A 0–1 playbook for fintech security

Running example

Meet Volta (fictional)

Business

Cross-border remittance. Users deposit fiat through a web app, Volta converts to USDC for settlement, and recipients withdraw in any local currency. Think Wise, but with a crypto settlement layer underneath.

Team

22 people. 10 engineers, 3 in operations, 4 in customer support, the rest in business and compliance. No dedicated security hire. Tomás, a senior backend engineer, is interested in security and has done some informal hardening, but it's not his primary responsibility. Leah, the CTO, owns security decisions by default because nobody else does.

Stack

React frontend and Node.js API backend, hosted on AWS
PostgreSQL database for user accounts and transaction records
Third-party KYC provider for identity verification
Banking-partner API for fiat on/off-ramps
Third-party custody service for holding USDC reserves
Internal admin panel used by support and operations staff
CI/CD through GitHub Actions, deploying to ECS containers

Situation

Volta just closed a Series A and is preparing for growth. They hold roughly $12M in customer funds across their custody and banking relationships. A board member has started asking pointed questions about their security posture after reading about the ByBit breach. Leah knows they need to get serious, but isn't sure where to start or how to prioritize given their limited resources.

FramingWhy a methodology matters.

Most organizations approach security reactively. Something breaks, someone panics, a vendor gets hired, a report gets filed, and things go quiet until the next incident. This pattern is expensive, stressful, and most importantly, doesn't reduce risk over time. The organization ends up patching individual holes without ever understanding the shape of the thing it's trying to protect.

A methodological approach changes that. It provides a repeatable process for understanding an attack surface, identifying what matters most, and making deliberate decisions about where to invest limited security resources. It turns security from a series of fire drills into a program that can be reasoned about, communicated to stakeholders, and improved over time.

FrameworkThe OODA loop as a security framework.

The methodology presented here borrows its structure from John Boyd's OODA loop, a decision-making framework originally developed for military strategy that has since found application in business, competitive strategy, and, as it turns out, information security. OODA stands for Observe, Orient, Decide, Act. It describes a cycle: gather information about the environment, make sense of it in context, choose a course of action, execute, and then start the cycle again with updated information. The steps map naturally to organizational security.

Figure 01 · The methodologyBoth sides run the same loop. The question is whose runs faster.

Security is a race of two loops, both running the same four phases against the same target. The attacker observes, orients, decides, and acts, in hours or sometimes minutes. The defender's edge is running the loop at all.

This framework is effective because it provides structure, and because attackers operate the same way. A competent adversary will observe an organization's external footprint, orient around what's valuable and reachable, decide on an attack path, and execute.

Most organizations, when they engage with security at all, are stuck somewhere in Observe. Many never get past Orient. Almost none complete the full cycle repeatedly. The goal of this methodology is to move through the entire loop, learn from each pass, and build a security posture that improves continuously rather than decaying between incidents.

01ObserveIntelligence gathering.

The first step is building an honest picture of the current state. It's not possible to protect what isn't visible, and most organizations have gaps in their own understanding of the attack surface they need to manage. This phase is about assembling that picture from the outside in, and the inside out.

The external footprint

The starting point is what an attacker would see. External reconnaissance is the first step any adversary takes when evaluating a target, and for a moderately sized company, it typically takes less than an afternoon to get a usable picture of the exposed surface.

External footprinting covers four surfaces:

DNS and subdomains. The full extent of internet-facing infrastructure, including what may have been forgotten: staging environments left running, internal tools exposed to the public internet, leftover infrastructure from defunct projects.
Exposed services. Open ports, admin panels, database interfaces, development tools reachable from the internet. All potential entry points.
Cloud resources. Storage buckets, serverless endpoints, container registries that may be misconfigured or unintentionally public.
Public information leakage. Job postings, open-source repos, social media, technical blog posts. These reveal tech stacks, internal tooling, infrastructure patterns, and even the security team's size (or its absence) to an attacker doing their homework.

The tools for this work are freely available. Shodan and Censys index internet-facing infrastructure and support searching for specific assets of organizations. Subfinder and Amass automate subdomain discovery. Certificate transparency logs at crt.sh show every TLS certificate ever issued for a given domain. Attackers use all of these, so defenders should use them first.

Volta: Example

Checking back in on Volta, Tomás spends a Friday afternoon running Subfinder against volta.xyz and cross-checking results in Shodan. He discovers 14 subdomains. Most are expected: app.volta.xyz, api.volta.xyz, docs.volta.xyz. But three stand out:

staging-api.volta.xyz is a staging environment still running an older API version with debug mode enabled, returning full stack traces on errors.
admin-old.volta.xyz is a deprecated admin panel from before the current one was built. Still running. Still reachable.
jenkins.volta.xyz is the CI server, accessible from the public internet with the default Jenkins login page.

