Penetration testing in Africa: a guide for regulated institutions

Across Africa, the institutions that hold the most sensitive data and move the most money are also the ones under the most pressure to prove they are secure. Banks, fintechs, telecoms running mobile money, government ministries, and healthcare systems all face the same question from regulators, partners, and their own boards: have you tested your defences against someone who is actually trying to break in?

This is the guide to answering that question properly. It covers why regulated institutions across the continent need manual penetration testing, the regional regulatory map that shapes what testing has to demonstrate, what real testing involves versus an automated scan, and how to choose a provider that can operate across African markets. Where a claim is specific, it is verifiable. We do not invent statistics.

Why regulated institutions across Africa need manual VAPT

The African financial landscape is not a smaller copy of Europe's or North America's. It is structurally different, and those differences change the attack surface.

Mobile-first banking is the default, not the exception. A large share of customers reach financial services through a phone rather than a branch or a desktop browser. That means the mobile app, the USSD menu, and the mobile money wallet are not peripheral channels. They are the core of the bank, and they carry the core of the risk.

The specific attack surfaces that matter most across the continent:

• Mobile money platforms. USSD and app-based wallets process enormous transaction volumes and are tightly integrated with banks, billers, and agent networks. Flaws in transaction authorisation, PIN handling, or agent provisioning translate directly into financial loss.
• USSD channels. USSD is session-based, runs over telecom infrastructure, and is easy to under-test because it does not look like a normal web application. Session hijacking, replay, and weak transaction signing are recurring problems.
• Core banking interfaces and APIs. Modern institutions expose core banking through APIs to power apps, partner integrations, and payment processors. A single broken authorisation check on an API can expose every customer.
• Third-party and vendor risk. Few African institutions build everything in-house. They integrate switch operators, payment aggregators, KYC providers, and cloud services. Each integration is a trust relationship an attacker can target, and the institution remains accountable for the data that flows across it.

Automated tools do not understand any of this. A scanner can flag a missing security header. It cannot reason about whether an agent in a mobile money network can provision a wallet they should not, or whether a transaction can be replayed to double a credit. Those are the findings that cost money, and they require a human who tests the system the way an attacker would. We cover the channel-specific detail in our guide to mobile money security testing, and the integration angle in supply chain attacks on African financial institutions.

The regulatory map across Africa

There is no single African cybersecurity regulation. Each major market has its own supervisor and its own expectations, layered on top of cross-border standards that apply regardless of where you operate. Understanding both layers is the difference between a test that satisfies your regulator and one that does not.

Rwanda: National Bank of Rwanda (BNR)

The National Bank of Rwanda supervises financial institutions and sets cybersecurity and IT risk expectations for the institutions it regulates, including independent security testing of critical systems. Reporting that maps findings to the regulator's expectations is what makes a test useful to a Rwandan institution rather than just a technical exercise. We go deep on this in BNR cybersecurity requirements and penetration testing in Rwanda.

Kenya: Central Bank of Kenya (CBK)

The Central Bank of Kenya has issued guidance on cybersecurity for the banking and payments sector, setting expectations for governance, risk management, and independent assessment of critical systems. Kenya's deep mobile money penetration makes the channel-level testing described above especially relevant. See CBK cybersecurity guidance for Kenyan banks and our Kenya penetration testing guide.

Nigeria: Central Bank of Nigeria (CBN)

The Central Bank of Nigeria sets cybersecurity and risk-management expectations for banks and other financial institutions under its supervision, including requirements around security testing and incident readiness. Nigeria's scale and the density of its fintech sector make independent testing a competitive as well as a regulatory matter. Our Nigeria penetration testing guide covers the local detail.

Ghana: Bank of Ghana and the Cyber Security Authority

Ghana has two relevant authorities. The Bank of Ghana supervises financial institutions and their security posture, while the national Cyber Security Authority oversees broader cybersecurity matters, including the licensing of cybersecurity service providers. Institutions operating in Ghana should account for both. See our Ghana penetration testing guide.

South Africa: SARB and POPIA

South Africa combines prudential supervision through the South African Reserve Bank (SARB) with a data-protection regime under the Protection of Personal Information Act (POPIA). POPIA imposes obligations around the security of personal information, which makes testing of systems that process customer data a data-protection concern as well as a financial one. Our South Africa penetration testing guide goes further.

