Why Your IDV Vendor Needs Adversarial Testing
.jpeg)
Fernanda Sottil
June 18, 2026•
June 18, 2026•
Every identity verification (IDV) vendor in 2026 claims to stop deepfakes. So much so, that the claims blur together. Buyers can separate fact from fiction by asking themselves: which vendors have been tested by experts who know how to find the edge cases?
The experts worth trusting have spent enough time close to the threat landscape to know how attack techniques get developed and what surfaces they touch before they show up in production environments. With a fraud red team and adversarial pen testing, experts put that experience to work and gauge how secure a vendor truly is.
Forbes research shows that 75% of enterprise tech buying decisions happen outside of the IT department. HR, finance, operations, and revenue teams are picking their own tools, often without a single decision-maker from security in the room.
That silo enables speed, but it also creates exposure. When identity and security teams are not part of the conversation early on, cybersecurity gaps emerge. And fraudsters have learned to exploit those gaps at scale.
Given this buying climate, it’s critical that teams adopt strategies to identify persistent security vulnerabilities that exist within their inter-department dependencies and policies, not solely underlying code.
Most executives I talk to are familiar with pen tests. But few understand the difference between a general penetration test and what Incode runs: a fraud red team. While general penetration tests hunt for system vulnerabilities, fraud red teams test whether your fraud detection works against the attack techniques real fraudsters use.
According to Neovera, which conducts this testing at scale: “Fraud Red Team is an external, third-party identity, authentication and fraud-testing service designed to identify weaknesses that fraudsters are using, without your knowledge, to exploit your controls and processes.”
Organizations' widest vulnerabilities often live in policies and procedures, specifically in how uniformly they're enforced across teams and regions. Standard penetration tests focus on underlying code and don't touch those gaps.
But fraudsters do. In the environments Incode operates in, including digital banking, fintech onboarding, and crypto exchanges, the most common exploits don't target the core verification engine. They target the edges:
Fraud red teams find those gaps by doing what real fraudsters do: probing the full system under realistic conditions using the actual tools in circulation, including deepfakes, video injection attacks, AI-generated documents, and synthetic identity combinations.
Fraud red teams find those gaps by doing what real fraudsters do: probing the full system under realistic conditions, not just the parts that show up in a standard audit. They test how an organization performs when someone is actively trying to get through at scale, across the exact attack vectors that are circulating in production environments today.
If you are evaluating identity verification in 2026, my advice is to stop reading the brochure and start asking four questions.
Incode has been recognized by Gartner® as a Leader in the Gartner® Magic Quadrant™ for Identity Verification two years in a row. We have been featured as a Leading Vendor in Liminal's Link Index and a Trust Leader in the Flagship Prism Report.
Analyst recognition like this indicates if a vendor is a serious, evaluated player across the market and provides evidence for how they compare on product, execution, and customer outcomes. But it does not indicate how the product performs when someone is actively trying to break down defenses, nor what true positive and true negative rates look like across a dataset in production conditions.
Standards bodies like NIST and certifications like iBeta measure technical performance against controlled benchmarks, such as face matching accuracy, presentation attack detection, and liveness.
But the level of certification matters. iBeta now operates across three tiers: Level 1 covers 2D attacks like printed photos and video replay, Level 2 adds 3D masks and dynamic artifacts, and Level 3, introduced in 2026, tests against ultra-realistic deepfake animations capable of responding to liveness prompts. Incode holds iBeta Level 3 certification, the highest bar currently available for liveness technology.
There is still one gap certifications don't close: injection attacks. iBeta measures resistance to presentation attacks, meaning spoofs delivered in front of a camera. Deepfakes delivered via software injection into the video stream are a separate attack vector entirely, and one that certifications alone don't cover. That's where adversarial testing can help.
This is the hardest validation to obtain and the least visible to buyers. A fraud red team doesn't just scan for code vulnerabilities. It probes the full system the way a real fraudster would, including injection attacks, synthetic identity combinations, and the edge cases that only show up when someone with deep knowledge of attacker behavior is actively trying to find them. The question it answers isn't just "can you be hacked?" It's whether your defenses hold up against the attack techniques currently circulating in production environments, including the ones that didn't exist when your certifications were written.
External pen tests are only as valuable as what happens after. A vendor with a dedicated internal fraud red team means results get acted on, attack patterns get fed back into product development, and the security posture improves continuously rather than at the pace of the next scheduled audit.
Ask your vendor whether they have an internal red team. If they do, interrogate how often they test their own system and how they address the results of those tests.
We hired SocialProof Security, an adversarial research firm, and gave them a sandboxed account and one instruction: try to break us.
Across 13 distinct attack types, including hardware and software video injection, deepfakes of real and synthetic identities, replay attacks, emulators, rooted devices, and AI-generated identity documents, zero bypasses were achieved across our mobile verification flows.
The people running those tests do this for a living. Finding holes in products like ours is their entire job. Zero bypasses is the difference between a claim and a proof point. It means real customers get through and fraudsters don't.
Analyst recognition puts us in the conversation. Certifications confirm we meet the technical bar. Adversarial testing proves the defenses hold when it counts: across most sophisticated attacks.
We'll keep hiring external researchers, keep publishing what they find, and keep running our internal fraud red team and fraud lab. The threat landscape doesn't slow down, and neither does our willingness to be measured against it.
Trust in this category is a track record, and a track record only exists when people outside your company put their name on it.
See how Incode performs under real adversarial pressure. Click here for the full breakdown.
%20(1).avif)
