Case Study · Financial Services · India · September 20, 2025

Security Assessment & Cloudflare Deployment for a Mumbai Financial Services Company

A Mumbai-based wealth management firm needed a security assessment and web protection ahead of their enterprise client onboarding. CyberneticsPlus delivered a combined VAPT and Cloudflare WAF deployment, enabling them to onboard 3 institutional clients.

Key figures:

  • 22 findings identified
  • 3 enterprise clients onboarded
  • 45 days from assessment to clearance

Services: Penetration Testing · Cloudflare WAF Deployment · Vulnerability Assessment · Security Hardening

Background

A Mumbai-based wealth management platform serving high-net-worth individuals (HNI) was in advanced discussions with three institutional clients — a family office, a corporate treasury, and a trust company. Each prospective client required a security assessment report and evidence of web application protection as part of their vendor due diligence.

The company had no prior formal security assessment and no WAF. Their application handled client portfolio data, investment transaction records, and identity documents — making it a high-value target.

Timeline pressure: the largest institutional client had a 45-day deadline for security clearance or they would proceed with an alternative vendor.

Engagement Design

Given the timeline, CyberneticsPlus proposed a parallel-track engagement:

  • Track 1: Web application and API penetration test (2 weeks)
  • Track 2: Cloudflare WAF deployment (begins immediately, concurrent with pen test)

Both tracks ran simultaneously, with WAF deployment providing protection during the penetration test period.

Penetration Test Findings

Critical: Insecure Direct Object Reference on Portfolio Data

Finding: The portfolio holdings endpoint /api/portfolio/{portfolio_id}/holdings returned holding data without verifying the authenticated user’s ownership of the portfolio. Portfolio IDs were sequential integers, enabling enumeration across all client portfolios.

Impact: Any authenticated user (even a company employee with a basic login) could access the complete investment portfolio, transaction history, and document vault of any other client. In a wealth management context — where client confidentiality is a regulatory and competitive necessity — this represented a severe data protection failure.

Fix: Portfolio access wrapped in an ownership check against the authenticated user’s client ID.
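The finding and its fix side by side, as an added example that is not the firm's code: the vulnerable handler returns holdings for any existing portfolio ID, while the fixed handler checks ownership against the authenticated user's client ID and answers "not found" for foreign IDs so that an enumerated ID is never confirmed to exist. The portfolio table, user records and IDs are constructed for the demo; the regression helper at the end shows how many IDs in a range each version lets one login read.

```python
# Added example (not the firm's code): IDOR on /api/portfolio/{portfolio_id}/holdings
# beside the ownership-checked version. All data below is constructed.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class User:
    user_id: int
    client_id: int   # the client account this login belongs to
    role: str        # "client", "employee", ... (not used for the ownership check)


Holding = Tuple[str, int]

# Constructed data: portfolio_id -> (owning client_id, holdings).
# Sequential IDs mirror the finding: they make enumeration trivial.
PORTFOLIOS = {
    1001: (501, [("RELIANCE", 120), ("HDFCBANK", 80)]),
    1002: (502, [("TCS", 40)]),
    1003: (503, [("INFY", 200), ("ITC", 500)]),
}


class NotFound(Exception):
    pass


def holdings_vulnerable(user: User, portfolio_id: int) -> List[Holding]:
    """Mirrors the finding: the caller is authenticated, but the portfolio's
    owner is never compared with the caller, so any login reads any portfolio."""
    if portfolio_id not in PORTFOLIOS:
        raise NotFound(portfolio_id)
    _owner, holdings = PORTFOLIOS[portfolio_id]
    return holdings


def holdings_fixed(user: User, portfolio_id: int) -> List[Holding]:
    """The remediation: access is wrapped in an ownership check against the
    authenticated user's client ID. Missing and foreign portfolios both map to
    NotFound, so the response does not reveal which IDs exist."""
    record = PORTFOLIOS.get(portfolio_id)
    if record is None or record[0] != user.client_id:
        raise NotFound(portfolio_id)
    return record[1]


def is_denied(handler: Callable[[User, int], List[Holding]], user: User, portfolio_id: int) -> bool:
    """True when the handler refuses the request."""
    try:
        handler(user, portfolio_id)
    except NotFound:
        return True
    return False


def readable_portfolios(handler: Callable[[User, int], List[Holding]],
                        user: User, id_range: Iterable[int]) -> List[int]:
    """Regression check used to confirm the fix: which IDs in the range can this login read?
    For the vulnerable handler this is every existing portfolio; for the fixed one, only the user's own."""
    return [pid for pid in id_range if not is_denied(handler, user, pid)]


if __name__ == "__main__":
    login = User(user_id=1, client_id=501, role="client")
    print("vulnerable:", readable_portfolios(holdings_vulnerable, login, range(1000, 1010)))
    print("fixed:     ", readable_portfolios(holdings_fixed, login, range(1000, 1010)))
```

The retest for this class of bug is exactly the `readable_portfolios` sweep run under a low-privilege login: after the fix it must return only the IDs that belong to that login's client, and the count must not change when the ID range is widened.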

Critical: Unprotected Client Document Storage

Finding: Client identity documents (PAN cards, Aadhaar, passports, bank statements) were stored in S3 with a predictable URL structure: https://clientdocs.company.com/{client_id}/{document_type}.pdf

The subdomain resolved to an S3 bucket with ListBucket and GetObject granted to the AllUsers principal, i.e. to anonymous, unauthenticated requests. Documents were not behind authentication.

Fix: Document access converted to server-side pre-signed URL generation with 15-minute expiry. Bucket public access blocked.
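A worked example of the document fix, added here and not the firm's code: the server checks ownership first, then signs a URL with an HMAC and a 15-minute expiry, and the serving layer verifies both the signature and the expiry before releasing the file. The signing key, the document table and the client IDs are constructed, and the host name reuses the page's placeholder. A real S3 deployment uses the boto3 calls named in the comments instead of a hand-rolled signer; the control demonstrated (server-side issuance, short expiry, no guessable public URL) is the same.

```python
# Added example (not the firm's code): time-limited, server-issued document URLs
# in place of a world-readable bucket with predictable paths.
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key-rotate-in-production"   # constructed secret
EXPIRY_SECONDS = 15 * 60                                      # the 15-minute expiry from the case study
BASE = "https://clientdocs.company.com"                       # the page's placeholder host

# Constructed ownership table: document path -> owning client_id.
DOCUMENTS = {
    "501/pan.pdf": 501,
    "502/passport.pdf": 502,
}

# With boto3 the equivalent controls are:
#   s3.generate_presigned_url("get_object", Params={"Bucket": b, "Key": k}, ExpiresIn=900)
#   s3.put_public_access_block(Bucket=b, PublicAccessBlockConfiguration={
#       "BlockPublicAcls": True, "IgnorePublicAcls": True,
#       "BlockPublicPolicy": True, "RestrictPublicBuckets": True})


def _signature(path: str, expires: int) -> str:
    # Bind the signature to the path AND the expiry, so neither can be swapped.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_document_url(requesting_client_id: int, path: str, now: Optional[int] = None) -> Optional[str]:
    """Server-side issuance. Ownership is checked before anything is signed;
    returns None when the requester does not own the document."""
    if DOCUMENTS.get(path) != requesting_client_id:
        return None
    now = int(time.time()) if now is None else now
    expires = now + EXPIRY_SECONDS
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"{BASE}/{path}?{query}"


def verify_document_url(url: str, now: Optional[int] = None) -> bool:
    """Check performed by the serving layer: signature must match and the link must not have expired.
    A URL with a guessed path, a changed expiry, or a missing signature is refused."""
    parts = urlsplit(url)
    path = parts.path.lstrip("/")
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if now >= expires:
        return False
    return hmac.compare_digest(sig, _signature(path, expires))


if __name__ == "__main__":
    link = issue_document_url(501, "501/pan.pdf")
    print(link)
    print("valid now:", verify_document_url(link))
```

Two details carry the security value: the ownership check happens on the server before any link exists, and the signature covers the path together with the expiry, so editing either part of a captured link invalidates it.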

High Findings (7)

  • Session tokens with 30-day lifetime and no idle timeout
  • Admin panel accessible from any IP (no IP allowlisting)
  • Missing CSRF protection on transaction approval endpoints
  • Verbose error messages exposing ORM queries
  • No MFA for advisor accounts (who have read access to all client portfolios)
  • CloudTrail disabled in ap-south-1 (Mumbai) region
  • RDS instance publicly accessible (security group allowed 0.0.0.0/0 on port 5432)
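The last item is detectable from the account's own security-group configuration. The following check is an added example, not the firm's or CyberneticsPlus's tooling: it walks records in the shape of EC2 `DescribeSecurityGroups` output (the sample groups are constructed; in practice they come from `boto3`'s `describe_security_groups`) and reports any rule that opens a common database port, or all ports, to `0.0.0.0/0` or `::/0`. It goes beyond the page's PostgreSQL case by covering several database services in one pass.

```python
# Added example (not the firm's code): find database ports exposed to the whole Internet
# in security-group rules. The sample groups below are constructed.
import ipaddress
from typing import Dict, List

SAMPLE_SECURITY_GROUPS = [
    {   # the finding: PostgreSQL open to the world
        "GroupId": "sg-0aaa111", "GroupName": "rds-postgres",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # the remediated form: reachable only from the application subnet
        "GroupId": "sg-0bbb222", "GroupName": "rds-postgres-fixed",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {   # "-1" means every protocol and port, from anywhere on v4 and v6
        "GroupId": "sg-0ccc333", "GroupName": "all-open",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

# Ports worth flagging; extend to match the estate.
DATA_PORTS = {5432: "PostgreSQL", 3306: "MySQL", 1433: "MSSQL", 27017: "MongoDB", 6379: "Redis"}


def _is_world(cidr: str) -> bool:
    """0.0.0.0/0 and ::/0 are the only prefixes of length zero."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _rule_covers_port(rule: Dict, port: int) -> bool:
    if rule.get("IpProtocol") == "-1":
        return True                       # all traffic
    from_port, to_port = rule.get("FromPort"), rule.get("ToPort")
    return from_port is not None and to_port is not None and from_port <= port <= to_port


def find_public_db_exposure(groups: List[Dict]) -> List[Dict]:
    """One finding per (group, database port) reachable from a world-open source range."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            world_open = [c for c in sources if _is_world(c)]
            if not world_open:
                continue
            for port, service in DATA_PORTS.items():
                if _rule_covers_port(rule, port):
                    findings.append({"group": group["GroupId"], "name": group.get("GroupName"),
                                     "service": service, "port": port, "source": world_open})
    return findings


if __name__ == "__main__":
    for f in find_public_db_exposure(SAMPLE_SECURITY_GROUPS):
        print(f"{f['group']} ({f['name']}): {f['service']} tcp/{f['port']} open to {', '.join(f['source'])}")
```

The remediated group `sg-0bbb222` produces no finding because its source is a private range; a rule like that, or a reference to the application tier's security group, is the intended end state for a database instance.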

Cloudflare Deployment

Concurrent with the pen test, the Cloudflare deployment progressed:

Week 1:

  • DNS migration to Cloudflare proxy
  • Cloudflare Business plan activated
  • Origin server restricted to Cloudflare IPs

Week 2:

  • WAF managed rules (Cloudflare + OWASP) enabled with Block action
  • Custom rules deployed to protect financial endpoints
  • Rate limiting on authentication and transaction endpoints
  • Bot management enabled

Tuning period (Week 3):

  • False positives from legitimate HNI clients using older mobile browsers identified and excepted
  • Portfolio management API’s bulk data export feature required a WAF exception for large response bodies

WAF performance (first 30 days):

  • 284,000 requests blocked or challenged
  • 14 confirmed attack attempts blocked (SQL injection probes, credential stuffing)
  • Zero false positives affecting legitimate transactions
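The Week 1 step "origin server restricted to Cloudflare IPs" is what makes the rest of the deployment meaningful: a WAF that can be bypassed by connecting to the origin directly protects nothing. The origin-side gate below is an added example, not the firm's or Cloudflare's code. It admits a request only when the TCP peer is a Cloudflare edge and, only then, trusts the `CF-Connecting-IP` header for the real client address. The listed prefixes are an excerpt of Cloudflare's published IPv4 ranges as assumed at the time of writing; production code must load the live lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 rather than hard-code them.

```python
# Added example (not the firm's code): accept traffic at the origin only via Cloudflare,
# and trust the client-IP header only in that case.
import ipaddress
from typing import Dict, Optional

# Excerpt only; refresh from Cloudflare's published lists in production.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17",
)]


def from_cloudflare(peer_ip: str) -> bool:
    """True when the connecting address belongs to a Cloudflare edge range."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def admit_request(peer_ip: str, headers: Dict[str, str]) -> Optional[str]:
    """Origin-side gate. Returns the client IP to log and rate-limit against,
    or None when the request must be rejected.

    The CF-Connecting-IP header is honoured only for connections that arrived
    from a Cloudflare edge: any party reaching the origin directly could set it
    to whatever value it liked, so on a direct connection it is meaningless."""
    if not from_cloudflare(peer_ip):
        return None                                # direct-to-origin: WAF was bypassed
    client_ip = headers.get("CF-Connecting-IP")
    if client_ip is None:
        return None                                # edge traffic always carries it
    try:
        ipaddress.ip_address(client_ip)
    except ValueError:
        return None                                # malformed header value
    return client_ip


if __name__ == "__main__":
    # Constructed requests: one proxied through Cloudflare, one straight to the origin.
    print(admit_request("104.16.1.1", {"CF-Connecting-IP": "198.51.100.7"}))   # 198.51.100.7
    print(admit_request("203.0.113.9", {"CF-Connecting-IP": "198.51.100.7"}))  # None
```

The same allowlist belongs in the network layer as well (the origin's security group or host firewall permitting HTTPS only from the Cloudflare ranges), so that a misconfigured application server cannot quietly reopen the bypass.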

Remediation Timeline

Severity   Count   Time to Resolve
Critical   2       5 business days
High       7       12 business days
Medium     9       25 business days
Low        4       Accepted (documented)

Outcome

CyberneticsPlus issued a remediation certification letter 38 days after engagement start — within the 45-day institutional client deadline.

Enterprise client onboarding:

  • Family office: Onboarded as client (named CyberneticsPlus report and Cloudflare protection as key clearance factors)
  • Corporate treasury: Onboarded after reviewing report and retest evidence
  • Trust company: Onboarded after additional due diligence call with CyberneticsPlus to explain findings and remediation

Security posture improvement:

  • Critical data exposure eliminated
  • All client documents behind authenticated access
  • WAF actively protecting the application
  • Security monitoring via Cloudflare + AWS GuardDuty (enabled during assessment)

The company’s revenue from the three institutional onboardings covered the cost of the security programme 8× in the first year.

Client: Anonymous · Financial Services · India