None of these assets were on anyone's radar. The staging API alone would give an attacker a lower-security copy of the backend to probe for vulnerabilities before turning their attention to production. The exposed Jenkins instance is worse: if default credentials or a known vulnerability allowed access, an attacker could tamper with build pipelines and ship malicious code directly to Volta's customers.

Additionally, Tomás checks Volta's frontend JavaScript bundle and API documentation for references to wallet addresses. He finds a USDC settlement address hardcoded in the frontend as part of a transaction status feature. Plugging that address into Etherscan reveals Volta's current reserve balance, transaction frequency, peak settlement times, and counterparty addresses. This is all public data on-chain, so anyone can see it. For an attacker in the reconnaissance phase, it's a free look at how much Volta is worth targeting and when their highest-value transactions occur.

Tomás reacts: He puts the Jenkins instance behind Volta's VPN the same day. That's a configuration change in AWS security groups that takes 15 minutes. He files tickets for the other two: the deprecated admin panel gets prioritized for decommissioning, and the staging API gets debug mode turned off immediately (a one-line environment-variable change) while the team figures out whether a partner integration still depends on it. Total time: about four hours of discovery and another two hours of immediate fixes. No additional budget was required, no external help needed. Tomás was just observing.

The wallet-address exposure is a different kind of fix. Tomás moves the transaction-status lookup to a backend endpoint so the raw address is no longer shipped to the client. This doesn't make the on-chain data private (blockchain transactions are public by design), but it stops the address from being trivially discoverable through Volta's own code. Leah makes a note that their on-chain footprint is something the Orient phase should factor in: anyone who does find the address knows exactly how much is worth stealing.

Internal asset inventory

External footprinting reveals what the world can see. Internal inventory reveals what actually exists. These two pictures are different, and the gap between them is the space that attackers attempt to occupy.

An internal asset inventory should cover services and their relationships. It maps what components make up the system, what talks to what, and where sensitive data flows between them. It should enumerate third-party integrations, which are every external service the system depends on, from KYC providers to banking APIs to analytics services. Each integration is a trust relationship with security implications. It should include software dependencies. Lastly, it should document who can reach what, through which interfaces, and at what privilege level.

While an asset inventory may seem daunting, it doesn't need to be formalized in a CMDB or an enterprise asset management platform. For a small to medium-sized business, a well-maintained spreadsheet or internal wiki page is a perfectly valid starting point. What matters is that the inventory exists and that someone owns keeping it up to date.

One category of assets that consistently escapes inventory efforts is personal accounts used for business operations. It's common, especially in early-stage companies, for infrastructure to end up registered under a founder's personal email or individual account. This could be a Cloudflare account managing production DNS, an Apple Developer account tied to a personal Apple ID that publishes the company's mobile app, or a domain registrar login known only to one person. These accounts are invisible to any automated inventory process because they exist outside the organization's identity boundary. They often lack MFA, aren't subject to access reviews, and represent single points of failure: if the account holder leaves, loses access, or gets personally compromised, the business-critical resource goes with them.

Volta: Example

At Volta, Leah asks Tomás to build a basic inventory of their systems and integrations. He puts together a shared spreadsheet with columns for: system or service name, what it does, what sensitive data it touches, and who has access. The exercise takes about two days of intermittent work and conversations with other engineers.

The inventory surfaces several things nobody had a complete picture of:

Their KYC provider's API integration has broader permissions than expected. It can pull full identity documents, not just verification pass/fail results.
Three engineers have direct production database access. So does a contractor who finished their engagement two months ago.
The custody provider integration uses a single API key shared across staging and production environments. A compromise of staging would expose the same key that controls production funds.
Nobody is entirely sure which npm packages are in the dependency tree of the backend. The last time anyone looked was during initial setup.
Volta's mobile app is published through an Apple Developer account registered to the personal Apple ID of an engineer who left three months ago. The Cloudflare account managing their DNS and TLS certificates is under the founder's personal email with no MFA enabled. Neither account appeared in any system inventory because neither is tied to a Volta corporate login.

