
Annual Pentests Leave Banks Exposed for 345 Days: Real World Gap Revealed

A critical API flaw on a bank's third-party mortgage portal exposed data for all institutions on the platform, revealing why annual penetration tests fail to keep up with modern infrastructure changes.

CSBadmin

The 345 Day Gap in Security Testing

In April, a single VPN vulnerability led to data breaches at over 70 financial institutions running Marquis Software’s infrastructure. The patch existed, and the affected institutions likely had recent penetration tests on file. Yet the exposure compounded across the entire portfolio. The math is straightforward: a standard annual external penetration test covers two to three weeks of active testing. That leaves roughly 345 days of operational reality unvalidated.

Mandiant’s M-Trends 2026 report shows the 2025 median dwell time at 14 days, reversing a multi-year decline, with espionage actors averaging 122 days. CrowdStrike’s 2026 Global Threat Report ranks financial services fourth in interactive intrusion targeting. Adversaries do not wait between annual assessments, but the traditional model assumes they will.

Regulatory Frameworks Already Point Beyond Annual Testing

PCI DSS, FFIEC, and NYDFS all reference penetration testing in their requirements, but none describe an annual cadence as sufficient. PCI DSS 4.0 Requirement 11.3.1 mandates external testing after any significant infrastructure or application upgrade. The FFIEC IT Examination Handbook describes testing as part of ongoing vulnerability management, not a discrete annual event. NYDFS Section 500.05 requires annual testing alongside continuous monitoring obligations, strengthened in the 2023 amendments.

These frameworks were written assuming significant changes happened on quarterly release cycles. That cadence does not match modern banking infrastructure. Digital banking releases, cloud workload migrations, fintech API integrations, third-party portal launches, and merger integration work all generate untested attack surface between annual tests. The compliance question is no longer whether the institution tested last year. It is whether the institution tested the things that actually changed.

Real World Finding Shows the Cost of the Gap

In a recent engagement at a regional bank, testers identified a critical finding on a customer-facing mortgage origination portal. The bank fronts the portal at a subdomain it owns, but the portal is operated by a third-party platform vendor. The asset was in scope for external testing. The platform exposed an API endpoint that returned organization records when given a tenant ID, with no authentication required. The platform’s cross-origin policy allowed any third-party site to invoke the same request from a visitor’s browser without user interaction. The tenant ID itself was visible in the portal’s own public-facing files.

Incrementing the tenant ID by one returned records for the next institution on the shared platform. Iterating through the range surfaced records for every financial institution running on the platform, plus the vendor’s own internal tenant. Each record contained named staff with business email addresses, direct dial phone numbers, job titles, and an internal code used to attribute borrower submissions. Possession of a valid code could allow submission of a prospective borrower application in a named officer’s name, and the platform would treat the submission as legitimate intake into the loan origination pipeline.
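The three controls the endpoint lacked (authentication, object-level authorization scoped to the caller's own tenant, and a cross-origin allow-list) are easiest to see side by side. The following is an added example written for this article, not the vendor's or the bank's code: a minimal request handler in the vulnerable shape described above, beside a hardened form that also replaces the guessable sequential IDs with opaque tokens and keeps internal officer codes out of browser-facing responses. All tenant IDs, names, addresses and origins are constructed.

```python
"""Constructed example (not the vendor's code): a tenant-record lookup in
the vulnerable shape the article describes, beside a hardened form.
All tenant IDs, names, e-mail addresses and origins are made up."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: sequential tenant IDs on a shared platform,
# including the vendor's own internal tenant.
TENANTS = {
    101: {"name": "Example Bank A",
          "staff": [{"email": "loan.officer@bank-a.example", "title": "Loan Officer",
                     "officer_code": "A-1001"}]},
    102: {"name": "Example Bank B",
          "staff": [{"email": "mortgages@bank-b.example", "title": "Branch Manager",
                     "officer_code": "B-2001"}]},
    103: {"name": "Platform Vendor (internal)",
          "staff": [{"email": "ops@vendor.example", "title": "Support",
                     "officer_code": "V-0001"}]},
}

# Hypothetical opaque identifiers the hardened API accepts instead of the
# sequential integers (the sequence is what made walking the range trivial).
OPAQUE_TO_TENANT = {
    "t_5f1c9d2e8b3a4c7d": 101,
    "t_0a9b8c7d6e5f4a3b": 102,
    "t_3c2b1a0f9e8d7c6b": 103,
}

# Hypothetical allow-list of first-party portal origins.
ALLOWED_ORIGINS = {"https://mortgage.bank-a.example", "https://mortgage.bank-b.example"}


@dataclass
class Request:
    params: dict
    headers: dict = field(default_factory=dict)
    session: Optional[dict] = None  # None models an unauthenticated caller


def vulnerable_lookup(req: Request):
    """The failure mode on the page: no authentication, any tenant ID is
    honoured, and a wildcard CORS header lets any site's script read the body."""
    record = TENANTS.get(int(req.params.get("tenant_id", -1)))
    headers = {"Access-Control-Allow-Origin": "*"}
    if record is None:
        return 404, headers, {}
    return 200, headers, record


def _strip_internal(record: dict) -> dict:
    """Internal attribution codes never leave the server in a browser-facing response."""
    return {"name": record["name"],
            "staff": [{k: v for k, v in s.items() if k != "officer_code"}
                      for s in record["staff"]]}


def hardened_lookup(req: Request):
    """Same lookup with the missing controls: an origin allow-list, an
    authenticated session, and object-level authorization that only ever
    serves the tenant bound to that session."""
    origin = req.headers.get("Origin")
    # Echo only an allow-listed origin, never "*"; unknown origins get no
    # Access-Control-Allow-Origin header at all, so the browser withholds the body.
    cors = ({"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
            if origin in ALLOWED_ORIGINS else {})
    if req.session is None:
        return 401, cors, {"error": "authentication required"}
    requested = req.params.get("tenant_id")
    # Deny by default. A mismatch returns 404 rather than 403 so the response
    # does not confirm that other tenants exist on the platform.
    if requested != req.session.get("tenant_id") or requested not in OPAQUE_TO_TENANT:
        return 404, cors, {}
    return 200, cors, _strip_internal(TENANTS[OPAQUE_TO_TENANT[requested]])
```

The session's tenant binding, not the request parameter, decides which record is served; the parameter is only accepted when it agrees with that binding. That is the check whose absence let one institution's hostname return every other institution's records.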

The bank did not introduce this exposure; the platform vendor did. But catching it required walking sequential tenant IDs against an undocumented endpoint and validating that records belonged to other institutions. It had to run against the production deployment. No automated scanner would surface this finding. Data from every other institution on the platform was extractable through the bank’s hostname. Any fraud or compliance incident would route to the institution named in the URL, regardless of which tenant’s data the attacker used.
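Even where the vendor owns the fix, the institution named in the URL can watch for the pattern at its edge. The following is an added example, not code from the article or from any vendor: a small detector that parses combined-format access log lines for a hypothetical `/api/org?tenant_id=` endpoint and alerts when one client reads several distinct tenant IDs inside a short window, reporting whether the IDs were walked consecutively. The log lines, the endpoint path and the thresholds are constructed assumptions.

```python
"""Constructed example (not from the article or any vendor): flag tenant-ID
enumeration against a lookup endpoint in web-server access logs.
The sample lines, endpoint path and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format). One client walks
# IDs 101..105 in five seconds with a scripting user agent; the others are
# ordinary single-tenant reads from the portal itself.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:15:01 +0000] "GET /api/org?tenant_id=101 HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:09:15:02 +0000] "GET /api/org?tenant_id=102 HTTP/1.1" 200 790 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:09:15:03 +0000] "GET /api/org?tenant_id=103 HTTP/1.1" 200 655 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:09:15:04 +0000] "GET /api/org?tenant_id=104 HTTP/1.1" 200 701 "-" "python-requests/2.31"
203.0.113.7 - - [10/Apr/2026:09:15:05 +0000] "GET /api/org?tenant_id=105 HTTP/1.1" 404 12 "-" "python-requests/2.31"
198.51.100.9 - - [10/Apr/2026:09:20:10 +0000] "GET /api/org?tenant_id=101 HTTP/1.1" 200 812 "https://mortgage.bank-a.example/" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2026:09:31:44 +0000] "GET /api/org?tenant_id=101 HTTP/1.1" 200 812 "https://mortgage.bank-a.example/" "Mozilla/5.0"
192.0.2.5 - - [10/Apr/2026:11:02:00 +0000] "GET /api/org?tenant_id=101 HTTP/1.1" 200 812 "https://mortgage.bank-a.example/" "Mozilla/5.0"
192.0.2.5 - - [10/Apr/2026:13:40:12 +0000] "GET /api/org?tenant_id=103 HTTP/1.1" 200 655 "https://mortgage.bank-a.example/" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TENANT_RE = re.compile(r'[?&]tenant_id=(\d+)')


def parse_line(line: str):
    """Return an event dict for a request carrying a tenant_id, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TENANT_RE.search(m.group("path"))
    if not t:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "tenant_id": int(t.group(1)),
            "status": int(m.group("status")),
            "ua": m.group("ua")}


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of consecutive integers in ids (0 if empty)."""
    best = run = 0
    prev = None
    for i in sorted(ids):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def detect_enumeration(lines, window=timedelta(minutes=5), min_distinct=3):
    """Alert per client that touches >= min_distinct distinct tenant IDs within
    any sliding window. Failed lookups count too: a 404 on the next ID is part
    of the walk, not evidence of innocence."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            seen = {e["tenant_id"] for e in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_distinct:
            alerts.append({"ip": ip, "distinct_tenants": len(best),
                           "sequential_run": longest_consecutive_run(best),
                           "user_agents": sorted({e["ua"] for e in events})})
    return alerts
```

A high `sequential_run` relative to `distinct_tenants` is the signature of an incrementing walk; a legitimate multi-tenant integration would normally read a fixed, non-adjacent set of IDs. Thresholds should be tuned to the platform's real traffic before the rule pages anyone.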

Continuous testing is the operational answer. The asset entered the bank’s external footprint when the vendor onboarded the bank, not when the pentest was scoped. If the engagement scope had been set against a snapshot from six months earlier, the hostname might not have been listed. The external attack surface changes daily, and annual testing cannot keep pace.
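The scope-drift problem in that paragraph can be made mechanical: reconcile the host list the last engagement was scoped against with the current external inventory and compute how long each asset has gone unvalidated. The following is an added example written for this article, not the bank's or any vendor's tooling. It assumes a scope list with shell-style wildcards, an inventory with first-seen dates (as a DNS or certificate-transparency monitor would supply), and a fixed "today"; every hostname and date is constructed. Note that a host matching a wildcard pattern but first seen after scoping is still treated as never tested, since it was not live when the testers ran.

```python
"""Constructed example (not the bank's or a vendor's code): reconcile the
last pentest's scope with the current external inventory so assets that
appeared after scoping are surfaced with how long they have gone untested.
Hostnames, dates and the scope format are assumptions."""
from datetime import date
from fnmatch import fnmatchcase

# Constructed: what the last external pentest was scoped against, when the
# scope was frozen, and the last day of active testing.
LAST_TEST = {
    "scoped_on": date(2025, 10, 1),
    "tested_through": date(2025, 10, 21),
    "scope": ["www.bank-a.example", "online.bank-a.example", "*.api.bank-a.example"],
}

# Constructed: today's external inventory with first-seen dates. The mortgage
# portal is bank-owned DNS fronting a vendor-operated platform, as in the article.
INVENTORY = [
    {"host": "www.bank-a.example", "first_seen": date(2021, 3, 2)},
    {"host": "online.bank-a.example", "first_seen": date(2022, 6, 14)},
    {"host": "mobile.api.bank-a.example", "first_seen": date(2025, 11, 30)},
    {"host": "mortgage.bank-a.example", "first_seen": date(2026, 1, 12),
     "operator": "third-party platform vendor"},
    {"host": "Promo.Bank-A.example.", "first_seen": date(2026, 3, 1)},
]


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so DNS-style names compare cleanly."""
    return host.strip().rstrip(".").lower()


def in_scope(host: str, scope) -> bool:
    """True if the host matches any scope entry (shell-style wildcards allowed)."""
    h = normalize(host)
    return any(fnmatchcase(h, normalize(pattern)) for pattern in scope)


def reconcile(inventory, last_test, today: date):
    """For each asset: whether it was in scope, whether it appeared after the
    scope was frozen, and how many days it has gone without validation."""
    report = []
    for asset in inventory:
        host = normalize(asset["host"])
        scoped = in_scope(host, last_test["scope"])
        appeared_after = asset["first_seen"] > last_test["scoped_on"]
        if scoped and not appeared_after:
            # Validated during the last engagement; the clock runs from its last day.
            days_untested = (today - last_test["tested_through"]).days
        else:
            # Never validated: it has been exposed, untested, since it went live.
            days_untested = (today - asset["first_seen"]).days
        report.append({"host": host, "scoped": scoped,
                       "appeared_after_scoping": appeared_after,
                       "days_untested": days_untested,
                       "operator": asset.get("operator", "in-house")})
    return report


def needs_testing(report, max_days: int):
    """Assets that were never validated, or whose last validation is older than max_days."""
    return [r for r in report
            if not r["scoped"] or r["appeared_after_scoping"] or r["days_untested"] > max_days]
```

Run against a live inventory feed, the `appeared_after_scoping` column is the list of assets an annual test by construction never saw; with `max_days` set to the institution's own retest interval, the function doubles as the trigger for the change-driven testing that PCI DSS 4.0 Requirement 11.3.1 already asks for.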

Source: BleepingComputer


The latest in cybersecurity news and updates.
