Case Study: Comprehensive Security Assessment for a Large Financial Institution

Client:
A major financial institution serving over 500,000 clients
Industry:
Healthcare
Focus:
Protection of personal, financial, and corporate data across mobile applications, web portals, and internal infrastructure
Main challenge:
Assessing the resilience of digital services against attacks, safeguarding sensitive data, and ensuring compliance with international security standards
Market:
Georgia
Services provided:
Security Code Review, Penetration Testing (Black-box and Gray-box) of web portals, mobile applications, APIs, POS terminals, and parts of the internal network.
Key Takeaways
  • Pentest and Code Review were conducted for digital services
  • 106 vulnerabilities were identified, including a DoS attack threat targeting the call center.
  • Web portals, mobile applications, APIs, POS terminals, and the internal network were tested
  • A detailed report and practical recommendations were provided to enhance security and ensure compliance with PCI DSS and ISO/IEC 27001 standards.
  • 48 hours from detection to remediation
  • 7 critical vulnerabilities identified
  • 1 DoS attack anticipated and blocked
    How resilient are banking services to modern cyberattacks? To find out, a major financial institution turned to Datami for a comprehensive penetration test and code review. The result: 106 vulnerabilities identified and a potential DoS attack on the call

    A major financial institution in Georgia serves over 500,000 clients through mobile applications, web portals, and APIs. The company handles sensitive data and operates in a regulated industry governed by PCI DSS and ISO/IEC 27001 standards.

    Information security is critical to preventing data leaks, financial fraud, and unauthorized access, while regular security assessments help strengthen cyber resilience.


    Objectives and challenges
    The banking institution initiated a scheduled security assessment to evaluate the resilience of its digital services against attacks and ensure compliance with regulatory standards, particularly PCI DSS and ISO/IEC 27001.

    The project's goal was to identify vulnerabilities, assess cyber threat risks, and strengthen the protection of personal, financial, and corporate data.
    • Conducting black-box and gray-box penetration testing of client-facing web portals, mobile applications, APIs, a POS terminal, and part of the internal IT infrastructure.
    • Performing a code review of critical components to verify business logic, authentication mechanisms, and module interactions.
    • Assessing configurations, identifying vulnerabilities, determining risk levels, providing recommendations, and validating compliance with security standards.
    • Penetration Testing & Security Code Review: web portals, mobile applications, APIs, POS terminal, and internal network
    • Risk Analysis: risk assessment, logic flaws, and configuration weaknesses
    • Report & Recommendations: vulnerability descriptions, risk levels, and remediation steps
    Our approach

    Before testing, we analyzed the client’s technical documentation to accurately model potential threats.

    The team conducted black-box and gray-box penetration testing of the bank’s key digital services, along with Security Code Review of selected components. Datami tested web portals, mobile applications, APIs, internal infrastructure, and POS terminals.

    We combined automated scanners with manual testing, applying OWASP Top 10, MITM analysis, fuzzing, and custom scripts. We assessed configurations, authorization mechanisms, and component interactions with partial access to the client’s infrastructure, simulating the most likely attack vectors in a real-world environment.

    • Black-box: external testing without access to internal information — simulated attacks by third parties or hackers with no access rights.
    • Gray-box: partial access allowed us to examine internal system logic and identify vulnerabilities in APIs, mobile applications, and service configurations.
    Main project stages and solutions

    Throughout the process, Datami adapted the work plan to fit the specifics of the infrastructure, delays in access provisioning, and newly added testing targets that emerged after the project began.

    The team rotated IP addresses during scanning to avoid being blocked. Temporary privilege escalation was approved, and tunnels were created through restricted zones to reach isolated systems.

    • Preparation:
      Collection of technical information and documentation analysis, confirmation of testing targets, and development of a plan tailored to the specifics of a regulated industry.
    • Testing:
      Penetration Testing (black-box and gray-box) of digital services — including mobile applications, APIs, web portals, POS terminals, and parts of the internal network. Security Code Review focused on logic, authorization, and inter-module interactions.
    • Analysis & reporting:
      Risk assessment, issue prioritization, and creation of a detailed report with actionable recommendations for vulnerability remediation and security enhancement.
    Results and recommendations

    Before the project, the client had a fairly secure system, but testing revealed a number of critical and high-risk issues, including the absence of CAPTCHA and DoS protection, weak security event monitoring, and vulnerable access points via APIs.

    The Datami team identified 106 vulnerabilities: 7 critical, 15 high, 44 medium, 36 low, and 4 informational. Among them, a potential DoS attack on the call center — through mass creation of callback requests — was discovered and blocked.

    The client promptly implemented initial measures: some of the issues were resolved within 48 hours.

    Key recommendations:

    1. implement CAPTCHA and rate limiting on critical interface elements;
    2. improve logging and security monitoring;
    3. review access policies for APIs;
    4. regularly update the protection system in accordance with PCI DSS and ISO/IEC 27001.
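    Recommendations 1 and 2 in practice: a sliding-window rate limiter for the callback-request form, keyed on both the source IP and the requested phone number, that writes each rejection to a security log for the monitoring pipeline. This is an added example, not Datami's or the client's code; the thresholds, the 300-second window and the request tuples are assumptions made for the illustration.

```python
"""Rate limiting for a call-center callback form (added example, not Datami's code).

Assumptions: each request is a (timestamp, client_ip, phone) tuple; limits of
3 requests per phone number and 10 per source IP within 300 seconds are chosen
for the example only.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300
LIMITS = {"ip": 10, "phone": 3}      # max requests per key within the window


class CallbackRateLimiter:
    """Sliding-window limiter keyed on source IP and on requested phone number."""

    def __init__(self, window=WINDOW_SECONDS, limits=LIMITS):
        self.window = window
        self.limits = limits
        self.history = {dim: defaultdict(deque) for dim in limits}
        self.events = []                 # security log lines for monitoring

    def _prune(self, dq, now):
        # drop timestamps that have left the sliding window
        while dq and now - dq[0] >= self.window:
            dq.popleft()

    def allow(self, now, ip, phone):
        """Return True if the callback request may be queued, else log and reject."""
        keys = {"ip": ip, "phone": phone}
        for dim, key in keys.items():
            dq = self.history[dim][key]
            self._prune(dq, now)
            if len(dq) >= self.limits[dim]:
                self.events.append(f"t={now} REJECT {dim}={key} count={len(dq)}")
                return False
        for dim, key in keys.items():    # only count requests that were accepted
            self.history[dim][key].append(now)
        return True


def replay(requests, limiter=None):
    """Feed a batch of requests through the limiter; return (accepted, rejected, log)."""
    limiter = limiter or CallbackRateLimiter()
    accepted = rejected = 0
    for ts, ip, phone in requests:
        if limiter.allow(ts, ip, phone):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected, limiter.events


# Constructed sample: one legitimate user, then 40 submissions from one IP rotating
# phone numbers, then one phone number hammered from eight different IPs.
SAMPLE = ([(0, "203.0.113.7", "+995-555-000001")]
          + [(1 + i, "203.0.113.9", f"+995-555-1{i:05d}") for i in range(40)]
          + [(100 + i, f"198.51.100.{i}", "+995-555-000002") for i in range(8)])
```

Running `replay(SAMPLE)` accepts 14 requests and rejects 35; the per-IP limit stops the rotating-phone burst and the per-phone limit stops the distributed one.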

    Due to the scale and complexity of the infrastructure, the project lasted 5 months, including additional targets that appeared during the course of work.

    Key project outcomes

    The project helped the banking institution identify critical vulnerabilities in time, prevent a DoS attack on the call center, and strengthen the protection of client-facing services.

    The client received an in-depth security assessment and practical recommendations from Datami on how to eliminate vulnerabilities and enhance cybersecurity.

    This case study confirms: even well-protected financial companies require regular penetration testing and security code review to reduce risks and stay compliant.

    Direction | Before the project | After implementation
    Security posture | Partial security coverage, no in-depth analysis | 106 vulnerabilities identified, remediation plan created
    Critical vulnerabilities | Potential DoS, risks via API, and feedback form | 7 critical threats, some resolved within 48 hours
    Account compromise | Risk of call center disruption, data leakage due to weak traffic limits | Rate limiting implemented, monitoring and logging recommendations provided
    Security compliance | Partial compliance with PCI DSS and ISO/IEC 27001 standards | Technical report and action plan provided for full compliance
    Timeline | Planned: 5 months | Tasks completed on schedule despite increased project scope