
Penetration Testing & Compliance for an Austrian FinTech Platform
Challenge
A Vienna-based FinTech company providing digital payment solutions needed to strengthen its security posture while preparing for GDPR and PSD2 compliance audits. Handling tens of thousands of customer accounts, the client faced risks such as insecure APIs, data leakage, and potential financial fraud. Their internal IT team had already performed basic vulnerability scans but lacked expertise in manual penetration testing and business logic flaw identification. The main challenge was conducting a comprehensive penetration test and ensuring compliance within a tight 90-day regulatory deadline—without disrupting active customer transactions.
Solution
defencerabbit.com deployed its penetration testing team and followed OWASP, NIST SP 800-115, and ENISA guidelines to address the client’s needs. The engagement included:
Web & Mobile Application Testing – targeting OWASP Top 10 vulnerabilities, encryption weaknesses, and session handling flaws.
API Security Review – identifying broken authentication, authorization bypass, and insecure endpoints.
Cloud Security Assessment – AWS misconfigurations, IAM role management, and data exposure checks.
Business Logic Exploitation – uncovering payment workflow abuses not detected by scanners.
Compliance Mapping – aligning each finding with the security requirements of GDPR and PSD2 so the client could present evidence to auditors.
Developer Enablement – remediation workshops and secure coding training.
DefenderRabbit delivered a detailed risk report with severity scoring and remediation steps, followed by verification re-testing before the client’s official audit.
Results
Detected 39 vulnerabilities, including 8 critical flaws in authentication and API workflows.
Prevented a potential data breach impacting 60,000 Austrian customers.
Enabled successful GDPR & PSD2 audit clearance within 90 days.
Reduced vulnerability remediation time by 40% thanks to structured guidance.
Strengthened platform trust, allowing the client to expand across Austria, Germany, and Switzerland.