that satisfies one usually satisfies the others. TIBER-EU, DORA, CBEST and OSFI I-CRT all descend from the intelligence-led model the Bank of England pioneered with CBEST, so their independence, experience and accreditation requirements rhyme.
Experience thresholds are now written into law. DORA's RTS gives you concrete, checkable numbers: a five-year lead, two-year supporting testers, five client references for red teamers and three for intelligence providers (Commission Delegated Regulation (EU) 2025/1190). Use them as your minimum bar even if you are not a DORA-scoped entity.
What is threat-led penetration testing?
Threat-led penetration testing (TLPT) is a controlled, intelligence-driven red team exercise that simulates the tactics of a realistic adversary against an organisation's critical functions. It is not a scan and it is not a scoped web-app pentest. A dedicated threat-intelligence provider first builds a threat profile and target-specific scenarios, then a separate red team executes those scenarios against live production systems, measuring the organisation's ability to prevent, detect and respond.
The model originated with the Bank of England's CBEST and has been adopted by regulators worldwide. The European Central Bank published TIBER-EU as the European framework for threat intelligence-based ethical red-teaming (ECB). The EU's Digital Operational Resilience Act (DORA) made TLPT a legal obligation for a defined set of financial entities. In Canada, OSFI released its Intelligence-led Cyber Resilience Testing (I-CRT) framework in April 2023 (OSFI). Because these frameworks share a lineage, they share a spine of requirements. The most important of those is provider independence.
The two-provider independence rule
The single most misunderstood requirement in this space is that the threat-intelligence provider and the red-team provider are meant to be independent of each other. The intelligence team studies the target and hands over realistic scenarios. The red team then acts on that intelligence without having written it. That separation is what keeps a threat-led test honest.

Here is how each framework handles it.
TIBER-EU (European Central Bank)
TIBER-EU is explicit that a test is conducted by independent third-party providers, namely external threat-intelligence (TI) and red-team (RT) providers (ECB TIBER-EU Framework). An external tester, the framework notes, gives a fresh and independent perspective that internal teams accustomed to the organisation's own systems and people cannot always provide. TIBER-EU acknowledges that some providers offer both TI and RT services and that an entity can opt to procure both from a single firm, but the baseline expectation is independent, external delivery with a White Team and a national Test Cyber Team overseeing the engagement.
DORA (European Union)
DORA turned the intelligence-led model into binding law. Its regulatory technical standards, set out in Commission Delegated Regulation (EU) 2025/1190, require the threat-intelligence provider to be external to the financial entity and to its intra-group ICT service providers (EUR-Lex). Even an entity that uses internal red teamers cannot use internal threat intelligence. On top of that, Article 26 of DORA permits internal testers but requires financial entities to bring in external testers on a rotating basis, and credit institutions classified as significant must always use external testers (Regulation (EU) 2022/2554). The direction of travel is clear: independence and external perspective are treated as controls, not conveniences.
CBEST and STAR-FS (Bank of England)
CBEST, developed by the Bank of England with CREST, keeps the two roles in separate hands. The Penetration Testing Service Provider and the Threat Intelligence Service Provider are each independent companies, both must be CBEST accredited, and accredited providers must be members of CREST (Bank of England CBEST). STAR-FS applies the same intelligence-led methodology to financial services firms outside the regulator-led CBEST remit, again through accredited providers (Bank of England STAR-FS).
OSFI I-CRT (Canada)
Canada's framework is the most direct about why independence matters. OSFI recommends contracting separate vendors for the threat intelligence and the red teaming, explaining that their independence reduces the risk of influence from conscious or unconscious biases (OSFI I-CRT Framework). Where a single provider does perform both functions, OSFI expects a documented separation between the two activities, with no information shared between them beyond what genuine collaboration requires. I-CRT currently applies to Systemically Important Banks and Internationally Active Insurance Groups, typically on a three-year cycle.

The practical takeaway for a buyer is simple. If you are procuring a threat-led test, either engage two independent providers or engage one firm that can prove a genuine internal separation between its intelligence and red-team functions. Ask the question early, because a provider that treats independence as an afterthought will struggle to satisfy any of these regulators.
Why firm-level accreditation matters
Buyers reflexively check testers' certifications, OSCP, OSCE3, CREST CRT, and stop there. Individual certs matter, but every framework above anchors trust at the level of the firm.

