Endida
Autonomous Scale · Human Ingenuity

Specialist penetration
testing where autonomous
isn't enough.

While you're scheduling next quarter's pen test, an AI-powered attacker is already inside your network — and it got there before lunch. Specialist depth is the human-led layer that catches what autonomous scanning can't: business logic flaws, critical applications, adversary simulation, and regulator-mandated engagements. Delivered by CREST-certified, CBEST and TIBER-approved testers.


Code ships daily. Attackers exploit vulnerabilities before the patches exist. The annual pen test was designed for a threat model that no longer applies — and autonomous-only is overselling. Specialist human depth is what closes the gap.

−1 day: average time-to-exploit in 2025. Attackers exploit vulnerabilities before patches exist. (Mandiant M-Trends 2025)
29%: newly exploited CVEs in 2025 weaponised on or before the day of disclosure. (VulnCheck 2026)
131: CVEs published every single day. Over 50,000 in 2025 alone. (CVE Programme 2025)
36k/sec: AI-driven scan rate sweeping the public internet for exploitable conditions. (Industry telemetry 2026)

Most major 2025 breaches involved no CVEs at all. They exploited trust, tokens and integrations — exactly the surface that scanners cannot reason about and autonomous platforms cannot fully replicate. Group-IB calls identity "the dominant choke point" of 2026.

Drift OAuth: token compromise via trusted third-party integration. No CVE. Pure trust exploitation.
Shai-Hulud: supply chain worm propagated through legitimate package ecosystems. Credentials and trust, not vulnerabilities.
DragonForce: industrialised ransomware operation. Initial access through credential abuse and identity weaknesses.
Cl0p / Oracle EBS: one of 2025's largest extortion waves, driven through a single Oracle E-Business Suite zero-day.
Why specialist depth

Continuous coverage finds the surface.
Specialists find what intent hides.

Autonomous penetration testing wins on continuous coverage, scale and speed — 98% of the network, every day, first findings in hours. It finds the misconfigurations, exposed services and exploitable conditions that adversaries automate against. It does not, however, replace the work that requires human judgement: business logic flaws where every request looks valid but the sequence enables fraud; adversary simulation that demands a designed campaign rather than a scan; and regulator-mandated exercises like CBEST, TIBER-EU and DORA TLPT that require accredited testers and threat intelligence providers by framework rule. Autonomous and human testing solve different problems. Combining them is the right strategy — and for regulated firms, the only architecture that satisfies the regulator.

Engagement types

Five specialist engagements.
One accredited delivery model.

Each engagement is scoped to the framework or objective, delivered by appropriately accredited testers, and managed end-to-end by Endida.

01 — Bank of England
CBEST Penetration Testing
Intelligence-led red team testing for UK financial firms under the Bank of England CBEST framework. Threat intelligence is developed against current adversaries targeting the firm's sector and geography; the red team executes scenarios against critical systems with the regulator informed throughout. Engagements are delivered by CBEST-approved Threat Intelligence and Penetration Testing providers.
02 — European Central Bank
TIBER-EU Threat-Led Testing
Threat-led penetration testing under the European Central Bank's TIBER-EU framework, adopted across the EU as TIBER-XX (TIBER-MT in Malta, TIBER-DE in Germany, etc.). Aligned with DORA TLPT requirements. Two-provider model — Threat Intelligence Provider and Red Team Provider — with the firm's white team coordinating internally and the test conducted on production systems under controlled conditions.
03 — DORA Article 26
DORA Threat-Led Penetration Testing (TLPT)
Mandatory under Articles 26 and 27 of EU Regulation 2022/2554 for in-scope financial entities including credit institutions, investment firms, insurers, central counterparties, central securities depositories and MiCA-regulated CASPs. Cycle is at least every three years. Endida engagements are scoped against the firm's critical and important functions and aligned with TIBER-EU methodology where the national regulator has adopted it.
04 — Application-Level
Business Logic Penetration Testing
Manual testing for flaws that exist in how an application works rather than how it is built. Race conditions in payment and refund flows, insecure direct object references across user boundaries, authorisation bypasses, bonus and promotion abuse in iGaming platforms, RNG manipulation, and chargeback fraud. Each individual request looks legitimate; the flaw lives in the sequence or the intent. Scanners cannot find these. Delivered by senior CREST-certified testers with relevant platform-side experience.
05 — Scenario-Based
Adversary Simulation & Red Team
Designed red team campaigns based on threat intelligence about adversaries actually targeting the firm. Scenarios are developed against named threat actors, mapped to MITRE ATT&CK, and executed end-to-end through reconnaissance, initial access, privilege escalation, lateral movement and objective achievement. For organisations that want to test their detection and response capability rather than only their preventive controls.
06 — NodeZero Sign-Off
CREST Review of Autonomous Findings
For regulated firms running continuous PTaaS through NodeZero, autonomous findings are reviewed and signed off by CREST-certified testers. Adds the human assurance layer regulators and cyber insurers expect — interpretation, contextual prioritisation and a CREST-certified opinion — without re-running the work the autonomous platform has already completed. Pairs with the continuous PTaaS service.

Led by Endida.
Delivered by accredited specialists.
Single point of accountability.

Layer 1
Endida leads the engagement

Scoping against the framework, contract and commercial terms, project management, white team coordination, regulator interaction where required, deliverables and sign-off. One accountable counterparty for the buyer through the engagement and beyond.

Layer 2
Accredited testers deliver

Testing performed by CREST-certified penetration testers, including CBEST and TIBER-approved specialists for regulator-mandated engagements. Tester credentials and accreditation evidence are provided to procurement during scoping and confirmed under NDA.

Layer 3
Tier-1 threat intelligence backs it up

For threat-led engagements, threat intelligence is supplied by tier-1 partners with primary-source visibility of nation-state and financially-motivated adversary activity — not aggregated commercial feeds. Scenarios are built on intelligence that reflects what is actually targeting the firm's sector and geography.

Methodology

TIBER-EU-aligned.
MITRE ATT&CK mapped.
Regulator-fluent.

Threat-led engagements follow the published frameworks. Application-level engagements follow OWASP and bespoke business logic testing. Reports map findings to MITRE ATT&CK techniques and to the relevant regulatory framework. Gartner's March 2026 Market Guide for Adversarial Exposure Validation projects 60% of organisations will adopt continuous exposure validation by 2029 — combining autonomous breadth with the human depth this methodology provides.

01
Threat Intelligence Phase
Targeted threat intelligence on adversaries actually active against the firm's sector and geography. Identification of named threat actors, tactics observed in recent campaigns, and the technical capabilities they bring. Output is a threat profile and a set of test scenarios — not a generic checklist.
02
Red Team Execution
Scenarios executed end-to-end against production systems under controlled conditions. Reconnaissance, initial access, privilege escalation, lateral movement and objective achievement. Mapped to MITRE ATT&CK throughout. Detection telemetry captured to inform the purple team replay.
03
Replay & Reporting
Purple team replay walks the firm's blue team through every step of the engagement, identifying detection gaps and tuning opportunities. Final report is structured for the regulator (CBEST, TIBER-XX, DORA), the executive (commercial impact, board narrative) and the technical team (remediation guidance).
Who needs specialist testing

Regulated firms
and platform builders.

Specialist depth is for organisations that face one of three pressures: regulator mandate, business logic risk, or the need to test detection and response capability.

Regulated finance

Banks, insurers, investment firms, central counterparties, central securities depositories and ICT third parties in scope of DORA. Firms regulated by the Bank of England subject to CBEST. DFSA-regulated firms in DIFC. MFSA-regulated firms in Malta.

Crypto & MiCA-scope

Crypto-asset service providers in scope of MiCA and DORA. CASPs face combined Web2 and Web3 testing requirements, three-yearly TLPT, and four-hour incident reporting. VARA-regulated VASPs in Dubai face equivalent annual obligations.

Platform & iGaming operators

Operators with high-value transaction logic — bonus systems, payment flows, RNG-driven games, refund and chargeback engines — where business logic flaws translate directly to financial loss or licence risk. UKGC, MGA and IoM GSC-licensed firms.

Frequently asked

Specialist penetration testing
— what buyers ask.

What's the difference between TIBER-EU, CBEST and DORA TLPT?
All three are intelligence-led red team frameworks for the financial sector but they differ in jurisdiction. CBEST is the Bank of England framework for UK financial firms. TIBER-EU is the European Central Bank framework adopted by national regulators across the EU (TIBER-MT, TIBER-DE, etc.). DORA TLPT is the threat-led penetration testing requirement under EU Regulation 2022/2554, mandatory for in-scope entities and aligned with TIBER-EU where the national regulator has adopted it. Methodology overlap is significant; the regulator and the legal basis differ.
Who is in scope of DORA TLPT?
DORA Article 26 covers credit institutions, investment firms, insurance and reinsurance undertakings, central counterparties, central securities depositories, trading venues, and crypto-asset service providers under MiCA. Firms must perform threat-led penetration testing at least every three years. National competent authorities determine which firms specifically are required to test, based on size and systemic importance.
Does Endida deliver these engagements directly or through partners?
Engagements are led by Endida and delivered through an accredited partner network. Endida scopes the engagement, manages the project, coordinates with the white team and the regulator, and signs off the final deliverable. Testing is performed by CREST-certified, CBEST and TIBER-approved specialists from our partner network. Threat intelligence comes from tier-1 partners. Specific delivery partners are confirmed under NDA during scoping.
What is business logic penetration testing and why can't scanners find it?
Business logic flaws live in how an application works rather than how it is built. A race condition in a refund flow, an authorisation bypass across user boundaries, a bonus abuse pattern that exploits the order of API calls — every individual request appears legitimate. Autonomous scanners look for technical conditions (SQL injection, XSS, auth weaknesses) and cannot reason about intent. Senior testers with platform-side experience can reason about intent because they have built and broken similar systems before.
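As an added illustration, not Endida's code nor any client system, a minimal Python model of the refund race described above: a check-then-act handler beside an atomic, idempotent one, replayed under a deterministic interleaving, plus a ledger-side check that flags orders refunded more than once. Order ids, amounts and the log format are constructed for the example.

```python
import re
import threading
from collections import Counter

class VulnerableRefunds:
    """Check-then-act: the eligibility check and the state change are separate."""
    def __init__(self, orders):
        self.orders, self.paid_out = orders, 0
    def check(self, order_id):            # step 1: every request looks valid
        return not self.orders[order_id]["refunded"]
    def apply(self, order_id):            # step 2: pays out and marks refunded
        self.orders[order_id]["refunded"] = True
        self.paid_out += self.orders[order_id]["amount"]

class HardenedRefunds:
    """Check and change are one atomic step; an idempotency key absorbs retries."""
    def __init__(self, orders):
        self.orders, self.paid_out = orders, 0
        self.seen_keys, self.lock = set(), threading.Lock()
    def refund(self, order_id, idem_key):
        with self.lock:
            if idem_key in self.seen_keys or self.orders[order_id]["refunded"]:
                return False
            self.seen_keys.add(idem_key)
            self.orders[order_id]["refunded"] = True
            self.paid_out += self.orders[order_id]["amount"]
            return True

def run_vulnerable_interleaving():
    """Deterministic replay of the harmful schedule: both requests check first."""
    svc = VulnerableRefunds({"A1": {"amount": 5000, "refunded": False}})
    ok1, ok2 = svc.check("A1"), svc.check("A1")   # both see refunded == False
    if ok1: svc.apply("A1")
    if ok2: svc.apply("A1")
    return svc.paid_out                           # 10000 paid against a 5000 order

def run_hardened_interleaving():
    svc = HardenedRefunds({"A1": {"amount": 5000, "refunded": False}})
    results = (svc.refund("A1", "req-1"), svc.refund("A1", "req-2"),
               svc.refund("A1", "req-1"))         # third call retries req-1
    return svc.paid_out, results                  # (5000, (True, False, False))
# Constructed refund log (hypothetical format) for after-the-fact detection.
SAMPLE_LOG = """2026-01-10T10:00:01Z refund order=A1 amount=5000 req=req-1
2026-01-10T10:00:01Z refund order=A1 amount=5000 req=req-2
2026-01-10T10:05:00Z refund order=B7 amount=1200 req=req-3"""
def flag_double_refunds(log_text):
    """Orders refunded more than once: a ledger-side detection for the race."""
    counts = Counter(re.findall(r"refund order=(\S+)", log_text))
    return {order: n for order, n in counts.items() if n > 1}
```

Each request in the vulnerable replay passes its own check, which is exactly why a scanner inspecting requests one at a time reports nothing; the flaw is only visible in the sequence and in the ledger total.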
How long does a CBEST or TIBER-EU engagement take?
A typical end-to-end engagement runs 16–24 weeks: 2–4 weeks scoping, 3–6 weeks threat intelligence, 8–12 weeks red team execution, 1–2 weeks purple team replay, 2–3 weeks reporting. Application-level and business logic engagements run shorter — typically 2–6 weeks depending on application scope. Specific timelines are confirmed during scoping.
Can specialist testing be combined with continuous PTaaS?
Yes — and for most regulated firms it should be. Continuous PTaaS through NodeZero provides daily coverage of the network and identifies the attack paths an adversary would automate against. Specialist engagements run periodically against critical assets, business logic and regulator-mandated scope. NodeZero findings can also be reviewed and signed off by CREST-certified testers, satisfying regulator and cyber insurer expectations for human assurance alongside autonomous depth.

Stop choosing.
Start combining.

Continuous autonomous coverage paired with CREST-certified specialist depth. Tell us what you need to test and which framework applies — we'll come back with scope, timeline and the right delivery partners, typically within 48 hours.
