Article 11
Testing phase: red team test
1. Following approval of the targeted threat intelligence report by the TLPT authority, the testers shall prepare the red team test plan that shall contain the information set out in Annex IV. The testers shall use the scope specification document and the targeted threat intelligence report as a basis for producing the attack scenarios.
2. The testers shall consult the control team, the threat intelligence provider, and the test managers on the red team test plan, including the communication, procedural and project management arrangement, the preparation and use-cases for leg-up activation, and the reporting agreements to the control team and test managers.
3. Where the red team test plan is complete and ensures the performance of an effective TLPT, the control team and the TLPT authority shall approve the red team test plan and the TLPT authority shall inform the control team lead thereof.
4. Upon approval of the red team test plan in accordance with paragraph 3, the testers shall carry out the TLPT during the active red team testing phase.
5. The duration of the active red team testing phase shall be proportionate to the TLPT scope, to the scale, activity, complexity and number of the financial entities and ICT third-party or ICT intragroup service providers involved in the TLPT, and in any case shall last for at least 12 weeks. Attack scenarios may be executed in sequence or at the same time. The control team, the threat intelligence provider, the testers and the test managers shall agree on the end of the active red team testing phase.
6. Subject to ensuring that the red team test plan remains complete and allows for the performance of an effective TLPT, the control team lead and the test managers shall approve any changes to the red team test plan subsequent to its approval, including to the timeline, scope, target systems or flags.
7. During the entire active red team testing phase, testers shall report at least weekly to the control team and test managers on the progress made in the TLPT, and the threat intelligence provider shall remain available for consultation and additional threat intelligence when requested by the control team.
8. The control team shall timely provide leg-ups designed on the basis of the red team test plan. Leg-ups may be added or adapted upon approval by the control team and the test managers.
9. In the case of detection of the testing activities by any staff member of the financial entity or of its ICT third-party service providers or ICT intragroup service provider, where relevant, the control team, in consultation with the testers and without prejudice to paragraph 10, shall propose and submit measures allowing to continue the TLPT while ensuring its secrecy to the test managers for validation.
10. Under exceptional circumstances triggering risks of impact on data, damage to assets, and disruption to critical or important functions, services or operations of the financial entity itself, of its ICT third-party service providers or ICT intragroup services providers, or disruptions to its counterparts or to the financial sector, the control team lead may suspend the TLPT, or, as a last resort, where the continuation of the TLPT is not otherwise possible and subject to prior validation by the TLPT authority, continue the TLPT using a limited purple teaming exercise. The duration of the limited purple teaming exercise shall be counted for the purpose of the 12-week minimum duration of the active red team testing phase referred to in paragraph 5.