Threat-Led Penetration Testing (TLPT) for VARA-Regulated VASPs | ITSEC
ITSEC
VARA-Regulated VASPs · Dubai

Threat-Led Penetration Testing (TLPT) for VARA-Regulated VASPs

Intelligence-led red team testing that proves your VASP can detect, contain, and survive a real attack — not just list vulnerabilities. Delivered by an accredited external tester, built to the standard VARA expects.

Talk to a Red Team Expert
Accredited External Tester ISO 27001:2022 ISO 22301:2019 UAE-Resident Red Team Since 2011
Adversary Simulation Live
00:00:14External attack surface mappedRECON
00:03:22Phishing lure delivered → 3 targetsINITIAL
00:11:05Foothold on CI/CD build nodeFOOTHOLD
00:11:06Awaiting blue-team detection
TIME TO DETECT— monitoring —
Since 2011
Securing UAE Finance
ISO 27001:2022
Information Security
ISO 22301:2019
Business Continuity
$2B+
Digital Assets Secured
UAE-resident
On-the-Ground Red Team
Definition

What Threat-Led Penetration Testing
Actually Is

TLPT is an intelligence-led red team exercise that emulates the real threat actors most likely to come after your business. A standard penetration test answers "where are we vulnerable?" TLPT answers the harder question: if a determined attacker targeted your critical functions on live production, would you detect it, contain it, and keep operating?

It tests your technology, your processes, and your people at the same time. Most of your team isn't told it's happening — so what you measure is your genuine detection and response, not a rehearsal.

The 30-Second Version

Annual penetration testing is mandatory for every VARA-licensed VASP. TLPT is the tier above it — a full red team exercise VARA can require of higher-risk firms like exchanges and custodians. If that's you, being ready before VARA asks beats scrambling after.

The VARA Picture

Where TLPT Fits in Your VARA Obligations

Every VASP licensed by VARA already has to run independent penetration testing and vulnerability assessment at least once a year — and again before launching any new system, app, or product. That baseline is non-negotiable and it's the same for everyone.

1

Annual VAPT — required of all VASPs

Independent, third-party penetration testing and vulnerability assessment every year and before major changes. This is the mandatory floor, and the evidence has to be ready when VARA asks for it.

2

TLPT — the advanced tier VARA can require

Where VARA judges it necessary and proportionate to your risk and how critical your business is, it can require a full threat-led red team exercise on your live production. Exchanges, custodians and high-volume platforms are the most likely to be asked.

Grounded in VARA's Technology & Information Rulebook (Testing & Audit), in force since 19 June 2023. Read it on the official VARA Rulebook →

Comparison

TLPT vs a Standard Penetration Test

Standard penetration testThreat-Led Penetration Testing
QuestionWhere are we vulnerable?Can we detect and survive a real attack?
CadenceAt least annual + before new systemsWhen VARA requires it, for higher-risk VASPs
ScopeDefined systems / applicationsYour critical functions, on live production
Driven byKnown vulnerability classesThreat intelligence on adversaries targeting you
TestsTechnologyTechnology + processes + people
AwarenessTeam usually knowsTeam is kept blind — a true detection test
TesterQualified independent third partyAccredited external tester
OutputFindings + remediationFindings, remediation plan & regulator-ready evidence
Choosing a Tester

What to Demand From Any TLPT Provider

VARA sets a clear bar for who is allowed to run a threat-led test. Use this as your checklist for any vendor — ITSEC meets every line.

An external, independent tester — not your internal team, and reputable enough that VARA will accept the result.

Real threat-intelligence and red team expertise — the ability to model the actual adversaries who target virtual asset businesses, not run a checklist scan.

Accreditation or a recognised ethical framework — demonstrable professional standards governing how the test is run.

Independent assurance on how they handle your data — ITSEC is ISO 27001 and ISO 22301 certified, so our own security and continuity meet international standards.

Professional Indemnity insurance — proper cover for a live-production engagement, including against misconduct and negligence.

Regulator-ready reporting — a findings summary, remediation plan and evidence pack you can hand to VARA without rework.

How We Run It

The ITSEC TLPT Engagement

An intelligence-led red team lifecycle that produces regulator-ready evidence at every step.

01

Scoping & threat profiling

We agree your critical functions, the rules of engagement, and the small trusted team who'll know the test is live — then lock the safeguards that protect data and operations throughout.

02

Threat intelligence

Independent, targeted intelligence builds realistic attack scenarios specific to your business, your geography, and your infrastructure.

03

Red team execution

Our accredited testers emulate real adversary tradecraft against live production — technical intrusion, social engineering, business-logic abuse — while your defenders operate blind.