Tomás immediately revokes the former contractor's database access, which is a five-minute task that had just never been done. He files a ticket to generate separate custody API keys for staging and production, which the custody provider supports, but Volta never configured. He raises the KYC API permissions issue with Leah so she can take it up with the provider. And he runs npm audit on the backend for the first time, which surfaces 12 known vulnerabilities in transitive dependencies, 3 of them rated high severity. The high-severity ones get patched that week. The total cost is essentially zero, but the risk reduction is tangible.

The personal-account situation is more involved. Transferring the Apple Developer account requires contacting Apple and the former engineer. Leah thus starts that process immediately since it has external dependencies. For Cloudflare, the founder enables MFA on his personal account that afternoon as a stopgap, and Tomás begins migrating DNS management to a new Cloudflare account under a shared corporate login. Neither fix is technically complex, but both would have been invisible without explicitly asking the question.

Figure 02 · Volta's inventory, abbreviatedWhat an inventory produces: systems, trust edges, and the assets that sit outside the org boundary.

Everything inside the dashed rectangle is visible to any automated inventory. The two boxes outside aren't. They were registered under personal emails, don't appear in any org-level audit, and yet control production DNS and the mobile-app release channel. Identifying them takes one question: which services are you managing through a personal account?

Existing protection mechanisms

While mapping assets, it's worth documenting what protections are already in place. The goal is to complete the picture. Notable examples are: TLS configuration, rate limiting, WAF or DDoS protection, logging and monitoring, access-control policies, secrets-management approach, MFA enforcement, and incident-response procedures.

Volta: Example

At Volta, Tomás catalogs their existing defenses.

What they have: TLS everywhere (good), rate limiting on the public API (good, though the thresholds were set at launch and never revisited), AWS CloudTrail enabled (good, but nobody reviews the logs), MFA required for AWS console access (good), and code reviews are required for merges to the main branch (good, though reviewers don't specifically look for security issues).

What they don't have: Centralized secrets management (secrets live in environment variables and one .env file that was once shared in a Slack channel), monitoring or alerting on admin-panel access patterns, any documented incident-response procedure, and no regular review of third-party access or API key rotation.

For now, Tomás can't do anything except write down his findings. The list of what exists and what's missing is an input to the next phase. Trying to fix everything at once would be counterproductive. The point of this step is to have an honest and complete picture before making prioritization decisions.

02OrientThreat modeling and contextualization.

Observation produces raw information. Orientation provides meaning based on that information. In this phase, the inventory from the previous step gets examined through three questions: What needs protecting? Who might attack it? And where are the gaps between the current posture and the actual risk?

Critical asset identification

Not all assets are created equal, and not all breaches are equally damaging. A defacement of a marketing website is embarrassing. A breach of customer funds is existential. Orientation starts with identifying critical assets and ranking them by the impact of their compromise.

For a fintech or payments company, critical assets typically fall into a few categories:

Customer funds held in custody or banking relationships.
Cryptographic keys that control access to wallets or authorize transactions.
Customer identity data, including KYC documents, personal information, and transaction histories.
Partner and banking credentials, such as API keys and access tokens for fiat rails.
Operational infrastructure, providing the ability to process transactions and serve customers.

Each of these has a different value to an attacker and a different impact on the business if compromised. Funds and keys are directly monetizable. Identity data can be sold, used for further fraud, or leveraged for extortion. Partner credentials could enable unauthorized transactions through banking relationships. And operational disruption, most commonly through ransomware, can be used as an extortion lever even if no data is actually exfiltrated.

Ranking these forces is a conversation that many organizations avoid: does the security investment actually reflect the stated priorities? If the most critical asset is the private keys controlling $12M in customer funds, but the majority of security effort has gone into hardening the web application, there's a misalignment worth examining.

Volta: Example

Volta in practice: Leah and Tomás sit down for an hour and list Volta's critical assets, then rank them by impact. The ranking:

Custody access and private keys
Customer funds
Banking-partner credentials
Customer identity data
Operational systems and infrastructure

The ranking itself isn't surprising. What's revealing is the comparison with where security effort has actually been spent. Most of Volta's hardening (rate limiting, input validation, code reviews) has focused on the web application and API. The custody integration, which ranks #1, has received almost no security scrutiny beyond what the custody provider offers by default. The banking-partner API credentials, ranking #3, are stored in the same environment-variable file as everything else and have never been rotated.

Leah reacts: She doesn't change anything yet, but she now has a documented priority list that can guide the rest of the assessment. When trade-offs come up later ("do we fix X or Y first?"), this ranking provides the answer. She also schedules a call with their custody provider to understand exactly what security controls are available on their account and which ones Volta hasn't enabled.

