
Executive Summary
Branch is a leading workforce payments infrastructure provider trusted by over 1,300 enterprise organizations—including Uber, Instacart, and Union Square Hospitality Group. —to power instant payments, earned wage access, and digital banking for millions of W-2 and 1099 workers. With over 1200% growth over the last three years and a new embedded payments partnership with Stripe, Branch processes sensitive financial data at massive scale across its mobile app, public APIs, and white-label integrations. Faced with an expanding attack surface and the limitations of annual third-party penetration tests, Branch’s security team deployed Assail’s Ares platform to deliver autonomous, continuous offensive security testing across its most critical assets. Within the first engagement, Ares identified a critical vulnerability in minutes that had gone undetected by Branch’s previous consultancy for years. Since deployment, Branch has maintained continuous offensive coverage across its full stack, fundamentally changing how the organization approaches security validation.
The Challenge
Branch’s infrastructure handles real-time wage disbursements, cashless tip payouts, and Mastercard-issued debit card transactions for hundreds of thousands of workers daily. Every API endpoint, every mobile session, and every white-label integration represents a potential entry point for adversaries targeting financial data.
Like most enterprises in regulated industries, Branch relied on annual penetration testing engagements—typically a two-to-three-week assessment conducted by an external consultancy once per year. But the pace of Branch’s product development had outstripped the testing cadence. New API endpoints, mobile app releases, and partner integrations were shipping continuously, while security validation happened on a static, annual schedule.
Jeff Buelt, VP of Security at Branch, identified three critical gaps:
Limited testing frequency that left new code unvalidated for months between annual assessments
Narrow scope that couldn’t keep pace with their growing integration footprint across new partners, enterprise white-labels, and new API surfaces
Slow remediation validation that created uncertainty about whether fixes actually closed the exposure—often waiting until the next annual cycle to confirm
Compliance pressure from PCI DSS requirements and financial partner audits demanding evidence of ongoing security validation—not just a single point-in-time report
Testimonial
“As a fintech moving real money for all kinds of workers, our API and mobile attack surface changes faster than any quarterly pentest can keep up with. Ares gave us continuous autonomous red teaming across our APIs, web app, and mobile clients — and the validation layer means every finding that reaches my team is a real, exploitable issue, not noise. In the first engagement, Ares surfaced exploit chains our previous testing missed entirely. It's the first AI security product I've deployed that actually gives my team time back.” — Jeff Buelt, VP of Security, Branch
The Solution
After working with Assail to scope a proof of concept, Branch deployed Ares to deliver autonomous, continuous offensive security testing across its highest-risk assets. Ares operates as a multi-agent autonomous red team — coordinating specialized agents purpose-built for API testing, web application exploitation, and mobile client analysis, with a dedicated validation layer that confirms every finding is a real, exploitable issue before it ever reaches a human analyst. Ares chains vulnerabilities into complete kill chains the way a skilled human adversary would, and proves exploitability end-to-end rather than surfacing unverified findings for the security team to triage.
Branch directed Ares at its external attack surface — including the public APIs powering instant payments, earned wage access, and white-label partner integrations — and the Branch mobile application. Ares runs continuously against both production and staging environments, allowing the security team to validate new code, new endpoints, and new partner integrations as Branch's footprint expands. This continuous model complements Branch's existing annual third-party penetration testing engagement, providing offensive validation that moves in lockstep with engineering velocity and contributing evidence to support ongoing PCI DSS and financial partner security reviews.
The Result
During the initial deployment, Ares autonomously discovered a critical-severity vulnerability in Branch’s application within three minutes of engagement—a finding that the company’s previous third-party consultancy had failed to identify across multiple annual assessment cycles.
“What sold us was seeing Ares surface a critical vulnerability in three minutes that our annual consultancy couldn’t find in three weeks. That’s not an incremental improvement—that’s a fundamentally different capability.” — Jacob Ronald, Director of Security, Branch
Beyond the initial discovery, Branch now runs Ares continuously against its production and staging environments, enabling the security team to:
Validate remediations in real time rather than waiting months for the next annual pentest to confirm fixes closed the exposure
Test new API endpoints as they ship, keeping security validation in lockstep with development velocity
Maintain continuous offensive pressure across an attack surface that grows with every new enterprise integration and partner deployment
Strengthen compliance posture with continuous evidence of offensive testing for PCI DSS audits and financial partner security reviews
Real-world examples of how security teams identify threats faster, strengthen operational resilience, and gain continuous visibility across critical systems.