Fintechs

Pentest for Fintechs

Cutting-edge offensive security for fintechs at scale — from PSPs to digital wallets, BaaS and PIX infrastructure.

90% manual · 10% automated
OSCP · CISSP · CRTO · GPEN
BR · PT · IT · ES · MA · US · AU
OWASP · MITRE · PTES · NIST

Why now

The real pain

Every fintech is a target. Fraud, ATO, money mules, scraping, cashback abuse, balance scraping — attackers are already running playbooks against you. The difference is finding the vector before they do.

Applicable regulation

BACEN Resolução 4.658
Circular 3.978 (PIX)
LGPD
PCI-DSS
OpenFinance/OpenBanking

/attack-surface

Vectors we test in fintechs

Every engagement is designed for your environment. The points below are part of our standard playbook for this sector — final scope is adapted to your stack and contract.

01

PIX and DICT API

Audit of PIX charge, refund, MED flows and key/QR Code abuse.

02

Onboarding and KYC

Liveness bypass, deepfake, document OCR and PFA fraud.

03

Digital wallet

Race conditions in withdrawal, induced overdraft, negative transfers.
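The withdrawal race named above, shown from the defender's side. This is an added, constructed example and not code from intrus.io or any client: a wallet that checks the balance and debits it later (the time-of-check/time-of-use gap a concurrent burst of withdrawals exploits) next to a hardened handler that validates the amount, serialises check-and-debit, and rejects replayed request ids. The `gap` hook, the ledger layout and the `req-N` idempotency keys are assumptions made for the demo.

```python
"""Constructed demo: check-then-act race in a wallet withdrawal, and a hardened handler."""
import threading
from decimal import Decimal


class NaiveWallet:
    """Reads the balance, then debits later: the classic check-then-act gap.

    `gap` stands in for whatever separates the read from the write in a real
    service (a database round-trip, a call to a ledger). Kept deliberately
    unsafe so the race is visible; the ledger itself is append-only so the
    only defect here is the stale check."""

    def __init__(self, balance, gap=lambda: None):
        self._ledger = [Decimal(balance)]   # signed entries; balance = their sum
        self._gap = gap

    @property
    def balance(self):
        return sum(self._ledger)

    def withdraw(self, amount):
        amount = Decimal(amount)
        if self.balance >= amount:          # check against a snapshot...
            self._gap()                     # ...other requests run here...
            self._ledger.append(-amount)    # ...then act on the stale snapshot
            return True
        return False


class HardenedWallet:
    """Validates the amount, holds a lock across check-and-debit, and
    applies each request id at most once (idempotency key)."""

    def __init__(self, balance):
        self._ledger = [Decimal(balance)]
        self._lock = threading.Lock()
        self._processed = set()             # request ids already applied

    @property
    def balance(self):
        return sum(self._ledger)

    def withdraw(self, amount, request_id):
        amount = Decimal(amount)
        if amount <= 0:                     # negative/zero amounts never reach the ledger
            raise ValueError("withdrawal amount must be positive")
        with self._lock:                    # check and debit are one critical section
            if request_id in self._processed:
                return False                # replayed request: already settled
            if self.balance < amount:
                return False                # insufficient funds
            self._ledger.append(-amount)
            self._processed.add(request_id)
            return True


def run_concurrent(fn, workers):
    """Run fn(i) on `workers` threads and return the results in index order."""
    results = [None] * workers

    def worker(i):
        results[i] = fn(i)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_naive(workers=5):
    """Five concurrent withdrawals of 100.00 against a 100.00 balance.

    The barrier makes every thread pass the balance check before any debit
    lands, so all five are approved and the wallet ends at -400.00."""
    barrier = threading.Barrier(workers, timeout=5)
    wallet = NaiveWallet("100.00", gap=barrier.wait)
    results = run_concurrent(lambda i: wallet.withdraw("100.00"), workers)
    return sum(results), wallet.balance     # -> (5, Decimal('-400.00'))


def demo_hardened(workers=5):
    """Same burst against the hardened wallet: exactly one withdrawal is
    approved and the balance stops at 0.00."""
    wallet = HardenedWallet("100.00")
    results = run_concurrent(lambda i: wallet.withdraw("100.00", f"req-{i}"), workers)
    return sum(results), wallet.balance     # -> (1, Decimal('0.00'))


if __name__ == "__main__":
    print("naive   :", demo_naive())
    print("hardened:", demo_hardened())
```

In a real service the in-process lock is replaced by the database's own serialisation (a row lock on the account, or a single conditional `UPDATE ... WHERE balance >= amount` whose affected-row count decides the outcome), and the idempotency key is supplied by the client and persisted with the transaction so a retried or replayed request settles once.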

04

Open Finance

Consent validation, mTLS, FAPI 1.0 Advanced, ITP/AISP.

05

Mobile app

Reverse engineering, root/jailbreak detection, certificate pinning, secrets in release.

06

Backoffice and BPO

Unauthorized operator access, internal abuse, employee fraud.

/methodology

Genuinely manual pentest

Automated scanners find what's documented. Real attackers find what isn't. 90% of the work is manual — performed by specialists holding OSCP, CISSP, CRTO and GPEN.

01 · Reconnaissance

Target mapping, OSINT, footprint, sector-specific threat modeling.

02 · Discovery

Deep enumeration, complementary scanning, manual exposure identification.

03 · Exploitation

Manual validation with controlled PoC, finding chaining, escalation.

04 · Report

Executive + technical, step-by-step replication, mapped to applicable regulation.

/why-trust

Who has trusted our work

OpenFinance/OpenBanking client; experience in BACEN-regulated environments.

Caixa Econômica Federal
Banco BMG
iFood
ArcelorMittal
Multibanco
Polícia Federal
Fórmula 1
OpenFinance

Technical assessment recognized in highly regulated, mission-critical environments — the pentest that finds what nobody had found before.

Douglas Lopes

Founder · CEO · intrus.io

/faq

FAQ — Fintechs

Do you do FAPI pentest?

Yes. We cover FAPI 1.0 Advanced (Brazil), mTLS validation, JARM, PAR and consent validation by scope.

How long does a fintech pentest take?

Between 2 and 6 weeks depending on scope. Wallet + API + mobile usually takes 4 weeks with 2 pentesters.

/contact

Ready for a serious pentest in fintechs?

Schedule a confidential meeting. Within 48h we'll send a proposal with scope, timeline and pricing.