Threat modeling

Threat modeling fundamentally means understanding who might attack, why, and how. Not every organization faces the same threats. A DeFi protocol with $700M in smart-contract TVL and a fiat-to-crypto payments company with $12M in custody face very different adversary profiles, even though both operate in the cryptocurrency space. Realistic adversary categories for a fintech company typically include:

Financially motivated criminal groups. Organized operations that target companies for direct monetary gain, including state-sponsored groups like Lazarus that fund national programs through crypto theft.
Opportunistic attackers. Individuals or groups scanning the internet for low-hanging fruit, running known exploits against unpatched services, and moving on if the initial effort doesn't pay off.
Insiders. Current or former employees, contractors, or support staff who have or had legitimate access and might misuse it, whether through malice, coercion, or carelessness.
Supply-chain compromise. Attacks that reach a target indirectly by compromising a vendor, library, or tool in the dependency chain.

The point of the threat modeling exercise is to be realistic about who the likely adversaries are, so that security investments are proportionate. Over-indexing on nation-state threats when the most likely attacker is an opportunistic adversary running default Shodan queries leads to spending money on the wrong things.

Volta: Example

Volta in practice: Leah and Tomás assess Volta's adversary profile. Given Volta's size and the value of assets they hold, the most likely threats are:

Opportunistic attackers probing for exposed services, default credentials, and known vulnerabilities. The exposed Jenkins instance and staging API from the Observe phase are exactly what these attackers look for.
Financially motivated groups targeting the custody integration or banking credentials. $12M is not enough to attract the most sophisticated nation-state operations, but it's well within range for organized criminal groups.
Insider risk from the support team, which has access to the admin panel and customer data. The Coinbase incident demonstrated how support staff can be bribed or socially engineered.
Supply-chain risk through their dependency on third-party custody, KYC, and banking APIs, plus the npm packages in their codebase.

What this changes: Leah deprioritizes some concerns (Volta probably doesn't need to worry about custom zero-day exploits or hardware implants) and elevates others (the admin-panel access controls, the third-party integrations, and the unreviewed npm dependencies are higher priority than she initially thought). While this document isn't a formal threat model, it helps the team develop a shared understanding of the realistic adversary landscape, which informs every decision that follows.

Mapping the gaps

With assets ranked and adversaries identified, the next step is mapping the gap between what exists and what's needed. For each critical asset: what controls are currently in place? Given the identified adversaries, are those controls sufficient? Where are the most obvious weaknesses?

This exercise produces a list of gaps ranked by the criticality of the asset they affect and the realism of the threat they're exposed to. It doesn't need to be exhaustive to be useful. Even identifying the top five gaps gives a concrete starting point.

Volta: Example

At Volta, Tomás maps their protections against their priorities:

Critical asset	Current controls	Gap
Custody access / keys	Provider defaults, shared API key across environments	No key segregation, no additional access controls configured, no monitoring on custody API calls
Customer funds	Rate limiting on API, standard application security	No transaction-anomaly detection, no velocity checks beyond the API rate limit
Banking credentials	Stored in env vars alongside other config	No rotation policy, no vault, no alerting on credential use outside expected patterns
Customer identity data	KYC provider holds raw data, Volta stores references	KYC API has broader access than needed, no audit logging on data access
Admin panel	Password-protected, accessible internally	No MFA, no access logging, no role-based restrictions (support staff have the same access as ops)

At its core, this table is a conversation tool. Leah can look at it and immediately see that the highest-priority asset (custody) has the weakest controls, while the web application, which ranks lower, has received the most attention. That misalignment is the main insight the Orient phase should surface.

Figure 03 · Where Volta actually standsAsset criticality against protection strength. Most effort has gone into the lower-right; the danger lives in the upper-left.

The insight isn't that web apps don't matter. It's that the most consequential assets, custody and banking credentials, are sitting in the most exposed quadrant. That mismatch is what the Orient phase is meant to surface.

03DecidePrioritized vulnerability assessment.

With observation and orientation complete, the picture is clear: what needs protecting, who might attack it, and where the gaps are. The Decide phase turns that understanding into a prioritized action plan. This phase is about building a triage system that feeds clean, prioritized results to the people who need to act on them, rather than adding yet another source of noise. It starts with leadership defining strategic areas of focus based on the Orient output, and those focus areas then motivate the engineer to run targeted, specialized assessments rather than broad sweeps.

Prioritization is based on impact, likelihood, and exploitability. A critical vulnerability in the custody integration, which could be exploited by a known adversary using freely available tools, is fixed before a theoretical weakness in a system that holds no sensitive data is addressed. Not everything needs fixing. What matters is fixing the right things first.

