Annex V Content of the red team test report (Article 12(2))

The red team test report shall contain information on at least all of the following:

  (a) information on the performed attack, including:

    (i) the targeted critical or important functions and identified ICT systems, processes and technologies supporting the critical or important function, as identified in the red team test plan;
    (ii) summary of each scenario;
    (iii) flags reached and not reached;
    (iv) attack paths followed successfully and unsuccessfully;
    (v) tactics, techniques and procedures used successfully and unsuccessfully;
    (vi) deviations from the red team test plan, if any;
    (vii) leg-ups granted, if any;

  (b) all actions that the testers are aware of that were performed by the blue team to reconstruct the attack and to mitigate its effects;

  (c) discovered vulnerabilities and other findings, including:

    (i) vulnerability and other finding description including their criticality;
    (ii) root cause analysis of successful attacks;
    (iii) recommendations for remediation including indication of the remediation priority.