A vulnerability scanner tells you which doors and windows look unlocked. A penetration test demonstrates that one of them actually is. An Advanced Persistent Threat simulation does something different: it asks "if a motivated, well-resourced adversary spent four weeks trying to compromise this business, what would they actually achieve?" The output is not a list of vulnerabilities. It is a story of how the business gets breached, end to end, with evidence at each stage.
This post explains how an APT simulation differs from a pentest, what the engagement actually looks like, what kind of findings emerge, and when it's the right product to buy.
What "APT" actually means in this context
An Advanced Persistent Threat is shorthand for a category of attacker: well-resourced, goal-driven, patient. Real APT groups (nation-states, organised crime syndicates, ransomware operators) plan campaigns over weeks or months, blend in with normal traffic, and move slowly enough to avoid detection. The compromise of a typical fintech rarely looks like the noisy scanning patterns a pentest emulates.
An APT simulation engagement uses the techniques those actors actually use, mapped to a recognised framework (MITRE ATT&CK is the standard reference) and scoped to a specific objective (steal customer PII, initiate a fraudulent payment, exfiltrate the source code repository, ransomware the production database). It is not "more aggressive pentesting." It is a different product with a different purpose.
How the engagement runs
A representative engagement structure:
Reconnaissance (week 1). Public-source intelligence on the target. Employee names from LinkedIn. Email patterns from leaked breach data. Open job postings revealing the tech stack. Code in public GitHub repositories. Pictures from the office on Instagram. The attacker spends days building a picture of the organisation before they touch a single system.
Initial access (week 2). Most modern compromises start with a phish. A spear-phishing email tailored to a specific employee, designed to look like a vendor invoice, a recruiter, a regulatory notice. The simulation usually targets a small cohort of pre-agreed users with the awareness that some will click. The objective is to obtain working credentials or a session token. Alternative initial-access paths: a vulnerable internet-exposed service (often a VPN appliance or admin panel), a malicious package added to a project dependency, or a compromise further up the third-party software supply chain.
Persistence (week 3). Once inside, the attacker establishes ways to come back: a stolen OAuth refresh token, a scheduled task, a new service account, a malicious browser extension on a developer workstation. The objective is to survive a password reset or a session timeout.
Lateral movement and privilege escalation (week 3 to 4). From the initial foothold, the attacker enumerates the environment, finds higher-value accounts, and escalates. This is where misconfigured cloud IAM, over-permissioned service accounts, stale admin credentials in environment variables, and unfederated SaaS apps with weak SSO become the attack chain.
Objective and exfiltration (week 4). The pre-agreed objective is achieved. Customer database queried. Wire-transfer email sent from the CFO's account. Source code repository cloned to attacker infrastructure. Evidence captured at each step. Then the team writes it up.
What APT simulations find that pentests don't
Detection gaps
A pentest tells you what is exploitable. An APT simulation tells you whether you would notice. Most organisations have alerting on the wrong things (firewall logs, AV alerts) and no alerting on the right things (anomalous OAuth grants, unusual cloud API patterns, lateral SSH from non-admin accounts). The simulation surfaces this because the team intentionally tries to operate quietly and tracks which actions did or did not generate alerts.
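As an added example (not from the original post), a small Python detection for one of the signals named above, lateral SSH from non-admin accounts, run over constructed sshd log lines; the admin allow-list and the internal address prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (not from the original post)
SAMPLE_LOG = """\
Mar 12 02:11:04 web-01 sshd[2210]: Accepted publickey for deploy from 10.0.3.15 port 51322 ssh2
Mar 12 02:13:40 db-01 sshd[914]: Accepted publickey for deploy from 10.0.1.21 port 44010 ssh2
Mar 12 02:15:02 bastion sshd[301]: Accepted password for alice from 203.0.113.7 port 50211 ssh2
Mar 12 02:20:11 ci-02 sshd[512]: Accepted publickey for jsmith from 10.0.1.21 port 44120 ssh2
Mar 12 02:21:33 db-01 sshd[921]: Accepted publickey for jsmith from 10.0.1.21 port 44122 ssh2
Mar 12 02:22:05 web-02 sshd[2240]: Failed password for root from 10.0.1.21 port 44130 ssh2
"""

ADMIN_ACCOUNTS = {"deploy", "ops-admin"}   # assumed allow-list of accounts expected to SSH between servers
INTERNAL_PREFIX = "10.0."                  # assumed private range used for the server network

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_accepted(log_text):
    """Return a dict for every successful sshd login in the log text (failures are ignored)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def lateral_ssh_by_non_admin(log_text, admins=ADMIN_ACCOUNTS, internal=INTERNAL_PREFIX):
    """Flag non-admin accounts that log in to two or more distinct hosts from an internal source.

    Internal-to-internal SSH by accounts that are not expected to administer servers
    is the 'lateral SSH from non-admin accounts' signal described in the post.
    """
    targets = defaultdict(set)
    for ev in parse_accepted(log_text):
        if ev["src"].startswith(internal) and ev["user"] not in admins:
            targets[ev["user"]].add(ev["host"])
    return {user: sorted(hosts) for user, hosts in targets.items() if len(hosts) >= 2}

if __name__ == "__main__":
    for user, hosts in lateral_ssh_by_non_admin(SAMPLE_LOG).items():
        print(f"ALERT lateral SSH by non-admin {user}: {' -> '.join(hosts)}")
```

The external login by alice and the admin logins by deploy are not flagged; only jsmith, hopping between two internal hosts from the same workstation, is.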
Response gaps
An alert that fires at 3 a.m. and routes to a Slack channel nobody reads is the same as no alert. Simulations expose the response chain: who got the alert, what did they do, did they escalate, did the on-call analyst correctly identify it as malicious or dismiss it as noise. Most fintechs we engage have credible detection technology and a broken response process.
Human-layer failures
The CFO's executive assistant approves a wire transfer based on an email that "looked legitimate." A junior developer commits a credential to a public repository under pressure to ship. An ops manager grants temporary admin access to a vendor and forgets to revoke it. The simulation tests these paths because real attackers exploit them.
Chained findings
A pentest reports findings as a list. A simulation reports them as a chain. "The exposed staging environment was misconfigured to share IAM with production. A developer's leaked GitHub token had access to staging. We pivoted from staging into production via the shared IAM role. From production we accessed the customer database." Each link in the chain might be low or medium severity individually; the chain is critical.
Scope and rules of engagement
Without clear rules of engagement, simulations get dangerous. The pre-engagement document needs to specify: the objective (what counts as "success"), what systems are in scope and out of scope, time-of-day restrictions (no testing during market open for trading platforms), what the team is authorised to do (clone the database, yes; actually exfiltrate it to attacker-controlled infrastructure, no), and the abort conditions (a "stop the test" command path with named authorisers).
The other critical document is the deconfliction protocol: a way for the blue team or the SOC to verify, during the engagement, that suspicious activity they're seeing is the simulation and not a real attacker. Without this, your incident response team will (correctly) escalate and you will (incorrectly) wake up your CEO at 4 a.m.
Considering an APT simulation?
Our APT simulation engagements run from focused 2 to 4 week scenarios up to full 6 to 12 week red-team campaigns. Scoped to a pre-agreed objective, with explicit rules of engagement and a debrief that helps the defenders learn, not just feel ambushed.
When this is the right product
An APT simulation is a high-investment engagement. It is the right product when:
- You already have a mature security programme (a pentest is the right starting point if you don't).
- You have an internal blue team or SOC and want to test their detection and response.
- You hold genuinely high-value data and need to know how it actually gets stolen.
- You are subject to regulatory requirements (Joint Standard 2 of 2024, SARB Directive 1 of 2024 in the NPS) that require evidence of resilience testing, not just vulnerability management.
- You have a board-level conversation pending that needs a credible answer to "how bad would it actually be?"
If you have not run a pentest in the last year, do that first. If you have, and the findings are remediated, and the team wants to know what's left, the APT simulation is what's left.
What you do with the report
An APT simulation report is structurally different from a pentest report. The narrative matters as much as the findings. A good report includes: the attack timeline (what was done, when, with what), the detection timeline (what was alerted on, when, by whom), the response timeline (what the defenders did, what they missed), a gap analysis mapping each undetected step to the control that should have caught it, and prioritised remediation focused on detection-and-response improvements as much as on patching vulnerabilities.
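An added example, not part of the original post, of the gap analysis such a report should contain: it joins a constructed attack timeline with a constructed detection timeline and reports, per step, the time to detect, whether the detection was escalated, and the control that should have caught it. Step names, times and expected controls are constructed for illustration.

```python
from datetime import datetime

# Constructed timelines (not from the original post); times are ISO 8601, local to the engagement.
ATTACK_TIMELINE = [
    {"step": "initial-access", "technique": "T1566 Phishing", "at": "2024-03-12T09:14",
     "expected_control": "email gateway / user-reported phish"},
    {"step": "persistence", "technique": "T1078 Valid Accounts", "at": "2024-03-12T10:02",
     "expected_control": "alert on new OAuth grant at the identity provider"},
    {"step": "lateral-movement", "technique": "T1021.004 Remote Services: SSH", "at": "2024-03-19T02:21",
     "expected_control": "alert on internal SSH by non-admin accounts"},
    {"step": "exfiltration", "technique": "T1041 Exfiltration Over C2 Channel", "at": "2024-03-26T23:40",
     "expected_control": "egress volume / DLP alert"},
]
DETECTION_TIMELINE = [
    {"step": "initial-access", "at": "2024-03-12T09:31", "by": "user report", "escalated": True},
    # seen by an analyst the next morning but dismissed as noise: a response gap, not a detection gap
    {"step": "lateral-movement", "at": "2024-03-20T08:05", "by": "SOC analyst", "escalated": False},
]

def _t(s):
    return datetime.fromisoformat(s)

def gap_analysis(attack, detections):
    """Join the two timelines on step id. A step only closes its gap when it was both
    detected and escalated; otherwise the expected control is recorded as the gap."""
    seen = {d["step"]: d for d in detections}
    rows = []
    for a in attack:
        d = seen.get(a["step"])
        closed = d is not None and d["escalated"]
        rows.append({
            "step": a["step"],
            "technique": a["technique"],
            "detected": d is not None,
            "minutes_to_detect": int((_t(d["at"]) - _t(a["at"])).total_seconds() // 60) if d else None,
            "escalated": closed,
            "control_gap": None if closed else a["expected_control"],
        })
    return rows

def undetected_steps(rows):
    """Steps that generated no detection at all (the detection-gap list for the report)."""
    return [r["step"] for r in rows if not r["detected"]]

if __name__ == "__main__":
    for r in gap_analysis(ATTACK_TIMELINE, DETECTION_TIMELINE):
        print(r)
```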
The debrief is the most valuable part. A facilitated session with the blue team, walking through the attack chain step by step, explaining the techniques used, what defenders saw, what they could have seen. This is where the organisation actually learns.
Key takeaways
- APT simulation answers "what would a real attacker achieve in four weeks?" It is not more aggressive pentesting.
- Engagement structure: reconnaissance, initial access, persistence, lateral movement, objective, exfiltration. Maps to MITRE ATT&CK.
- Findings types pentests don't surface: detection gaps, response gaps, human-layer failures, chained low-severity issues that combine into critical risk.
- Rules of engagement and deconfliction protocols are non-negotiable. The simulation must not turn into a real incident response.
- Right product for mature programmes with an existing blue team and high-value data. Pentest first if you haven't already.
- The debrief is the most valuable artefact. The point is to make the defenders better, not to humiliate them.
A serious adversary will not stop at the first locked door. They will try every door, walk the perimeter, befriend the security guard, social-engineer the cleaner, and come back next week. An APT simulation tells you, before any of that happens to you for real, what they would have found.