Corvus
Organization · Recon Complete · aadbd18f

Deutsche Bank AG

German multinational investment bank and financial services company headquartered in Frankfurt, Germany, providing corporate and investment banking services globally.

Primary URL: db.com
Completed: 2026-05-26 19:45 UTC
Duration: 42m 0s
Entities: 50
Relationships: 49
Evidence: 40
Judgments: 7
Timeline: 15
Geo: 12

Bottom Line Up Front

Deutsche Bank AG (LEI 7LTWFZYICNSX8D621K86, HRB 30000) is a globally systemic German universal bank headquartered in Frankfurt, reporting EUR 1.44T total assets at 2025-12-31 across investment banking, corporate banking, private banking, asset management (DWS), and wealth management. GLEIF enumerates 326 direct LEI children across 40+ jurisdictions, and DB operates three distinct enterprise ASNs (AS8373/RIPE EU, AS15769/RIPE London, AS2824/ARIN NA) with a deliberately segregated network footprint, strict DMARC (p=reject; sp=reject; adkim=s) via Proofpoint, and an EV certificate on the apex TLS endpoint. The headline analytical finding is a very likely mixed security posture: perimeter and email-security controls are mature, but the Hudson Rock Cavalier corpus enumerates 344 distinct DB-employee infostealer sessions concentrated on the dbrasweb.db.com Citrix RAS / Pulse Secure SSL VPN portal, a current, exploitable credential-exposure surface. Residual hardening gaps include absent DNSSEC on db.com, a dense 16+ Salesforce org-ID SaaS footprint with shared-SAN-cert exposure, third-party-hosted research.db.com on Markit On Demand (AS7334), and the likely compliance-drift signal of the Deutsche Cayman Ltd. LEI that lapsed on 2024-01-15. Confidence is high overall, since most load-bearing evidence is A1/A2 registry-grade, with the OpenSanctions tool gap flagged as the principal collection limitation.

§ 01

Key Judgments

5 · graded per ICD 203
KJ-01

Deliberately segregated enterprise network footprint

High Confidence

Three DB-owned ASNs (AS8373 EU/RIPE, AS15769 London/RIPE, AS2824 NA/ARIN) all share a single technical-contact pattern (dns.admin@db.com + Reiner Schaefer, ent_037) which is very likely intentional geographic separation rather than accidental sprawl. DMARC enforces p=reject; sp=reject; adkim=s via Proofpoint (ent_050), and the apex TLS cert is DigiCert EV with full O=DEUTSCHE BANK AG subject — collectively a posture inconsistent with the "incidental sprawl" hypothesis.

KJ-02

344 employee sessions infostealer-compromised; Citrix VPN is the hottest endpoint

High Confidence

Hudson Rock Cavalier enumerates 344 distinct DB-employee infostealer sessions among 4,771 total db.com-touching sessions (ent_034). The top-five exposed URLs are all DanaInfo-Citrix-RASweb endpoints behind dbrasweb.db.com (ent_021), with 81 sessions on ua.intranet.db.com/Citrix/RASweb alone. Even though individual MD-level lookups returned clean (ev_035, ent_042), the corpus-level signal is very likely a current operational risk — not a one-off historical artifact — because the captured paths are first-hop authentication URLs that only resolve from active stealer telemetry.

KJ-03

Email security strong; DNSSEC absent

High Confidence

DMARC for db.com is very likely a hardened deployment: p=reject; sp=reject; adkim=s; fo=1; ri=3600 with Proofpoint-fronted rua/ruf reporting. SPF authorizes only ip4:160.83.0.0/16 ~all. The defensive gap is structural rather than operational: db.com RDAP reports delegationSigned=false — DNSSEC is not enabled, and no TLS-RPT or BIMI records were surfaced.

KJ-04

326 direct LEI children; corporate structure A1-corroborated

High Confidence

GLEIF's 326-child enumeration (US 91, DE 66, GB 27, LU 25, KY 17) is almost certainly the current authoritative structure: every spot-checked subsidiary (DWS Group ent_007, norisbank ent_008, Deutsche Bank Europe ent_009, Trust Company Americas ent_010, Deutsche Cayman Ltd. ent_014) has a separate primary-registry corroboration (HRB filing, Wikidata, SEC EDGAR mailing address, or Cayman company register). The competing hypothesis — that the LEI children list is stale — fails the spot-check at every node.

KJ-05

dbrasweb.db.com Citrix portal is the highest-value attack surface

High Confidence

Of the recon-surfaced authentication endpoints (login.isso.db.com Autobahn SSO, identity.db.com Keycloak, dbrasweb.db.com Citrix RAS, scfportal.db.com Salesforce), only dbrasweb.db.com shows direct infostealer overlap. It is very likely the highest-impact remote-access target an adversary would prioritize, both because credentials for it have already been captured and because successful authentication lands inside ua.intranet.db.com with internal Citrix session access.

KJ-06

Dense SaaS dependency cluster — Salesforce, Atlassian, Markit, Frontify

Moderate Confidence

TXT-record enumeration surfaces a likely dense SaaS footprint: 16+ Salesforce org IDs, Atlassian, Adobe IdP, Pexip, Docker. URLScan corroborates that research.db.com is hosted on Markit On Demand (AS7334) and brand.db.com on Frontify (AWS eu-central-1). Confidence is held to moderate because the count of Salesforce org IDs implies multiple business units have provisioned independent tenants — each with its own trust posture that recon cannot observe.

KJ-07

Deutsche Cayman Ltd. LEI lapsed — compliance/reputation pressure point

Moderate Confidence

Deutsche Cayman Ltd. (ent_014, Cayman company 64883, registered at Intertrust Corporate Services since 1996) is likely in active wind-down: legal status is ACTIVE but LEI 529900PLMCWKG4WW7813 lapsed 2024-01-15 and was not renewed. This generates a small but real reputational/compliance pressure point given regulator focus on offshore-vehicle transparency — even though the entity remains legally valid.

§ 02

Threat Snapshot

Top 2 vectors / controls

Red · Adversary Vectors

R-01 Severe

Credential-stuffing / session-replay against dbrasweb.db.com Citrix RAS portal


Blue · Defensive Controls