Under CBEST and STAR-FS, the company must be accredited and a CREST member before it can deliver at all (Bank of England CBEST). Under DORA's RTS, the checkable evidence, five client references for testers, three for intelligence providers, and professional indemnity insurance covering misconduct and negligence, is evidence about the organisation, not any one employee (Commission Delegated Regulation (EU) 2025/1190). Firm-level accreditation is what tells you the provider has repeatable methodology, quality assurance, legal cover and safe-testing controls behind the individuals on the engagement.
This is why firm-level CREST accreditation is a meaningful signal when you shortlist. Stingrai is a CREST-accredited penetration testing service provider at the firm level, which is a distinct, organisation-wide credential rather than a certificate held by one tester. Our team also holds individual certifications including OSCE3, OSCP, OSWE, OSEP and CREST CRT, but the firm-level accreditation is the credential the frameworks are built around. When you compare providers, look for both layers and do not let a wall of individual badges stand in for organisational accreditation.
Provider-evaluation checklist
Run every shortlisted firm through the same criteria. Each one traces back to a requirement in the frameworks above.

Independence: can the provider deliver threat intelligence and red teaming through independent teams, or will you engage two firms? If one firm does both, ask them to show the documented separation OSFI and TIBER-EU expect.
Firm-level accreditation: is the company itself accredited by a recognised scheme such as CREST, not merely staffed by certified people?
Lead tester experience: does the lead red teamer have at least five years of penetration testing and red team experience, per DORA's RTS threshold?
Supporting team experience: do the additional testers each have at least two years of relevant experience?
References: can the provider supply client references at the depth DORA specifies, five for red teaming, three for threat intelligence?
Professional indemnity insurance: is the firm covered against risks of misconduct and negligence during live testing?
Safe-testing and scoping controls: how does the provider protect production systems, define rules of engagement, and coordinate with a White Team?
Threat-intelligence quality: does the intelligence phase produce target-specific, adversary-realistic scenarios, or generic threat feeds?
Framework fluency: has the provider delivered against the framework you are scoped to, whether TIBER-EU, DORA TLPT, CBEST, STAR-FS or OSFI I-CRT?
Reporting and remediation support: does the engagement end with evidence you can use for supervisory and audit conversations, plus a clear remediation path?
Common mistakes buyers make
Treating a scoped pentest as a threat-led test. A web-application or network pentest is valuable, but it is not intelligence-led red teaming and will not satisfy a TLPT obligation. Know which product you are buying.
Letting intelligence and red team collapse into one team without controls. Convenience is not a defence. When you use a single provider, insist on the documented separation the frameworks require.
Grading on individual certs alone, or skipping insurance and references. A brilliant tester at an unaccredited firm still leaves you without organisational assurance, and the insurance and reference checks that feel like box-ticking are exactly what DORA made explicit requirements.
What this means for buyers
Buyers scoped to DORA, TIBER-EU, CBEST or OSFI I-CRT face a simple reality: provider independence and firm-level accreditation are not preferences, they are the frame the whole engagement hangs on. Organisations that are not formally in scope should still borrow these requirements, because they are the market's best available definition of a credible threat-led provider.
Stingrai runs intelligence-led red teaming with senior human operators leading the adversary emulation, and we hold firm-level CREST accreditation as a penetration testing service provider. That testing produces the kind of independent, well-documented evidence that supports your DORA operational-resilience programme and your broader SOC 2, ISO 27001 and PCI DSS compliance work. For scoped application testing that complements a red team, our web application penetration testing is accelerated by Snipe, Stingrai's autonomous AI agent for web-app testing, while the threat-led scenarios themselves are run by our human pentesters. You can explore how continuous and hybrid delivery works through our PTaaS model, and package details are on the pricing page.
For the regulatory detail behind this guide, see our deeper explainer on DORA threat-led penetration testing, and for the broader vendor question, our guide on how to choose a penetration testing service provider.
Frequently asked questions
How do I choose a threat-led penetration testing provider?
Choose a provider that can deliver independent threat intelligence and red teaming, holds firm-level accreditation from a recognised scheme such as CREST, and fields testers with verifiable experience, client references and professional indemnity insurance. Every framework that governs threat-led testing, TIBER-EU, DORA, CBEST and OSFI I-CRT, is built on those same requirements, so a provider that meets them for one framework is usually well placed for the others (ECB TIBER-EU).
What is the two-provider independence rule in threat-led testing?
It is the principle that the threat-intelligence provider and the red-team provider should be independent of each other, so the team that attacks did not author the intelligence it is acting on. OSFI states that this independence reduces the risk of conscious or unconscious bias, and TIBER-EU frames a test as being conducted by independent external threat-intelligence and red-team providers (OSFI I-CRT).
