“Most red team engagements test whether your defences can stop a generic attacker. Threat intelligence-led red teaming asks a harder question: can your defences stop the specific adversaries that are already targeting your sector, your geography, and your supply chain?” — Katie Nickels, Director of Intelligence, Red Canary, speaking at SANS CTI Summit 2025.
Threat intelligence-led red teaming is the practice of using finished cyber threat intelligence (CTI) to design, scope, and execute adversary simulation engagements that replicate the tactics, techniques, and procedures (TTPs) of real threat actors relevant to a specific organisation. Instead of running generic exploitation playbooks, operators reconstruct the attack chains that named adversary groups actually use against organisations in the target’s sector and region.
The approach gained formal structure through the TIBER-EU framework, which the European Central Bank published in 2018 and which has since become the reference standard for threat-led penetration testing (TLPT) across European financial services. Switzerland adopted its own variant, TIBER-CH, administered by the Swiss Financial Market Supervisory Authority (FINMA) and the Swiss National Bank.
Search interest in “threat intelligence red teaming” has grown 168% year-over-year in Switzerland (Google Trends, March 2026), driven by DORA enforcement timelines, TIBER-CH expansion, and a broader recognition that adversary emulation produces better security outcomes than scoped vulnerability testing.
Why Generic Red Teaming Falls Short
Standard red team engagements typically follow a methodology-first approach. Operators select techniques from a general playbook, attempt initial access through common vectors (phishing, external service exploitation, valid credential abuse), and escalate through whatever path the environment allows. The results are useful but structurally limited.
The problem is relevance. A generic engagement might demonstrate that your SOC cannot detect Kerberoasting (T1558.003), but if no threat actor targeting your sector uses Kerberoasting as a primary technique, that finding has lower operational value than testing the spearphishing attachment (T1566.001) to scheduled task persistence (T1053.005) chain that APT29 actually uses against European financial institutions.
Threat intelligence-led red teaming solves this by inverting the workflow. Instead of starting with “what can we exploit,” it starts with “who is targeting us, what do they do, and can we detect and stop it.”
Three measurable benefits follow from this inversion:
Detection validation against real threats. When your red team replicates APT28’s use of compromised OAuth tokens (T1528) followed by NTDS.dit extraction (T1003.003), a successful detection confirms your SOC can catch the specific attack chain your organisation is most likely to face.
Better resource allocation. CTI data shows which threat actors are active against your sector. A Swiss private bank faces different adversaries than a Swiss pharmaceutical manufacturer. Threat-led testing allocates defensive investment toward the gaps that matter most.
Regulatory compliance. TIBER-EU, TIBER-CH, and DORA Article 26 all require threat-led penetration testing for significant financial entities. These frameworks explicitly mandate that test scenarios derive from targeted threat intelligence, not generic attack playbooks.
For more on the distinction between scoped testing and full adversary simulation, see Red Teaming vs Penetration Testing.
TIBER-EU: The Gold Standard for Threat-Led Testing
The Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) framework is the most mature and widely adopted standard for intelligence-driven red teaming. Published by the European Central Bank in May 2018 and updated in 2024, TIBER-EU has been adopted by over 20 EU/EEA jurisdictions plus Switzerland (as TIBER-CH).
TIBER-EU defines a three-phase process with three distinct roles:
| Phase | Activities | Responsible Party |
|---|---|---|
| Preparation | Scope definition, regulatory engagement, team selection, legal agreements | Target entity, TIBER authority |
| Testing | Targeted threat intelligence report, red team test execution | Threat intelligence provider, red team provider |
| Closure | Purple team workshop, remediation plan, attestation | All parties jointly |
The framework enforces a strict separation between the threat intelligence provider and the red team provider, though some jurisdictions allow the same firm to deliver both under internal separation controls. The CTI provider produces an independent assessment of the threat landscape, which the red team then operationalises.
What Makes TIBER-EU Different from Standard Red Teaming
| Dimension | Standard Red Team | TIBER-EU |
|---|---|---|
| Scoping basis | Organisation-defined scope | CTI-derived scenarios targeting critical functions |
| Threat intelligence | Optional or informal | Mandatory targeted threat intelligence report |
| Regulatory oversight | None | National authority oversees the entire process |
| Target definition | Systems and networks | Critical functions and live production systems |
| Purple teaming | Optional post-engagement | Mandatory structured closure and purple team exercise |
| Outcome | Technical report with findings | Attestation letter from regulatory authority |
TIBER-EU tests run against live production systems targeting the critical functions that the institution provides to the financial system. For the full framework breakdown, see TIBER-EU Framework.
The CTI-to-Red Team Workflow
The operational workflow from raw intelligence to executed attack simulation involves four stages. Each stage produces a defined output that feeds the next.
Stage 1: Threat Landscape Analysis
The CTI team produces a sector-specific and geography-specific threat landscape answering three questions: Which threat actors have demonstrated intent and capability against this sector and region? What TTPs do they use? What is their current operational tempo?
Sources include government advisories (NCSC, CISA, ANSSI), commercial feeds (Mandiant, Recorded Future, CrowdStrike), sector ISACs, dark web monitoring, and OSINT.
Output: Threat landscape report identifying 3 to 5 priority threat actors with documented TTPs.
Stage 2: Scenario Development
The CTI team translates the threat landscape into attack scenarios. Each scenario is a plausible, end-to-end attack narrative built from documented adversary behaviour.
A scenario for a Swiss financial institution might read: “APT29 gains initial access through a spearphishing link (T1566.002) targeting a treasury operations analyst. Persistence via scheduled task (T1053.005). Internal reconnaissance using native Windows tools (T1057, T1018). Lateral movement through Windows Remote Management (T1021.006) to reach SWIFT messaging infrastructure. Data staging (T1074.001) and exfiltration (T1041).”
Every technique maps to a MITRE ATT&CK ID and is grounded in observed adversary behaviour.
Output: 2 to 4 detailed attack scenarios with full ATT&CK mappings and flags of opportunity (organisational weaknesses identified through OSINT).
Stage 3: Red Team Operationalisation
The red team receives the scenarios and translates them into executable attack plans. The scenarios describe what the adversary does; the red team determines how to replicate it in the target environment. Key decisions: tool selection (custom loaders instead of off-the-shelf C2 if the adversary uses custom tooling), infrastructure setup (C2 domain naming and hosting patterns that mirror the adversary’s known infrastructure), and timing (replicating the adversary’s documented operational tempo between phases).
Output: Detailed operation plan, C2 infrastructure, custom tooling, communication protocols.
Stage 4: Execution, Detection Logging, and Purple Team Closure
The red team executes the plan against production systems. Every action is logged with timestamps and ATT&CK technique IDs. The engagement typically runs 8 to 12 weeks for a TIBER-EU test.
After execution, the mandatory purple team phase begins. Red team operators walk through every action with the blue team and SOC analysts. For each technique:
- Did the blue team detect it? If yes, how quickly?
- Did detection trigger an appropriate response?
- If it was missed, what visibility gap allowed it?
This phase is where the operational value crystallises. The output is not a list of “findings” but a mapped assessment of detection and response capability against specific, intelligence-validated threat actor behaviour.
Integrating the Diamond Model and Kill Chain
Two analytical frameworks underpin threat intelligence-led red teaming: the Diamond Model of Intrusion Analysis and the Cyber Kill Chain. Used together with MITRE ATT&CK, they give the CTI team a structured way to analyse adversary behaviour and translate it into testable scenarios.
The Diamond Model (Caltagirone, Pendergast, and Betz, 2013) models every intrusion event as a diamond with four vertices: adversary, capability, infrastructure, and victim. For CTI-driven red teaming, it structures the intelligence gathering phase. The CTI team maps known intrusions against these vertices to identify targeting patterns. If an adversary group has consistently targeted European financial infrastructure using spearphishing with ISO file attachments and Cobalt Strike C2 through CDN fronting, that pattern directly informs the red team scenario.
Lockheed Martin’s Cyber Kill Chain (2011) divides an intrusion into seven sequential phases: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives. It provides the sequencing logic for attack scenarios. Each scenario maps to a full Kill Chain traversal, with detection and response capabilities assessed at each phase to identify the earliest point at which the blue team can disrupt the attack chain. For more detail, see Cyber Kill Chain.
MITRE ATT&CK provides the granular technique taxonomy that the Diamond Model and Kill Chain lack. In practice, the three frameworks serve complementary roles:
- The Diamond Model structures the CTI analysis at the strategic level (who, what, how, against whom)
- The Kill Chain provides the operational sequencing (in what order)
- MITRE ATT&CK provides the tactical detail (specific technique IDs and sub-techniques)
The Diamond Model drives threat actor selection. The Kill Chain structures the scenario narrative. ATT&CK populates each Kill Chain phase with specific, testable techniques. For the full ATT&CK mapping methodology, see MITRE ATT&CK for Red Teams.
Measuring What Matters: Metrics for Intelligence-Led Engagements
Generic red team engagements often report success in binary terms: “we got domain admin” or “we exfiltrated the crown jewels.” Intelligence-led engagements demand better metrics because the goal is not to prove you can be breached but to measure your detection and response capability against specific adversary behaviour.
Five metrics that matter:
1. Detection coverage by Kill Chain phase. What percentage of red team actions were detected at each Kill Chain phase? Early detection (reconnaissance, delivery) is more valuable than late detection (actions on objectives). A mature organisation detects 60% or more of techniques at the delivery and exploitation phases.
2. Mean time to detect (MTTD) per technique. For each ATT&CK technique executed, how long did the SOC take to detect it? This metric reveals which techniques your detections cover well and which represent blind spots.
3. Mean time to respond (MTTR) per detection. After detection, how quickly was an appropriate response initiated? Detection without response is a failed control.
4. Technique-level gap analysis. Of the ATT&CK techniques in the scenario, which ones had no detection coverage at all? These are your critical gaps and should drive immediate investment.
5. Scenario disruption point. At which Kill Chain phase was the red team’s attack chain disrupted (if at all)? The earlier the disruption, the more mature the defence. Organisations at maturity Level 4 or higher (see State of Red Teaming 2026) typically disrupt intelligence-led scenarios before lateral movement completes.
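The five metrics above are straightforward to compute once the red team's action log (Stage 4) carries, per action, the ATT&CK ID, the Kill Chain phase, and the execution, detection and response timestamps collected during the purple team walkthrough. The script below is an added example, not code from the page, from TIBER-EU or from any vendor: the log schema, the phase labels and the sample records are constructed (the timestamps are hypothetical) and a real engagement would populate them from the red team activity log and the SOC's case-management system.

```python
"""Metrics for an intelligence-led engagement from a per-action red team log.

Added example (not code from the page, TIBER-EU or any vendor). The log
schema, Kill Chain labels and the sample records are constructed; a real
engagement would populate them from the red team activity log and the
SOC's case-management timestamps gathered during the purple team phase.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Lockheed Martin Kill Chain phases, in order, used to sort the coverage report.
KILL_CHAIN = ["Reconnaissance", "Weaponisation", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]


@dataclass
class Action:
    technique: str                  # ATT&CK technique or sub-technique ID
    phase: str                      # Kill Chain phase of this action
    executed: datetime              # when the red team performed it
    detected: Optional[datetime]    # SOC alert time, None if never detected
    responded: Optional[datetime]   # time an appropriate response began, or None
    disrupted: bool = False         # True if the response stopped the chain here


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: a spearphishing-to-lateral-movement chain in the style of
# the article's APT29 scenario, with hypothetical timestamps. The SOC misses
# execution and C2 but disrupts the chain when WinRM lateral movement starts.
SAMPLE_LOG = [
    Action("T1566.002", "Delivery",              _t("2026-03-02T09:00"), _t("2026-03-02T09:12"), _t("2026-03-02T09:40")),
    Action("T1204.001", "Exploitation",          _t("2026-03-02T09:05"), None, None),
    Action("T1053.005", "Installation",          _t("2026-03-02T10:00"), _t("2026-03-02T13:00"), None),
    Action("T1071.001", "Command and Control",   _t("2026-03-02T10:05"), None, None),
    Action("T1057",     "Actions on Objectives", _t("2026-03-03T08:30"), None, None),
    Action("T1018",     "Actions on Objectives", _t("2026-03-03T08:45"), _t("2026-03-03T09:15"), _t("2026-03-03T09:45")),
    Action("T1021.006", "Actions on Objectives", _t("2026-03-03T11:00"), _t("2026-03-03T11:10"), _t("2026-03-03T11:30"), disrupted=True),
]


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def detection_coverage(log):
    """Metric 1: percentage of actions detected, per Kill Chain phase."""
    total, hit = defaultdict(int), defaultdict(int)
    for a in log:
        total[a.phase] += 1
        if a.detected is not None:
            hit[a.phase] += 1
    return {p: 100.0 * hit[p] / total[p] for p in KILL_CHAIN if total[p]}


def mttd_minutes(log):
    """Metric 2: mean time to detect per technique (None = never detected)."""
    samples = defaultdict(list)
    for a in log:
        samples[a.technique].append(
            None if a.detected is None else _minutes(a.detected, a.executed))
    return {t: (None if None in v else sum(v) / len(v)) for t, v in samples.items()}


def mttr_minutes(log):
    """Metric 3: mean time from detection to response, plus the detections that
    never triggered a response (detection without response is a failed control)."""
    deltas, unanswered = [], []
    for a in log:
        if a.detected is None:
            continue
        if a.responded is None:
            unanswered.append(a.technique)
        else:
            deltas.append(_minutes(a.responded, a.detected))
    mean = sum(deltas) / len(deltas) if deltas else None
    return {"mean_minutes": mean, "detections_without_response": unanswered}


def detection_gaps(log):
    """Metric 4: techniques with no detection at all, in execution order."""
    detected = {a.technique for a in log if a.detected is not None}
    gaps = []
    for a in log:
        if a.technique not in detected and a.technique not in gaps:
            gaps.append(a.technique)
    return gaps


def disruption_point(log):
    """Metric 5: (phase, technique) where the blue team stopped the chain, or None."""
    for a in sorted(log, key=lambda x: x.executed):
        if a.disrupted:
            return a.phase, a.technique
    return None


def report(log):
    """All five metrics in one structure, ready for the closure report."""
    return {"coverage_by_phase": detection_coverage(log),
            "mttd_by_technique": mttd_minutes(log),
            "mttr": mttr_minutes(log),
            "gaps": detection_gaps(log),
            "disruption_point": disruption_point(log)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE_LOG), indent=2, default=str))
```

On the sample log the report shows 0% coverage at the Exploitation and Command and Control phases, a scheduled-task detection that nobody acted on, three outright gaps, and a disruption only once lateral movement had begun; that is exactly the kind of picture the purple team phase should produce, and each line of it points at a specific detection-engineering task.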
Building Your CTI-Red Team Pipeline
Building a sustainable CTI-red team pipeline requires investment in three areas: people, process, and intelligence infrastructure.
People. You need CTI analysts who understand adversary tradecraft at the tactical level, not just strategic threat reporting: analysts who can read a Mandiant APT report and translate it into ATT&CK-mapped, operator-ready scenarios. On the red team side, operators need the discipline to stick to the intelligence-derived scenario rather than defaulting to their preferred techniques. See CREST Certification for relevant certification pathways.
Process. Establish a cadence. Quarterly threat landscape updates feed semi-annual intelligence-led engagements. Each engagement follows the four-stage workflow described above. Findings feed back into the CTI function, updating the threat landscape with observed gaps.
Intelligence infrastructure. Invest in threat intelligence platforms (TIPs) supporting structured data: STIX/TAXII for indicator sharing, ATT&CK Navigator for coverage visualisation, and integration with your SIEM and SOAR. Commercial feeds from Mandiant, Recorded Future, or CrowdStrike provide raw intelligence. Your CTI team provides contextualisation.
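The structured-data part of that infrastructure is where Stage 2 scenario development and the tooling named above meet: actor-to-technique relationships arrive as STIX 2.1 objects (intrusion-set, attack-pattern, "uses" relationships), and the CTI team needs them rendered as an ATT&CK Navigator layer the red team can scope from. The script below is an added example, not code from the page, from MITRE or from any TIP vendor. The bundle is constructed with placeholder STIX IDs and three hypothetical actors (two assumed relevant to the sector, one not), a real pipeline would pull the equivalent objects from a TAXII collection or a TIP export, and the version numbers in the layer header are assumptions that should match the Navigator instance you load it into.

```python
"""Turn a STIX 2.1 bundle of actor/technique objects into an ATT&CK Navigator
layer that scores each technique by how many priority actors use it.

Added example, not code from the page, MITRE or any TIP vendor. The bundle,
actor names and STIX IDs are constructed placeholders; a real pipeline would
read these objects from a TAXII collection. The Navigator layer keys follow
the public layer format; the version numbers are assumptions.
"""
import json
from collections import defaultdict


def _ap_id(n: int) -> str:
    """Placeholder STIX ID for constructed attack-pattern number n."""
    return f"attack-pattern--00000000-0000-4000-8000-{n:012d}"


def _ap(n, name, attack_id, tactic):
    """Minimal STIX attack-pattern carrying its ATT&CK ID and tactic."""
    return {"type": "attack-pattern", "id": _ap_id(n), "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": tactic}],
            "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}]}


def _uses(src, dst):
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst}


ACTOR_A = "intrusion-set--00000000-0000-4000-8000-00000000000a"
ACTOR_B = "intrusion-set--00000000-0000-4000-8000-00000000000b"
ACTOR_C = "intrusion-set--00000000-0000-4000-8000-00000000000c"

# Constructed bundle: actors A and B are the (hypothetical) sector-relevant
# groups; actor C is an unrelated group that happens to use Kerberoasting.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-0000000000ff",
    "objects": [
        {"type": "intrusion-set", "id": ACTOR_A, "name": "Example Actor A"},
        {"type": "intrusion-set", "id": ACTOR_B, "name": "Example Actor B"},
        {"type": "intrusion-set", "id": ACTOR_C, "name": "Example Actor C"},
        _ap(1, "Spearphishing Link", "T1566.002", "initial-access"),
        _ap(2, "Scheduled Task", "T1053.005", "persistence"),
        _ap(3, "Process Discovery", "T1057", "discovery"),
        _ap(4, "Remote System Discovery", "T1018", "discovery"),
        _ap(5, "Windows Remote Management", "T1021.006", "lateral-movement"),
        _ap(6, "Local Data Staging", "T1074.001", "collection"),
        _ap(7, "Exfiltration Over C2 Channel", "T1041", "exfiltration"),
        _ap(8, "Kerberoasting", "T1558.003", "credential-access"),
        _ap(9, "NTDS", "T1003.003", "credential-access"),
    ] + [_uses(ACTOR_A, _ap_id(n)) for n in range(1, 8)]
      + [_uses(ACTOR_B, _ap_id(n)) for n in (1, 2, 5, 9)]
      + [_uses(ACTOR_C, _ap_id(8))],
}


def _attack_id(ap):
    for ref in ap.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_by_actor(bundle):
    """Map actor name -> set of ATT&CK IDs by walking 'uses' relationships."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    result = defaultdict(set)
    for o in bundle["objects"]:
        if o.get("type") != "relationship" or o.get("relationship_type") != "uses":
            continue
        src, dst = objs.get(o.get("source_ref")), objs.get(o.get("target_ref"))
        if not src or not dst or src["type"] != "intrusion-set" or dst["type"] != "attack-pattern":
            continue
        tid = _attack_id(dst)
        if tid:
            result[src["name"]].add(tid)
    return dict(result)


def technique_scores(bundle, priority_actors):
    """Technique -> number of priority actors using it (higher = test first)."""
    by_actor = techniques_by_actor(bundle)
    scores = defaultdict(int)
    for actor in priority_actors:
        for tid in by_actor.get(actor, ()):
            scores[tid] += 1
    return dict(scores)


def navigator_layer(bundle, priority_actors, layer_name):
    """Navigator layer JSON; only techniques used by a priority actor appear."""
    by_actor = techniques_by_actor(bundle)
    users = defaultdict(list)
    for actor in priority_actors:
        for tid in by_actor.get(actor, ()):
            users[tid].append(actor)
    techniques = [{"techniqueID": tid, "score": len(a),
                   "comment": "Used by: " + ", ".join(sorted(a))}
                  for tid, a in sorted(users.items())]
    return {"name": layer_name,
            "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},  # assumed
            "domain": "enterprise-attack",
            "description": "Score = number of priority actors observed using the technique",
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#ff6666"],
                         "minValue": 0, "maxValue": max(len(priority_actors), 1)}}


if __name__ == "__main__":
    layer = navigator_layer(SAMPLE_BUNDLE, ["Example Actor A", "Example Actor B"], "Priority actors")
    print(json.dumps(layer, indent=2))
```

Loading the output into Navigator highlights the overlap between the priority actors (spearphishing link, scheduled task, WinRM) with the top score, which is the natural core of a Stage 2 scenario, while Kerberoasting never appears because only the out-of-scope actor uses it. That is the article's relevance argument made visible: the layer, not the operator's preference, decides which techniques the engagement exercises.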
Three common failures to avoid:
- Treating CTI as a compliance checkbox. If the threat intelligence report sits on a shelf and the red team runs a generic engagement anyway, you have spent money on a TIBER-EU assessment and received the value of a standard pentest. The intelligence must genuinely drive the test.
- Skipping the purple team phase. The purple team closure is where most of the operational value is generated. Skipping it reduces the engagement to a pass/fail exercise.
- Static threat modelling. Adversary groups retool, shift targeting, and adopt new techniques. A threat landscape analysis from 12 months ago may not reflect current adversary behaviour. The CTI function must be continuous, not periodic.
The organisations that extract the most value treat this as a continuous loop: intelligence informs testing, testing reveals gaps, gaps drive defensive investment, improved defences update the threat model, and the cycle repeats. For organisations starting this journey, the first step is straightforward: commission a targeted threat intelligence assessment for your sector and geography, and use it to scope your next red team engagement.
Frequently Asked Questions
What is the difference between threat intelligence-led red teaming and standard red teaming?
Standard red teaming tests your defences against a generic attacker using a broad set of techniques chosen by the operator. Threat intelligence-led red teaming starts with a targeted threat intelligence assessment that identifies the specific adversaries, TTPs, and attack chains relevant to your organisation, sector, and geography. The red team then replicates those specific attack chains. The result is a direct measurement of your ability to detect and respond to the threats you are most likely to face.
Is threat intelligence-led red teaming required by regulation?
For significant financial entities in the EU, yes. DORA Article 26 mandates threat-led penetration testing (TLPT) at least every three years for entities identified by competent authorities. TIBER-EU and its national variants (including TIBER-CH in Switzerland) provide the framework for executing these tests. Outside of financial services, threat-led testing is not yet mandatory but is increasingly referenced in NIS2 guidance and sector-specific regulations.
How long does a TIBER-EU engagement take?
A full TIBER-EU engagement typically runs 6 to 12 months from start to final attestation. The threat intelligence phase takes 4 to 8 weeks. The red team execution phase runs 8 to 12 weeks. The closure and purple team phase takes 2 to 4 weeks. Preparation, regulatory coordination, and remediation planning account for the remaining time.
What does a TIBER-EU engagement cost?
A complete TIBER-EU engagement typically costs EUR 150,000 to EUR 500,000 depending on scope and complexity. The threat intelligence component alone usually costs EUR 30,000 to EUR 80,000.
Can the same provider deliver both threat intelligence and red team services?
TIBER-EU guidelines require functional separation between the threat intelligence and red team providers. Some national implementations allow the same firm to deliver both under internal separation controls. Using separate providers is considered best practice to ensure the intelligence assessment remains independent.
Sources
- European Central Bank. “TIBER-EU Framework: How to Implement the European Framework for Threat Intelligence-Based Ethical Red Teaming.” 2018, updated 2024.
- MITRE. “ATT&CK Framework.” 2025.
- Caltagirone, Sergio, Andrew Pendergast, and Christopher Betz. “The Diamond Model of Intrusion Analysis.” 2013.
- Lockheed Martin. “Intelligence Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains.” 2011.
- European Commission. “Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554.” 2022.
- FINMA. “TIBER-CH Implementation Guidance.” 2024.
- Google Trends. “Search interest data for ‘threat intelligence red teaming’ in Switzerland.” March 2026.
- CybersecuritySwitzerland.com Research. “State of Red Teaming 2026.” February 2026.
- Mandiant. “M-Trends 2026.” 2026.
- SANS Institute. “CTI Summit 2025 Proceedings.” 2025.