Skip to main content
NCASolutions

Banking & Finance

Hardening a Tier-1 bank's core perimeter

87%

reduction in critical vulnerabilities in 90 days

Tier-1 commercial bank, East Africa

Challenge

A Tier-1 commercial bank preparing for a central bank supervisory review needed an honest picture of its exposure. Its last external assessment was a checkbox exercise: a scanner report with no exploitation, no business context, and no prioritization the board could act on.

Approach

We ran a full-scope engagement in three passes. First, external and internal penetration testing across the internet perimeter, staff network, and the interfaces surrounding the core banking system, with manual exploitation to confirm what was actually reachable. Second, a joint remediation sprint with the bank's infrastructure team, sequenced by exploitability and business impact rather than raw CVSS score. Third, retesting of every critical and high finding, with evidence packaged in the language the regulator expects.

Result

Critical vulnerabilities across the core banking perimeter fell by 87 percent within 90 days of the first report, and every remaining finding carried an accepted, documented risk owner. The supervisory review closed with no security-related directives.

The engagement was scoped, executed, and documented under NDA. The client's identity is withheld by agreement; the outcome figures are as reported to the client's board.

All case studies

A version of this, for your institution.

Same methodology, scoped to your systems and your regulator.

Book a Consultation