TIBER-EU Ready

Built for the Technical Demands of TIBER-EU Engagements

TIBER-EU mandates threat intelligence-led attacks against live production systems with precision and pace. BallisKit's tooling handles the parts that consume your engagement time: payload generation, evasion calibration, and format selection, so your team executes scenarios at the depth TIBER requires.

What is TIBER-EU

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for controlled, bespoke red team exercises. It was developed by the European Central Bank and adopted by national central banks and financial regulators across the EU.

Unlike conventional penetration tests or vulnerability assessments, TIBER-EU mandates a specific approach:

  • Threat intelligence-led scenarios - Attacks are designed around actual threat actors known to target the specific organization, based on bespoke Threat Intelligence Reports
  • Live production testing - Exercises target real production systems, not test environments
  • Assumed breach scope - Tests cover initial access, lateral movement, persistence, and impact - the full kill chain
  • Multi-team structure - Separate teams for Threat Intelligence, Red Teaming, and Blue Team response with controls
  • Regulatory reporting - Findings feed directly into regulatory supervisory processes

TIBER-EU is not optional for systemically important financial institutions in participating countries. It is the regulatory standard for demonstrating cyber resilience.

Outside the EU?

Regulated financial institutions in North America, the UK, and APAC run intelligence-led red team programs applying the same core principles: bespoke threat intelligence, live production testing, and regulatory oversight. BallisKit tooling meets the technical requirements of these advanced red team programs regardless of the specific regulatory mandate in your jurisdiction.

What TIBER-EU Requires from Red Teams

TIBER-EU makes specific technical demands of red teams, and its intelligence-led, production-system scope raises them further.

Threat Actor-Accurate Initial Access

Requirement: The red team must replicate documented threat actor TTPs at the initial access stage - using delivery methods, payload formats, and evasion techniques consistent with the threat actor's known tradecraft.

BallisKit: MacroPack Pro generates threat-actor-accurate delivery formats with configurable execution chains, lure metadata, and per-target EDR profiles.

Weaponization Fidelity

Requirement: Shellcode or stager delivered must survive both gateway scanning and endpoint detection on the production system. TIBER engagements cannot rely on leaving detections open.

BallisKit: ShellcodePack applies layered encryption, obfuscation, and assembly-level bypass techniques (including direct/indirect syscalls) producing consistent evasion quality across all operators.

macOS Scope Coverage

Requirement: Enterprise environments in the financial sector have significant macOS adoption. Threat actors targeting these organizations include macOS in their TTPs. An engagement that excludes macOS scope is incomplete.

BallisKit: DarwinOps provides full macOS kill chain coverage with dedicated bypass profiles for all major enterprise EDR and MDM security platforms deployed in Apple environments.

Engagement Speed

Requirement: TIBER engagements run within fixed time windows. The intelligence-led scenario design phase is where teams should invest time. Payload iteration loops should not consume engagement execution time.

BallisKit: All three tools generate payloads within minutes, removing preparation overhead from fixed-window engagement execution.

MITRE ATT&CK and TTP Emulation Accuracy

TIBER-EU's threat-intelligence-led requirement has a concrete operational meaning: the red team must replicate the specific techniques used by the threat actor named in the Threat Intelligence Report. MITRE ATT&CK is the shared taxonomy both the TI provider and the red team use to document and verify that accuracy.

When the TI report documents that a threat actor uses T1566.001 (Spearphishing Attachment) for initial access and T1055.012 (Process Hollowing) for execution, the red team must be able to reproduce those specific techniques - not substitute generic alternatives. BallisKit tools map directly to ATT&CK techniques, giving red teams verified coverage of the techniques they need to emulate.

This matters equally for non-EU engagements. Advanced red team programs at regulated financial institutions in North America and APAC use ATT&CK as the framework for scenario documentation and accuracy verification. Technique-level coverage is how you demonstrate that a simulated attack accurately represents the threat.

Red Team Testing Phase

BallisKit Mapped to TIBER-EU Phases

BallisKit tools mapped to TIBER-EU red team testing phases
TIBER Phase | BallisKit Tool
Initial access (Windows) | MacroPack + ShellcodePack
Weaponization | ShellcodePack + MacroPack
Initial access (macOS) | DarwinOps
Privilege escalation (macOS) | DarwinOps
Persistence | MacroPack Pro + DarwinOps
C2 integration | All tools

How to Get Started with BallisKit for TIBER

01. Identify your scope

Which platforms (Windows, macOS, or both), which threat actor TTPs, and which target EDR products.

02. Select the right tools

MacroPack Pro for Windows initial access, ShellcodePack for weaponization, DarwinOps for macOS coverage.

03. Request a demo

See the tools in action against your specific scenario. Contact contact@balliskit.com from a professional email address.

04. License and onboard

Annual licenses with bypass profile update notifications and access to product video walkthroughs.

05. Execute

Run your TIBER scenario with production-ready tooling. Update EDR bypass profiles from the Discord community as needed.

Product Summary for TIBER Teams

BallisKit products for TIBER-EU teams with pricing
Product | Annual Price
MacroPack Pro | €1,350 / user
ShellcodePack | €875 / user
DarwinOps | €1,490 / user
All three (bundle) | Contact for pricing

Frequently Asked Questions

Does BallisKit have TIBER-EU certification?

No. TIBER-EU certification applies to red team service providers, not tooling vendors. BallisKit provides the tools; TIBER-certified red team providers use those tools in their engagements. The tools themselves do not require certification - they need to be technically capable of meeting TIBER's requirements. They are.

Do your bypass techniques work against production EDR?

Yes. Bypass profiles are developed and tested against production EDR deployments, not lab configurations. The Discord community contributes real-world validation, and profiles are updated as EDR vendors respond with detection improvements.

Can I configure payloads to match specific threat actor TTPs from the intelligence report?

Yes. MacroPack Pro supports configurable metadata, execution chain selection, and format combinations that can match documented threat actor delivery patterns. ShellcodePack's obfuscation stack is configurable to match known payload characteristics from threat intelligence. DarwinOps supports technique selection for matching macOS-specific TTPs.

What C2 frameworks do you support?

Cobalt Strike, Sliver, Mythic, Empire, Merlin, and Brute Ratel C4. Raw shellcode (.bin) input is supported by all three products, making custom C2 frameworks compatible.

Do you provide professional services or consulting for TIBER engagements?

Not directly. BallisKit is a tooling vendor. For TIBER-certified red team services, you need a TIBER-accredited test provider. Contact us if you need guidance on pairing BallisKit tooling with TIBER-certified service providers.

What EDR products do your bypass profiles cover?

See individual product pages for full lists. Combined coverage includes all major enterprise EDR platforms across Windows and macOS environments, including next-gen AV engines, MDM-integrated endpoint security, and open-source macOS security tools.

Running a TIBER-EU Engagement?

Evaluate BallisKit tooling for your upcoming engagement. Professional email required. Response within 24 hours.