A Synack Case Study
Varo Bank, an app-based online bank founded in 2015, was preparing to spin out from its sponsor-bank model and had to prove ongoing security readiness to banking regulators (FFIEC) as it scaled. To supplement automated scans and limited point-in-time pentests, Varo engaged Synack and its Synack365 continuous pentesting service to improve vulnerability testing and provide regulator-ready evidence.
Synack delivered continuous, on-demand pentesting: it maintained a cloud resource map, assigned custom missions for GraphQL, and provided thorough reports with researcher follow-ups, so each release was scrutinized and remediation could be iterated. Using Synack’s platform (including Vulnerability Burndown charts), Varo demonstrated measurable trends and remediation speed to regulators and stakeholders and steadily reduced security bugs. In part thanks to Synack’s testing data, it became the first U.S. consumer fintech to receive a national bank charter from the OCC in August 2020.
Sal Dazzo
Director of Engineering