(929) 590-5818 [email protected]
en
en

Security Audit of Banking Web, Mobile & API Systems

Client:
A consulting company providing full-cycle services for bringing pharmaceutical and medical products to the Eurasian markets
Industry:
Healthcare
Focus:
Protection of confidential data and compliance with regulatory and partner security requirements
Main challenge:
Ensuring compliance with the information security standards of a potential business partner
Market:
Eurasian countries
Services provided:
Black-box pentest of web resources and infrastructure
Key Takeaways
  • Ensured PCI DSS and ISO 27001 readiness with full-scope testing
  • Prevented DoS attack and mitigated critical vulnerabilities
  • Conducted black-box pentest of two web resources and infrastructure components
    • 2
    weeks to complete the testing
    19
    vulnerabilities identified
    100%
    of project goals achieved
    Security Audit of Banking Web, Mobile & API Systems
    Jun 6, 2025
    14 min
    Is it possible to prepare a global company’s digital assets to meet partnership security requirements in just two weeks? Yes, it is! A consulting company hired Datami to perform a black-box pentest of its web resources and infrastructure. Our team identified 19 vulnerabilities and delivered effective recommendations to enhance cybersecurity.

    The client is an international company that provides consulting services in the pharmaceutical and medical device sectors. It supports brands at every stage of entering the Eurasian markets — from regulatory strategy to certification, marketing, and localization.

    As the company operates in a regulated industry and is partially involved with medical data, information security and compliance with partner requirements and international standards are top priorities.

    Objectives and challenges
    The company approached Datami for a security testing as part of its preparation for a strategic partnership. The potential partner had specific information security requirements — meeting them was a key condition for collaboration.

    The goal of the project was to evaluate the security posture of public-facing digital assets: web resources with UK and UA domains and related infrastructure components.
    • Conduct black-box penetration testing without access to source code or internal systems
    • Identify vulnerabilities, assess their severity, and map out possible attack vectors
    • Deliver a structured report with findings and recommendations to improve security posture
    icon
    Penetration testing
    External black-box testing of web resources and infrastructure
    icon
    Threat identification
    Risk analysis of public domains and digital services
    icon
    Report and recommendations
    Summary of findings and actionable steps to meet partner security requirements
    Datami Methodology: Security Testing of Digital Infrastructure
    Our approach

    We applied a black-box pentest — the team had no prior access to source code or internal systems, which allowed us to simulate the actions of a real attacker.

    The assessment covered two web resources with Ukrainian and British domains, along with associated infrastructure components.

    We combined manual and automated techniques, using modern scanners and attack simulation methods.

    Despite limited visibility, the testing successfully identified vulnerabilities of varying severity — from configuration issues to technical flaws.

    Black-box
    Black-box
    The testing was performed without access to internal information — only from the perspective of an external user, closely simulating real-world cyber threats.
    Key project stages and solutions

    During the testing, the Datami team followed a structured approach focused on external testing without access to internal information.

    This ensured maximum realism and allowed us to evaluate the system’s resilience to attacks while meeting the partner’s security requirements.

    • Preparation
      Analysis of public resources, clarification of the scope, and identification of testing priorities.
    • Pentest Execution
      External black-box testing of two web resources and related infrastructure components. A combination of automated scanners and manual verification was used.
    • Analysis and Reporting
      Preparation of a report detailing the discovered vulnerabilities (1 High, 8 Medium, 7 Low, 3 Informational) along with recommendations for remediation and improved protection.
    Cybersecurity starts with action
    How we can help you?

    Every cybersecurity case study we solve involves deep analysis, tailored solutions, and measurable results.
    Datami has already helped over 600 companies strengthen their digital defenses — and we can do the same for your business.
    Ready to take action?

    Let’s start with a free consultation!
    Results and recommendations
    Fewer critical risks — more confidence
    Results and recommendations

    At the start of the project, the client’s digital assets faced elevated risks: outdated CMS components were discovered, potentially exposing the systems to attack vectors. The public-facing infrastructure lacked adequate protection and access controls.

