Pentest That Found What Three Vendors Missed.
Comprehensive black-box pentest on a treasury-management platform: web app, network, and phishing simulation. Findings turned into a costed, prioritized remediation roadmap.
The Situation
What They Were Up Against.
A mid-market financial services platform serving treasury and cash-management customers had been through three penetration tests over two years. Each report came back with a similar handful of low-severity findings and the same recommendation: '… continue monitoring.' Leadership wasn't comfortable. They suspected the test scopes had been narrowed to deliver clean reports for SOC 2 auditors rather than to actually find weaknesses.
Why They Called Us
The Fit.
They needed a vendor with no remediation incentive to inflate or downplay findings. Tech Critic's structural separation between testing and remediation (we won't sell you the fix for what we found) was the differentiator. We also have hands-on background running incident response, which means our pentest scopes are written from an attacker's mindset rather than a checkbox auditor's.
What We Did
The Work.
- Black-box external pentest of all internet-facing assets, including third-party API integrations and OAuth flows
- Web application testing against OWASP Top 10 plus business-logic abuse cases specific to financial workflows
- Authenticated grey-box test against the customer-facing portal as a privileged user, then escalation attempts
- Internal network test via authorized VPN access including AD enumeration, lateral movement, and Kerberoasting attempts
- Phishing campaign across three pretexts targeting 220 employees, with click-rate and credential-submission tracking by department
- Executive-grade final report with severity scoring, business-impact framing, and a prioritized remediation roadmap costed to in-house effort
The Outcome
Real Numbers.
findings identified across app and network
high-severity findings the prior tests had missed
cleared on the post-remediation re-test
- Two findings were exploitable chains the prior tests had missed (low + low chaining to critical via privilege escalation)
- Phishing click-rate landed at 14%, with 6% credential submission; both are above the industry average for an organization of this size, which justified the awareness program
- Remediation roadmap accepted by the board with a 90-day closure timeline reported monthly to the audit committee
- Customer engaged a separate vendor for remediation under our conflict-of-interest policy; relationship continued with no friction
Tech Stack
What We Used.
We'd been told for two years our security was 'fine.' Tech Critic showed us, with evidence, that it wasn't. And gave us the roadmap to fix it. They never tried to sell us the fix, which is exactly why we trusted them.
Financial Services · Anonymized Client
Got Something That Looks Like This?
Tap a senior consultant. 30-minute call, no deck, no pitch. We'll tell you whether we're the right fit.