Cross-border standards that apply everywhere

Three standards cut across all of these jurisdictions:

• PCI DSS. Any institution that stores, processes, or transmits cardholder data is in scope. PCI DSS explicitly requires regular penetration testing of the cardholder data environment, not just scanning.
• ISO 27001. The international standard for information security management systems. It is voluntary but widely adopted across African institutions as a way to demonstrate a managed approach to security to partners and regulators.
• SWIFT Customer Security Programme (CSP). Any institution connected to the SWIFT network is subject to the CSP's mandatory security controls and annual attestation. We cover this in SWIFT CSP compliance.

The practical implication: a single institution can be answerable to a national banking supervisor, a data-protection authority, PCI DSS, and the SWIFT CSP at the same time. Good testing produces evidence that serves all of them, rather than four disconnected exercises.

Real penetration testing vs automated scanning

The single most common problem we see in the African market is a scan sold as a penetration test. The two are not the same, and a competent regulator can tell the difference.

An automated vulnerability scan runs a tool against your systems and produces a list of known issues matched against a signature database. It is fast, cheap, and useful as a hygiene check. It is also blind to anything that requires reasoning: business logic, authorisation across user roles, transaction flows, and the chaining of small issues into a serious compromise.

Manual penetration testing is performed by a person who attempts to exploit what the scan flags, finds what the scan misses, and demonstrates real impact:

• Exploitation, not just detection. A finding is proven, not guessed. A report that says "this user can read another customer's full transaction history, and here is the request that does it" is worth more than a generic severity rating.
• Business logic testing. Can a transaction be replayed? Can a loan approval flow be automated to bypass intended friction? Can an agent in a mobile money network exceed their authority? No scanner tests these.
• Authorisation testing across roles. A scanner does not log in as two different users and check whether one can act as the other. A tester does.
• Chaining. Individual low-severity findings often combine into a critical compromise. Identifying the chain is human work.

The output should be evidence-led: reproducible steps, the actual requests and responses, the business impact, and remediation a developer can act on. For supervised institutions, the report should also map each finding to the regulator's expectations so the engagement does double duty as compliance evidence. Our security assessments and penetration testing services are built around this standard.

How to choose a provider operating across Africa

Choosing a testing provider is a buyer-education problem more than a procurement one. The market includes firms that deliver genuine offensive-security work and firms that resell a scan. Here is what to evaluate.

Manual capability, demonstrably. Ask what proportion of the engagement is manual, and ask to see a redacted sample report. A report dominated by tool output with generic remediation text is a scan in disguise. A report with proven exploitation paths and specific, system-aware remediation is the real thing.

Industry benchmarks for capability. Buyers commonly look for OSCP as a marker of hands-on testing skill at the individual level, and CREST as a firm-level benchmark in some markets. Treat these as signals to check, not guarantees. The point is to verify offensive-security depth rather than only management-system certifications.

A methodology you can review. A credible provider can explain how they test before the first invoice: discovery, authentication and authorisation testing, business-logic testing, and reporting. If they cannot describe a methodology, they do not have one.

Reporting that serves your regulator. If you are supervised by BNR, CBK, CBN, the Bank of Ghana, or SARB, the report has to be readable by both a board and a regulator. Ask whether the provider maps findings to your supervisor's expectations and to the cross-border standards you are subject to.

Cross-border consistency. If you operate in several African markets, a provider who already works across the continent gives you one consistent methodology and one reporting standard, rather than a patchwork of local vendors of uneven quality.

Firm, not freelancer. A firm brings continuity, peer review, and accountability that a single contractor cannot match across a multi-country engagement programme. You want the same standard applied to every system, every year.

Where IMIZI Cyber fits

IMIZI Cyber is an offensive-security firm based in Kigali, Rwanda. We test the regulated institutions of Africa: banks, fintechs, telecoms running mobile money, government systems, healthcare providers, and the organisations that sit in the payment rails between them.

Our work is manual and evidence-led. We exploit what we find, we prove impact, and we write reports that a board and a regulator can both act on, with findings mapped to BNR expectations and to the cross-border standards that apply to you. We test the systems that matter most in these markets: mobile and USSD channels, mobile money platforms, core banking APIs, and the third-party integrations that connect them. Our managed security engagements extend that testing into a continuous relationship rather than an annual snapshot.

The detail on individual markets lives in our country guides for Rwanda, Kenya, Nigeria, Ghana, and South Africa. You can read more about the firm and the people behind it on our about page.

If your internet-facing applications, mobile channels, payment integrations, or core banking systems have not been tested by people who understand how attacks actually unfold in African financial services, contact us to scope an assessment.