Volta: Example

Volta in practice: Leah reviews the gap analysis from the Orient phase and identifies three strategic focus areas for the first assessment cycle:

Custody and financial-integration security. The highest-value assets with the weakest controls. Any vulnerability here has existential impact.
Internal access controls and admin tooling. The admin panel is under-protected and the insider threat model from Orient makes this a realistic attack path.
Pipeline and deployment integrity. A compromised CI/CD pipeline could give an attacker access to everything, bypassing application-level controls entirely.

These three areas don't cover everything. The web-application frontend, the KYC integration, and the monitoring gaps are all real concerns. However, they're lower priority given the threat model. By narrowing the focus, Leah gives Tomás a clear mandate: assess these three areas in depth rather than scanning everything at surface level.

With that direction, Tomás selects tools and approaches matched to each focus area rather than running default scans against the full stack.

Reviewing the code

With the strategic focus areas defined, code review narrows to the components that matter most. For Volta, that means the custody integration code, the admin panel, and the CI/CD pipeline configuration. It's important to underline that this should never entail the entire codebase.

For organizations without a dedicated security team, automated tooling is the most practical starting point. Static analysis tools like Semgrep or CodeQL scan source code for known vulnerability patterns such as SQL injection, cross-site scripting, insecure cryptographic usage, and hardcoded secrets. They're not perfect, and they produce false positives, but they catch the class of issues that are most embarrassing to miss. Dependency auditing tools like npm audit, pip-audit, Dependabot, and Snyk check the dependency tree against databases of known vulnerabilities. The key with automated tools is fine-tuning. Running a scanner with default rules against a large codebase produces a report full of noise. Running it with rules tuned to the relevant stack and risk profile produces findings worth acting on. The difference between the two is usually a few hours of configuration.

Volta: Example

Volta in practice: Tomás starts with the admin panel and custody integration code (the areas Leah flagged as highest priority). Rather than running Semgrep against the entire repository with default rules, he configures it with Node.js security and secrets-detection rulesets (p/nodejs, p/secrets) and scopes the scan to the relevant directories. The scoped scan returns 23 findings instead of the 80+ a full-repository default scan would have produced. Five findings particularly stand out:

Two instances of SQL queries built with string concatenation rather than parameterized queries, both in the admin panel's search functionality.
A JWT-verification function that catches exceptions and falls through to an unauthenticated code path instead of failing closed.
A hardcoded API key for their analytics service, committed directly in source.
An endpoint that accepts user-supplied redirect URLs without validation, which could be used for phishing.

Separately, npm audit reports 14 known vulnerabilities in dependencies, including 3 high-severity issues in packages used in production. What's notable here is that Tomás is naturally running a smaller OODA loop within the larger one. He observed the codebase (scoped scan), oriented around what the findings mean in context (the admin-panel SQLi is dangerous because the admin panel also lacks MFA), decided what to prioritize (SQLi and JWT issues first, analytics-key rotation second), and will act on the fixes. This pattern is the methodology applied recursively at different scales and a sign that the framework is working as intended.

What Tomás does about it: The SQL-injection issues in the admin panel are highest priority because the admin panel also lacks MFA. These go into the current sprint. The JWT fallthrough is next because it could allow authentication bypass. The hardcoded analytics key is lower risk (it's a read-only analytics API, not a financial integration), but it still gets rotated and moved to environment config. The vulnerable npm packages with known exploits get updated that week; the rest go into the backlog.

Total setup time: roughly an hour to configure Semgrep with the right rulesets and run the first scan, at zero cost since Semgrep's community rules are free. The hardest part was making time to triage the output and actually address the valid findings.

Figure 04 · Scan-to-actionEvery cell is one finding from the default scan. Five survived all four filters.

The tool produced 1,400 findings; the engineer produced 5. Most of the collapse happens before the scan runs: choosing rulesets that match the stack and scoping to the paths that already ranked as critical in the Orient phase. The last cut, from 23 to 5, is human judgement on whether a finding is exploitable in context. None of it requires more tooling.

Reviewing the infrastructure

The infrastructure review focuses on the environment in which the code runs, scoped to the same strategic focus areas. For Volta, that means focusing on the CI/CD pipeline configuration and the cloud infrastructure supporting custody and admin-panel operations, rather than conducting a comprehensive audit of every AWS service in use.

Tools like Prowler automate configuration checks for AWS environments. Scoped to the relevant services and run with findings filtered to high and critical severity, they often produce actionable output without much time commitment.

