A NetSPI Case Study
A Major U.S. Financial Service Company engaged NetSPI to perform a time-boxed, anonymous, scenario-based red team and internal penetration test across all of its internal networks in just four days. The goal was to evaluate detection and response capabilities and to surface vulnerabilities; NetSPI delivered this as a targeted internal penetration testing engagement using manual testing and offensive techniques.
NetSPI performed passive network enumeration, used WPAD/NBNS poisoning to capture NTLMv2 hashes, cracked those hashes with GPU acceleration (recovering over 50% of domain passwords), exploited an unpatched Kerberos issue to obtain domain admin, and bypassed two-factor protections to reach the PCI zone and cardholder data, demonstrating full network compromise in a short period. NetSPI's findings enabled the firm to evaluate its incident response, strengthen its detective controls, and remediate multiple critical vulnerabilities that could have led to costly breaches.