TestOracle

DORA Art. 24-27 resilience testing management for AI agents. From annual test programme to AmpelOracle sync in one call.

16 MCP Tools · 12 DORA Scenarios · 10 Obligations · 4 DORA Articles
DORA Art. 24-27 · RTS 2025/1190 · TIBER-EU · AmpelOracle Sync · All Tools Free
MCP Endpoint: https://tooloracle.io/test/mcp
Health: https://tooloracle.io/test/health
Transport: StreamableHTTP + SSE
Pricing: All 16 tools free (discovery tier)

Tools (16)

create_test_programme
Annual testing programme (Art. 24(1)). Auto-generates 12 scheduled tests for all DORA-mandated scenarios.
Art. 24(1) · DORA-TST-01
register_test
Register any test: pentest, DR, vuln scan, TLPT, source code review, performance, e2e. Maps to obligation ID.
Art. 25 · DORA-TST-05
test_status
Dashboard: all tests with counts by status, type, findings. Total findings and critical count.
Overview
test_findings
Findings from tests with severity, status, owner, remediation. Filter by status.
Finding management
close_finding
Close or remediate a test finding. Actions: close, remediate, accept_risk.
Finding lifecycle
schedule_test
Schedule a future test with a deadline. Auto-assigns obligation ID and calculates days until the deadline.
Planning
overdue_tests
Find all tests past their scheduled date. Critical for DORA compliance audits.
Compliance risk
scenario_library
12 DORA-mandated test scenarios from Art. 25(1) + RTS 2025/1190 with frequency and method.
Art. 25(1) · Reference
tlpt_status
TLPT compliance: last test, 3-year window, cross-jurisdiction equivalents (CBEST, FFIEC CAT).
Art. 26 · DORA-TST-06
tester_qualification
Verify tester meets Art. 27: certification (CREST/OSCP/GPEN), experience, independence, NCA approval.
Art. 27 · DORA-TST-09
test_coverage
Which DORA Art. 25 scenarios were tested this year? Coverage %, missing tests, Ampel impact (RED/YELLOW/GREEN).
Art. 24(4) · Coverage
sync_to_ampel
Push test results to AmpelOracle. Updates Art. 24+26 checks, creates evidence + chain-linked audit trail.
DORA OS Bridge
evidence_pack
Export test evidence for auditor/NCA: programme, tests, findings, obligations, SHA-256 hash.
NCA reporting
obligation_map
All Art. 24-27 obligations with stable IDs (DORA-TST-01 to TST-10) + cross-jurisdiction equivalents.
Obligation mapping
health_check
Server status with DB stats: tests, findings, programmes count.
System
ping
Connectivity test. Returns product name, version, timestamp.
System

12 DORA test scenarios

| ID | Scenario | Article | Frequency | Method |
|---|---|---|---|---|
| SCN-01 | Vulnerability assessment | Art. 25(1)(a) | Quarterly | Automated scanning + manual validation |
| SCN-02 | Network security assessment | Art. 25(1)(b) | Yearly | Configuration review + traffic analysis |
| SCN-03 | Gap analysis | Art. 25(1)(c) | Yearly | Document review + interviews |
| SCN-04 | Physical security review | Art. 25(1)(d) | Yearly | Site inspection + access log review |
| SCN-05 | Source code review | Art. 25(1)(e) | Per release | SAST + manual code review |
| SCN-06 | Scenario-based testing | Art. 25(1)(f) | Yearly | Tabletop + simulation exercises |
| SCN-07 | Compatibility testing | Art. 25(1)(g) | Per change | Integration + regression testing |
| SCN-08 | Performance testing | Art. 25(1)(h) | Yearly | Load + stress testing |
| SCN-09 | End-to-end testing | Art. 25(1)(i) | Yearly | Full chain validation |
| SCN-10 | Penetration testing | Art. 25(1)(j) | Yearly | Black + grey + white box |
| SCN-11 | TLPT / Red team | Art. 26(1) | 3 years | TIBER-EU framework, external testers |
| SCN-12 | DR/BCM switchover | Art. 11(6) | Yearly | Live failover + recovery validation |

Obligation mapping (10)

DORA-TST-01
Art. 24(1)
Establish and maintain digital operational resilience testing programme
DORA-TST-02
Art. 24(2)
Include variety of tools and actions from Art. 25
DORA-TST-03
Art. 24(4)
Test all critical ICT systems at least yearly
DORA-TST-04
Art. 24(6)
Testing by independent parties (internal or external)
DORA-TST-05
Art. 25(1)
Perform 10 categories of security assessments
DORA-TST-06
Art. 26(1)
TLPT at least every 3 years for significant entities
DORA-TST-07
Art. 26(2)
TLPT on live production systems, critical functions
DORA-TST-08
Art. 26(8)
Submit TLPT findings and remediation to NCA
DORA-TST-09
Art. 27(1)
TLPT testers: suitable, reputable, certified
DORA-TST-10
Art. 27(2)
Internal testers require NCA approval, no conflicts

Cross-jurisdiction equivalents

UK — CBEST
Bank of England Threat-Led Penetration Testing framework. Analogous to DORA Art. 26 TLPT.
Analogous · Significant firms
UK — PRA SS1/21
Operational resilience including scenario testing and impact tolerances.
Analogous · All PRA-regulated
US — FFIEC CAT
Cybersecurity Assessment Tool for US financial institutions.
Related · US banks
DE — BaFin MaRisk AT 7.2
German banking supervisory requirements for IT testing.
Analogous · German banks

DORA OS integration

Bidirectional bridge with AmpelOracle:

TestOracle → AmpelOracle (sync_to_ampel):
  Test coverage → Art. 24 check status (GREEN/YELLOW/RED)
  TLPT compliance → Art. 26 check status
  Creates evidence + chain-linked audit trail

AmpelOracle → TestOracle (obligation_id):
  Art. 24 checks reference DORA-TST-01
  Art. 26 checks reference DORA-TST-02

Impact: Readiness score reflects actual test execution, not manual assessments.