[Gartner SRM Summit 2025] The Value and Adoption Strategy of Threat-Led Penetration Testing
- Pyo Kwon
- Jun 12
Eric Ahlm’s session, “Tips for Improving Your Security Operations With Adversarial Exposure Validation,” underscored Adversarial Exposure Validation (AEV) as the heart of Continuous Threat Exposure Management (CTEM). Building on that, Dhivya Poole’s presentation, “The Ultimate Cyber Drill: Unveiling the Benefits of Threat-Led Penetration Testing,” explored practical adversarial validation methods for today’s rapidly evolving cyber-threat landscape.

Why We Need a New Approach
Cyber threats evolve so quickly that traditional check-the-box penetration tests no longer suffice. Poole argued for a shift to Threat-Led Penetration Testing (TLPT), which delivers scenarios grounded in real-world threat intelligence and drives genuine business value.
Definition and Core Value of Threat-Led Penetration Testing
Threat-Led Penetration Testing is driven by threat intelligence rather than simple vulnerability hunting. It analyzes actual threat actors, their motivations, objectives, and tactics to design and execute realistic attack scenarios.
Key values include:
Realism - Simulate actual attack scenarios to uncover and remediate true weaknesses
Customization - Tailor tests to the organization’s business context and unique threat profile
Business alignment - Contribute directly to goals such as zero-day mitigation, incident response readiness, and brand protection
Resilience - Strengthen cyber resilience rather than merely meeting compliance requirements
TLPT Operating Framework: Five-Phase Method

Threat Intelligence
- Analyze potential attackers, including identity, motives, goals, and likely impact
- Create a detailed threat profile documenting actors, tools, and infrastructure
Planning
- Define scope, attack scenarios, methods, and integration with exposure management
- Build an intelligence-driven attack plan
Execution
- Simulate planned attacks, adapt tactics in real time, and maintain operational integrity
- Produce a detailed report of actions and outcomes
Analysis and Remediation
- Conduct joint reviews with both attack and defense teams
- Identify vulnerabilities and gaps, then draft a prioritized remediation plan
Review and Continuous Improvement
- Assess the entire process to identify enhancements
- Build a continuous improvement model to strengthen security posture over time
Core Strategies for Successful TLPT Adoption

Secure Executive Sponsorship
- Frame TLPT as a business imperative rather than a technical checkbox
- Highlight its role in preserving reputation, meeting regulations, and building customer trust
Choose the Right Service Mix
- Balance in-house expertise, external consultants, and automation tools
- Use automation to broaden test coverage and specialists for complex scenarios
Demonstrate Measurable Results
- Go beyond vulnerability counts to show real benefits
- Use metrics such as Mean Time to Detect and Mean Time to Remediate to quantify cost avoidance
Embedding TLPT as a Core Capability
Focus on Crown Jewels - Allocate effort to protect highest-value assets first
Integrate with Adjacent Functions - Link TLPT with exposure management and incident response to form an intelligence-driven defense ecosystem
Foster a Continuous-Testing Culture - Translate TLPT insights into ongoing process improvements and targeted training

Day-One Wrap-Up
TLPT emerged as an essential strategy against evolving threats. Yet practical hurdles remain: security teams focus on defense, and maintaining a red-team capability can strain resources. Recognizing this reality is the first step. We must view TLPT not as a dedicated team but as a vital capability that continuously validates and refines our defenses through an attacker’s lens.
Author - Pyo Kwon, CPTO | PAGO Networks