Home SERVICES
All Services Web Application Security Network & Infrastructure Cloud Security Active Directory Attack Social Engineering Red Team Operations AI Red Teaming Compliance Assessments Financial Services Testing Custom Tailored Pentest
ABOUT US
About Us Certifications FAQ
Process Industries Blog Request a Quote CONTACT
Request a Quote Get Help Now Ask a Question
Services / Financial Services Penetration Testing
Financial Services
Penetration Testing

Sector-specific penetration testing for Canadian banks, credit unions, OSC-registered firms, CIRO/IIROC investment dealers, OSFI-supervised institutions, and fintechs — principal-led by a CREST-certified consultant, with reporting framed against the regulators your compliance team actually answers to.

Scope a Financial-Sector Assessment → Request a Quote
TL;DR — Financial Services Penetration Testing

Financial-sector penetration testing assesses banks, credit unions, OSC-registered firms, CIRO (formerly IIROC) dealers, OSFI-supervised federally regulated financial institutions, and fintechs against the attack paths that actually cause financial-sector breaches: identity and Active Directory compromise, payment and API abuse, segmentation failures around core banking, and third-party risk. It differs from a generic pentest in scope, objectives, and reporting, not in tradecraft. At CSPI, engagements are principal-led by Arturs Stay (CREST CRPT, OSCP, OSEP), data stays in Canada, and findings are framed against OSFI B-13, OSC, CIRO/IIROC, PCI DSS, SOC 2, and PIPEDA. We position our testing as aligned to and supporting these frameworks; the relevant regulator determines compliance.

Overview

Penetration Testing Built for Canadian Financial Institutions

Financial institutions are the most heavily targeted sector in Canada, and they carry a risk profile a generic penetration test does not address well. Regulatory scrutiny is constant. Identity infrastructure — Active Directory and the hybrid AD plus Entra ID layer — is the dominant route attackers take to payment systems, treasury, and customer data. Payment rails, core banking integrations, and an expanding surface of public and partner APIs multiply the attack surface. And third-party processors, custodians, and SaaS dependencies extend exposure well beyond the institution's own perimeter.

A financial-sector engagement is scoped to those realities. We treat identity attack paths as a first-class objective, validate segmentation around payment and core banking environments, measure detection and response capability, and frame reporting against the frameworks Canadian financial institutions answer to. Every engagement is principal-led by Arturs Stay (CREST CRPT, OSCP, OSEP), with 15 years of offensive security practice across financial services. The methodology is the same disciplined offensive tradecraft used in any CSPI engagement; the scope, objectives, and reporting are sector-specific.

An accuracy note we hold ourselves to: where this page references regulatory frameworks, we describe our testing as aligned to and supporting them. We do not claim that any single engagement makes an institution compliant; compliance is a determination the relevant regulator makes across the institution's full programme.

CREST Certified OSCP / OSEP OSFI B-13 Aligned OSC / CIRO Aware PCI DSS Canada-Resident Data Principal-Led
Why It Differs

Why Financial-Sector Testing Is Not a Standard Pentest

Four factors separate a financial institution's risk from a generic enterprise's, and each one changes how a competent engagement is scoped.

Heightened Regulatory Scrutiny

FRFIs answer to OSFI; provincially registered dealers to OSC and CIRO; everyone handling card data to PCI DSS, and service organisations to SOC 2. Boards and CCOs need findings framed in the control language they attest against. A report that ignores the regulatory context creates rework for the compliance team and weakens the evidence value of the test.

Identity Is the Primary Breach Path

The majority of serious financial-sector intrusions move through identity, not a single exploitable host. Active Directory and the hybrid identity layer are the bridge to payment, treasury, and customer systems. Engagements that under-test Kerberoasting, ADCS abuse, NTLM relay, and delegation paths are measuring the wrong risk.

Payment & API Attack Surface

Core banking, payment rails, broker-dealer platforms, and a growing surface of public, partner, and open-banking APIs create authorisation, business-logic, and data-exposure risks that scanners systematically miss. These require manual, logic-aware testing against the institution's actual transaction flows.

Third-Party & Supply-Chain Risk

Custodians, processors, fintech partners, and SaaS dependencies extend the real attack surface far beyond the institution's perimeter. Regulators increasingly expect this to be assessed. We test the integration points and trust relationships that turn a vendor compromise into the institution's incident.

Engagement Scope

What We Test

A financial-sector programme typically combines several testing disciplines. We scope to the institution's risk profile and technology footprint rather than a fixed template.

  • External and internet-facing testing of the perimeter, online and mobile banking front ends, and exposed APIs.
  • Internal network and assumed-breach testing — lateral movement, privilege escalation, and segmentation validation around payment and core banking zones.
  • Active Directory and hybrid identity testing — Kerberoasting, ADCS abuse paths, NTLM relay, delegation abuse, and AD plus Entra ID exposure.
  • Web and API application security testing of core banking, payments, broker-dealer, wealth, and customer platforms, including business-logic and authorisation testing.
  • PCI DSS segmentation validation for cardholder data environments, with evidence structured for the relevant PCI DSS testing requirement.
  • Threat-led adversary simulation for the most critical systems, measuring detection and response, not just vulnerability presence.
  • Third-party and integration testing of the trust relationships with processors, custodians, and fintech partners that are in authorised scope.
  • Reporting that maps each finding to the institution's applicable frameworks (OSFI B-13, OSC, CIRO/IIROC, PCI DSS, SOC 2, PIPEDA) and to MITRE ATT&CK and NIST SP 800-115.
How We Work

Our Methodology

Engagements follow a structured methodology aligned to the Penetration Testing Execution Standard (PTES) and NIST SP 800-115, adapted with real-world adversarial tradecraft. The objective is defensible, regulator-ready evidence — not a scanner dump.

