London (ots) - Since the implementation of the Digital Operational Resilience Act (DORA, https://horizon3.ai/downloads/whitepapers/dora/) on January 17th this year, financial institutions in the EU are required to conduct regular Threat-Led Penetration Testing (TLPT). This involves using real-world cyber-attack techniques to assess IT infrastructures and identify exploitable attack vectors before they are discovered by threat actors. "While this is a positive step, the mandated three-year testing cycle is far too long given the fast-paced nature of cybercrime," said security expert Keith Poyser (https://www.linkedin.com/in/keith-poyser-883979/?originalSubdomain=uk), Vice President for EMEA at cybersecurity company Horizon3.ai (http://horizon3.ai/). The company operates the autonomous pentesting platform NodeZero®, where financial service providers can conduct penetration tests on their IT infrastructure, cloud and Kubernetes environments as often as they like to identify potential security gaps. Poyser points to findings from Horizon3.ai's "Cyber Security Report UK 2024/25", according to which 70 percent of organisations questioned have fallen victim to a cyberattack at least once in the past two years.

"Given the increasing frequency of cyberattacks, it is unacceptable for a financial services provider to assess just once every three years whether their IT infrastructure is capable of withstanding an attack or if it will fail," explained Poyser. He further added: "With cybercriminals becoming ever more aggressive, an exploit-focused, impact-prioritised, high-frequency, modern testing regime, with fix actions and re-tests, has to be a key part of any sensible strategy for financial services institutions."

"Like Finding a Needle in a Haystack"

According to the industry veteran, the biggest challenge is identifying which of the vast number of potential IT weaknesses or vulnerability "noise" are real-world exploitable within an organisation, and prioritising these for quick remediation.
"The list of potential entry points is long, ranging from outdated software somewhere in the system, weak or reused passwords, or excessively broad access rights for individual employees, to threats arising from the software supply chain," explained Poyser, illustrating the scale of the task. He continued: "In this typically heterogeneous and complex IT landscape, finding a security gap is like searching for the proverbial needle in a haystack. Threat actors manage to do it, which is why financial service providers need to use the same methods as cybercriminals to stay one step ahead. And that's exactly what penetration tests are: searching for needles in your own IT haystack before