Resources
/
Case Studies
/
Asset Management Company (AMC)

Asset Management Company (AMC)

Securing Your Future, One Asset at a Time

Industry

Asset Management Company (AMC)

Services rendered
  • Investor Portal Pentest
  • Back-office API Security Audit
  • Mobile App Pentest (iOS & Android)
  • Endpoint & Insider Threat Review
Frameworks
  • CERT-In
  • SEBI CSCRF
  • ISO/IEC 27001:2022
  • DPDP Act 2023
  • NIST CSF 2.0
Engagement

10 weeks

Region

India

Scope

Investor portal, NAV and transaction APIs, mobile apps, and back-office endpoints assessed end-to-end.

The Challenge

What the team was up against

Challenge 01

SEBI CSCRF MII-grade controls deadline approaching

The AMC had to evidence SEBI CSCRF compliance across Identify-Protect-Detect-Respond-Recover domains within a fixed audit window, covering investor portal, RTA integrations, and back-office systems carrying folio-level PII.

Challenge 02

Investor portal exposed to account-takeover and KYC abuse

Self-service folio access, redemption flows, and Aadhaar-linked KYC re-verification created a high-value attack surface where session, OTP-bypass, or IDOR flaws could trigger unauthorised redemptions and SEBI-reportable incidents.

Challenge 03

Opaque third-party RTA and payment gateway trust boundaries

NAV publishing, folio reconciliation, and payment settlement depended on CAMS/KFintech and PG APIs over the internet, with limited visibility into authentication, replay protection, and data-in-transit controls at integration edges.

Our Approach

How we solved it

Step 01

Threat-modelled grey-box pentest aligned to SEBI CSCRF

Mapped every finding to SEBI CSCRF sub-controls and CERT-In reporting clauses. Ran grey-box testing on investor portal and APIs using Burp Suite Pro, custom Python fuzzers, and OWASP ASVS L2 checklists against folio, NAV, and redemption flows.

Step 02

Mobile + API chained-exploit assessment

Performed MASVS-aligned static and dynamic analysis on iOS and Android apps using MobSF, Frida, and Objection. Chained mobile findings with backend API tests to validate real-world investor-impersonation and redemption-tampering scenarios end-to-end.

Step 03

Insider-threat and back-office privilege review

Conducted assumed-breach simulation on the back-office network: Active Directory tiering review, BloodHound path analysis, and dealer-terminal segmentation tests to validate that an insider could not pivot from a workstation to the order management system.

The Results

What changed after the engagement

63

Vulnerabilities surfaced across portal, APIs, and apps

Including 4 critical issues in redemption and OTP flows that could have enabled folio takeover, plus 11 high-severity API authorisation gaps.

100%

Remediation verified before SEBI CSCRF audit

Every finding retested and signed off in a CERT-In format closure report, giving the AMC clean evidence for its SEBI CSCRF and statutory cyber audit submission.

0

Reportable cyber incidents in 18 months post-engagement

No SEBI CSCRF or CERT-In reportable incident on in-scope assets since closure; the AMC has since onboarded Certbar for continuous quarterly attack-surface reviews.

At Certbar Security, we partnered with a leading Asset Management Company (AMC) to bolster their cybersecurity posture. This case study illustrates how our comprehensive approach addressed their unique challenges, ensuring robust protection against emerging threats. Through meticulous planning and execution, we provided solutions that not only met but exceeded the client’s expectations, safeguarding their critical assets.


Our engagement with the AMC involved a thorough analysis of their existing security framework, identification of vulnerabilities, and implementation of advanced security measures. The results were transformative: enhanced security protocols, reduced risk exposure, and improved overall operational resilience. This case study outlines the journey, challenges faced, and the impactful outcomes achieved, demonstrating the value Certbar Security brings to its clients.

FAQs

FAQs

The main objective was to enhance the client's cybersecurity posture by identifying vulnerabilities and implementing advanced security measures to protect critical assets.

Keep reading

More case studies

Get the same outcomes

Want a similar audit for asset management security?

Talk to a CERT-In empanelled auditor. We'll scope the engagement, share a fixed price, and start within a week.