Credit Unions

Pentest for Credit Unions

Security for cooperative internet banking, member apps, central platform integration and PIX.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Sicoob, Sicredi, Unicred and singular credit unions operate under BACEN and are measured by the same yardstick as banks, but with IT split between singular and central, shared vendors and lean teams. A single finding in one singular contaminates the entire network. In 2024-25, credit unions became a prime ransomware target in Brazil.

Applicable regulation

BACEN Resolução 4.893 · Resolução CMN 4.658 · Lei Complementar 130/2009 · LGPD · PCI-DSS

/attack-surface

Vectors we test in credit unions

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01 · Internet banking and member app

Transfers, OTP, PIX, digital signature fraud and MFA bypass.

02 · Singular ↔ central integration

Communication, segregation, lateral propagation between nodes and shared vendors.

03 · Cooperative cards and acquiring

Tokenization, EMV, authorization, reversal and pinpad security.

04 · PIX and DICT

Keys, MED, refunds, QR Code abuse and social engineering fraud.

05 · Rural/agri credit branch

Rural notes, collateral, CCB and CPR-F registration.

06 · Back office and operators

Internal access, branch segregation, employee and BPO fraud.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

BACEN-regulated sector with increased demand after 2024-25 incidents.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/crivo · integrity program

87% of pentester candidates fail our Crivo screening

Do you know who's getting access to your environment?

NDAs work in court. They don't work day-to-day. Before first access, every pentester on our team passes background, psychometric profile and integrity testing.

  • In-depth criminal, fiscal and professional verification
  • Psychometric assessment and risk profile
  • Practical integrity testing with controlled scenarios
  • Fixed team — non-rotating, no 'stranger every engagement'

/faq

FAQ: Credit Unions

Do you audit singular-central communication?

Yes. That's the most critical and most frequently underestimated point. We audit the channel, authentication and tenancy segregation.

Do you serve small rural credit unions?

Yes. We have lean scopes for small singular cooperatives that need to meet BACEN requirements without a bank's budget.

/contact

Ready for a serious pentest in credit unions?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.