Despite warnings from academics, former intelligence community officials, and federal law enforcement, some security professionals at financial services companies harbor a willingness to attack their adversaries. Not necessarily to destroy outside infrastructure, but more likely to identify adversaries, surveil criminal activities, and disrupt threats to their businesses. 

Such activities, which are legally ambiguous and ill-defined, at best, aren’t conducted in a vacuum. They’re not even a first step. Ultimately, this and other types activities are meant to degrade threats, while deceiving and denying bad actors before or as they carry out their crime

Regardless, there are significant risks associated with “hacking back,” including a persistent fear that unskilled vigilantes may act irresponsibly. In the worst cases, they may act as agents of foreign policy — potentially crossing a line, and accidentally escalating global tensions. 

Key questions discussed in this report:

  • What are some potential motives for practicing such activities?
  • What are those FIs’ chief concerns in conducting such operations?
  • What some of the risks associated with such activities? 

Companies Mentioned: Attivo Networks, CrowdStrike, Cymmetria, Fidelis Cybersecurity, FireEye/ Mandiant, TrapX Security, SANS Institute


Javelin conducted a series of interviews involving industry executives, vendor executives, and other relevant stakeholders to gain an understanding of the topic. Interviewees represented a variety of organizations, including those contributing to public policy. 

Data in this report is based on information collected in a random-sample panel of 800 information technology security decision-makers, 200 of whom work in financial services. For questions answered by all 800 survey respondents, the maximum margin of sampling error is ±3.46 percentage points at the 95% confidence level. For questions answered by all 200 financial services respondents, the maximum margin of sampling error is ±6.93 percentage points at the 95% confidence level. The maximum margin of sampling error is higher for questions answered by segments of respondent