Industries · Financial services → Banking

Testing that goes past the exam to the threats a bank actually faces.

Examiners check that controls exist. We check whether they’d actually stop someone: core banking, the channels your customers touch, and the privileged access an insider could abuse.

The problem

What banking is up against.

01

Channel & payment fraud

Online and mobile banking, the APIs behind them, and the payment rails an attacker moves money through.

The problem

Channel & payment fraud

Nobody’s cracking your encryption. They don’t need to. Fraud lives in the boring places: a transfer flow that trusts the wrong field, a step-up prompt that can be skipped, a reconciliation job that won’t notice until month-end. We follow the money the way a fraudster does, through the seams, rather than working control-by-control down a checklist.

  • Business-logic flaws in payment and transfer flows
  • Weak step-up and transaction authentication
  • Reconciliation and limit gaps fraud hides in
Application & API security →
02

Privileged & insider access

The standing access to ledgers and customer data that a compromised account inherits.

The problem

Privileged & insider access

A bank runs on standing access to ledgers, core, and customer data, most of it never scoped down, revoked, or watched. One phished employee or one over-permissioned service account inherits the lot. The question was never whether that access exists; it’s how far it travels once someone holds it. We find out before they do.

  • Over-scoped admin and service accounts
  • Reused credentials and weak separation of duties
  • Standing access a single phish inherits
Red team engagements →
03

Core & third-party exposure

Core platforms and the fintech and processor integrations that extend your perimeter.

The problem

Core & third-party exposure

Your perimeter quietly moved into other people’s data centres, and most firms “assure” it with a questionnaire. Here’s the open secret: the evidence behind those tidy answers is often pulled together the day before it’s due. A returned spreadsheet and a SOC 2 badge aren’t the same as someone actually trying to break in. We map the real connections and the blast radius if a provider is breached.

  • Questionnaire “evidence” often assembled the day before
  • A SOC 2 badge isn’t a test of their security
  • Blast radius when a provider is breached
Third-party risk →
04

Stretched budgets

Security spend rarely keeps pace with the threat, so every dollar has to map to real risk reduced.

The problem

Stretched budgets

Threats compound, regulations multiply, and the budget gets a polite single-digit bump. “Spend more” isn’t a strategy. The work is tying every dollar to risk actually reduced, retiring what’s just coasting, and walking into the board meeting able to show the difference rather than a bigger invoice.

  • Threats and rules rise every year
  • Spend and headcount rarely keep pace
  • Every dollar tied to risk reduced
Improving ROI →
05

Tool sprawl

Too many tools from too many vendors, each delivering unevenly, so spend keeps climbing without the protection following.

The problem

Tool sprawl

Wander any security show floor: booths the size of apartment buildings, new analyst reports every quarter, and another three-letter acronym you supposedly can’t survive without. Most banks bought plenty of it, half-deployed, overlapping, and nobody quite sure what stops what. The “new” capability you’re about to buy is often a switched-off tab in something you already own. We start by testing what you’ve already paid for.

  • Too many tools, too many vendors
  • Delivery and outcomes vary widely
  • Capability you already own, switched off
Spend nothing →
06

One size doesn’t fit all

Off-the-shelf, checklist testing misses how your specific stack and controls actually fail.

The problem

One size doesn’t fit all

Checklist testing assumes every bank breaks the same way, in the same order, off the same template. Yours doesn’t. A scanner run and a generic report will tick the box and sail straight past the few things in your stack a real attacker would reach for first. We scope to your environment, your controls, your threat model, and leave the template at the door.

  • Checklist tests assume everyone fails alike
  • Your stack and controls are specific
  • Scoped to your real threat model
How we test →
How an attacker gets in

How an attacker gets in

There’s never just one way in. A real engagement maps many entry points and the paths they open. When one route stalls, an attacker loops back, escalates, and tries another. Most paths still converge on the same objectives.

EntryFootholdPivotEscalateObjectivePhishingstaff inboxRemote accessVPN · CitrixPayment processorvendor accessStolen credscredential dumpOnline bankingpublic-facingBranch networklobby WiFiTeller endpointbranch hostCorporate networkflat · trustedE-banking DMZperimeter hostLateral movementhost to hostCloud / M365tokens · OAuthDomain adminActive DirectoryService accountspayment · SWIFTSWIFT / wiresmove moneyCore bankingledgers · PIIthe route taken this runother possible routesloop back to go again

What you get: a ranked shortlist of the fixes that close the most routes to your assets first, so remediation spend buys real risk reduction and the next attacker hits a dead end.

Read the bank engagement →
Regulation by regulation

The rules you answer to, and how we test for each.

Examiners and DORA expect tested resilience. We run engagements built for these regimes, and Incenter keeps coverage current between exams.

StandardWhat it expectsHow we test it
FFIEC
Independent testing of controls, including penetration testing, proportional to risk (IT Examination Handbook).
External and internal pen testing across core, channels, and segmentation.
PCI-DSS
Internal and external penetration testing at least annually and after significant change, plus segmentation testing (Req 11).
Scoped testing of the cardholder data environment, with proof the segmentation holds.
GLBA
Regular testing or monitoring of the effectiveness of safeguards (Safeguards Rule).
Testing that shows the safeguards actually work, not just that they exist.
DORA
Regular resilience testing, and threat-led penetration testing for significant entities (Art 24–27).
Intelligence-led red teaming modelled on TLPT / TIBER.
SOC 2
Vulnerabilities detected and remediated; auditors expect real testing (CC7.1).
Penetration testing that satisfies the SOC 2 auditor and finds what matters.
Compliance & risk alignment →
Book a 30-min call