SECTOR — FINTECH & FCA-REGULATED
CREST-certified penetration testing for UK fintech, payments, and FCA-regulated firms. SYSC-aligned methodology, payment APIs, mobile banking, PSD2 SCA scrutiny. Live findings, free retests, 24-hour startup.
CREST: Approved Provider
IASME: Cyber Essentials Body
ISO 27001: BSI-Audited
24h: Scope to Active Test
REGULATORY CONTEXT
What FCA Expects from Penetration Testing
SYSC Controls
FCA Handbook (SYSC 4.1.1R, 6.1.1R, 13) requires effective systems and controls, operational risk management, and customer data protection.
Annual Cadence
Pen testing is the primary mechanism for ongoing technical assurance to supervisors. Most regulated firms commission annually plus after major changes.
Audit Evidence
Reports must be acceptable as supervisor-return evidence. EJN reports map findings directly to SYSC control references your team can submit without translation.
SCOPE
What We Test for Fintech
CUSTOMER-FACING
Web Applications
Onboarding, KYC, AML, account management. OWASP Top 10, IDOR, broken authorisation, SSRF, business-logic flaws.
MOBILE
iOS & Android Apps
OWASP Mobile Top 10. Certificate pinning bypass, insecure local storage, biometrics, runtime tampering, jailbreak/root detection.
APIs
REST, GraphQL, SOAP
OWASP API Top 10. PSD2 Strong Customer Authentication flows, broken object-level auth, mass assignment, rate-limit bypass.
INFRASTRUCTURE
Network & Active Directory
External attack surface, internal segregation, AD attacks (Kerberoasting, ACL abuse), lateral movement, Domain Admin escalation.
ADVANCED
Red Team Engagements
Multi-week assume-breach engagements modelled on real adversaries. Spear phishing, persistent C2, full kill-chain demonstration.
SOCIAL
Phishing Assessments
Targeted campaigns against treasury, ops, finance, executive users. Credential harvesting, MFA bypass, susceptibility analysis.
OUR PROCESS
From Scope to Attestation in 4-6 Weeks
Scoping Call
30-minute technical scoping call. Define attack surface, methodology, rules of engagement, and timeline. Fixed-price quote within 24 hours.
Active Testing
3-15 days of hands-on testing by CREST-certified pen testers. Daily status updates and live findings delivered to your client portal.
Reporting
Executive summary plus full technical report with CVSS scores, reproduction steps, screenshots, and specific remediation. 60-minute walkthrough call.
Free Retest
After remediation, we retest at no extra charge. Letter of attestation provided for FCA submission, audit, or insurance underwriting.
COMPLIANCE READY
Reports Aligned to Every Framework
Findings map to specific control references in each framework, so your audit team submits the report directly without translation work.
FCA SYSC
SYSC 4.1.1R, 6.1.1R, 13 controls mapped to each finding.
ISO 27001
Annex A.12.6.1 technical vulnerability management.
SOC 2
CC4.1 monitoring and CC7.1 system operations.
PCI DSS
Requirement 11 across cardholder data environments.
PSD2 / Open Banking
FAPI 1.0 Advanced security profile, SCA flow scrutiny.
UK GDPR
Article 32 effectiveness testing, customer data protection.
PRICING
Indicative Fintech Engagement Pricing
Fixed-price quotes confirmed during scoping. Free retest, executive summary, walkthrough call, and letter of attestation included.
Single web application
£6,000 – £18,000 depending on scope, authentication tiers, and business-logic complexity.
Mobile + API combined
£10,000 – £30,000 covering iOS, Android, and the supporting REST/GraphQL backend.
Internal network + AD
£12,000 – £40,000 across DMZ, AD forest, segregation, and privileged access scenarios.
FAQ
Frequently Asked
How does EJN handle FCA notification during testing?
For non-disruptive penetration testing, FCA notification is not typically required, but the firm’s own incident-response runbook may require pre-test notification to Compliance and the Board. EJN provides a standard notification template covering scope, timing, kill-chain, and rules of engagement.
Will you test in production?
For most fintechs we test in a production-equivalent environment (UAT or staging that mirrors production with masked PII). Production testing is supported with explicit firm-side approval, restricted scope, real-time SOC coordination, and an incident-response liaison.
How does the report support our FCA SYSC evidence pack?
The technical report explicitly maps each finding to the relevant SYSC control reference plus ISO 27001 Annex A controls, PCI DSS requirements (where in scope), and Open Banking security profile clauses (where applicable). Your compliance team should be able to drop it into the next supervisor return without translation.
Can you test our Open Banking integration?
Yes. EJN tests Open Banking PISP/AISP integrations under the FAPI 1.0 Advanced security profile. Common findings include incomplete consent flow validation, missing client authentication, and weak JWS/JWE handling.
Multiple jurisdictions (UK + EU + US)?
Reports support concurrent UK FCA, EU EBA RTS, and US SOC 2 mappings. For PCI DSS scope spanning multiple cardholder data environments, segmentation testing is included. We do not deliver directly against US-only frameworks (FedRAMP, FFIEC); partner referrals are available.
Do you provide attestation letters for cyber insurance underwriting?
Yes. After remediation and free retest, EJN provides a letter of attestation suitable for cyber insurance broker submissions, FCA evidence packs, ISO 27001 Stage 2 audits, and SOC 2 Type II controls.
What sectors of fintech do you serve?
Payments, retail banking, wealth management, neobanks, crypto-asset firms (where FCA-registered), insurtech, lending platforms, accountancy SaaS, and Open Banking TPPs. Crypto-asset engagements include smart contract audit; ask about our blockchain audit service.
Book a Fintech Scoping Call
30 minutes with a CREST-certified pen tester who has actually delivered FCA-regulated engagements. Fixed-price quote within 24 hours.