This sector deep-dive is currently available in Portuguese only. Full English translation is in progress.

/servicos · Pentest ATM

Pentest ATM: Jackpotting, Black Box, Ataque Lógico

Pentest de caixa eletrônico: jackpotting, black box, ataque físico ao Windows do ATM, comunicação com banco, hardening de hardware.

Conversar confidencialmente See vectors

90% manual · 10% automated

OSCP · CISSP · CRTO · GPEN

BR · PT · IT · ES · MA · US · AU

OWASP · MITRE · PTES · NIST

Why now

The real pain

ATM no Brasil ainda roda Windows XP/7 embarcado, com USB exposto atrás do dispenser. Jackpotting (extração via black box) é técnica documentada e barata. Banco que não testa ATM perde milhões em ataque coordenado.

Applicable frameworks

PCI-PTS POIATM Industry Association (ATMIA)BACEN Res. 4.658Visa/Mastercard ATM security

/attack-surface

Pentest ATM

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

Ataque físico ao Windows do ATM

USB drop atrás do dispenser, boot via USB/CD, escalada local, manipulação de XFS.

Jackpotting / black box

Conexão direta ao dispenser via USB/cabo, comando de saída de cédulas.

Comunicação com banco central

Auditoria de canal (VPN/leased line), criptografia da mensagem ISO 8583, integridade.

Hardening físico

Lockbox, anti-skimming, anti-tampering, gravação CCTV, alarme.

Recarga e manutenção

Procedimento de recarga, dupla custódia, acesso de prestador, log fiscal.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Engajamentos confidenciais em instituições financeiras com rede própria de ATM.

Caixa Econômica Federal

Banco BMG

iFood

ArcelorMittal

Multibanco

Polícia Federal

Fórmula 1

OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87%

of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

In-depth criminal, fiscal and professional verification
Psychometric assessment and risk profile
Practical integrity testing with controlled scenarios
Fixed team — non-rotating, no 'stranger every engagement'

Learn about the Crivo programcrivo.intrus.io

/faq

FAQ — Pentest ATM

Vocês quebram ATM em campo?

Apenas com autorização do banco + ATM dedicado a teste (não em produção). Trabalhamos em laboratório do cliente ou ATM isolado.

Faixa de preço?

Pentest amostral em 5-10 ATMs: R$ 40-90k. Rede de ATM com 100+ unidades: R$ 100-280k amostral com plano.

/contact

Conversar confidencialmente

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.

Talk to us See other sectors

Other sectors we cover

/pentest-mobile

Pentest Mobile

/pentest-api

Pentest de API

/red-team

Red Team

/pentest-cloud-aws

Pentest AWS

/pentest-cloud-gcp

Pentest Google Cloud

/pentest-cloud-azure