Loading the Elevenlabs Text to Speech AudioNative Player...
“Start with ART” is the catchy yet fitting tagline of Advanced Red Teaming (ART), sometimes informally called “TIBER light”. Developed and launched in 2024 by De Nederlandsche Bank (DNB), ART is designed specifically for Dutch financial institutions and their critical ICT service providers under DNB’s supervision.
Advanced Red Teaming builds on the principles of TIBER-EU and aligns with the Threat-Led Penetration Testing (TLPT) regime introduced under the Digital Operational Resilience Act (DORA). Where TIBER-EU set the benchmark for large-scale, regulator-supervised red teaming across Europe, ART offers a more flexible and accessible entry point — but remains a national framework, managed and attested solely by DNB.
What is the ART framework?
According to the DNB’s Advanced Red Teaming (ART) Framework 2.0, ART is a comprehensive testing framework that enables financial institutions and their critical third-party ICT providers to conduct intelligence-led red team operations and prepare for the more comprehensive TIBER/TLPT assessments.
It is explicitly defined as an evolution of the Threat Intelligence-Based Ethical Red Teaming (TIBER) framework, designed to “give participating institutions the freedom to select and customise various modules” so that each test aligns with their cybersecurity posture and learning objectives.
The ART approach introduces a modular testing structure that covers domains such as network and endpoint security, data exfiltration, ransomware simulation, and crisis management. Each test follows the same fundamental principles as TIBER — testing on live systems, maintaining strict secrecy, and basing attack scenarios on intelligence — but allows institutions to scale complexity and frequency to their maturity level.
DNB issues a formal attestation once a test has met all mandatory deliverables under the ART framework. This attestation certifies compliance with the framework’s requirements but does not constitute an assessment of an institution’s overall defensive quality.
The goal of ART assessments, like with similar frameworks, is to identify vulnerabilities and potential gaps in the institution’s defences in order to gain insights about its cybersecurity posture and incident response capabilities.
ART uses intelligence-led scenarios to emulate advanced cyber attacks and conduct controlled attack simulation exercises that reflect actual cyber threats and the tactics of threat-led attacks observed in the current threat landscape.
Who is ART for?
The Advanced Red Teaming framework targets four main categories of participants within the Dutch financial sector:
- Institutions advancing cybersecurity maturity but not yet ready for a full TIBER test.
- Mature institutions outside DORA’s TLPT scope, seeking to benchmark their defences against real-world threat actors.
- Entities already performing TLPT (Threat Led Penetration Testing) or TIBER tests, looking for a more frequent and lighter testing cadence.
- Critical third-party service providers, including technology firms supporting financial market infrastructure.
Under specific conditions, Advanced Red Teaming may also be used to fulfil the DORA Article 24 requirements.
Framework governance and key participants
Each ART test involves several defined participants, mirroring TIBER’s controlled structure while maintaining flexibility:
- Control Team (CT), led by a Control Team Lead (CTL), acts as test owner, making key go/no-go decisions and coordinating deliverables.
- Threat Intelligence Provider (TIP) delivers the targeted threat intelligence report (TIR/TTIR), which forms the basis of the scenario design.
- Red Team Provider (RTP) executes the actual red teaming phase based on the approved intelligence.
- Blue Team (BT) represents the institution’s defensive function and remains unaware of the test until completion.
- Gold Team Provider (GTP), optional, facilitates crisis management exercises if the gold teaming module is selected.
- Board of Directors (BOD) includes a C-level sponsor responsible for approving key deliverables and learning goals.
- Test Cyber Team (TCT-DNB) ensures procedural compliance, supervises test quality, and ultimately issues the attestation.
The framework requires close coordination between the control team, red and blue security teams, and, where applicable, executive crisis teams. These interactions are managed through structured control team meetings overseen by DNB as the managing authority.
Phases and modules of an ART test
The ART process consists of three core phases — preparation, testing, and closure — supported by modular components that can be adapted to institutional needs.
1. Preparation phase
Involves engagement and scoping (average duration 8-12 weeks) between the institution and TCT-DNB to define learning objectives, select modules, and formalise the Scope Specification Document (SSD).
Procurement of providers follows, with guidance from the ART Service Procurement Guide. ART predicts 6-8 weeks for this stage.
2. Testing phase
The testing phase includes the main modules:
- Threat Intelligence (TI) — the foundation of ART. Conducted by internal or external TIPs, it produces the Threat Intelligence Report (TIR) or Targeted Threat Intelligence Report (TTIR). Three variants exist: basic, extended, and full TI, with increasing analytical depth and sourcing requirements. Average duration: 6-8 weeks
- Active Red Teaming (RT) — lasting 6-12 weeks, with execution of at least one scenario based on current threat intelligence, which can follow two main variants:
- Assumed compromise (minimum requirement) — skipping initial access to focus on in-depth post-compromise activity: lateral movement, privilege escalation, data access, and impact simulation. This approach minimises operational risk while still testing detection and response capabilities in depth.
- End-to-end simulation — a full-chain exercise that emulates the complete attack lifecycle, from reconnaissance and initial compromise through to exfiltration or impact. This variant is more resource-intensive but offers the most comprehensive assessment of an organisation’s resilience.
An optional Scenario X module may also be introduced to explore emerging or hypothetical threats that fall outside the institution’s current threat landscape.
