In April, a single VPN vulnerability led to data breaches at more than seventy financial institutions running Marquis Software's infrastructure, according to American Banker's reporting on the incident. The patch existed. The institutions affected likely had recent penetration tests on file. Neither prevented the exposure from compounding across the portfolio.

The math is straightforward. A standard annual external penetration test runs two to three weeks of active testing. That leaves roughly 345 days of operational reality unvalidated.

Mandiant's M-Trends 2026 report puts the 2025 median dwell time at fourteen days, reversing a multi-year decline, with espionage actors averaging 122 days.

CrowdStrike's 2026 Global Threat Report ranks financial services fourth in interactive intrusion targeting. Adversaries did not wait between annual assessments. The model assumed they would.

Regulators Set the Floor Against a Slower Threat Model