· Case Study / Penetration Testing

Hardening a fintech gateway processing $1.2B/yr

Regional payment-gateway operator · GCC · 8-week engagement

11 findings reproducible with PoCs
3 high/critical, all fixed in-engagement
1st audit passed without remediation

A regional payment-gateway operator processing more than $1.2 billion per year across 40,000 merchants engaged ZhenyYET ahead of a major card-scheme audit and an upcoming geographic expansion. Their internal team had matured rapidly but had never been tested by a determined external adversary modelling the actual threat landscape: organised cybercrime targeting MENA fintech, opportunistic abuse of merchant onboarding, and insider-style abuse of the merchant portal. Compliance scans were green; their own instincts told them that wasn't the whole story.

We scoped an eight-week engagement covering the public payment APIs, the merchant onboarding and dashboard portal, the supporting cloud infrastructure across two regions, the mobile SDKs, and a focused internal segment representing the most sensitive crown-jewel systems. Threat modelling was driven by business risk rather than technical surface area: account takeover of high-value merchants, payment manipulation, mass enumeration of cardholder identifiers, and lateral movement from a compromised employee laptop into the cardholder data environment.

Within the first week our team chained three individually low-rated findings (a verbose error message, an inconsistent rate limit and a permissive CORS policy) into a viable mass enumeration of merchant identifiers that would have triggered immediate scheme penalties had it been discovered externally. Over the remaining weeks we identified eleven distinct findings, three of them high or critical, each delivered with a working proof-of-concept, the exact request that reproduces it, and an engineer-grade remediation written by people who have shipped payment software themselves. Findings were triaged daily with the operator's engineering leads so that fixes shipped while the engagement was still live, and every fix was retested at no extra cost within the engagement window.

By the closing week, all critical and high findings were closed and verified, the audit was passed the first time without remediation conditions, and the platform expansion proceeded on schedule. The operator has since enrolled in our continuous purple-team programme to keep their defenders sharp between formal tests.

“They didn't just hand us a PDF. They sat with our engineers, broke things responsibly, and helped us ship the fixes the same week.”
— Head of Engineering · Regional Payment Gateway

· Engagement at a glance

Category · Penetration Testing
Client · Regional payment-gateway operator
Region · GCC
Duration · 8-week engagement
Headline metric · 0 critical CVEs left open