Skip to content
arrow-alt-circle-up icon

Cyber Incident Call

arrow-alt-circle-up icon

00800 1744 0000

arrow-alt-circle-up icon


improve your organisation’s cyber resilience in terms of business, bytes, and behaviour

We perform realistic simulations of cyber threat actors breaching their way to your organisation's crown jewels, with the goal to improve cyber resilience in terms of business, bytes and behaviour.

  We are a red team provider and can also facilitate as threat intelligence provider, eliminating overhead during the TIBER assignment. 

 You gain insights into the most vulnerable parts of your organisation, including how they can be abused by threat actors, what the impact can be, and how to fix them.

  Your specialists get the most realistic training in responding swiftly and adequately to cyber threats that are relevant to your organisation.

  We provide you with clear advice on countermeasures on strategical, tactical, and operational levels to reduce risks for your organisation.

Our red team will put you to the test

Our Red Team performs threat intelligence based ethical red-teaming assignments based on the TIBER-NL/EU framework. If applicable, governed by and in cooperation with the relevant authority.

Driven by the generic threat landscape, tailored with the dedicated and unique threat intelligence capability that Northwave has, our Red Team simulates your biggest threats breaching their way through your organisation, achieving all objectives (or so-called compromise actions or flags). The simulation gives your organisation maximum insight of what it’s like to be under attack by these threats, with the aim to learn and identify weaknesses. It is our mission to increase the cyber resilience and capabilities of your organisation’s blue team by enhancing your controls against these threats and helping you respond adequately before they strike.

During the simulation, you will be guided by the specialists of Northwave. Together with them, you make educated decisions, based on which they safely steer the simulation in the right direction. The assignment follows the entire TIBER procedure, ending with a learning and closure phase. This includes a Purple Teaming session, in which your specialists, the Northwave Red Team, and possible other stakeholders get together to share experiences, replay attacks, and work on the improvement of monitoring and detection controls.

Purple Teaming is a proven and valuable method to really improve detection and response, increasing the cyber resilience of your organisation.

Threat Intelligence

We use threat intelligence from actual cyber-attacks investigated by the Northwave CERT and SOC, resulting in realistic and up to date attacks scenarios. Our Reverse Engineering team rebuilds actual malware samples used by threat actors, to create the most realistic simulation of the threat actor.


TIBER Phases

The TIBER framework prescribes the following phases, of which the threat intelligence phase may be executed by Northwave or optionally a third-party provider.

1. Preparation

Our Red Team is involved in the TIBER from the preparation phase onwards. With your organisation we effectuate planning, responsibilities, scoping and more.

2. Threat Intelligence

Tailored threat intelligence on your organisation is gathered to identify your organisations threat landscape and build intelligence-led attack scenarios.



3. In

Based on the agreed intelligence-led attack scenarios, our red team operators obtain an initial digital foot in the door of your organisation.

4. Through

Within your organisation, our red team operators move towards critical systems and processes, simulating the defined threat actor.

5. Out

Through the critical systems and processes, our red team operators strike and obtain the objectives (or so-called compromise actions or flags) of the TIBER.

6. Purple Teaming

When the red team operators moved IN, THROUGH, and OUT, Purple Teaming starts. The emphasis is on learning as much as possible from the simulation.


7. Closure

After feedback sessions and the presenting the results to executives at board level, the remediation plan ultimately helps your organisation to mitigate weaknesses.

What Does This Mean For You

We perform realistic simulations of cyber threat actors breaching their way to your organisation's crown jewels, with the goal to improve cyber resilience in terms of business, bytes and behaviour.

A TIBER generally takes 22 to 32 weeks but can take longer depending on the scope. During the TIBER, we are in contact at regular intervals, seeking progressively closer cooperation with your specialists, working towards the Purple Teaming session.

During the TIBER you receive written reports of the deliverables, such as the threat intelligence report and red team attack plan. We also provide presentations for operational personnel up to board level executives, to maximise the added value of the TIBER.

Our reports contain clear advice for board level executives, on a strategical and tactical level, to decrease your organisations risk based on your biggest threats. For operational advice, the report uses the Unified Kill Chain, based on MITRE ATT&CK, to give your personnel maximum insight into the identified weaknesses and mitigations.

No resources?

Leave your Cyber security to us!

Frequently Asked Questions

We can imagine that you have many questions. You can always contact us to learn more. Below are a few examples of questions that we can investigate further with you.

