How nCrypt ran a three-year intelligence-led pentest and red-team programme covering the launch and continuous assurance of a Top-5 Malaysian bank's digital channel. Client identifying details have been anonymised under the engagement non-disclosure agreement.
The client is a Top-5 Malaysian universal bank with a domestic branch network of several hundred locations and a regional presence across ASEAN. The institution operates a traditional core banking platform alongside a newly launched digital channel intended to serve a younger demographic with mobile-first onboarding, instant card issuance and embedded investment products.
The engagement spanned the run-up to the digital-channel launch and the two years that followed, covering the launch readiness assessment, an intelligence-led red-team exercise prior to general availability, quarterly application retests after launch and a SOC capability uplift designed to compress mean-time-to-detect on the new channel.
The board had given the technology executive a clear instruction: the bank would not go live without independent evidence that an attacker could not move from the external internet through to a customer impact, and that the SOC could detect a realistic intrusion within minutes rather than days. nCrypt was selected as the independent testing partner against a competitive panel of CREST member firms.
The bank's digital channel was being launched into a market where two licensed digital banks were already live and several incumbents had publicly stumbled on production incidents during their own launches. The reputational risk of a material security event in the first six months of operation was assessed by the board as one of the principal risks on the corporate risk register.
On a technical level, the new channel sat alongside a long-established core banking estate with twenty years of accumulated complexity, including legacy mainframe integrations, several generations of middleware and a corporate Active Directory forest that had grown organically through three previous acquisitions. The principal challenge was to demonstrate that the new channel could be operated safely without a full and disruptive rebuild of the surrounding estate.
The SOC team had been stood up alongside the new channel and was running on a ninety-day-old SIEM deployment with limited tuning. Mean time to detect a realistic intrusion, when measured against an internal purple-team exercise prior to nCrypt's engagement, sat at approximately seventy-two hours — well outside the bank's own operational risk appetite for the new channel.
Finally, the engagement had to operate inside the bank's established RMiT governance framework. Every test had to be documented, every change had to flow through the standard change advisory process and every finding had to map back to a specific RMiT control objective for the board sub-committee that owned technology risk.
nCrypt structured the engagement as a continuous programme rather than a series of point assessments. The first ninety days delivered a launch-readiness assessment covering all seven application surfaces of the new channel and a focused infrastructure review of the cloud account, the integration middleware and the relevant slice of the corporate forest.
The second phase, immediately prior to general availability, was a six-week intelligence-led red-team exercise. nCrypt's threat-intelligence cell developed a bespoke profile of three plausible adversaries — a financially motivated cybercrime group, a regional state-aligned actor and an insider-assisted scenario — and the red team executed against the full estate from initial reconnaissance through to objective achievement, with the bank's SOC unaware of the timing.
Post-launch, the programme transitioned into a quarterly cadence. Each quarter included a focused web and API retest of the digital channel, a SOC purple-team exercise to validate that detection coverage had not regressed, and a rolling thematic review of one adjacent risk area such as third-party API integrations, privileged-access management or change-management hygiene.
The SOC uplift workstream ran in parallel and was the single biggest contributor to the mean-time-to-detect improvement. nCrypt's detection engineers worked alongside the in-house team to build behavioural detections mapped to MITRE ATT&CK techniques relevant to the bank's estate, and to instrument every red-team operation as a ground-truth dataset for future tuning.
Two service accounts with weak passphrases and elevated privileges in the corporate forest could be cracked offline within hours. The same forest had a one-way trust into the digital-banking estate that allowed lateral movement into pre-production core banking.
The new digital-banking onboarding flow trusted client-supplied identifiers in the final approval call. A modified mobile client could promote a pending applicant to approved without triggering the second-factor reviewer step.
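The authorisation flaw described above, shown as an added illustration (not the bank's or nCrypt's code): a final-approval handler that trusts client-supplied status fields beside a hardened version that derives the transition purely from server-held state, where the reviewer's second-factor step is recorded from the reviewer's own session. All names, the in-memory store and the applicant records are hypothetical and constructed here.

```python
from dataclasses import dataclass


@dataclass
class Applicant:
    applicant_id: str
    status: str = "pending"            # pending -> reviewed -> approved
    reviewer_2fa_verified: bool = False


# Constructed in-memory store standing in for the onboarding database.
APPLICANTS = {"A-100": Applicant("A-100"), "A-200": Applicant("A-200")}


class ApprovalError(Exception):
    pass


def approve_vulnerable(request: dict) -> Applicant:
    """Final approval call that copies client-supplied fields into server state.

    A modified mobile client can send status="approved" and reviewer_verified=True,
    promoting a pending applicant without the reviewer's second-factor step."""
    applicant = APPLICANTS[request["applicant_id"]]
    applicant.status = request.get("status", applicant.status)
    applicant.reviewer_2fa_verified = request.get("reviewer_verified", applicant.reviewer_2fa_verified)
    return applicant


def record_reviewer_step(applicant_id: str, reviewer_session: dict) -> None:
    """Server-side record that a reviewer completed their second factor.

    reviewer_session is the reviewer's authenticated session, never the applicant's client."""
    if reviewer_session.get("role") != "reviewer" or not reviewer_session.get("mfa_ok"):
        raise ApprovalError("reviewer second factor not satisfied")
    applicant = APPLICANTS[applicant_id]
    applicant.status = "reviewed"
    applicant.reviewer_2fa_verified = True


def approve_hardened(request: dict) -> Applicant:
    """Final approval derived only from server-held state.

    The client may name the applicant; status and reviewer flags in the request are ignored."""
    applicant = APPLICANTS[request["applicant_id"]]
    if applicant.status != "reviewed" or not applicant.reviewer_2fa_verified:
        raise ApprovalError(f"{applicant.applicant_id}: reviewer step not completed server-side")
    applicant.status = "approved"
    return applicant


def hardened_rejects(request: dict) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        approve_hardened(request)
        return False
    except ApprovalError:
        return True
```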
Network segmentation testing showed a partial exposure of SWIFT-CSP operator workstations from the standard corporate user VLAN, in conflict with CSCF segregation control 1.1.
An analytics replica of the core ledger had been exposed to a broader read-only audience than the original RMiT data-classification permitted, including a third-party BI consultancy.
Push-based MFA was the default for administrators of the new digital channel. A targeted social-engineering operation by the red team successfully phished one administrator using an adversary-in-the-middle proxy.
The digital channel went live on its committed launch date with unanimous board approval following an executive briefing of the red-team results and the remediation evidence pack. All seven end-to-end attack paths demonstrated during the intelligence-led exercise were closed before launch, and the final retest produced zero critical findings and only two medium-severity items, both of which were accepted with documented compensating controls.
The SOC capability uplift compressed mean time to detect on a realistic intrusion from approximately seventy-two hours at the start of the engagement to roughly fourteen minutes by the end of the second year, measured against repeated purple-team exercises. The bank's board-level risk appetite statement for the digital channel was met for the first time.
Two years into the programme, the bank has not experienced a material security incident on the new channel. The continuous-assurance model has been adopted by the parent group and is now being extended to the bank's regional ASEAN subsidiaries under a harmonised RMiT-equivalent framework.
Share your scope. We'll respond within 24 hours.
Talk to nCrypt about an intelligence-led pentest programme scoped to your RMiT obligations and your release timeline.