04

Purple team & replay

We walk the findings through jointly with your blue team, turning the exercise into measurable detection and response improvement.

05

Reporting & VARA evidence

A clear findings summary, a prioritised remediation plan, and the documentation that shows the test was done right — packaged for VARA.

Is This You?

Who Should Prepare for TLPT Now

The higher your risk and criticality, the more likely VARA is to ask. Get ready before the notification, not after.

EX

Exchanges & trading platforms

High-volume, large attack surface

CU

Custodians

Direct control of client virtual assets

TS

Transfer & settlement networks

Systemic connectivity

BD

Broker-dealers

Client funds and order-flow exposure

HV

High-volume / multi-jurisdiction VASPs

Elevated criticality profile

CT

Coin & token issuers

Issuance, treasury and smart contract exposure

EU

Firms also facing DORA

Serving EU markets — one test, two regimes

Serving EU Markets Too?

If you also fall under the EU's Digital Operational Resilience Act (DORA), threat-led testing is a defined obligation there as well. That's a different regime from VARA — but many Dubai VASPs serve EU clients, and a single well-scoped engagement can be built to satisfy both. We'll tell you honestly whether that applies to you.

Why ITSEC

A Red Team That Lives Where You're Regulated

UAE-resident, on the ground

Global firms fly in. We're here — coordinating directly with your CISO and control team, and fluent in how VARA actually inspects.

ISO 27001 & 22301 certified

Our own information-security and business-continuity management meet international standard — the assurance a regulator wants from a tester.

Intelligence-led, not checklist

Scenarios built from real intelligence on the adversaries hitting virtual asset businesses today.

Since 2011 in UAE finance

15+ years securing regulated finance, crypto and virtual asset firms — well before virtual assets were regulated here.

Regulator-ready evidence

Every engagement is packaged to produce the findings, remediation and documentation VARA expects.

One accountable team

Scoping, testing, remediation support and re-test handled end to end — not handed between vendors.

FAQ

VARA TLPT — Straight Answers

Is TLPT mandatory for every VARA-licensed VASP?
Annual independent penetration testing and vulnerability assessment is mandatory for all VASPs. TLPT is the advanced tier above that — VARA can require it where it judges the move necessary and proportionate to your risk and how critical your business is. High-criticality VASPs like exchanges and custodians should assume they're the most likely to be asked.
What's the difference between TLPT and a normal penetration test?
A standard penetration test asks "where are we vulnerable?" and usually targets defined systems with the team's knowledge. TLPT emulates the real adversaries likely to target you, runs against your critical functions on live production, tests people and process alongside technology, and keeps your defenders blind — so it measures genuine detection and response, not a rehearsal.
Who is allowed to perform a VARA TLPT?
An external, independent tester — not your internal team — with genuine threat-intelligence and red team capability, recognised accreditation or an ethical framework, independent assurance over how it handles your data, and professional indemnity cover. VARA has to be able to accept the result, so the tester's credibility matters as much as the test itself.
Does TLPT have to run on live production systems?
Usually yes — the point is to measure detection and response under real conditions, so a well-run TLPT targets your critical functions on live production. It's run under strict rules of engagement, with a small witting team and pre-agreed safeguards protecting data and operations throughout, so the risk is controlled rather than reckless.
What do we have to give VARA afterwards?
A regulator-ready evidence pack: a clear findings summary, a prioritised remediation plan, and documentation demonstrating the exercise was scoped, run and closed out properly. It's built so you can hand it to VARA without rework.
How long does a TLPT take?
It varies with scope and criticality, but a full engagement — scoping, threat intelligence, red team execution, purple-team replay and reporting — typically runs several weeks end to end. We scope it precisely once we understand your critical functions and infrastructure.
When did VARA's current cybersecurity rules take effect?
VARA's Technology & Information Rulebook — which governs testing and audit obligations including penetration testing and threat-led testing — has been in force since 19 June 2023. Annual VAPT is the baseline; TLPT is the advanced tier VARA can require on top of it.
ITSEC - Security Assessment
World Map

Ready to Secure Your Digital Assets?

Get a comprehensive security assessment from our expert team. Protecting businesses since 2011.

Consult Cyber Experts
NDA Protected
24hr Response
Global Coverage
×

ITSEC Security Agent

AI-Powered • 24/7 Active

👋 Welcome to ITSEC – UAE's first AI-augmented cybersecurity firm.

I'm your AI Security Agent. How can I assist you with your cybersecurity needs today?
ITSEC AI
Secured by ITSEC AI • ISO 27001 Certified