Reviewing internal processes

Technical controls only work if the processes around them hold up. A perfectly configured secrets vault doesn't help if the onboarding process gives every new hire access to every secret. A well-designed access-control system doesn't help if offboarding consistently forgets to revoke access.

Key processes to examine:

Incident-response readiness. Is there a documented plan for what to do when something goes wrong? Has anyone rehearsed it? Who gets called, and who makes decisions?
Key management. Who holds cryptographic keys, how are signing ceremonies structured, what's the recovery process, and what's the bus factor?
Access-control hygiene. Is the principle of least privilege applied in practice? Are access reviews happening regularly? Are credentials rotated regularly?
Security awareness. Do employees handling sensitive data or customer interactions know what phishing and spear-phishing look like? Is there a process for reporting suspicious messages? Has the organization communicated baseline expectations around credential handling and social engineering?

Volta: Example

At Volta, Leah and Tomás review their operational processes against a basic checklist:

Incident response: No written plan. When an issue occurred six months ago (a database connection leak that caused downtime), the response was ad hoc. Engineers communicated in Slack, Leah made decisions on the fly, and the postmortem was a brief conversation the next day. If a security breach occurred at 2 AM, there is no documented on-call rotation, no communication template, and no pre-authorized decision framework for things like "should we halt transactions?"
Offboarding: The contractor access that Tomás found in the Observe phase wasn't an isolated case. There's no offboarding checklist that covers system access. When people leave, HR deactivates their email, but application-level access removal depends on someone remembering to do it.
Access reviews: These don't happen. Access is granted when needed and essentially never revoked unless someone asks.

What Leah does about it: She drafts a one-page incident-response plan. It's not a comprehensive framework, but a starting point: who to contact, what communication channels to use, who has authority to make critical decisions (halt transactions, rotate keys, engage external help), and a commitment to written postmortems. She also creates a basic offboarding checklist that maps each system to the access-revocation step required, and assigns it to the ops team to own. Finally, she sets a quarterly calendar reminder for access reviews. For now, these are a simple process in which each team lead confirms that their team members' access levels are still appropriate.

Leah also drafts a short internal document on phishing and social-engineering awareness, aimed specifically at the support and operations teams. It covers what targeted phishing looks like (emails referencing real internal projects or customer names to build credibility), a clear rule that no legitimate process will ever request credentials via email or chat, and a Slack channel for reporting suspicious messages. This establishes baseline expectations and a reporting mechanism where none existed before.

None of this required security expertise. Leah had to decide which actions were important and spend a few hours writing them down. The hardest part will be the organizational commitment to actually follow through.

Thoughts on prioritization

When this phase is complete, findings from the code, infrastructure, and process reviews will be on the table. Some will be quick fixes, others will require architectural changes. The temptation is to fix the easy things first because it feels productive.

Prioritization should be based on an issue's impact on critical assets. If the asset ranking from the Orient phase puts custody access at rank 1, then the shared API key across environments and the lack of monitoring on custody API calls should be at the top of the remediation list, even if the SQL injection in the admin panel is technically easier to fix.

Volta: Example

At Volta, Tomás and Leah compile their findings into a single list and sort them by priority. Their top five, considering asset criticality and exploitability:

Segregate custody API keys between staging and production (protects the highest-priority asset, moderate effort).
Fix the admin-panel SQL injection and add MFA to the admin panel. The panel protects customer data and internal access. The combination of SQLi + no MFA is particularly dangerous.
Scope down CI/CD IAM permissions and restrict GitHub Actions secrets (prevents a compromised pipeline from accessing production resources).
Establish API-key rotation for banking-partner credentials and move to a secrets manager (protects financial integration, moderate effort).
Set up basic monitoring such as CloudWatch alerts for suspicious AWS activity and logging on admin-panel access (provides visibility for the next loop iteration).

Not every prioritization decision is this clean. Tomás flagged the banking API credentials as a critical risk: never rotated, stored in plaintext, authorizing fiat transfers. From a pure engineering perspective, it should rank higher than #4.

But when Leah raises it with Volta's Head of Finance, a different picture emerges: the banking partner enforces per-transaction limits and velocity checks on their side, and Volta's business insurance covers unauthorized fiat transfers up to $5M. The residual risk after accounting for those compensating controls is materially lower than the credential-storage issue alone would suggest.

Tomás is uncomfortable with this. Relying on insurance feels like accepting a known vulnerability. He's not wrong. But the CI/CD and admin-panel fixes have no compensating controls at all, while the banking integration has several layers of external mitigation already in place. The credential rotation will still happen. It just doesn't take priority.

