What 345 Days of Untested Exposure Looks Like at a Bank

ID: d3e8fffa-3966-5c56-8493-b3f5c1b2a224

STIX ID: report--d3e8fffa-3966-5c56-8493-b3f5c1b2a224

Feed Name: Bleeping Computer

Threat Score: 75/100

Date Published: 2026-06-03

Date Updated: 2026-06-03

Author: Sponsored by Sprocket Security


Executive summary: A single unpatched VPN vulnerability and insecure vendor-operated APIs led to large-scale exposures across financial institutions, highlighting that annual penetration tests leave substantial attack surface unvalidated. A Sprocket engagement found an unauthenticated tenant-ID API with permissive CORS that returned staff PII and allowed submission forgery across tenants. The finding demonstrates how vendor-hosted assets and change-driven infrastructure create ongoing regulatory and fraud risk, and it motivates continuous testing and attack-surface management.