    During the black-box pentest, the Datami team identified 19 vulnerabilities: 1 high-risk (unauthorized access to the admin panel), 8 medium, 7 low, and 3 informational.

    The client received clear recommendations to improve security, including:

    1. updating all CMS components to the latest versions;
    2. implementing additional access controls for critical areas;
    3. monitoring and configuring event logging;
    4. fixing vulnerabilities in plugins and infrastructure configurations.

    After implementing these recommendations, the risk of cyberattacks was significantly reduced. The company avoided potential reputational and financial losses associated with the leakage of sensitive data.

    The project was completed within two weeks. All critical vulnerabilities were promptly addressed by the client upon receiving the technical report.

    Our certificates
    Key project takeaways

    This case study demonstrated how the project provided the company with a clear understanding of the cybersecurity status of its digital assets, along with concrete steps to eliminate vulnerabilities and improve compliance with information security standards.

    Penetration testing enabled the client to prepare for partner compliance requirements without risking sensitive data exposure. All project goals were achieved within the planned timeframe.

    Aspect
    Before the project
    After implementation
    Security posture
    High risk due to outdated CMS components and lack of protection
    19 vulnerabilities identified; remediation steps provided
    Critical vulnerabilities
    Risk of unauthorized access to protected areas of web resources
    1 critical issue discovered and promptly resolved by the client
    Account compromise
    Risk of unauthorized access to protected areas of web resources
    1 critical issue discovered and promptly resolved by the client
    Account compromise
    Potential due to exposed interfaces and weak configurations
    Risk reduced after restricting access and updating systems
    Security compliance
    Partial compliance with partner requirements
    Access control strengthened; implementation of recommendations initiated
    More success stories with Datami
    Browse other project case studies
    Preparing a smart contract for release on Web3

    Preparing a smart contract for release on Web3

    • The code was prepared for certification.
    • The project was secured against 99% of known threats.
    Services:
    Smart contract audit (White-box source code review)
    Sep 16, 2025
    Web3 Project Random Walk: Smart Contract Audit

    Web3 Project Random Walk: Smart Contract Audit

    • Secure launch on Polygon mainnet ensured within 5 days
    • Risk level reduced from medium to minimal
    Services:
    Smart contract audit (White-Box source code analysis)
    Sep 2, 2025
    Smart Contract Audit of a Web3 Company

    Smart Contract Audit of a Web3 Company

    • The product was prepared for a secure market launch.
    • The risk was reduced from high to minimal.
    Services:
    Smart contract audit (White-box source code analysis)
    Aug 20, 2025
    Back to all cases
    Security image
    Ready to assess your project's security?
    Contact Datami — we’ll help you identify risks, strengthen your cybersecurity, and confidently pass certification.
    Datami articles
    Web Applications Penetration Testing: A Pentest Guide Oleksandr Filipov: Security engineer at Datami, author of articles
    Oleksandr Filipov: Security engineer at Datami, author of articles

    Web Applications Penetration Testing: A Pentest Guide

    Web applications are targeted by attacks every day - from simple scanners to deliberate breaches. To understand how vulnerable a web application is and how to protect it from hackers’ actions, a special assessment is conducted - penetration testing (pente

    Oct 1, 2025
    Microsoft enables email bombing protection Datami Newsroom
    Datami Newsroom

    Microsoft enables email bombing protection

    Microsoft announced a new update to Defender for Office 365 that automatically detects and blocks email bombing attacks. The rollout started in June, and most users will receive the feature by mid-July 2025.

    Sep 12, 2025 3 min
    Cloudflare Repelled a Record DDoS Attack of 11.5 Tbit/s Datami Newsroom
    Datami Newsroom

    Cloudflare Repelled a Record DDoS Attack of 11.5 Tbit/s

    Cloudflare reported that it stopped the most powerful UDP flood DDoS attack aimed at exhausting system resources. In 35 seconds, the attackers flooded the company with traffic at 11.5 Tbit/s.

    Sep 5, 2025 2 min
    Show all articles
    Order a free consultation
    By submitting this form, I confirm that I have read and agree to the Privacy policy
    We value your privacy
    We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies. Cookie policy