This is a common dynamic. Engineers assess risk through a technical lens, which is necessary but not always complete. Leadership has visibility into compensating controls, contractual protections, and insurance coverage that change the effective severity of a finding. Good prioritization requires both perspectives, and the reasoning should be documented so that the decision can be revisited in the next cycle.

04ActRemediation and hardening.

The Act phase is where findings get fixed. This sounds straightforward, and for individual issues it often is. But at the organizational level, remediation can be difficult. One reason for that is findings competing with product roadmap priorities for engineering time. A lack of clear ownership of security issues, coordination across teams or with external providers, and the risk of downtime or issues when touching production infrastructure are other significant reasons. It's important that any obstacles are considered and acknowledged upfront.

Remediation

Remediation should follow the priority order established in the Decide phase. For each finding, the approach is: understand the fix, test it in a non-production environment, deploy it, and verify it worked.

For code-level issues, remediation can be covered by the existing development workflows. Security fixes go through the same code review and deployment process as feature work, ideally with a clear label or tag so they're visible in sprint planning and don't quietly lose priority.

For infrastructure issues, the process is similar, but the blast radius of mistakes is larger. Configuration changes to IAM policies, network rules, or secrets management should be tested carefully. An overly aggressive IAM policy change can break production in ways that are difficult to diagnose quickly.

Volta: Example

Volta in practice: Tomás and Leah work through their top five findings over three weeks:

Custody API key segregation: Tomás generates a new API key through the custody provider's dashboard and configures it for the staging environment only. Production stays on the original key. The staging swap runs first so the team can monitor for issues over the following days before touching production. Once engineers confirm staging has been clean for a week, the production key gets rotated. Elapsed time: two hours of initial work, plus the monitoring window.
Admin-panel SQL injection and MFA: The SQL-injection fix is a code change, i.e., replacing string concatenation with parameterized queries. Two-line change per query, tested locally, deployed through the normal pipeline. Adding MFA to the admin panel takes longer because it requires integrating a TOTP library. Tomás uses an existing Node.js library, adds TOTP enrollment to admin user accounts, and enforces it at login. Total: about a day and a half of development work.
CI/CD permissions: Tomás writes a scoped IAM policy that limits the deployment role to ECR image pushes and ECS service updates. He tests it by running a full deployment in a staging environment before applying it to production. The GitHub Actions migration to environments takes a sprint because it requires updating all workflow files and having each developer re-enroll their branch protections. But once done, deployment secrets are only accessible to the production deployment workflow, not every workflow in the repository.
Secrets management: Rather than deploying a full vault solution immediately, Tomás migrates the most critical credentials (custody API keys, banking-partner tokens) to AWS Secrets Manager, which Volta already pays for through its AWS account. Fewer critical secrets remain in environment variables for now. This is a pragmatic compromise, not a permanent solution.
Basic monitoring: CloudWatch alarms for root-account login, failed authentication attempts above a threshold, and security-group modifications. For the admin panel, Tomás adds request logging with user identity, action performed, and timestamp, writing to a dedicated log stream. Neither of these is a complete monitoring solution, but they provide visibility that didn't exist before.

Three weeks of mostly Tomás's work, with some support from other engineers on code reviews and testing. No external consultants. No new tooling budget. Volta's security posture has improved materially because the most critical gaps have been addressed in a structured way.

Hardening

Remediation addresses specific findings. Hardening is the broader work of making systems more resilient to classes of attacks, not just individual vulnerabilities. After the immediate fixes are in place, the patterns they revealed point toward architectural improvements that prevent entire categories of issues from recurring.

Detection

After addressing the known findings, investment in detection capability pays for itself. Monitoring, alerting, and logging aren't ends in themselves but fundamental components of an observation layer for the next OODA cycle. At a minimum, an organization should know when someone accesses a system they don't normally access, when authentication patterns change (e.g., unusual login times, locations, or frequency), when critical configuration changes occur in the cloud environment, and when unexpected outbound connections appear from the infrastructure. A SIEM or a SOC isn't necessary to achieve this. CloudWatch alerts, application-level logging, and a Slack channel that receives security-relevant notifications provide more visibility than having nothing.

The continuous loop

Security isn't a project with a completion date. It's a recurring process. Organizations evolve, and so does the threat landscape. Every assessment has a shelf life.