Scoping & Regulatory Alignment

We identify which frameworks apply (OSFI B-13, OSC/CIRO, PCI DSS, SOC 2, PIPEDA), define rules of engagement, mark critical and regulated systems, and agree how findings will be mapped in reporting.

Reconnaissance & Threat Modelling

Where threat-led testing is in scope, we incorporate intelligence on the actors and techniques most relevant to Canadian financial institutions to drive realistic scenarios.

Vulnerability Discovery

Manual-first identification across network, identity, web, and API surfaces, prioritised by exploitability and business impact rather than raw scanner volume.

Exploitation & Chaining

Authorised, hands-on exploitation with documented proof, including multi-step chains that show how individual findings combine into payment-system or data-access compromise.

Detect & Respond Measurement

For threat-led work, we measure whether your security function detects and responds — the capability that matters most to financial-sector resilience.

Reporting & Re-Test

Dual-audience reporting with framework mapping, a prioritised remediation roadmap, a leadership debrief, and a free re-test of remediated critical findings.

Quick Reference

Who We Test and Which Frameworks Apply

A guide to the institution types we test and the Canadian regulatory frameworks our reports are typically framed against. Framework applicability depends on the specific institution and should be confirmed in scoping.

Institution typePrimary regulator / oversightFrameworks reports typically map to
Federally regulated banks & insurers (FRFIs)OSFIOSFI B-13, PCI DSS, SOC 2, PIPEDA
Credit unions & caisses populairesProvincial regulatorsProvincial frameworks, PCI DSS, SOC 2
Investment dealersCIRO (formed 2023 from IIROC + MFDA)CIRO requirements, OSC expectations
Portfolio managers, EMDs, fund managersOSC (and provincial securities commissions)OSC cyber resilience expectations, PIPEDA
Payment processors / merchantsCard schemes / acquirersPCI DSS, SOC 2
Fintechs & open-banking platformsVaries (may be OSFI, OSC, or provincial)SOC 2, PCI DSS, PIPEDA, framework by model
Common Questions

Financial Services Penetration Testing FAQ

How is penetration testing for financial services different from a standard pentest?

Financial institutions carry a combination of factors that a generic engagement does not address well: heightened regulatory scrutiny, identity and Active Directory as the primary breach path, complex payment and API surfaces, and significant third-party and supply-chain exposure. A financial-sector engagement is scoped to those realities. It treats identity attack paths as a first-class objective, validates segmentation around payment and core banking systems, tests the institution's detection and response capability, and frames reporting against the regulatory frameworks Canadian financial institutions answer to. The methodology is the same disciplined offensive security tradecraft; the scope, objectives, and reporting are sector-specific.

Which Canadian financial regulators and frameworks do your reports align to?

We frame findings against the frameworks our clients actually answer to. For federally regulated financial institutions (FRFIs), that is OSFI Guideline B-13 (Technology and Cyber Risk Management). For provincially registered investment firms, OSC cyber resilience expectations and CIRO requirements (CIRO is the self-regulatory organisation formed in 2023 from the amalgamation of IIROC and the MFDA). Across the sector we also map to PCI DSS for cardholder data environments, SOC 2 for service organisations, ISO 27001, and PIPEDA for federal private-sector privacy. We describe our testing as aligned to and supporting these frameworks; we do not claim a test makes an institution compliant, which remains the relevant regulator's determination.

Do you test credit unions and caisses populaires as well as banks?

Yes. Credit unions and caisses populaires are typically provincially regulated rather than supervised by OSFI, so their expectations come from provincial regulators and their own risk frameworks, with PCI DSS and SOC 2 commonly in play for payment and member-data systems. The technical attack surface — online and mobile banking, core banking integrations, identity infrastructure, and third-party processors — is comparable to a bank's, and we scope accordingly. Engagement size and cadence are matched to the institution's risk profile rather than a one-size template.

Can you test core banking, payment, and open-banking APIs without disrupting production?

Yes. Most techniques used against banking and payment APIs are non-disruptive. Disruptive techniques are excluded by default and run only with explicit authorisation and a coordinated testing window. For high-sensitivity production systems we frequently test against a representative staging or pre-production environment for the most aggressive paths, then validate a focused subset in production under change control. Operational impact is treated as a contract-level decision agreed in scoping, not left to tester discretion.

Why does identity and Active Directory testing matter so much for financial institutions?

The large majority of serious financial-sector intrusions move through identity rather than a single exploitable server. Once an attacker has a foothold, Active Directory and the hybrid identity layer (AD plus Entra ID) become the route to payment systems, treasury, and customer data. Techniques such as Kerberoasting, ADCS abuse, NTLM relay, and delegation abuse are routinely how domain compromise happens. Financial-sector engagements that skip deep identity testing measure the wrong risk. We treat the identity attack surface as a primary objective, not an add-on.

Does the engagement data stay in Canada?

Yes. Engagement data, evidence, scoping documents, and exploitation artefacts remain within Canadian jurisdiction under PIPEDA and applicable provincial privacy law, and are not routed through offshore delivery centres. For OSFI-supervised institutions and OSC/CIRO-registered firms with third-party risk and data residency expectations, a Canada-based principal-led provider removes a procurement and outsourcing-review step that offshore vendors typically trigger.

Explore further

Prefer email? Send a scoping request and we will respond with next steps.

Regulatory references on this page are provided for general information and do not constitute legal or compliance advice. Framework applicability and compliance are determined by the relevant regulator and the institution's own counsel. Verify current requirements with OSFI, OSC, CIRO, the PCI Security Standards Council, and the Office of the Privacy Commissioner of Canada as applicable.