GLBA Safeguards Rule Penetration Testing

The FTC now mandates annual penetration testing. Make sure yours actually protects customer data.


GLBA Penetration Testing That Proves Your Controls Work

The updated FTC Safeguards Rule now requires annual penetration testing for financial institutions handling customer NPI. Raxis delivers human-led, AI-augmented testing that validates your access controls, encryption, MFA, and incident response readiness under real attack conditions.


Access Control & Least Privilege Validation

Real testing of who can access customer NPI, whether permissions follow least privilege, and what happens when those controls are challenged by an attacker.

Encryption & MFA Testing

Verify that data encryption in transit and at rest is properly implemented, and that MFA can’t be bypassed through session hijacking, token manipulation, or social engineering.

Board-Ready Reporting

Reports structured for your Qualified Individual’s board reporting obligations, with executive summaries, technical detail, and remediation priorities in one deliverable.

The Problem with Most GLBA Pentests

The Safeguards Rule made penetration testing mandatory. But most vendors treat GLBA compliance as a checkbox, delivering automated scans that satisfy the letter of the rule while leaving your customer data just as exposed as before. The FTC didn’t write these requirements so you could file a report. They wrote them so you’d find and fix the problems.

A Vulnerability Scan Is Not a Penetration Test

The Safeguards Rule requires penetration testing, not vulnerability scanning. They’re different assessments with different outcomes. A scan identifies known CVEs. A pentest chains exploits, tests business logic, attempts privilege escalation, and demonstrates what an attacker can actually reach. If your vendor delivers a scanner report and calls it a pentest, you’re not compliant and you’re not secure. Raxis engineers manually test your environment the way a real adversary would.

Scope That Misses Where NPI Actually Lives

GLBA requires testing of all systems connected to customer nonpublic personal information. That includes CRMs, loan origination platforms, document management systems, third-party cloud services, and customer-facing web applications. A pentest that only covers your network perimeter leaves the systems that actually store and process NPI untested. Raxis scopes every engagement around where your customer data flows.

No Testing of the Controls the Rule Requires

The updated Safeguards Rule mandates encryption, MFA, access controls, and change management. A generic pentest doesn’t validate whether those specific controls hold up under attack. Raxis tests each of them directly: can MFA be bypassed? Is encrypted data exposed through misconfiguration? Do access controls enforce least privilege when challenged? You get evidence, not assumptions.

GLBA Applies to More Than Banks

Mortgage lenders, auto dealers offering financing, insurance companies, tax preparers, payday lenders, financial advisors, and credit unions all fall under GLBA. Many of these organizations are encountering mandatory pentesting for the first time and getting the cheapest option available. Cheap doesn’t mean compliant. Raxis delivers testing that meets the FTC’s intent, not just its minimum word count.


Why Raxis for GLBA Penetration Testing

Test the specific controls the Safeguards Rule requires

OSCP-certified engineers validate your access controls, encryption implementation, MFA effectiveness, and network segmentation against real attack techniques. You get proof that each Safeguards Rule requirement holds under pressure.

Cover every system that touches customer NPI

We scope testing around your data inventory, covering internal networks, web applications, customer portals, CRMs, loan origination systems, third-party integrations, and cloud environments where NPI is stored, processed, or transmitted.

Deliver reports your Qualified Individual can present

The Safeguards Rule requires your Qualified Individual to report to the board on the overall status of your information security program. Raxis delivers executive summaries, technical detail, and prioritized remediation in one report built for that obligation.

Strengthen incident response before you need it

Real attack simulation gives your team actionable intelligence to validate and improve your incident response plan, another Safeguards Rule requirement. When you see how an attacker moves through your systems, you know exactly where your response playbook needs work.

Close the loop with remediation retesting

Finding vulnerabilities is only half the job. Raxis retests after your team remediates to confirm fixes are effective. You get documented evidence of identified-and-resolved vulnerabilities, exactly the kind of artifact regulators and auditors value most.

Go beyond annual with continuous testing

Annual testing meets the Safeguards Rule minimum. Raxis Attack (PTaaS) delivers continuous, AI-augmented testing with real-time results and unlimited retesting through the Raxis One portal. The FTC recommends continuous monitoring. We make it practical.


Frequently Asked Questions About GLBA Penetration Testing

Yes. The updated FTC Safeguards Rule (finalized 2023) requires annual penetration testing and semi-annual vulnerability assessments for financial institutions that don’t maintain continuous monitoring. This applies to any organization classified as a financial institution under GLBA, not just banks.

GLBA applies broadly to any business classified as a financial institution. This includes banks, credit unions, mortgage lenders and brokers, insurance companies, auto dealers offering financing, payday lenders, tax preparers, financial advisors, and real estate settlement services. If your organization handles customer financial data, the Safeguards Rule likely applies. Institutions serving fewer than 5,000 customers are exempt from certain requirements, but not from the obligation to maintain an information security program.

A GLBA penetration test focuses specifically on systems that store, process, or transmit customer nonpublic personal information (NPI). It also validates the specific controls the Safeguards Rule requires: access controls, encryption, MFA, and network segmentation. Raxis scopes every GLBA engagement around your NPI data flows and maps findings directly to Safeguards Rule requirements.

No. The Safeguards Rule requires both, and treats them as separate assessments. A vulnerability scan identifies known weaknesses using automated tools. A penetration test goes further by attempting to exploit those weaknesses, chain them together, and demonstrate real-world impact. Using a scan report as your pentest evidence does not satisfy the requirement.

We test internal and external networks, web applications, customer portals, CRMs, loan origination and document management systems, cloud environments, wireless infrastructure, and third-party integrations. Every engagement is scoped around your NPI data inventory to ensure full coverage of systems the Safeguards Rule requires you to protect.

Raxis Attack is our Penetration Testing as a Service platform, delivering continuous, AI-augmented testing with real-time results and unlimited retesting through the secure Raxis One portal. For GLBA, it satisfies the continuous monitoring alternative to annual pentesting and semi-annual vulnerability scanning.

At minimum annually, with semi-annual vulnerability assessments. The Safeguards Rule also requires testing after significant changes to your systems or information security program. Institutions that implement continuous monitoring through a platform like Raxis Attack can satisfy these requirements on an ongoing basis.

The FTC enforces the Safeguards Rule for non-bank financial institutions with fines up to $51,744 per violation. Beyond fines, non-compliance can result in lawsuits, reputational damage, increased regulatory scrutiny, and loss of customer trust. Banking regulators (FDIC, OCC, Federal Reserve) enforce similar requirements for banks and credit unions through their examination process.

Raxis testers hold industry-leading certifications including OSCP, CEH, GPEN, GFACT, and more listed on our certifications page.

©2026 Raxis LLC