Banking Sector (MENA) — VAPT (1000+ servers, 100+ apps)
Sector: Banking (regulated) · Region: MENA · Engagement: Comprehensive VAPT
Engagement context
A regulated banking institution in the MENA region commissioned a comprehensive VAPT covering its retail, corporate, and treasury business lines. The estate spanned 1000+ servers and 100+ applications, including online banking portals, mobile banking apps, internal core-banking interfaces, treasury workstations, partner APIs for payment switches, and a sizeable Active Directory forest.
The engagement was scoped against the regional cyber-resilience guidance for financial institutions, the regulatory baseline that mandates periodic third-party VAPT, with reporting structured for board and regulator consumption.
Methodology
- Pre-engagement compliance mapping. Test plan aligned to regional banking cyber-resilience requirements; rules of engagement signed by both legal and the institution's CISO office.
- Internet-exposed surface. Online banking, mobile banking endpoints, partner integration APIs — full unauthenticated and authenticated testing.
- Internal infrastructure. Active Directory attack-path enumeration, segmentation validation between treasury and retail networks, and core-banking interface review.
- Mobile banking apps (iOS / Android). Static + dynamic analysis aligned to OWASP MASVS — Frida, Objection, MobSF — covering authentication, certificate pinning, local storage, and IPC surface.
- Reporting. Two report tracks — a technical pack with reproducible PoCs for engineering, and a regulator-ready executive summary mapped to the regional cyber-resilience clauses.
- Remediation tracking. Joint working sessions with the bank's engineering and SOC teams; targeted retest cycle on Critical / High findings.
Tooling
Burp Suite Professional, Nuclei, Nmap, Nessus, BloodHound, CrackMapExec, Impacket, MobSF, Frida, Objection, Postman, custom Python tooling for the payment-switch API integration tests. Configuration audits referenced CIS Benchmarks for OS / database hardening; reporting structure aligned to regional banking cyber-resilience guidance plus PCI DSS where card-data flows were in scope.
Representative findings
- Online banking authentication flow did not rotate the session identifier before the MFA challenge, leaving the login open to session fixation.
- Mobile banking app: a debug build with certificate pinning not enforced had reached production roll-out for a small user cohort.
- Partner payment API: predictable request IDs combined with lax input validation enabled enumeration of historical transaction status.
- Active Directory: Kerberoasting and AS-REP roasting paths; unconstrained-delegation hosts reachable from the user tier; segmentation gap between retail and treasury subnets.
- Treasury workstation hardening gaps against CIS Level-2 baseline; remediated as part of the engagement's configuration-review track.
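The session-fixation finding is the one most often misread as "just rotate after the password". The Python sketch below is an added illustration, not code from the bank or from the engagement: it models a password + MFA login on a constructed in-memory session store, with a vulnerable variant that hands the caller's pre-authentication session ID back unchanged through both steps, and a hardened variant that rotates the ID at each privilege transition. The USERS and OTPS tables and all function names are assumptions made for the example.

```python
"""Session fixation across a password + MFA flow (illustrative, constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed credential and OTP tables standing in for the real identity backend.
USERS = {"victim": "correct-horse-battery-staple"}
OTPS = {"victim": "123456"}


@dataclass
class Session:
    user: Optional[str] = None   # set after the password step
    mfa_passed: bool = False     # set after the OTP step


class SessionStore:
    """Server-side session table keyed by the cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def rotate(self, sid: str) -> str:
        """Move the session state to a fresh ID and retire the old one."""
        sess = self._sessions.pop(sid)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid


# --- Vulnerable flow: the pre-authentication ID survives both steps ----------
def login_fixable(store: SessionStore, sid: str, user: str, password: str) -> Optional[str]:
    sess = store.get(sid)
    if sess is None or USERS.get(user) != password:
        return None
    sess.user = user
    return sid                      # same cookie value before and after login


def mfa_fixable(store: SessionStore, sid: str, otp: str) -> Optional[str]:
    sess = store.get(sid)
    if sess is None or sess.user is None or OTPS.get(sess.user) != otp:
        return None
    sess.mfa_passed = True
    return sid                      # still the value the attacker planted


# --- Hardened flow: rotate at every privilege transition ---------------------
def login_hardened(store: SessionStore, sid: str, user: str, password: str) -> Optional[str]:
    sess = store.get(sid)
    if sess is None or USERS.get(user) != password:
        return None
    sess.user = user
    return store.rotate(sid)        # planted ID no longer resolves


def mfa_hardened(store: SessionStore, sid: str, otp: str) -> Optional[str]:
    sess = store.get(sid)
    if sess is None or sess.user is None or OTPS.get(sess.user) != otp:
        return None
    sess.mfa_passed = True
    return store.rotate(sid)        # rotate again: the post-password ID is retired too


def fixation_succeeds(login: Callable, mfa: Callable) -> bool:
    """Simulate the attack: the attacker obtains an unauthenticated session ID,
    gets the victim's browser to use it, the victim completes password + OTP,
    then the attacker replays the planted ID. True if that ID is now fully authenticated."""
    store = SessionStore()
    planted = store.new()
    sid = login(store, planted, "victim", USERS["victim"])
    sid = mfa(store, sid, OTPS["victim"]) if sid else None
    assert sid is not None          # the victim's own login succeeds in both variants
    replayed = store.get(planted)
    return replayed is not None and replayed.mfa_passed


if __name__ == "__main__":
    print("vulnerable flow hijacked:", fixation_succeeds(login_fixable, mfa_fixable))
    print("hardened flow hijacked:  ", fixation_succeeds(login_hardened, mfa_hardened))
```

The retest check for this class of finding is exactly what `fixation_succeeds` does: capture the cookie value before authentication, complete the full login, and confirm the captured value no longer resolves to an authenticated session. Rotating only after the password step is not enough; a session that is past the password but before the OTP already carries a user binding, so the hardened variant rotates on both transitions.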
Outcomes
- All Critical and High findings closed and re-validated within the retest window.
- Active-Directory hardening backlog produced, with named remediation owners and acceptance criteria.
- Mobile banking pipeline gained a hardened release-gate checklist informed by the MASVS findings.
- Regulator-ready report pack accepted in the institution's next regulatory cyber-resilience submission cycle.
Why it worked
Two-track reporting from day one — engineering pack with reproducible PoCs, regulator pack mapped to the cyber-resilience clauses — meant nobody had to translate the same findings twice. Joint remediation sessions with the bank's SOC kept closure measured rather than nominal.
BFSI engagement coming up?
VAPT structured for board and regulator consumption — RBI Cyber Framework, SEBI CSCRF, regional MENA guidance, PCI DSS where applicable.
Scope a BFSI Engagement →