PCI DSS, GLBA, SOX, DORA, NIS2 — the alphabet soup of frameworks keeps security teams busy all year preparing for audits and drowning in compliance work. Meanwhile, in 2024, 65% of financial institutions were affected by ransomware, with average recovery costs per breach reaching $5.9 million (Sophos, 2024). Yet these same institutions often hold clean audit reports.
The problem is simple: compliance measures what looks good on paper. Adversaries measure what works in practice.
The Fortress Illusion
Banks, insurers, and fintechs invest millions in perimeter defenses because that is where auditors and regulators typically look. They harden firewalls, test customer-facing applications, and monitor the obvious choke points.
Attackers avoid those surfaces. They go where no one is watching. They exploit credential patterns, forgotten login portals, and physical access systems that rarely feed into a SIEM. The path of least resistance is never the one with the biggest budget.
The Data Center at 3 AM
A fortified data center looks impenetrable from the outside. One entrance, cameras everywhere, guards trained to stop intruders. On paper, it is a fortress.
But at 3 AM, the story plays out differently.
We had already gained administrative access to the badge system. Inside that system, we created a fake employee record and linked it to a forged ID. Badge systems rarely generate real-time alerts when records are added or modified. If those changes are noticed at all, it is during a quarterly audit. To the guard on duty, the entry looked routine. For an adversary, it was invisible.
The guard slid a visitor badge across the desk. On paper, it had limited rights, good for little more than opening the lobby door. The engineer pocketed it, walked through the first checkpoint, and ducked into a bathroom down the hall.
Inside, he called his partner, who still had administrative control of the badge system. Reading off the badge number printed on the card, he waited as the change was made. Within seconds, a visitor profile became a master key.
When the engineer stepped back into the hallway, nothing about the badge looked different. To the guard, it was still a disposable visitor card. But now it unlocked everything: server cages, data halls, and critical infrastructure cabinets. A badge meant for temporary access had silently become a “God key”.
At that point, a real attacker could have done anything. Plant a rogue device for persistent access. Cut fiber to disrupt payment processing. Pull customer data from systems moving billions of dollars. None of it would have been detected because badge activity rarely integrates with SIEMs or MDR platforms.
By morning, the badge was back on the guard’s desk. No alerts. No questions. Just another quiet night in the log.
This is what compliance cannot measure. Audits never test how controls fail in practice.
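As an added illustration (not from the Lares engagement, and not the page's own code), the following Python correlates a constructed badge-system audit export with door reads so that the visitor-to-master escalation in the story would raise an alert within minutes rather than at a quarterly review; the event layout, door names and access-level names are assumptions.

```python
# Added example, not Lares code: correlate badge-system audit events with door
# reads so a visitor badge raised to an all-areas level alerts within minutes
# rather than at a quarterly review. Log layout, door and level names are assumed.
from collections import namedtuple
from datetime import datetime, timedelta

RESTRICTED_DOORS = {"DATA_HALL_A", "SERVER_CAGE_12", "MDF_CABINET"}
ELEVATED_LEVELS = {"ALL_AREAS", "DC_OPS"}
# kind: record_created | level_changed | door_read; actor is empty for door reads;
# detail: employee name, new access level, or door name respectively
BadgeEvent = namedtuple("BadgeEvent", "ts kind badge actor detail")

def parse(line):
    ts, kind, badge, actor, detail = line.split("|")
    return BadgeEvent(datetime.fromisoformat(ts), kind, badge, actor, detail)

def detect(events, window=timedelta(hours=2)):
    """Return (severity, message) tuples; events must be in time order."""
    alerts, elevated_at = [], {}
    for e in events:
        after_hours = e.ts.hour < 7 or e.ts.hour >= 19
        if e.kind == "record_created" and after_hours:
            alerts.append(("medium", f"record {e.badge} created after hours by {e.actor}"))
        elif e.kind == "level_changed" and e.detail in ELEVATED_LEVELS:
            elevated_at[e.badge] = e.ts          # remember when it was elevated
            sev = "high" if e.badge.startswith("VIS-") else "medium"
            alerts.append((sev, f"{e.badge} raised to {e.detail} by {e.actor}"))
        elif e.kind == "door_read" and e.detail in RESTRICTED_DOORS:
            raised = elevated_at.get(e.badge)
            if raised is not None and e.ts - raised <= window:
                mins = int((e.ts - raised).total_seconds() // 60)
                alerts.append(("critical", f"{e.badge} opened {e.detail} {mins} min after elevation"))
            elif e.badge.startswith("VIS-"):     # a visitor badge should never reach here
                alerts.append(("high", f"visitor badge {e.badge} opened {e.detail}"))
    return alerts

# Constructed audit export: timestamp|kind|badge|actor|detail
SAMPLE_LOG = """\
2024-03-02T02:40:11|record_created|EMP-90412|badgeadmin|J. Doe
2024-03-02T03:02:45|door_read|VIS-0417||LOBBY
2024-03-02T03:09:30|level_changed|VIS-0417|badgeadmin|ALL_AREAS
2024-03-02T03:15:02|door_read|VIS-0417||SERVER_CAGE_12
2024-03-02T03:20:00|door_read|VIS-0417||DATA_HALL_A
2024-03-02T09:30:00|door_read|EMP-10023||DATA_HALL_A"""

def run_sample():
    return detect(parse(l) for l in SAMPLE_LOG.splitlines())
```

Feeding the badge controller's change log into the SIEM is what makes this rule possible; without that feed, the level change on the visitor badge is invisible until someone reads the quarterly report.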
Attackers Log In More Than They Break In
When most financial institutions envision a breach, they typically picture zero-day exploits, ransomware payloads, or advanced malware. The reality is far less cinematic. Attackers log in more often than they hack in.
Lares engagements repeatedly show the same patterns inside financial services environments:
- Reuse Credentials Across Environments: Employees use the same passwords across QA, UAT, and production. In one case, QA credentials gave us working logins into payment processing infrastructure. That single gap could have been leveraged to disrupt transactions or manipulate payment instructions on a large scale.
- Predict Password Mutations: Seasonal and year-based mutations remain rampant. A user rotates Winter2024! into Spring2025! and believes they are secure. Our engineers cracked one password set, applied a mutation rule, and gained access to Active Directory, VPN gateways, and SaaS services tied directly to systems that handle wire transfers and trading platforms.
- Bypass Forgotten Portals: MFA may be enforced for the main employee portal, but legacy systems or third-party integrations often lack it. In one engagement, we chained access from an endpoint management portal, into an authorization platform, then into Active Directory, and finally into Microsoft 365 — all with valid credentials and no alerts. At that point, we could access sensitive PII stored in email archives and cloud repositories.
- Expose Credentials in Plain Sight: Admins leave RDP files, VPN profiles, and credential stores on desktops or home directories. In one test, we found plaintext mainframe credentials next to the emulator needed to connect. Those systems processed high-value financial data, including account balances and ACH transfer details.
- Deploy Weak MFA: Many institutions have MFA, but it is misconfigured or not deployed everywhere it matters. SMS codes and push notifications can be phished or socially engineered. Worse, some applications enforce MFA for web logins but allow password-only access through APIs or mobile clients. One valid credential can silently reach clearinghouse systems or fraud-detection dashboards.
Attackers exploit these weaknesses every day. They target systems where customer PII, wire transfers, and market transactions are processed. A single compromised set of credentials can lead to fraud, data theft, or the disruption of services critical to the economy.
The real danger is that these compromises do not generate the telemetry that auditors or SOC analysts are trained to look for. A valid login at 2 AM looks like an employee working late. Lateral movement with native Windows commands blends into normal admin activity. By the time fraud is executed or records are exfiltrated, the adversary has already lived undetected in the network for weeks.
Attackers do not need sophisticated exploits. They need weak credentials, overlooked portals, and institutions that confuse audit readiness with resilience.
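An added example, not Lares code: a password-change filter that rejects the season-plus-year mutations described above (Winter2024! rotating to Spring2025!) and also rejects a new password that only changes the digits or symbols of the old one; the word list, the letter-substitution map and the constructed test passwords are assumptions.

```python
# Added example, not Lares code: a password-change filter that rejects the
# season/month + year mutations described above, so Winter2024! cannot simply
# become Spring2025!. The word list, leet map and rules are assumptions;
# an institution would add its own name and product names to WEAK_WORDS.
import re

WEAK_WORDS = {"winter", "spring", "summer", "fall", "autumn", "password", "welcome",
              "january", "february", "march", "april", "may", "june", "july",
              "august", "september", "october", "november", "december"}
LEET = str.maketrans("013457@$", "oieastas")      # undo spr1ng, p@ssw0rd, etc.
# word (lazy, must end in a letter) + optional separators + optional 2/4-digit year
PATTERN = re.compile(r"(?P<word>[a-z0-9@$]*?[a-z])[^a-z0-9]*(?P<year>(?:19|20)?\d{2})?")

def predictable_pattern(password):
    """Return (word, year) when the password is a weak word plus an optional
    year and trailing symbols, e.g. Spr1ng2025!! -> ('spring', '2025')."""
    core = password.lower().rstrip("!@#$%^&*?.,;:-_")   # drop trailing symbols
    m = PATTERN.fullmatch(core)
    if m and m.group("word").translate(LEET) in WEAK_WORDS:
        return m.group("word").translate(LEET), m.group("year")
    return None

def letter_skeleton(password):
    """Letters only: Acme2024! and Acme2025# both become 'acme'."""
    return re.sub(r"[^a-z]", "", password.lower())

def check_new_password(old, new):
    """Return a rejection reason, or None if the change is acceptable."""
    pat = predictable_pattern(new)
    if pat:
        return f"'{pat[0]}' plus a year is a predictable pattern"
    if old and letter_skeleton(old) == letter_skeleton(new):
        return "new password only changes the digits or symbols of the old one"
    return None
```

The same normalisation can be run over a cracked-hash export from an authorised assessment to count how many accounts follow the pattern, which is a more honest metric than "rotation is enforced every 90 days".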
Audit vs Effectiveness
Every financial institution knows the audit drill. Assessors arrive with a checklist, validate controls in a report, and confirm they exist. That process may keep regulators satisfied, but it does little to measure how those controls perform under pressure.
Audits measure design. Adversaries measure effectiveness.
- Auditors ask: Do you have an API firewall? Is MFA enabled for remote access? Are logs reviewed monthly? Is there a badge system at your data center?
- Adversaries ask: Can that firewall be misconfigured to allow lateral movement? Can an overlooked VPN gateway still accept single-factor logins? Can a help desk reset MFA with nothing more than a convincing phone call? Can a fake employee record pass every guard check at 3 AM?
Lares routinely sees controls that pass audit scrutiny but fail against even basic adversarial testing:
- API Firewalls: A bank’s API firewall passed compliance review, but misconfigurations allowed us to query customer PII directly without triggering alerts.
- MFA Deployment: An insurer enforced MFA for employee portals but left a legacy Citrix gateway unprotected. Auditors confirmed MFA was deployed. Our red team logged in with stolen credentials and accessed internal systems within minutes.
- Logging and Monitoring: Institutions show auditors proof of monthly log reviews. In practice, those reviews are snapshots. During engagements, we have exfiltrated data and maintained persistence for weeks without a single alert.
- Physical Access Controls: Auditors note that data centers have guards, cameras, and badge readers. In reality, Lares compromised a badge system, created a fake employee record, and paired it with a forged ID. A visitor badge was issued, escalated to full access, and used to walk through critical infrastructure. On paper, the control existed. In practice, it was meaningless.
Compliance frameworks ask, “Does the control exist?” Adversaries ask, “Can I break it?”
Financial institutions that stop at design-level validation live with a false sense of security. Only adversarial testing can measure how controls behave under real attack paths.
Legacy Infrastructure, Modern Targets
Mainframes and legacy systems still run the backbone of financial services. They process ACH transfers, market transactions, and customer PII at scale. Because migrating decades of code is risky and expensive, these systems remain in production with security controls frozen in the 1980s.
Lares assessments frequently uncover systemic weaknesses in mainframe environments:
- Weak Authentication: Many mainframes still rely on green-screen emulators like TN3270 or TN5250. These often lack multi-factor authentication, enforce weak password rules, and in some cases, do not allow special characters. Lockout policies are rare, making brute force trivial.
- Exposed Credentials: Emulator binaries are often left on admin workstations alongside plaintext credential files. In one engagement, we retrieved mainframe logins from operator home directories within minutes of initial access.
- Cleartext Transmission: Legacy sessions are sometimes unencrypted, exposing credentials and commands to anyone with network visibility.
- Poorly Segmented Networks: Mainframes are often reachable through jump boxes that are not properly isolated. Once we had AD access, pivoting into mainframe networks required little effort.
- Limited Monitoring: Unlike modern servers, mainframe access logs are rarely integrated into SIEM platforms. Adversaries can enumerate, authenticate, and exfiltrate data without generating alerts.
These weaknesses are not theoretical. In one case, Lares accessed live ACH transfer data and account balances without detection. In another, operator credentials were stored in plaintext next to emulator binaries that connected directly to trading infrastructure.
The risk is operational and immediate. These systems move billions of dollars daily. Passing an audit means the mainframe exists, is patched, and has documented procedures. It does not mean adversaries cannot walk in with weak credentials and access the financial core of the institution.
Purple Teaming: Live Fire for Defenders
Most financial services security teams rarely get to face a real adversary. Their dashboards show blocked attempts. Their reports highlight malware stopped at the gateway. However, when something slips through, defenders often lack the practice to investigate artifacts, pivot through logs, or connect events into a kill chain.
Purple Teaming closes that gap. It is not a tabletop exercise or a compliance check. It is an adversarial activity run in your live environment with your defenders responding in real time.
During a Lares Purple Team engagement, our red teamers simulate real attack paths, including credential abuse, API exploitation, lateral movement in Active Directory, persistence in cloud workloads, and exfiltration over trusted channels. At each step, we work side by side with your SOC and detection engineers to answer the most important questions:
- Did your tools generate any telemetry?
- Did your analysts recognize the activity as malicious?
- How fast could your team respond and contain the threat?
- What coverage gaps were revealed, and how can they be closed?
The process turns abstract TTPs into hands-on learning:
- Credential Attacks: Red teamers perform password spraying against an OWA portal. Blue teamers practice building custom detection rules and tuning alerts to catch low-and-slow spraying attempts.
- Lateral Movement: We utilize Kerberoasting or RDP pivoting to escalate privileges within Active Directory. Defenders trace authentication logs and practice correlating unusual movements with potential compromise.
- Cloud Persistence: Our team creates unauthorized IAM roles in Azure or AWS. The SOC learns to spot privilege escalation artifacts in cloud audit logs.
- Data Exfiltration: We stage sensitive records and move them out via DNS tunneling or HTTPS beacons. Blue teams validate which tools can detect the outbound flow and where blind spots exist.
This is not a lab scenario. It is defenders watching an attack unfold, mapping it against MITRE ATT&CK, and practicing how to respond. They do not just get a report; they get seat time in their own environment, under live fire, with guidance from experts who know exactly how adversaries operate.
Audits cannot replicate this. Penetration tests cannot replicate this. Purple Teaming is not about proving a missing patch can be exploited. Save that for your penetration test. It focuses on techniques, detection, and response. It transforms defense from a checkbox exercise into a measurable capability. This is where defenders actually learn to fight.
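An added example, not Lares code: the kind of detection rule a blue team would build and tune during the low-and-slow spraying exercise above, run over constructed login records for a web portal such as OWA; the log format and the thresholds are assumptions to tune per environment.

```python
# Added example, not Lares code: low-and-slow password-spray detection. A source
# that fails against many distinct accounts with only one or two attempts each
# inside a long window is flagged, and a later success from that source is
# escalated. Log format is constructed; thresholds are assumptions to tune.
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result

def detect_spray(lines, window=timedelta(hours=6), min_users=5, max_per_user=2):
    """Return (severity, source_ip, message) alerts."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)          # ip -> (ts, user) failures inside window
    for ts, ip, user, result in sorted(map(parse, lines)):
        q = recent[ip]
        while q and ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            per_user = Counter(u for _, u in q)
            # spray signature: many accounts, few attempts each (brute force is the opposite)
            if (ip not in flagged and len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user):
                flagged.add(ip)
                alerts.append(("high", ip, f"{len(per_user)} accounts, {len(q)} failures in {window}"))
        elif result == "OK" and ip in flagged:
            alerts.append(("critical", ip, f"successful login as {user} after spraying"))
    return alerts

# Constructed log: timestamp source_ip username result
SAMPLE_LOG = """\
2024-03-02T01:05:00 203.0.113.7 a.smith FAIL
2024-03-02T01:47:00 203.0.113.7 b.jones FAIL
2024-03-02T02:00:00 192.0.2.5 admin FAIL
2024-03-02T02:01:00 192.0.2.5 admin FAIL
2024-03-02T02:02:00 192.0.2.5 admin FAIL
2024-03-02T02:03:00 192.0.2.5 admin FAIL
2024-03-02T02:30:00 203.0.113.7 c.lee FAIL
2024-03-02T03:12:00 203.0.113.7 d.khan FAIL
2024-03-02T03:55:00 203.0.113.7 e.nguyen FAIL
2024-03-02T04:40:00 203.0.113.7 f.garcia FAIL
2024-03-02T05:20:00 203.0.113.7 g.patel OK
2024-03-02T08:00:00 198.51.100.2 h.brown FAIL
2024-03-02T08:00:30 198.51.100.2 h.brown OK"""

def run_sample():
    return detect_spray(SAMPLE_LOG.splitlines())
```

The single-account burst from 192.0.2.5 stays silent here on purpose: a brute-force rule keyed on failures per account catches that, while this rule is keyed on distinct accounts per source, which is the blind spot low-and-slow spraying exploits.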
Raising the Bar
Financial services firms will always need to meet compliance requirements. Those reports keep regulators satisfied, but they do not stop adversaries. Compliance is the floor, not the ceiling.
Nation-state actors, organized crime groups, and insider threats are not bound by scope or audit cycles. They target where visibility is weakest: legacy systems, badge infrastructure, forgotten portals, and over-trusted credentials. They exploit what auditors never test.
Modern CISOs in banking, insurance, and fintech are already aware of this. They are shifting from checkbox security to full-scope adversarial testing (Red Teaming, Purple Teaming, and assumed breach exercises) to measure how programs perform under real pressure.
Lares helped define modern red teaming and co-authored the Penetration Testing Execution Standard (PTES). We have tested some of the most targeted financial institutions in the world against nation-states, fraud syndicates, and insider threats.
The real question is not whether you will pass your next audit. It is whether you will detect the attacker walking into your data center at 3 AM, logging in with a weak credential, or pivoting into your mainframe unnoticed.
Contact Lares to put your defenses to the test before your adversaries do.