Can one company provide both the threat intelligence and the red team?
Sometimes, but with conditions. TIBER-EU notes that some providers offer both services and an entity can opt to use one firm, and OSFI allows it only where there is a documented separation between the two activities with no information shared beyond genuine collaboration. Under DORA, however, the threat-intelligence provider must always be external to the financial entity and its intra-group ICT providers (Commission Delegated Regulation (EU) 2025/1190).
What tester experience does DORA require for TLPT?
DORA's regulatory technical standards require a lead red teamer with at least five years of penetration testing and red team experience, plus at least two additional testers with at least two years of experience each. Testers must supply at least five client references and threat-intelligence providers at least three, and the firm must carry professional indemnity insurance covering misconduct and negligence (Commission Delegated Regulation (EU) 2025/1190).
Why does firm-level accreditation matter more than individual certifications?
Individual certifications prove personal skill, but the frameworks anchor trust in the organisation. CBEST requires the company itself to be accredited and a CREST member, and DORA's evidence requirements, references and insurance, describe the firm rather than any one employee. Firm-level accreditation signals repeatable methodology, quality assurance and legal cover (Bank of England CBEST).
Is CREST accreditation required for a threat-led test?
For CBEST and STAR-FS in the UK, yes: accredited providers must be CREST members. TIBER-EU, DORA and OSFI I-CRT do not mandate CREST specifically, but they require equivalent evidence of firm-level competence, so CREST accreditation is widely recognised as a strong signal across all four (Bank of England CBEST).
How is TLPT different from a standard penetration test?
A standard penetration test assesses a defined scope, such as a web application or network segment, against known vulnerability classes. Threat-led penetration testing is an intelligence-driven red team exercise against live critical functions, designed to test prevention, detection and response the way a real adversary would. TLPT begins with a bespoke threat-intelligence phase that a standard pentest does not include (ECB TIBER-EU).
Which organisations must run threat-led penetration tests?
Under DORA, a defined set of financial entities in the EU are in scope. In Canada, OSFI's I-CRT currently applies to Systemically Important Banks and Internationally Active Insurance Groups, generally on a three-year cycle, with other federally regulated institutions able to request assessments. TIBER-EU is used by national authorities across the EU, and CBEST applies to firms the Bank of England considers systemically important (OSFI I-CRT).
Does a threat-led test help with DORA and other compliance programmes?
Yes. A well-run threat-led test produces independent, documented evidence of your operational resilience that supports supervisory and audit conversations under DORA, and the same testing rigour supports SOC 2, ISO 27001 and PCI DSS programmes. The value is in credible, independent evidence you can put in front of a regulator or auditor.
References
European Central Bank. TIBER-EU: What is TIBER-EU. https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html. Overview of the European framework for threat intelligence-based ethical red-teaming, including the roles of threat-intelligence and red-team providers.
European Central Bank. TIBER-EU Framework: How to implement the European framework for Threat Intelligence-based Ethical Red Teaming. https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf. Full framework detailing independent external TI and RT providers, White Team and Test Cyber Team roles, and service procurement.
European Union. Commission Delegated Regulation (EU) 2025/1190 of 13 February 2025 (DORA RTS on threat-led penetration testing). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32025R1190. Regulatory technical standards specifying tester experience, references, insurance and the external threat-intelligence requirement.
European Union. Regulation (EU) 2022/2554 (Digital Operational Resilience Act), Articles 26 and 27. https://eur-lex.europa.eu/eli/reg/2022/2554/oj. Primary DORA obligation for advanced testing, including use of internal testers and the external-tester rotation rule.
Bank of England. CBEST Threat Intelligence-Led Assessments: Implementation Guide. https://www.bankofengland.co.uk/financial-stability/operational-resilience-of-the-financial-sector/cbest-threat-intelligence-led-assessments-implementation-guide. Requirements for accredited, CREST-member penetration testing and threat-intelligence service providers.
Bank of England. STAR-FS Implementation Guide (March 2024). https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/star-fs-implementation-guide-march-2024.pdf. Intelligence-led testing framework for financial services delivered by accredited providers.
Office of the Superintendent of Financial Institutions (OSFI). Intelligence-led Cyber Resilience Testing (I-CRT) Framework (April 2023). https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/osfis-intelligence-led-cyber-resilience-testing-crt-framework. Canadian framework recommending separate threat-intelligence and red-team vendors and defining scope and cadence.



