Banks & Credit Unions

Pentest for Banks and Credit Unions

Red Team and high-complexity pentest for financial institutions — internet banking, ATM, core banking and SWIFT.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Banks don't tolerate 'a problem'. A single finding in production can become news, open BACEN proceedings and freeze product launches. A superficial pentest has no place here; what the institution needs is realistic adversary simulation.

Applicable regulation

BACEN Resolução 4.893 · Resolução CMN 4.658 · LGPD · PCI DSS · SOX (listed bank)

/attack-surface

Vectors we test in banks & credit unions

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

Retail/corporate internet banking

Transfer manipulation, digital signature fraud, OTP bypass.

02

Core banking

Audit of mainframe integrations, segregation by branch and role.

03

SWIFT and correspondents

SWIFT network hardening, operator segregation and alignment with the SWIFT Customer Security Programme (CSP) controls.

04

ATM

Jackpotting, black-box attacks on the dispenser, and physical and logical attacks on the ATM Windows host.

05

Cards and acquiring

Tokenization, EMV, PIN-block handling, authorization and reversal flows.
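As an added illustration of what "PIN block" means in this item (example code written for this page, not intrus.io's tooling): the ISO 9564-1 Format 0 block is the cleartext PIN field XORed with a field derived from the PAN, so a block is only meaningful together with the right PAN. The function names and the sample PAN/PIN are this example's own choices; the PAN is a constructed test number, not a real card. The padding check in the parser is the kind of sanity check a tester uses when a block does not decode as expected under the PAN it was supposedly built for.

```python
"""ISO 9564-1 Format 0 PIN block: build, parse and validate.

Added example for this page; not code from intrus.io. The layout is the
standard's, but helper names and the sample PAN/PIN are assumptions.
"""


def _pan_field(pan: str) -> bytes:
    """0000 followed by the 12 rightmost PAN digits, excluding the check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return bytes.fromhex("0000" + digits[:-1][-12:])


def pin_block_format0(pin: str, pan: str) -> bytes:
    """Return the 8-byte cleartext Format 0 block (PIN field XOR PAN field)."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    # control nibble 0, PIN length nibble, PIN digits, then F padding to 16 nibbles
    pin_field = bytes.fromhex(f"0{len(pin):x}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def parse_format0(block: bytes, pan: str) -> str:
    """Recover the PIN; raise ValueError if the block is not well formed for this PAN."""
    if len(block) != 8:
        raise ValueError("PIN block must be 8 bytes")
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError(f"not Format 0 (control nibble {pin_field[0]})")
    length = int(pin_field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError(f"invalid PIN length {length}")
    pin, pad = pin_field[2:2 + length], pin_field[2 + length:]
    # A wrong PAN or a corrupted block shows up here as non-digit PIN or non-F padding.
    if not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("bad PIN digits or padding: wrong PAN or corrupted block")
    return pin


def is_valid_format0(block: bytes, pan: str) -> bool:
    """True if the block parses as a Format 0 block under this PAN."""
    try:
        parse_format0(block, pan)
        return True
    except ValueError:
        return False


SAMPLE_PAN = "4111111111111111"  # constructed test PAN, not a real card
SAMPLE_PIN = "1234"              # constructed sample PIN

if __name__ == "__main__":
    blk = pin_block_format0(SAMPLE_PIN, SAMPLE_PAN)
    print(blk.hex().upper())                       # 041225EEEEEEEEEE
    print(parse_format0(blk, SAMPLE_PAN))          # 1234
    print(is_valid_format0(blk, "5555555555554444"))  # False: wrong PAN
```

In production the cleartext block never leaves the secure boundary: it is encrypted under a PIN encryption key inside the PIN pad or HSM, and a cleartext Format 0 block appearing in an application log or API payload is itself a finding.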

06

Full Red Team

Adversarial simulation with defined objectives: 'transfer BRL X from one account to another undetected'.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

Caixa Econômica Federal, where our work was recognized as the best technical pentest in a competitive evaluation. Banco BMG.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Banks & Credit Unions

Do you actually do Red Team?

Yes. We operate with our own C2 infrastructure (Cobalt Strike, Mythic, Sliver), custom payloads, proper OPSEC and a TTP chain mapped to MITRE ATT&CK.

How do you handle confidentiality?

Mandatory NDA, encrypted communication channels (Signal/Element), delivery via dedicated portal, zero data retention after engagement closure.

/contact

Ready for a serious pentest in banks & credit unions?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.