Mitsuaki (Mitch) Shiraishi
Mitsuaki was a speaker at BSides Tokyo 2018 and has served as a lecturer for the Security Camp National Program from 2023 to 2025. In 2016, he established Japan’s first Red Team operations service at Secureworks Japan, where he was responsible for service design and project delivery as the technical lead. Since 2022, he has been with a major global cybersecurity firm, leading the launch of its domestic Red Team services while also participating in international Red Team projects as a member of the global team.
OSEE/OSCE/OSCP/GREM/CARTP/CHMRTS/CISSP/CISA/Information Security Specialist/Software Development Engineer/Master of Technology Management (Professional)
A Proposal for TLPT 2.0: Decoupling “Knowing the Enemy” from “Knowing Yourself”
This session proposes an evolutionary update to the Threat-Led Penetration Test (TLPT) framework, the standard for cyberattack simulations in Japan's financial sector, to further enhance its practical effectiveness.
The current TLPT framework follows a linear path: “Threat Intelligence (TI) → Attack Scenario Creation → Cyberattack Exercise.” However, I believe that the rigid requirement to couple “detailed attack scenarios based on organization-specific TI” with the “execution of the exercise” unnecessarily restricts the flexibility and impact of these projects.
Fundamentally, Threat Intelligence and cyberattack exercises can be conducted independently. Forcing them together via mandatory detailed scenarios creates several unnatural constraints:
- Threat Intelligence becomes a “one-shot” effort specifically for the TLPT, rather than a continuous process.
- Detailed attack scenarios are not a prerequisite for conducting effective cyberattack exercises.
- Focusing primarily on scenario-based execution can undermine the core essence of a red team exercise: the discovery of previously unknown attack paths.
To address these issues while upholding the core philosophy of TLPT, I propose a redesign based on the following principles:
- Decouple Threat Intelligence from Attack Simulation.
- Treat Threat Intelligence as a continuous activity. Financial institutions should regularly develop attack scenarios based on this intelligence to verify the necessity of their own countermeasures.
- Simplify the requirements for starting an attack simulation. Only the definition of the “Start” (Attack Origin) and “Goal” (Target) should be mandatory, leaving detailed scenarios as an optional element.
Drawing on my experience leading Japan's first full-scale Red Team services since 2016 and conducting simulations for numerous global and domestic organizations, I will explain the background of this proposal, focusing on:
- Threat Intelligence as a means of “Knowing the Enemy.”
- Cyberattack Simulation as a means of “Knowing Yourself.”
- Observations on why these two are currently so tightly coupled in the existing TLPT framework.
Attendees will gain a clear understanding of the structural issues in the current TLPT and walk away with design guidelines for a new, improved framework. This session aims to spark constructive dialogue among Red Team and TI providers, regulators, CISOs, and security professionals involved in the TLPT ecosystem.



