Historically, banks built security the same way they built vaults: thick walls, high fences and minimal exposure.
But digital transformation has upended that perimeter. Open banking APIs, third-party FinTech integrations, cloud-native architectures and rapid app deployments have created an attack surface far too broad for static defenses. Banks’ security postures have to evolve in parallel with the products they launch.
“Banks work with money, so they’re always targeted,” Santiago Rosenblatt, founder and CEO of Strike, told PYMNTS.
“Attackers are using AI too,” he said. “If you’re not automating and continuously testing, you’re going to be outpaced. Cybercriminals are optimizing their ROI. They’ll target the weakest link, which is the bank testing least often.”
Since launching Strike, Rosenblatt’s team has worked to flip the paradigm from annual penetration tests, or “pen testing,” a sluggish, bloated ritual, to adaptive resilience. After all, the stakes in financial services are uniquely high.
Regarding traditional pen testing, “you’d wait a month to launch a test, then three more to get the report. And in between, zero visibility,” Rosenblatt said, noting that the downtime might as well be a welcome mat for cybercriminals.
Breaking the Traditional Pen Test Model

As the pace of payments innovation accelerates toward embedded finance, programmable money and artificial intelligence (AI)-generated fraud, the gap between defense and offense will continue to narrow. Banks that thrive will not be those with the thickest walls, but those with the most adaptive immune systems.
Rosenblatt, who started hacking when he was six and a half, considers himself a reformed ethical hacker: someone who uses his hacking knowledge and know-how for good. That’s what inspired him to start Strike.
“Luckily for me, and my parents, I realized I was better off helping companies get protected,” he said.
The vulnerabilities Rosenblatt’s team at Strike finds aren’t theoretical. They’ve seen everything from authentication bypasses (which allow attackers to impersonate a user and log into banking accounts) to unencrypted user passwords and even ways to wire money indefinitely.
“We’ve found cases where we could empty an entire bank account with over $1 million in it,” Rosenblatt said. “We’ve accessed admin panels exposing private data like Social Security numbers, addresses. Some systems didn’t even encrypt passwords.”
What makes Strike especially compelling isn’t just its speed, but its intelligent hybrid model. At its core is Strike 360, a platform that blends artificial intelligence with ethical hacking. AI is becoming a sidekick to Strike’s human hackers, called “strikers.” It suggests potential vulnerabilities they might’ve missed based on the context of their current work.
“Security experts don’t want to spend time reporting or retesting. They want to hack and find security gaps,” said Rosenblatt. “We’re giving them superpowers.”
“I studied cybersecurity and AI at Oxford,” he said. “Back then, I was told the tech wasn’t mature enough to automate penetration testing. So, I started collecting data, knowing that when the models were ready, we’d be able to train them.”
That bet paid off. Strike 360 is now automating modules of the pen test process, from discovery to retesting, with precision and speed.
“Retesting used to take two days and a human. Now it’s 10 seconds, zero people. If you only partially fix something, we’ll show you exactly what was missed,” said Rosenblatt. “You even get the PDF report for compliance instantly.”
Rethinking ROI in Cybersecurity

Looking ahead, Rosenblatt sees two tiers of pen testing emerging: fully automated and hybrid.
“By the end of next year, we’ll have 80% of pen testing automated,” he said. “Premium Pen Testing will be 100% AI-driven. Premium Plus will still include ethical hackers for that critical 20%.”
In five years, Rosenblatt believes, 90% of companies will rely on automated testing, with only the most critical assets reserved for hybrid models.
“If you’re still doing pen tests once a year, you’re toast,” he said. “Cybercriminals are moving fast. You have to move faster.”
Still, quantifying cybersecurity ROI is notoriously tricky.
“You can’t say, ‘I had a breach and fixed it, so here’s the ROI,’” Rosenblatt said. “You want no breaches. But how do you measure prevention?”
His answer: shift from cost-per-engagement to value-per-discovery. “With automation, we’ll be able to charge for what we find, what we cover, and how we help avoid breaches. That’s a clearer, fairer way to show ROI.”
And for compliance-heavy industries like banking, the appeal is immediate.
“They’re asked for pen test reports more often than anyone. Now they can show proof of real-time testing, even before the test is done,” Rosenblatt said. “That’s huge.”
The post Future of Bank Security Is Being Written by Ethical Hackers appeared first on PYMNTS.com.