NOXVERI Service

Security audit, TLPT and defence quality validation

A penetration test report is not the same as knowing whether your defences work. NOXVERI assesses the quality of controls, orchestrates threat-led tests and translates findings into decisions — independently of the teams running the tests.

TLPT DORA Security Audit Control Validation Red Team Purple Team Threat Intelligence TIP

What NOXVERI offers

Judgement, not scanning

NOXVERI does not execute penetration tests. The value delivered is not in running tools — it is in assessing what the results mean, whether the right things were tested, and what decisions the findings should drive. This distinction matters both for quality and for independence.

Security posture review — an independent assessment of the organisation's overall security position. Not a technical scan, but a structured evaluation of whether the security programme, controls and governance are functioning as intended. Identifies where the stated position diverges from the operational reality.
Control effectiveness assessment — evaluating whether specific security controls are working as designed. Detection capabilities, response procedures, access controls, logging and alerting — tested against realistic scenarios, not against the documentation that describes them. Controls that work on paper but fail in practice offer no protection.
Security architecture review — assessment of architectural decisions and their security implications. Segmentation, trust boundaries, authentication flows, third-party integrations, data exposure. Architectural weaknesses are typically harder to exploit quickly and harder to fix — finding them before a test or incident is significantly more valuable.
TLPT orchestration under DORA — acting as Threat Intelligence Provider (TIP) and test orchestrator for Threat-Led Penetration Tests required under DORA. This includes threat intelligence development, scenario design, engagement of the red team provider, coordination with the regulator where required, and independent oversight of test execution and findings.
Oversight of penetration testing and red team engagements — for organisations engaging specialist test providers directly, NOXVERI provides independent oversight: scope validation, methodology review, quality assurance of findings, and translation of technical results into remediation decisions. The test provider executes; NOXVERI ensures the output is credible and actionable.
Remediation decision support — findings without clear remediation direction are half the value. NOXVERI translates test results into prioritised decisions: what to fix first, what to accept, what requires architectural change versus a configuration adjustment. The organisation ends with a clear action plan, not a list of vulnerabilities sorted by CVSS score.

TLPT under DORA

What TLPT is and how NOXVERI fits in

Threat-Led Penetration Testing is a specific, regulated form of security testing required under DORA for significant financial entities. It differs from standard penetration testing in structure, scope, rigour and regulatory involvement. Understanding the roles — and why they must be separated — is essential before engaging.

What TLPT is

Threat-led, not scope-led

TLPT simulates the tactics, techniques and procedures of real threat actors targeting the specific organisation. The test scenarios are derived from a threat intelligence assessment — what threats are actually relevant to this entity, in this sector, with this profile. This is fundamentally different from a penetration test that works through a predefined scope.

Under DORA, TLPT must cover live production systems. The regulator (or a designated authority) is involved in the process. The test has a defined structure — intelligence phase, red team execution, purple team review — and produces a formal closure report with regulatory significance.

Roles in a TLPT

Three parties, clear separation

Threat Intelligence Provider (TIP) — develops the threat intelligence assessment that defines test scenarios. Requires specific knowledge of the threat landscape relevant to the sector and entity. NOXVERI acts as TIP.

Red team provider — executes the test against the defined scenarios, using the intelligence provided. Must be independent of the TIP and the entity. NOXVERI engages specialist red team providers for this role.

The entity's control team — a small group within the organisation who know the test is happening and manage the engagement. The rest of the organisation (including security operations) is unaware and responds as they would to a real attack.

NOXVERI's role: acting as TIP and orchestrator — developing threat intelligence, designing scenarios, engaging and overseeing the red team provider, coordinating with the regulator, and overseeing the full process to closure. The red team provider executes; NOXVERI ensures the process meets DORA requirements and that findings are translated into defensible remediation decisions.

Why oversight, not execution

Conflict of interest is structural, not personal

NOXVERI deliberately separates advisory and oversight work from test execution. This is not a capability limitation — it is a design decision. The separation eliminates a structural conflict of interest that compromises the value of security testing when both roles are held by the same party.

The conflict in combined roles — when the same firm designs, executes and validates a security test, there is an inherent pressure to find findings consistent with effort invested, to scope the test toward areas where success is likely, and to present findings in a way that reflects well on the execution. None of this requires bad faith — it is a structural dynamic that affects any combined advisory-and-execution model.
Independent oversight changes the dynamic — when NOXVERI oversees a test delivered by a specialist provider, the scope is validated independently, the methodology is reviewed before execution, and the findings are assessed by a party with no stake in the outcome. The result is more credible to the board, to auditors and to regulators.
Better test quality follows — test providers who know their work will be independently reviewed by a technically credible party tend to produce better work. Oversight raises the standard of execution, not just the quality of interpretation.
Regulatory credibility — under DORA, the separation of TIP and red team provider roles is required, not recommended. The same principle — independence between those who design/oversee and those who execute — is good governance practice in any security testing programme, regardless of regulatory requirement.

Who it's for

Organisations that need to know if their defences hold

The common thread is a genuine question about defence quality — not a need to produce a test report for compliance purposes. If the organisation already knows what the test will find, it probably doesn't need this engagement. If the question is open, the answer matters.

Regulated entities subject to DORA TLPT

Financial entities identified as significant under DORA, required to conduct TLPT on a three-year cycle. NOXVERI provides TIP services and end-to-end orchestration of the TLPT process — from threat intelligence development through to the closure report and regulator engagement.

Organisations preparing for audit or certification

Where an independent assessment of control effectiveness is required to support an audit conclusion, certification renewal or regulatory submission. The security posture review and control effectiveness assessment provide defensible, independently-produced evidence of the security position.

Post-incident review

Following a security incident — whether directly affecting the organisation or a sector-wide event — where the board or management needs an independent view of whether the defences would detect and contain a similar attack. Not a forensic investigation, but a forward-looking assessment of residual exposure and what needs to change.