SecureLayer7 · Industry tear-sheet

securelayer7.net

FinTech

Payments, lending, and brokerage stacks tested by researchers who chain auth, money-movement, and OAuth flows the way attackers do.

40+

Disclosed CVEs from SL7 Lab across payment SDKs, KYC pipelines, and OAuth providers used by regulated FinTech platforms.

Three named threats we test for

  1. Card-data exfil via business-logic abuse

     Pricing rules, refund overrides, and tokenisation gaps that let an attacker pull cardholder data without ever breaking PCI cryptography.

  2. Refund-flow race conditions

     Settlement, dispute, and reversal endpoints raced against each other to double-spend, settle phantom transactions, or break ledger reconciliation.

  3. OAuth callback hijack across linked accounts

     Account-linking and SSO flows tested for state-binding gaps, open-redirect chains, and partner-app trust abuse that surface real fraud paths.

Findings cite real CVE records from SL7 Lab disclosure history, not screenshot mockups.

How we run the engagement

  1. Scope and threat model

     The engagement lead walks the platform with your engineering and risk owners. The outcome is a written threat model, not a checklist.

  2. Manual exploitation

     Researchers attack the auth chain, money-movement endpoints, and partner integrations by hand. Tools assist; they do not lead.

  3. Chained-finding write-up

     Every report shows the path from entry to impact, with reproduction steps a developer can replay on a laptop.

  4. Retest and sign-off

     Fixes are retested against the original exploit chain, not just the patched endpoint. The CISO gets a signed letter for the audit file.

Compliance mapping

PCI-DSS · SOC 2 Type II · ISO 27001 · RBI Cybersecurity Framework

Engagement leads at SecureLayer7

Pruthvi Reddy

Engagement lead

Munmun

Engagement lead

info@securelayer7.net · +1 (510) 730 7570

Want this engagement scoped against your platform?

Talk to a security expert

SecureLayer7 · FinTech tear-sheet · v1