What is TIBER?

TIBER stands for Threat Intelligence-Based Ethical Red. It is a framework designed to help financial
institutions and other critical infrastructure test and improve their cyber resilience against advanced cyber attacks. The framework guides  these entities in conducting controlled, bespoke, intelligence-led red team tests.

What do the country codes behind TIBER stand for (e.g. TIBER-NL)?

The country codes behind TIBER refer to the specific adaptation or implementation of the framework in different regions. For instance:
TIBER-NL: TIBER framework adopted in the Netherlands by the Dutch National Bank (DNB).
TIBER-DE: TIBER framework adopted in Germany, by the Deutsche Bundesbank.
Each adaptation maintains the core principles of TIBER but may have slight variations to suit the
regulatory and cybersecurity landscape of the respective country.

How does TIBER testing work?

TIBER testing involves simulating the tactics, techniques, and procedures (TTPs) of real-life cyber threat actors based on tailored threat intelligence. The process is divided into several phases: preparation, threat intelligence gathering, red teaming, and closure, including debriefs, purple teaming and follow-up actions.

Who can benefit from TIBER?
Primarily, TIBER is aimed at European entities within the financial sector, including banks, stock
exchanges, and payment providers, as well as other sectors identified as critical national
infrastructure. It helps these organizations assess their ability to defend against, and respond to, cyber
Is TIBER mandatory for financial institutions?
The adoption of TIBER varies by country and sector. Some European countries have integrated the framework into their national regulatory requirements for critical infrastructure, making it a
mandatory exercise for certain organizations. Additionally, the upcoming Digital Operational
Resilience Act (DORA), requires Threat-Lead Penetration Testing (TLPT), for example TIBER, for financial and critical infrastructure in Europe.
How often should TIBER tests be conducted?
The frequency of TIBER tests depends on several factors, including the threat landscape, previous test outcomes, and regulatory requirements. Typically, a complete TIBER cycle is recommended every 2-3 years, with continuous monitoring and improvement of cyber resilience practices in between.
What distinguishes TIBER from other penetration testing methods?
Unlike standard penetration tests, TIBER is intelligence-led and focuses on simulating sophisticated attacks specific to the tested entity. It provides a more realistic assessment of an organization's defenses by considering the latest threat intelligence and mimicking the behavior of actual adversaries. Besides finding improvements in an entity's digital infrastructure, TIBER focusses on getting defensive teams become more familiar with realistic attacks, making them more resilliant in case of a real attack.
How does TIBER ensure confidentiality and security during testing?
TIBER tests are conducted under strict confidentiality. All parties involved, including the red team, the entity being tested, and the regulator, are required to adhere to stringent security protocols to protect sensitive information throughout the testing process.
Can TIBER be applied outside the EU?
Official TIBER documentation, including the framework and guidelines, is available on the European Central Bank's website and the websites of national central banks and regulatory authorities
participating in the TIBER framework.



For a comprehensive understanding and implementation of TIBER, it's essential to consult the official documentation and consider engaging with certified professionals who specialize in TIBER testing and compliance.
Who are the TIBER-NL providers in the Netherlands?
There are several TIBER-NL providers in the Netherlands. This includes both Threat Intelligence
Providers (TIP's) and Red Team Providers (RTP's). Northwave is one of the leading TIBER-NL
providers that functions as both a Threat Intelligence Provider (TIP) as a Red Team Provider (RTP).
How many months does a TIBER take?
The duration of a TIBER is highly dependent on the scope and the size and complexity of the
organization. On average you can count on about 9 to 12 months to fully complete a TIBER test.
What framework will be used for TLPT in DORA?
TLPT, or Threat-Led Penetration Testing, is a cybersecurity framework used to assess the security resilience of financial institutions. In the context of DORA (Deployment of Regulatory Activities), TIBER serves as the designated framework for TLPT.
I am not a financial institution, can I still perform TIBER tests?
While TIBER was originally developed for financial institutions, there has been a growing need for
other parts of critical infrastructure in a similar fashion. The Advanced Red Teaming (ART)
framework was developed to allow other entities to perform TIBER-like tests with oversight of the
DNB. Northwave can also perform 'regular' Adversary Simulations based on relevant Threat
Intelligence, these however, do not carry the label ART or TIBER.

We are here for you

Need help with your cyber security or wondering how secure your business really is?
Get in touch and we will help you find the best solution.