Case study
African Fintech Neobank
Ongoing private engagement on consumer banking stack. Discovered KYC bypass via predictable document ID, plus card-tokenization scope confusion.
Findings summary
Problem
The brief.
A Series B African neobank serving hundreds of thousands of retail customers needed continuous adversarial coverage to support SOC 2 Type II. Their internal AppSec team was two engineers deep and could not cover the product velocity.
Approach
How we ran it.
Three-month retainer engagement. Every major release reviewed within one business day of merge-to-main. Focus areas: KYC onboarding, wallet mutations, card tokenization, and webhook signature validation.
Result
What changed.
Three Critical findings including KYC bypass via predictable document ID, direct wallet-mutation BFLA through shared backend keys, and unsigned partner callback injection. Six High findings in payout routing and auth. All reports structured as SOC 2 Type II evidence artifacts.
Methodology
What we did.
- Continuous release-tied review
- KYC + card flows end-to-end
- Webhook signature + replay validation
- SOC 2 evidence-ready reports
Outcome
Client cleared SOC 2 Type II observation on vulnerability management using our reports as audit evidence. Estimated 6-week remediation saved vs. comparable incidents.
What impressed our board was not just the findings — it was how defensible the severity ratings were. CVSS justification on every issue made the conversation with auditors painless.