Threat-Led Penetration Testing (TLPT) for VARA-Regulated VASPs
Intelligence-led red team testing that proves your VASP can detect, contain, and survive a real attack — not just list vulnerabilities. Delivered by an accredited external tester, built to the standard VARA expects.
What Threat-Led Penetration Testing
Actually Is
TLPT is an intelligence-led red team exercise that emulates the real threat actors most likely to come after your business. A standard penetration test answers "where are we vulnerable?" TLPT answers the harder question: if a determined attacker targeted your critical functions on live production, would you detect it, contain it, and keep operating?
It tests your technology, your processes, and your people at the same time. Most of your team isn't told it's happening — so what you measure is your genuine detection and response, not a rehearsal.
Annual penetration testing is mandatory for every VARA-licensed VASP. TLPT is the tier above it — a full red team exercise VARA can require of higher-risk firms like exchanges and custodians. If that's you, being ready before VARA asks beats scrambling after.
Where TLPT Fits in Your VARA Obligations
Every VASP licensed by VARA already has to run independent penetration testing and vulnerability assessment at least once a year — and again before launching any new system, app, or product. That baseline is non-negotiable and it's the same for everyone.
Annual VAPT — required of all VASPs
Independent, third-party penetration testing and vulnerability assessment every year and before major changes. This is the mandatory floor, and the evidence has to be ready when VARA asks for it.
TLPT — the advanced tier VARA can require
Where VARA judges it necessary and proportionate to your risk and how critical your business is, it can require a full threat-led red team exercise on your live production. Exchanges, custodians and high-volume platforms are the most likely to be asked.
Grounded in VARA's Technology & Information Rulebook (Testing & Audit), in force since 19 June 2023. Read it on the official VARA Rulebook →
TLPT vs a Standard Penetration Test
| Standard penetration test | Threat-Led Penetration Testing | |
|---|---|---|
| Question | Where are we vulnerable? | Can we detect and survive a real attack? |
| Cadence | At least annual + before new systems | When VARA requires it, for higher-risk VASPs |
| Scope | Defined systems / applications | Your critical functions, on live production |
| Driven by | Known vulnerability classes | Threat intelligence on adversaries targeting you |
| Tests | Technology | Technology + processes + people |
| Awareness | Team usually knows | Team is kept blind — a true detection test |
| Tester | Qualified independent third party | Accredited external tester |
| Output | Findings + remediation | Findings, remediation plan & regulator-ready evidence |
What to Demand From Any TLPT Provider
VARA sets a clear bar for who is allowed to run a threat-led test. Use this as your checklist for any vendor — ITSEC meets every line.
An external, independent tester — not your internal team, and reputable enough that VARA will accept the result.
Real threat-intelligence and red team expertise — the ability to model the actual adversaries who target virtual asset businesses, not run a checklist scan.
Accreditation or a recognised ethical framework — demonstrable professional standards governing how the test is run.
Independent assurance on how they handle your data — ITSEC is ISO 27001 and ISO 22301 certified, so our own security and continuity meet international standards.
Professional Indemnity insurance — proper cover for a live-production engagement, including against misconduct and negligence.
Regulator-ready reporting — a findings summary, remediation plan and evidence pack you can hand to VARA without rework.
The ITSEC TLPT Engagement
An intelligence-led red team lifecycle that produces regulator-ready evidence at every step.
Scoping & threat profiling
We agree your critical functions, the rules of engagement, and the small trusted team who'll know the test is live — then lock the safeguards that protect data and operations throughout.
Threat intelligence
Independent, targeted intelligence builds realistic attack scenarios specific to your business, your geography, and your infrastructure.
Red team execution
Our accredited testers emulate real adversary tradecraft against live production — technical intrusion, social engineering, business-logic abuse — while your defenders operate blind.
Purple team & replay
We walk the findings through jointly with your blue team, turning the exercise into measurable detection and response improvement.
Reporting & VARA evidence
A clear findings summary, a prioritised remediation plan, and the documentation that shows the test was done right — packaged for VARA.
Who Should Prepare for TLPT Now
The higher your risk and criticality, the more likely VARA is to ask. Get ready before the notification, not after.
Exchanges & trading platforms
High-volume, large attack surface
Custodians
Direct control of client virtual assets
Transfer & settlement networks
Systemic connectivity
Broker-dealers
Client funds and order-flow exposure
High-volume / multi-jurisdiction VASPs
Elevated criticality profile
Coin & token issuers
Issuance, treasury and smart contract exposure
Firms also facing DORA
Serving EU markets — one test, two regimes
If you also fall under the EU's Digital Operational Resilience Act (DORA), threat-led testing is a defined obligation there as well. That's a different regime from VARA — but many Dubai VASPs serve EU clients, and a single well-scoped engagement can be built to satisfy both. We'll tell you honestly whether that applies to you.
A Red Team That Lives Where You're Regulated
UAE-resident, on the ground
Global firms fly in. We're here — coordinating directly with your CISO and control team, and fluent in how VARA actually inspects.
ISO 27001 & 22301 certified
Our own information-security and business-continuity management meet international standard — the assurance a regulator wants from a tester.
Intelligence-led, not checklist
Scenarios built from real intelligence on the adversaries hitting virtual asset businesses today.
Since 2011 in UAE finance
15+ years securing regulated finance, crypto and virtual asset firms — well before virtual assets were regulated here.
Regulator-ready evidence
Every engagement is packaged to produce the findings, remediation and documentation VARA expects.
One accountable team
Scoping, testing, remediation support and re-test handled end to end — not handed between vendors.
VARA TLPT — Straight Answers
Is TLPT mandatory for every VARA-licensed VASP?
What's the difference between TLPT and a normal penetration test?
Who is allowed to perform a VARA TLPT?
Does TLPT have to run on live production systems?
What do we have to give VARA afterwards?
How long does a TLPT take?
When did VARA's current cybersecurity rules take effect?
Ready to Secure Your Digital Assets?
Get a comprehensive security assessment from our expert team. Protecting businesses since 2011.
ITSEC Security Team
Usually replies within 1 hour
ITSEC Security Agent
AI-Powered • 24/7 Active
I'm your AI Security Agent. How can I assist you with your cybersecurity needs today?