
Autonomous offensive security replaces our previous yearly red team exercises, delivering continuous coverage across APIs and our mobile app handling millions of financial transactions.
Executive Summary
Branch is a leading workforce payments platform trusted by over 500 enterprise organizations—including Uber Freight, Kelly, and Walmart Spark—to power instant payments, earned wage access, and digital banking for millions of W-2 and 1099 workers. With a recent $75M Series C and a new embedded payments partnership with Stripe, Branch processes sensitive financial data at massive scale across its mobile app, public APIs, and white-label integrations. Faced with an expanding attack surface and the limitations of annual third-party penetration tests, Branch’s security team deployed Assail’s Ares platform to deliver autonomous, continuous offensive security testing across its most critical assets. Within the first engagement, Ares identified a critical vulnerability in minutes that had gone undetected by Branch’s previous consultancy for years. Since deployment, Branch has maintained continuous offensive coverage across its full stack, fundamentally changing how the organization approaches security validation.
The Challenge
Branch’s platform handles real-time wage disbursements, cashless tip payouts, and Mastercard-issued debit card transactions for hundreds of thousands of workers daily. Every API endpoint, every mobile session, and every white-label integration represents a potential entry point for adversaries targeting financial data.
Like most enterprises in regulated industries, Branch relied on annual penetration testing engagements—typically a two-to-three-week assessment conducted by an external consultancy once per year. But the pace of Branch’s product development had outstripped the testing cadence. New API endpoints, mobile app releases, and partner integrations were shipping continuously, while security validation happened on a static, annual schedule.
Jeff Buelt, VP of Security at Branch, identified three critical gaps:
Limited testing frequency that left new code unvalidated for months between annual assessments
Narrow scope that couldn’t keep pace with their growing integration footprint across Stripe, enterprise white-labels, and new API surfaces
Slow remediation validation that created uncertainty about whether fixes actually closed the exposure—often waiting until the next annual cycle to confirm
Compliance pressure from PCI DSS requirements and financial partner audits demanding evidence of ongoing security validation—not just a single point-in-time report
Testimonial
“As a fintech moving real money for hourly workers, our API and mobile attack surface changes faster than any quarterly pentest can keep up with. Ares gave us continuous autonomous red teaming across our APIs, web app, and mobile clients — and the validation layer means every finding that reaches my team is a real, exploitable issue, not noise. In the first engagement, Ares surfaced exploit chains our previous testing missed entirely. It's the first AI security product I've deployed that actually gives my team time back.” — Jeff Buelt, VP of Security, Branch
The Solution
The Result
During the initial deployment, Ares autonomously discovered a critical-severity vulnerability in Branch’s application within three minutes of engagement—a finding that the company’s previous third-party consultancy had failed to identify across multiple annual assessment cycles.
“What sold us was seeing Ares surface a critical vulnerability in three minutes that our annual consultancy couldn’t find in three weeks. That’s not an incremental improvement—that’s a fundamentally different capability.” — Jacob Ronald, Director of Security, Branch
Beyond the initial discovery, Branch now runs Ares continuously against its production and staging environments, enabling the security team to:
Validate remediations in real time rather than waiting months for the next annual pentest to confirm fixes closed the exposure
Test new API endpoints as they ship, keeping security validation in lockstep with development velocity
Maintain continuous offensive pressure across an attack surface that grows with every new enterprise integration and partner deployment
Strengthen compliance posture with continuous evidence of offensive testing for PCI DSS audits and financial partner security reviews