Each cycle through the OODA methodology should produce:

An updated asset inventory reflecting new services, integrations, and dependencies.
A revised threat model accounting for changes in the threat landscape.
New findings from re-running assessment tools and reviewing recently changed code and infrastructure.
Validated fixes confirming that previous remediation actually worked and hasn't regressed.
Adjusted priorities reflecting the current state of risk.

How often the full cycle runs depends on how quickly the environment changes and how much effort and budget are warranted by an organization's risk profile. For a company like Volta, a quarterly full assessment with monthly lightweight checks (re-running automated scans, reviewing access lists, checking monitoring dashboards) is a reasonable starting cadence.

Volta: Example

Volta in practice, three months later: Tomás runs the second cycle. The external footprint scan shows two new subdomains, both expected (a new partner integration portal and a documentation site). The staging-environment issues from the first cycle were fixed and haven't recurred. Semgrep catches a new finding in recently shipped code: an API endpoint that doesn't validate content types, which could allow a content-type confusion attack. npm audit shows three new vulnerabilities in updated packages, one high-severity. The CloudWatch alerts have been quiet except for a spike in failed login attempts on the admin panel one weekend, which turned out to be a credential-stuffing attempt. The MFA added in the first cycle prevented any successful unauthorized access.

Volta still doesn't have a dedicated security hire. But they have a methodology, they have tooling, they have a prioritized understanding of their risk, and they have evidence that the work done so far is paying off. When Leah eventually hires security staff or engages an external firm for a deeper assessment, the starting point will be one of clarity rather than chaos.

LimitsWhen to bring in external help.

This methodology is designed to be actionable without deep security expertise. A technically strong engineer with some curiosity and dedicated time can meaningfully improve an organization's security posture by working through these steps. But there are limits to what internal efforts can achieve, and it's worth being explicit about where those limits are.

Most valuable when

An adversarial perspective is needed. Someone dedicated to thinking like an attacker, not a defender. Internal teams have blind spots because they built the systems they're assessing.
Depth in a specialized area is required. Cryptographic review, smart-contract auditing, advanced threat modeling, red-team exercises. These skills demand specific expertise that doesn't generalize from other engineering work.
Validation is the goal. Confirming that a self-assessment is accurate and that critical issues haven't been missed due to familiarity bias.
Speed matters. A consultancy can compress months of part-time internal effort into weeks of focused engagement.

Least valuable when

The basics haven't been done. Default credentials on internet-facing services, known vulnerabilities unpatched, no asset inventory. The first step is internal work, not a penetration test. An external assessment conducted before the low-hanging fruit is addressed will surface findings that could have been found internally.
There's no capacity to act on findings. A thorough audit report that sits in a shared drive because nobody has time to remediate the findings is money poorly spent.

The ideal engagement point is after completing at least one full cycle of this methodology. The environment will be understood, priorities will be clear, and the engagement with external assessors will be as informed partners rather than passive recipients of a report.

CloseSummary.

The methodology presented in this document isn't novel. It doesn't require proprietary tools, expensive platforms, or specialized knowledge to get started. What it requires is structure, honesty about the current state, and the discipline to follow through.

That's the point. Security isn't a destination. It's the loop.

Let's discuss your next
security milestone

A 0–1 playbook
for fintech security.

Meet Volta (fictional)

FramingWhy a methodology matters.

FrameworkThe OODA loop as a security framework.

01ObserveIntelligence gathering.

The external footprint

Internal asset inventory

Existing protection mechanisms

02OrientThreat modeling and contextualization.

Critical asset identification

Threat modeling

Mapping the gaps

03DecidePrioritized vulnerability assessment.

Reviewing the code

Reviewing the infrastructure

Reviewing internal processes

Thoughts on prioritization

04ActRemediation and hardening.

Remediation

Hardening

Detection

The continuous loop

LimitsWhen to bring in external help.

CloseSummary.

Let's discuss your next security milestone

A 0–1 playbookfor fintech security.

Meet Volta (fictional)

FramingWhy a methodology matters.

FrameworkThe OODA loop as a security framework.

01ObserveIntelligence gathering.

The external footprint

Internal asset inventory

Existing protection mechanisms

02OrientThreat modeling and contextualization.

Critical asset identification

Threat modeling

Mapping the gaps

03DecidePrioritized vulnerability assessment.

Reviewing the code

Reviewing the infrastructure

Reviewing internal processes

Thoughts on prioritization

04ActRemediation and hardening.

Remediation

Hardening

Detection

The continuous loop

LimitsWhen to bring in external help.

CloseSummary.

Let's discuss your next
security milestone

A 0–1 playbook
for fintech security.