A focused course, tailored for you
Operational Resilience Testing for Global Bank Security Officers
Build the threat-led penetration testing programme your regulators expect, from scope to evidence pack.
Your TLPT scope document does not yet map cleanly to your Important Business Services register, and DORA Article 26 requires that it does. This course gives you the methodology to close that gap before the next supervisory review.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
Security Officers at large, internationally active banks are accountable for TLPT execution under DORA, but the programme sits at an uncomfortable intersection: regulatory policy (owned by Compliance), critical function mapping (owned by Operations or Risk), and technical execution (owned by the Red Team or an external tester). The scope justification document is typically the weakest link. It references the right frameworks, it names the right systems, but the chain of reasoning from Important Business Services through threat intelligence selection to in-scope system is rarely documented in a way that survives a supervisory deep-dive. When the ACPR or ECB examiner asks 'show me how you determined this system was in scope', the answer is often a spreadsheet, a slide deck from six months ago, and a verbal explanation. That is not what Article 26 asks for.
What you walk away with
- Map your bank's Important Business Services register to a defensible TLPT scope document in the format supervisors expect.
- Select and brief a threat intelligence provider using the criteria specified in the TIBER-EU framework.
- Draft the Red Team test plan that satisfies both internal approval committees and external supervisory review.
- Build the post-test remediation register with risk-ranked findings, remediation owners, and re-test dates.
- Produce the DORA Article 26 submission package from the test report without starting from a blank template.
- Run the annual TLPT cycle end-to-end with a documented audit trail that satisfies both internal audit and the lead supervisory authority.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- 12 written modules covering the full TLPT lifecycle from IBS mapping to supervisory submission.
- Scope justification template aligned to DORA Article 26 and TIBER-EU.
- Remediation register template with severity classification and re-test tracking.
- Supervisory submission structure guide with annotated worked example.
- Red team provider qualification checklist and contract clause reference.
- Hand-built implementation playbook tailored to your institution's regulatory context, delivered alongside course access.
What you will have in hand by Day 1, Week 1, Month 1
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.
Before and after
Your TLPT scope document exists, but the chain of reasoning from IBS register to in-scope system is verbal rather than documented. The supervisory submission from the last cycle was assembled under time pressure from a combination of the red team report and slides from the kick-off meeting.
You have a repeatable TLPT programme with documented scope justification, a structured remediation register, and a supervisory submission template that produces the Article 26 package without starting from scratch each cycle. The next ECB or ACPR review finds a complete, traceable evidence pack.
What happens if you do not address this
DORA's TLPT requirements for significant institutions are not advisory. Supervisory authorities have the power to require remediation of programme gaps identified during review, and persistent gaps in TLPT documentation quality feed directly into SREP scores. A scope justification that cannot be traced to the IBS register is a finding, not a recommendation.
Who it is for
This course is for Security Officers and their direct reports at Tier 1 and Tier 2 global banks who are accountable for TLPT programme delivery under DORA. It assumes you already understand your bank's control framework and have some familiarity with red team concepts. You do not need to be a penetration tester yourself; you need to build and own the programme that governs the testers.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. Each module is self-contained and reads in 20-35 minutes. The full course is completable in a single focused week or across several working sessions.
Why $199 is the right number
The TIBER-EU framework documentation is publicly available but describes process at a regulatory level, not an implementation level. External consultants who run TLPT programmes charge day rates that make a full programme review expensive. This course teaches you to build and own the programme yourself, so you are the one who understands it when the supervisor asks.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.