Pentest Open Finance FAPI 1.0 Advanced (Brasil)
Pentest mapeado para FAPI 1.0 Advanced (Brasil) — mTLS, JARM, PAR, consent validation. Para Transmissor, Receptor, ITP e AISP.
Why now
The real pain
Open Finance é a regulação cibernética mais complexa do BR. FAPI 1.0 Advanced, mTLS, JARM, PAR, certificado ICP-Brasil + Diretório de Participantes. Erro em consent validation expõe dado de milhares de clientes. Multa BACEN + ANPD + ação coletiva.
Standard and reference
/attack-surface
Open Finance / FAPI
Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.
mTLS e certificado
Validação de cliente, SAN, EKU, revogação CRL/OCSP, integração com Diretório.
Consent Authorization Flow
PAR (Pushed Authorization Request), redirect_uri allowlist, state, nonce.
JARM (JWT Authorization Response)
Validação de assinatura, audience, expiração.
Consent management
Escopo por endpoint, revogação, expiração, refresh, audit log.
Endpoints regulados
/accounts, /payments, /credit-cards, /loans — validação de autorização por escopo.
ITP (Iniciação de Pagamento)
QR Code, link de pagamento, validação de payer e payee.
/methodology
Genuinely manual pentest
Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.
01 · Reconnaissance
Target mapping, OSINT, footprint, sector-specific threat modeling.
02 · Discovery
Deep enumeration, complementary scanning, manual exposure identification.
03 · Exploitation
Manual validation with controlled PoC, finding chaining, escalation.
04 · Report
Executive + technical, step-by-step replication, mapped to applicable regulation.
/why-trust
Who has trusted our work
Pentest em Transmissor S1/S2/S3, Receptor, ITP e plataforma de Open Finance.
Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.
Douglas Lopes
Founder · CEO · intrus.io
/crivo · integrity program
of pentester candidates fail our Crivo screening
Do you know who's getting access to your environment?
NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.
- In-depth criminal, fiscal and professional verification
- Psychometric assessment and risk profile
- Practical integrity testing with controlled scenarios
- Fixed team — non-rotating, no 'stranger every engagement'
/faq
FAQ — Open Finance / FAPI
Vocês fazem FAPI 1.0 Adv completo?
Sim. Cobrimos mTLS, JARM, PAR, consent validation por escopo, certificado ICP-Brasil e integração Diretório.
Faixa de preço?
ITP/AISP único: R$ 40-100k. Transmissor S3 com todas as APIs: R$ 60-180k. Plataforma multi-instituição: R$ 100-300k.
/contact
Cotar pentest Open Finance
Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.