For the objectives of TIBER-FI, it is essential to ensure that the results from testing result in security improvement measures. The following phases describe the procedures for improving cyber resilience with TIBER-FI.

Preparing the Red Team test report

The Red Team prepare a test report following the testing. To ensure the quality of the report it is recommended that it is finalized soon after the tests have been conducted. The report will contain a description of the testing activities, findings from the testing and recommendations for improving security. The testing activities outlined in the report will be detailed in a fashion that allows the Blue Team to analyze and reference them.

Task Responsibility
Creating the Red Team test report Red Team

Preparing the Blue Team report

After Red Team testing is completed and the White Team has been informed of the results, the White Team assesses what type of Blue Team will be compiled for analysing the test results. The Team should consist of persons responsible for the operational monitoring of cyber security and the investigation of incidents, and within whose area of responsibility the testing and detection activities lay.

The White Team informs the Blue Team of the tests conducted and supplies them with the Red Team test report. After receiving the report, the Blue Team investigates if the testing activities were detected and what response was initiated. The Blue Team prepares a summary connecting their monitoring, investigation and other response activities to the Red Team’s testing activities. The summary is referred to as the Blue Team report.


Task Responsibility
Informing the Blue Team White Team
Creating the Blue Team report Blue Team


The White Team organize a walkthrough workshop for the Red Team and the Blue Team. In the workshop, the Red Team present their activities, procedures and results from testing. At the same time, the Blue Team’s observations and responses as well as opportunities to improve activities are discussed.

The Test Manager is invited to participate in the walkthrough to assess that TIBER-FI procedures have been followed during testing.

Task Responsibility
Organizing the walkthrough White Team

Recording improvement opportunities

White Team compiles a record of improvement opportunities for the purpose of internal development based on the Red Team and Blue Team reports. Typical improvement opportunities contain recommendations for improving detection capabilities and internal processes as well as clarifying responsibilities.

Improvement opportunities are recorded for internal use by the financial entity.

Task Responsibility
Recording improvement opportunities White Team

preparing the Final report

The White Team compile a final report, describing at a high-level how the testing was prepared and implemented, observations on improving activities, recommendations for improving the entity’s own testing process the next time, and observations and feedback on the generic threat landscape report, the legal framework and TIBER-FI procedures. The White Team must attest in the report that the testing phases were conducted in accordance with TIBER-FI procedures. In addition, the management of the testing organisation, together with the service providers, sign an attestation confirming that the test was conducted in accordance with the mandatory requirements of the TIBER-EU framework. The attestation is based on the TIBER-EU attestation template.

The final report is delivered to the Test Manager for the purpose of compiling a summary across the financial sector.

Task Responsibility
Compiling a final report White Team
Preparing an attestation Management of testing organisation and service providers
Delivering final report and attestation to Test Manager White Team

Feedback session

The Test Manager organizes a feedback session after each TIBER-FI testing and invites the White Team and service providers to participate. From each team, at least the lead must participate in the session, and some of the other members as required.

The purpose of the feedback session is to discuss observations on the effectiveness of the TIBER-FI procedures during the testing. The participants will use the observations and feedback obtained to improve their own activities and the TIBER-FI procedures.

Task Responsibility
Organizing a feedback session TIBER-FI Test Manager 

Financial sector summary and information exchange

TIBER-FI Cyber Team compiles a financial sector summary of TIBER-FI testing conducted and their high-level results. The purpose of the summary is to form a common understanding about what type of TIBER-FI test have been conducted and what kind of improvement measures will be initiated on the basis of the results. The summary does not reveal specifics about testing or results that could be tied to any individual financial entity. The summary will be presented for the TIBER-FI cooperation network.

The TIBER-FI Cyber Team has established a cooperation network to discuss TIBER-FI related topics. The cooperation network shares information on developments of TIBER-EU and TIBER-FI frameworks as well as on experiences and lessons learned from practice. Financial entities are invited to participate in the cooperation network. The network meets a few times a year.

Task Responsibility
Creating a financial sector summary TIBER-FI Cyber Team
Organizing the TIBER-FI cooperation network TIBER-FI Cyber Team
Sharing experiences and lessons learned from TIBER-FI Financial entities on their own discretion