What Is VARA TLPT — And Why It Is Not a Standard Penetration Test
Threat-Led Penetration Testing (TLPT) is a specific class of adversarial security simulation that VARA mandates for UAE-licensed Virtual Asset Service Providers (VASPs) under the Technology & Information Rulebook. It is one of the most operationally demanding cybersecurity requirements in the entire VARA framework — and it is routinely misunderstood, or worse, quietly substituted with a standard penetration test that does not meet the requirement.
Understanding the distinction between TLPT and conventional penetration testing is not an academic exercise. VARA examiners are asking for TLPT documentation with increasing specificity in 2026. Firms that have commissioned standard pen tests and presented them as TLPT compliance are finding that those documents do not satisfy regulatory scrutiny. The gap between what most VASPs have done and what VARA's framework actually requires is significant — and the time to close it is before your next supervisory review, not during one.
This article explains exactly what VARA TLPT requires, how it differs from what most VASPs currently have in place, what the output must look like, and how UAE-based virtual asset firms should approach it.
TLPT vs Standard Penetration Testing: The Core Difference
A conventional penetration test works like this: a defined scope is agreed (a set of IP addresses, an application, a network segment), a methodology is followed (typically OWASP, PTES, or a similar framework), vulnerabilities are identified and confirmed, and a report is produced. The exercise is bounded, documented in advance, and optimised for thoroughness within that defined scope.
TLPT is structurally different in almost every respect:
- Threat intelligence-led scoping: TLPT begins with threat intelligence — specifically, analysis of the tactics, techniques, and procedures (TTPs) used by real threat actors who target virtual asset businesses. The scope of the test is derived from that intelligence, not from a pre-agreed asset list. If the intelligence shows that the most credible threat to a VASP of your size and profile involves front-end interface manipulation targeting multi-signature signing environments, that is what gets tested.
- Full kill-chain simulation: TLPT simulates a complete attack scenario from initial access through lateral movement, privilege escalation, and the final objective — whether that objective is asset extraction, data exfiltration, or operational disruption. Standard penetration tests rarely simulate the full kill chain; they identify and confirm individual vulnerabilities.
- Minimal pre-notification: In a TLPT engagement, the defenders — your internal security and operations teams — are typically not informed that a test is occurring. The test is designed to evaluate your real detection and response capability under conditions that mirror a genuine attack. This is fundamentally different from a coordinated penetration test where the IT team is notified and monitoring specifically for the test period.
- Regulator-facing output: The TLPT report is a regulatory document. It must be structured to demonstrate to VARA that a credible adversarial simulation was conducted, that the scope was appropriate, that findings were addressed, and that the methodology was sound. A standard penetration test report written for an internal security audience will not meet this requirement.
What VARA's Technology & Information Rulebook Actually Says About TLPT
VARA's Technology & Information Rulebook (effective 19 May 2025) establishes cybersecurity requirements across multiple domains. The TLPT requirement sits within the Security Testing and Assessment domain and applies to all Category 1 and Category 2 VASPs, including exchanges, broker-dealers, OTC desks, and custodians.
The key requirements as they apply to TLPT are:
- Annual frequency as baseline: VARA expects TLPT to be conducted at a frequency commensurate with the risk profile of the operation. For active trading platforms and OTC brokers, annual TLPT is the minimum baseline. Infrastructure changes, new product launches, or material changes to custody architecture trigger ad-hoc TLPT requirements outside the annual cycle.
- Coverage of critical systems: TLPT scope must cover the systems that VARA considers critical — transaction authorisation flows, wallet management infrastructure, API layers, trading engines, and the interfaces between front-end applications and back-end custody systems. It is not sufficient to test peripheral systems while leaving the core transaction infrastructure out of scope.
- Independent, qualified assessors: VARA requires TLPT to be conducted by qualified, independent assessors. The Rulebook does not specify a particular certification body, but VARA examiners expect assessors to have demonstrable experience with virtual asset attack vectors — not just general application or network security expertise.
- Documented remediation and retesting: All TLPT findings must be documented, remediated within defined timelines, and retested. The retest results must be documented alongside the original findings. VARA expects to see a complete picture of what was found, what was done, and that the findings were closed — not just a point-in-time report.
- Board and management sign-off: The TLPT engagement, its findings, and the remediation plan must be signed off at board or senior management level. This connects the TLPT requirement directly to VARA's broader governance requirements — it is not purely a technical exercise.
The Attack Scenarios VARA TLPT Must Cover
Given VARA's focus on the specific threat landscape for virtual asset businesses, a credible TLPT programme must address the attack scenarios that represent real, material risk to UAE VASPs. These include:
- Front-end interface compromise targeting signing environments: The February 2026 Bybit hack — the largest exchange compromise in history at $1.5 billion — exploited a compromised Safe{Wallet} front-end interface to manipulate a multi-signature transaction. The underlying smart contract logic appeared valid; the attack operated at the interface layer. Any VARA TLPT that does not test this attack vector is leaving the most relevant current threat unaddressed.
- API key theft and trading engine abuse: Unauthorised access to API keys with trading permissions, followed by exploitation of order management logic to manipulate positions or extract funds. This attack class affects both centralised exchanges and OTC desk infrastructure.
- Wallet infrastructure penetration: Attempts to reach hot wallet signing environments from external entry points through the internal network. This scenario tests the segmentation between internet-facing infrastructure and custody systems.
- Credential harvesting targeting privileged accounts: Phishing and social engineering targeting staff with access to privileged systems — trading desks, operations teams, and technical administrators. Human factors remain the most reliable initial access vector for sophisticated attackers.
- Cold storage architecture validation: Testing the physical and logical controls that prevent unauthorised access to cold storage key material — including HSM integration testing, air-gap verification, and multi-signature quorum controls.
What a VARA-Compliant TLPT Report Must Include
The output of a VARA TLPT engagement is a regulatory document, not just a security assessment. It must be structured to demonstrate compliance to a VARA examiner who may not have a deep technical background but will have a clear framework of what adequate testing looks like.
A VARA-compliant TLPT report must include:
- Executive summary: Board and senior management-level summary of the engagement scope, methodology, key findings, and remediation status. Written for non-technical readers.
- Threat intelligence summary: The threat intelligence inputs that shaped the test scope — the specific threat actor profiles, TTPs, and attack scenarios that were prioritised and why.
- Scope and methodology documentation: Full documentation of what was in scope, what was explicitly out of scope, the methodology used, and the test timeline. This section allows VARA to assess whether the test was credible and comprehensive.
- Findings register with CVSS scoring: All identified vulnerabilities with severity ratings, technical descriptions, proof-of-concept evidence, and business impact assessment.
- Remediation tracking: For each finding, the agreed remediation, responsible owner, target completion date, and confirmation of retest outcome.
- Management sign-off: Board or senior management acknowledgement of the findings, the remediation plan, and acceptance of residual risk where applicable.
- Assessor credentials: Confirmation of the qualifications and independence of the TLPT team.
Why Most UAE VASPs Are Not Currently TLPT-Compliant
ITSEC conducts cybersecurity assessments for VARA-regulated organisations and businesses in the VARA licensing pipeline. Based on that direct experience, the most common gaps against the VARA TLPT requirement are:
- Standard pen tests presented as TLPT: The most common gap. Annual penetration tests are real security controls with real value — but they are not TLPT. VARA examiners are increasingly distinguishing between the two in supervisory reviews.
- Incomplete scope: Tests that cover web applications and network infrastructure but do not include the signing environment, API layer, or wallet architecture. VARA expects TLPT to cover the full critical system perimeter.
- Point-in-time findings without remediation tracking: VARA expects to see findings closed and retested. A TLPT report from 18 months ago with open critical findings is not a demonstration of compliance — it is a demonstration of non-compliance.
- No threat intelligence input: Tests scoped without reference to threat intelligence are conventional penetration tests, not TLPT. VARA expects the test scope to be shaped by analysis of what real threat actors targeting UAE VASPs are actually doing.
- Reports not structured for regulatory consumption: Technical reports written for internal security teams do not satisfy VARA's documentation requirements. The output must be structured to demonstrate programme integrity to a regulator.
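The findings register and remediation tracking sections described earlier, and the point-in-time gap just listed, can be checked mechanically before a report goes to an examiner. The following is an added example, not code from the original article or from ITSEC: it models each register row as a record, derives the CVSS v3.x qualitative severity band from the base score, and flags findings with no owner or target date, findings past their remediation deadline, findings remediated but never retested, and findings whose retest failed. The remediation SLA windows, the review date, and the sample findings are constructed for the example; the Rulebook requires "defined timelines" but does not fix these numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed remediation windows (days) per severity band. Illustrative only;
# the Rulebook requires defined timelines without prescribing numbers.
REMEDIATION_SLA_DAYS = {"Critical": 14, "High": 30, "Medium": 90, "Low": 180}
AS_OF = date(2026, 3, 1)  # assumed date of the supervisory review


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    ref: str
    title: str
    cvss: float
    found_on: date
    owner: Optional[str] = None
    target_date: Optional[date] = None
    remediated_on: Optional[date] = None
    retest_result: Optional[str] = None  # "closed", "open", or None if never retested

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

    @property
    def deadline(self) -> Optional[date]:
        """Agreed target date, else found_on plus the assumed SLA for the band."""
        if self.target_date is not None:
            return self.target_date
        sla = REMEDIATION_SLA_DAYS.get(self.severity)
        return None if sla is None else self.found_on + timedelta(days=sla)

    def is_closed(self) -> bool:
        # A finding only counts as closed once remediation is confirmed by retest
        return self.remediated_on is not None and self.retest_result == "closed"


def check_finding(f: Finding, as_of: date) -> list[str]:
    """Return the gaps an examiner would flag for one finding (empty if closed)."""
    if f.is_closed():
        return []
    issues = []
    if f.owner is None:
        issues.append("no remediation owner")
    if f.target_date is None:
        issues.append("no target completion date")
    if f.remediated_on is None:
        if f.deadline is not None and as_of > f.deadline:
            issues.append(f"unremediated, {(as_of - f.deadline).days} days past deadline")
    elif f.retest_result is None:
        issues.append(f"remediated on {f.remediated_on.isoformat()} but not retested")
    elif f.retest_result == "open":
        issues.append("retest failed, finding still open")
    return issues


def register_summary(findings: list[Finding], as_of: date) -> dict:
    """Roll the register up into what the remediation-tracking section needs."""
    open_by_severity: dict[str, int] = {}
    issues = {}
    for f in findings:
        if not f.is_closed():
            open_by_severity[f.severity] = open_by_severity.get(f.severity, 0) + 1
        gaps = check_finding(f, as_of)
        if gaps:
            issues[f.ref] = gaps
    return {
        "total": len(findings),
        "closed": sum(1 for f in findings if f.is_closed()),
        "open_by_severity": open_by_severity,
        "issues": issues,
        # Complete only when every finding is remediated and retested closed
        "examiner_ready": all(f.is_closed() for f in findings),
    }


# Constructed sample register: illustrative refs and titles, not real findings.
FOUND = date(2025, 11, 10)
SAMPLE_REGISTER = [
    Finding("TLPT-EX-001", "Signing UI served without integrity checks", 9.8, FOUND,
            owner="Custody Engineering", target_date=date(2025, 11, 24),
            remediated_on=date(2025, 11, 20), retest_result="closed"),
    Finding("TLPT-EX-002", "Trading API key lacks IP allowlist", 7.5, FOUND,
            owner="Platform", target_date=date(2025, 12, 10),
            remediated_on=date(2025, 12, 5)),
    Finding("TLPT-EX-003", "Flat network between web tier and hot wallet host", 9.1, FOUND),
    Finding("TLPT-EX-004", "Order management accepts negative quantity", 5.3, FOUND,
            owner="AppSec", target_date=date(2026, 2, 8),
            remediated_on=date(2026, 1, 15), retest_result="open"),
    Finding("TLPT-EX-005", "Verbose error pages on admin portal", 3.1, FOUND,
            owner="IT Ops", target_date=date(2026, 5, 9)),
]
```

Running `register_summary(SAMPLE_REGISTER, AS_OF)` on the sample data reports one closed finding out of five and marks the register as not examiner-ready: the unowned critical is 97 days past its assumed deadline, the high is remediated but never retested, and the medium failed retest. The design choice worth noting is that `is_closed` demands both a remediation date and a passed retest, which is exactly the "found, fixed, confirmed closed" picture the article says VARA expects.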
How to Prepare Your VARA TLPT Programme
For VASPs that are building or correcting their TLPT programme ahead of VARA's 2026 supervisory cycle, the preparation steps are:
- Gap assessment: Assess your current penetration testing programme against VARA's TLPT requirements. Identify whether your existing documentation would satisfy VARA examiner scrutiny. This does not require an immediate full TLPT engagement — a scoping and documentation review will identify the most material gaps quickly.
- Assessor selection: Identify a TLPT provider with documented experience in virtual asset attack vectors, UAE regulatory requirements, and the production of regulator-facing deliverables. Generic penetration testing firms do not have the threat intelligence capability or regulatory documentation experience that VARA TLPT requires.
- Scope definition: Work with your TLPT provider to define a scope that covers VARA's critical system expectations — at minimum, transaction authorisation flows, signing environments, wallet infrastructure, API layers, and administrative access paths.
- Threat intelligence briefing: Before test execution, commission a threat intelligence briefing that profiles the current threat actor landscape for UAE VASPs and identifies the TTPs most relevant to your infrastructure profile. This input shapes the test scenarios.
- Board engagement: Ensure board and senior management awareness before the TLPT engagement commences, and plan for formal sign-off on findings and remediation once the report is delivered.
- Remediation and retest cycle: Build remediation timelines into the engagement plan from the outset. VARA expects the full cycle — test, remediation, retest — to be completed and documented, not just the initial findings.
ITSEC's Approach to VARA TLPT
ITSEC has been delivering cybersecurity services to UAE-regulated organisations since 2011. Our VARA TLPT engagements are designed to VARA's specific framework — not adapted from a generic red team methodology. Our team combines CREST-certified penetration testing expertise with blockchain security capability and direct VARA regulatory experience, producing engagements that address both the technical and regulatory dimensions of the requirement.
Every VARA TLPT engagement ITSEC delivers produces documentation structured for VARA submission: executive summaries suitable for board review, threat intelligence briefings, scope and methodology documentation, CVSS-rated findings registers, remediation tracking, and regulator-ready final attestation. The output is designed to withstand examiner scrutiny — because that is ultimately what TLPT compliance requires.
ITSEC operates alongside SecureVisa Group (SVG), VARA's licensing advisory practice, which means that for firms navigating the full VARA licensing process, cybersecurity requirements and licensing requirements are addressed by a single integrated team. That integration eliminates the coordination gap that creates compliance risk when advisors are working from different frameworks.
If you are a VARA-licensed VASP or preparing for VARA licensing and want to understand where your current testing programme stands against VARA's TLPT requirements, contact ITSEC for a scoping conversation.