What 345 Days of Unaudited Bank Exposure Looks Like

In April, a single VPN vulnerability led to a data breach at more than seventy financial institutions using Marquis Software’s infrastructure, according to an American Banker report on the incident. The episode is instructive. The affected institutions may well have had recent penetration tests on file. None of that stopped the exposure from compounding across the portfolio.

The math is straightforward. A typical annual external penetration test involves two to three weeks of hands-on testing. That leaves roughly 345 days of unverified exposure.
Mandiant’s M-Trends 2026 report puts the median dwell time for 2025 at fourteen days, reversing a multi-year decline, with espionage actors averaging 122 days.
CrowdStrike’s 2026 Global Threat Report ranks financial services fourth among sectors targeted by interactive intrusions. Adversaries do not wait for the annual test window. The model assumes they will.
Compliance Controls Set a Floor Written for a Slower Threat Model
PCI DSS, FFIEC, and NYDFS all reference penetration testing in their requirements and guidance. None of them describes the annual cadence as sufficient.
PCI DSS 4.0 Requirement 11.3.1 mandates external penetration testing after any significant infrastructure or system upgrade or modification. The FFIEC IT Examination Handbook describes penetration testing as part of ongoing risk management, not a standalone annual event. NYDFS Section 500.05 mandates annual penetration testing alongside continuous monitoring, obligations reinforced in the 2023 amendments to 23 NYCRR 500.
Each of these regimes already assumes that testing happens because of change. The control floor was written for environments where significant change arrived in quarterly release cycles.
That cadence bears no resemblance to modern banking infrastructure. Digital banking rollouts, cloud migrations, fintech API integrations, third-party portal launches, and M&A consolidation work all produce attack surface that goes unexamined between annual audits.
The compliance question is no longer whether the institution tested last year. It is whether the institution tested the things that actually changed.
Financial institutions are absorbing change from cloud migration, fintech consolidation, and M&A. Your attack surface does not wait for the next engagement.
See how continuous testing closes the gap that your existing controls already expect you to close.
Build a Business Case
What the Gap Produces, Written Down
In a recent engagement at a regional bank, Sprocket testers identified findings on a mortgage origination portal serving the bank’s customers. The portal is operated by a third-party platform vendor but presented to applicants under the bank’s branding and hostname. The host was in scope for the external assessment.
The platform exposed an API endpoint that returned organization records when given a tenant ID. The endpoint required no authentication and no session of any kind. The platform’s cross-origin policy allowed any third-party site to make the same request from a visitor’s browser without user interaction.
The tenant ID itself was visible in the public-facing portal files, so an unauthorized caller did not have to guess it. Incrementing the tenant ID returned the next institution’s records in the shared environment. Iterating through the range produced records for every financial institution on the platform, as well as the vendor’s own internal tenant.
The records were not trivial. Each contained named employees with business email addresses, direct phone numbers, job titles, and an internal platform code used to attribute borrower referrals to specific employees.
That code mattered on its own: any caller holding a valid code could submit a prospective borrower’s application on behalf of a named officer at that officer’s institution, and the platform would treat the submission as a legitimate intake into the loan origination pipeline.
The bank did not introduce this exposure. The platform vendor did. The bank’s previous annual external test may have had the hostname in scope at the time, but no automated scanner surfaces this finding.
Finding it required walking successive tenant IDs against an undocumented endpoint, confirming that records came back from other institutions, and following the result through to its production impact.
The downstream risk is what makes the exposure a regulatory matter, not just a technical one. Data from every other institution in the shared environment was retrievable under the bank’s hostname.
Any fraud, phishing, or compliance incident arising from that disclosure will be traced back to the entity named in the URL, regardless of which tenant’s data the attacker used.
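The three defects described above (no authentication, a wildcard cross-origin policy, and no binding between the caller and the tenant whose records are returned) can be shown side by side in a small, framework-free handler. This is an added illustration written for this article, not Sprocket’s code or the vendor platform’s; the tenant IDs, session tokens, origins and record contents are constructed for the example.

```python
# Added example: a tenant-record endpoint in the exposed form the article
# describes, beside a hardened form. All data below is constructed.

# Constructed tenant directory: tenant_id -> institution record.
TENANTS = {
    1001: {"institution": "Example Bank A", "employees": [
        {"name": "J. Doe", "email": "jdoe@example-a.invalid", "referral_code": "RC-A-1"}]},
    1002: {"institution": "Example Bank B", "employees": [
        {"name": "R. Roe", "email": "rroe@example-b.invalid", "referral_code": "RC-B-1"}]},
}

# Sessions the platform has issued: session token -> the caller's own tenant.
SESSIONS = {"sess-bank-a": 1001}

# Browser origins allowed to call the API (the per-tenant portal hostnames).
ALLOWED_ORIGINS = {"https://mortgage.example-a.invalid"}


def exposed_handler(tenant_id, headers):
    """Behaviour as described: no session check, any origin, any tenant ID."""
    record = TENANTS.get(tenant_id)
    cors = {"Access-Control-Allow-Origin": "*"}   # wildcard CORS
    return (200, cors, record) if record else (404, cors, None)


def hardened_handler(tenant_id, headers):
    """Require a session, bind the caller to its own tenant, allowlist CORS,
    and strip the referral code so it is never returned to a browser."""
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, {}, None                     # unknown cross-origin caller
    cors = {"Access-Control-Allow-Origin": origin} if origin else {}
    caller_tenant = SESSIONS.get(headers.get("Authorization"))
    if caller_tenant is None:
        return 401, cors, None                   # no valid session
    if caller_tenant != tenant_id:
        return 404, cors, None                   # do not confirm other tenants exist
    record = TENANTS[tenant_id]
    employees = [{k: v for k, v in e.items() if k != "referral_code"}
                 for e in record["employees"]]
    return 200, cors, {"institution": record["institution"], "employees": employees}
```

The hardened handler answers 404 rather than 403 for a foreign tenant ID so that a caller cannot use the status code to map which IDs are populated.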
Continuous Testing Is a Direct Response to the Engagement Model
The finding above is exactly what the annual model tends to miss. Three reasons, each tied directly to the engagement model.
The asset entered the bank’s external footprint when the vendor onboarded the bank to the platform, not when the bank’s penetration test was scoped. If the engagement scope had been set against an infrastructure inventory from six months earlier, the hostname might not have been listed. Attack surface management closes this gap by treating new hosts and newly exposed services as test triggers, rather than waiting for the next annual scoping discussion.
The asset is also the kind of item institutions tend to exclude from the annual scope. Portals operated by third-party vendors under the institution’s own domain occupy a gray area in scoping discussions.
They are not bank applications: the bank does not own the source code, the bank does not control the release, and the vendor maintains its own security program.
Institutions reasonably conclude that the platform vendor is responsible for testing its code and leave the hostname out of the engagement. Continuous external assessment does not respect that boundary.
If the hostname is reachable on the open internet under a domain the bank owns, it is part of the bank’s external attack surface, and an attacker enumerating the bank’s footprint will encounter it regardless of what the bank’s most recent scope document lists.
The finding also required active human testing, not scanner output. A vulnerability scanner sweeping the hostname would report that the endpoint responds and that the CORS policy is permissive, perhaps flag the missing authentication header, and stop there.
It would not iterate tenant IDs, confirm that other institutions’ employee data comes back, or connect the employee referral codes to the fraud scenario. Those are judgment calls. Testers work out what is actually exploitable, and what the consequence is if it is.
Sprocket Security uses a continuous model for this reason. The resulting evidence reflects what was tested against the infrastructure in place at the time of the test, not a snapshot from up to twelve months earlier.
A Structural Gap, Not a Cadence Problem
The 345-day gap is not a marketing number. It is a structural feature of the annual assessment model. Regulators write testing requirements assuming that institutions will test the things that change, when they change.
Most institutions test what was present at the time of the engagement, in the environment the engagement was scoped for, and treat the resulting evidence as a description of current exposure. That description becomes less accurate every day after the test ends.
The institutions that close the gap are not the ones that test most often. They are the ones whose testing program responds to what their infrastructure is actually doing.
See how to build your case for continuous testing in financial services today.
Sponsored and written by Sprocket Security.