KIGALI, RWANDA · AFRICA

Offensive security & penetration testing for Africa's regulated institutions

Manual VAPT for banks, fintechs, telecoms, government and healthcare. Evidence-led reporting, aligned to BNR supervision.

The team behind the testing

Every engagement is hands-on and every report is written by hand, start to finish. Credentials, background, and how we engage are below.

Aristofanis Chionis Koufakos, Lead Penetration Tester
Aristofanis Chionis Koufakos Lead Penetration Tester Aristofanis Chionis is OSCP-certified and a BlackHat Europe Arsenal contributor, with red-team and penetration-testing experience across Nordic and pan-African banking, and an MSc in Computer Security.
48hFrom scoping call to proposal
By handEvery report, start to finish
Africa-wideEngagements across multiple markets
CREDENTIALS
CERT
OSCP Offensive Security
CERT
PNPT TCM Security
TALK
BlackHat Europe Arsenal Contributor, London 2023
MSc
Computer Security Technical University of Denmark
BSc
Informatics & Telecommunications NKUA
OSS
Google Summer of Code Honeynet Project 2023/2024

Why choose IMIZI Cyber

01

Manual depth, not scanner output

Every finding is hand-verified and exploited, not flagged by a scanner and forgotten. The depth automated tools cannot reach.

02

Evidence-led reports, written by hand

No audit-team handoff, no committee laundering, no scanner-dump PDFs. The person who ran the test writes the findings and the remediation guidance.

03

Banking-grade adversary testing

Built on threat-led red team operations inside a Tier-1 Nordic bank and penetration testing across pan-African banking. The same attacker mindset, turned on your systems.

What we do

Manual VAPT for banks, fintechs, telecoms, government, ministries, healthcare and other regulated institutions across Africa. Every report is evidence-led and written by hand.

Managed Security

Two capabilities we deliver as part of a retained managed-security engagement: continuous external monitoring and security awareness, run on the cadence your environment needs.

Consulting Services

How we work

From scoping to remediation, we keep it straightforward.

1

Scoping call

We understand your environment, compliance needs, and testing objectives

2

Proposal and SOW

Clear scope, timeline, cost, and rules of engagement within 48 hours

3

Testing

1 to 6 weeks of manual testing with daily status updates on critical findings

4

Report and support

Detailed report with remediation guidance and one free retest within 30 days

Common questions

Why do banks in Rwanda need penetration testing?
BNR Regulation N°50/2022 requires regulated financial institutions to run annual penetration tests and bi-annual vulnerability assessments as part of their cybersecurity programme, with results filed with the regulator. Penetration testing finds vulnerabilities in your web apps, mobile banking, APIs, and USSD services before attackers do.
Do you help with BNR cybersecurity compliance?
Yes. We help banks, microfinance institutions, and insurance companies meet BNR cybersecurity requirements through penetration testing, vulnerability assessments, security audits, and ongoing managed security.
How much does penetration testing cost in Rwanda?
Every engagement is scoped individually based on the number of applications, infrastructure complexity, and testing depth. Contact us with your requirements; we reply within 24 hours, and a scoped proposal follows within 48 hours of the scoping call.
What is BNR Regulation on cybersecurity?
BNR Regulation N°50/2022 requires regulated financial institutions to run a cybersecurity programme that includes annual penetration testing, bi-annual vulnerability assessments, incident response plans, and security awareness training, with results filed with the National Bank of Rwanda. We help organisations meet these requirements.
What certifications does your lead practitioner hold?
Certifications: OSCP (Offensive Security Certified Professional), PNPT (TCM Security). Speaking: BlackHat Europe Arsenal contributor, 2023. Based in Kigali, Rwanda.
How often should banks do penetration testing?
BNR Regulation N°50/2022 requires at least annual penetration testing and bi-annual vulnerability assessments for supervised institutions, plus testing after any significant infrastructure or application change. Many institutions test critical systems such as mobile banking and payment APIs more frequently.
What is the difference between VAPT and penetration testing?
VAPT combines automated vulnerability scanning with manual penetration testing. Vulnerability assessment identifies weaknesses using tools. Penetration testing goes further by manually exploiting vulnerabilities to demonstrate real business impact. We do both.
Do I need ISO 27001 certification in Rwanda?
ISO 27001 is not legally mandatory in Rwanda. BNR encourages ISO 27001 alignment for financial institutions. We help organisations prepare through gap analysis, technical testing evidence, and remediation guidance; certification itself is issued by an independent certification body.
Can you help us get ISO 27001, PCI DSS, or SOC 2 certified?
We handle the readiness side: gap preparation, the technical testing evidence these frameworks require, and remediation guidance until findings close. Certification and attestation are always issued by independent audit and certification firms, which we coordinate through our partner network. We prepare you to pass their assessment; we do not certify or audit you ourselves.
Do you offer cybersecurity training for employees?
Yes. We deliver security awareness training for all staff levels, from executive briefings to hands-on technical workshops for developers and IT teams. Training covers phishing recognition, secure coding practices, incident response procedures, and BNR compliance requirements. Available on-site in Kigali or remotely across Africa.
Do you work with organisations outside Rwanda?
Yes. We are based in Kigali and deliver engagements across Africa, including remote assessments. Our team's individual credentials and background are on our about page.

BNR requires regular security assessments. Is your institution compliant?

Your next audit could be weeks away. Get a free 30-minute scoping call to identify compliance gaps before your regulator does.

Get in touch

We respond within 24 hours.

Email
Loading...
Location
Kigali, Rwanda
Entity
IMIZI Cyber Consulting Ltd

Prefer to write? Send us the details