Throughout the RT phase, the red team operates on live production systems under carefully defined “rules of engagement.” Activities that could disrupt services or modify data are strictly prohibited. Every action is logged for later review, and safety mechanisms such as immediate test suspension procedures are in place to prevent unintended consequences.
After completing the attack scenarios, the red team produces a Red Team Test Report (RTTR) documenting the tactics, techniques and procedures used, success criteria, indicators of compromise, and defensive observations. The results feed directly into the next stage, the Purple Teaming phase, where the red and blue teams collaboratively replay selected scenarios to enhance detection and strengthen controls.
- Purple Teaming (PT) — a collaborative replay phase between the red and blue teams, analysing detections and refining defences. Duration: around 2 weeks.
- Gold Teaming (GT) — optional crisis management exercises, structured as walk-throughs, tabletop exercises, or simulations, designed to test decision-making and strategic response at the executive level. Duration: 4-10 weeks.
3. Closure phase
The final phase includes remediation, reporting and attestation and lasts around 2 weeks. The organization prepares the Test Summary Report (TSR), conducts a 360° feedback session and develops a remediation plan. Once all deliverables are complete and quality standards are met, DNB’s TCT issues the official attestation document.
Documentation and deliverables
ART seeks to reduce administrative overhead compared to TIBER, while preserving essential documentation for traceability and quality assurance. The materials produced during the process include:
- ART Contract — a formal agreement between the institution and DNB.
- Scope Specification Document (SSD) — definition of systems, processes, and critical or important functions (CIFs).
- TIR / TTIR — threat intelligence basis for scenario design.
- RTTP (Red Team Test Plan) and RTTR (Red Team Test Report) — detailing scenarios, tactics (via MITRE ATT&CK mapping), and results.
- GTTP (Gold Team Test Plan) and GT Report — if applicable.
- TSR (Test Summary Report) and 360° Feedback Report — closure documentation.
- Attestation Document — issued by TCT-DNB upon satisfactory completion.
The ART framework also prescribes mandatory meetings (initiation, scoping, go/no-go approvals, and closure) and enforces strict risk management and ethical boundaries, including confidentiality, data protection, and explicit prohibitions on actions such as unauthorised data modification or service disruption.
ART vs TIBER and TLPT: how do they compare?
Learning outcomes and attestation
Each Advanced Red Teaming project concludes with a learning and improvement cycle. DNB mandates that institutions develop a remediation plan and present results to their Board of Directors, reinforcing executive accountability for cyber resilience.
The ART attestation confirms procedural adherence to the framework and the completeness of deliverables. It does not certify security posture, but it does demonstrate that the institution has executed a controlled, intelligence-led, regulator-supervised red team engagement aligned with DNB’s standards.
How to choose a red-team provider for ART project?
When procuring an ART red-team provider, DNB’s addendum prioritises demonstrable red-teaming competence, independence and appropriate safeguards. Key selection criteria are:
- The vendor must show comparable prior red-team engagements (intelligence-led preferred) and penetration-testing experience that demonstrates operational familiarity with live environments.
- Capacity to field a core red team of at least three operators, with multidisciplinary skills (reconnaissance, exploit development, social engineering, physical testing, vulnerability analysis).
- A named Red Team Test Manager with approximately three years’ red-team experience (including at least one year managing intelligence-led exercises) and an up-to-date CV for review.
- Individual team members with a minimum of two years’ red-team/pentest experience and clear CVs.
- Absence of conflicting commercial relationships, background screening of staff and adequate professional-indemnity insurance.
- Ability to translate technical findings to both SOC/Blue Team audiences and non-technical stakeholders, and to produce an RT Test Plan mapped to MITRE ATT&CK.
These requirements are mandatory for ART tests guided by DNB and should be specified in the RFP and evaluated during shortlisting.
Relationship to other frameworks and authorities
The ART framework explicitly builds on intellectual property from the Bank of England’s CBEST programme and the ECB’s TIBER-EU framework, both of which are licensed under Creative Commons and acknowledged by DNB.
While ART is designed and governed as a national framework for the Dutch financial sector, DNB recognises that “the fundamentals of red teaming according to the ART framework are applicable to multiple institutions and sectors.” In other words, its key elements, centred on secrecy, live-system testing, and independent oversight, can serve as a reference model for other critical sectors or jurisdictions seeking to develop comparable intelligence-led testing regimes. In fact, the Dutch healthcare sector has already adopted ART regulation in the form of ZORRO (ZOrg Redteaming Resilience Oefeningen) – a red teaming framework specific to healthcare organizations.
This approach reflects a broader European trend: the gradual convergence of national testing schemes under TIBER-EU governance and the harmonising influence of DORA’s TLPT provisions, which encourage mutual recognition of equivalent frameworks.
Conclusion: ART is not (yet) for everybody
According to De Nederlandsche Bank (DNB), Advanced Red Teaming “empowers a wide range of financial institutions and their ICT third-party service providers to conduct intelligence-led red-team testing under DNB’s supervision.” However, DNB also makes clear that “an ART test followed by a DNB attestation can only be conducted by financial institutions and their ICT third-party service providers under the guidance of DNB’s Test Cyber Team (TCT-DNB).”
In other words, the official ART framework is limited to Dutch financial institutions, even though its principles — secrecy, live-system testing, and independent oversight — can be applied elsewhere. DNB acknowledges that these fundamentals are transferable, giving ART potential as a methodological blueprint for organisations in other sectors and countries that want to strengthen cyber resilience through realistic, intelligence-led testing.





