Nigeria runs one of the largest financial-services markets in Africa, and one of the most digitally exposed. A vast base of customer accounts, a deep payment-service-provider ecosystem, USSD banking that reaches customers with no smartphone, and high card volumes together make the country a constant target. Every one of those rails is software, and software written under pressure to ship has flaws. Penetration testing is how a regulated institution finds those flaws before an attacker does.
This guide covers what penetration testing means for Nigerian banks, fintechs and PSPs: the regulatory drivers, the parts of the Nigerian environment that carry the most risk, what real testing looks like as opposed to scanning, and how to choose a provider. It is buyer education first. Where it describes how IMIZI Cyber works, that is to show what a credible engagement looks like, not to recite credentials.
The regulatory picture in Nigeria
Two bodies set most of the security expectations a Nigerian institution has to meet.
The Central Bank of Nigeria (CBN) issues risk-based cybersecurity frameworks for the institutions it supervises: deposit money banks, payment service providers, mobile money operators, other financial institutions, and microfinance banks. The common thread across these frameworks is the same set of expectations you see from regulators across the continent: board-level ownership of cyber risk, a designated security function, documented risk assessment, and regular, independent vulnerability assessment and penetration testing of critical systems with results reported up to the board. The CBN also sets incident-reporting expectations, requiring supervised institutions to notify it of significant cyber incidents.
The Nigeria Data Protection Act 2023 (NDPA), overseen by the Nigeria Data Protection Commission (NDPC), replaced the earlier NDPR as the primary data-protection law. It requires data controllers and processors to apply appropriate technical and organisational measures to protect personal data. Penetration testing is the most direct evidence that those technical measures actually withstand attack, rather than existing only on a policy page.
On top of both, PCI DSS applies to any institution that stores, processes or transmits cardholder data. PCI DSS explicitly requires penetration testing, internal and external, at least annually and after significant change. For a Nigerian bank or PSP touching cards, this is not optional.
The practical reading: if you hold customer funds, move payments, or process card or personal data in Nigeria, regular independent penetration testing is an expectation under at least one of these regimes, and usually several at once.
Why the Nigerian environment carries specific risk
A generic "test the website" engagement misses where Nigerian institutions actually get hit. The risk concentrates in a few places.
The PSP and fintech ecosystem
Nigeria's payment ecosystem is unusually layered. Licensed PSPs, switching and processing companies, mobile money operators, and a large fintech sector all interconnect through APIs. A single customer payment can traverse several organisations. Every integration point is an authorisation boundary, and every authorisation boundary is somewhere a tester should be probing for broken object-level authorisation, replay, and trust assumptions between systems. Our API security guide for banking covers these flaws in detail, because in a payment ecosystem the API is the product.
USSD and feature-phone banking
USSD banking is core infrastructure in Nigeria, not a legacy channel. It reaches customers with no smartphone and no data plan, a large share of the market. USSD flows carry their own risks: session hijacking, weak or absent transaction signing, PIN handling over a channel that was never designed for confidentiality, and business-logic gaps in menus that were bolted onto core banking. These flows are routinely left out of testing scope because they do not look like a "web app". They should be in scope.
Mobile money and agent networks
Mobile money operators and agent banking extend the financial system to the last mile, and extend the attack surface with it. The risks mirror those we describe in our mobile money security testing guide: float manipulation, velocity-check bypasses, agent-account takeover, and business-logic flaws in the channel between the wallet and the core ledger.
Third-party and supply-chain exposure
Most Nigerian banks and fintechs run on vendor-supplied core banking, switching and internet-banking platforms. A flaw in a shared platform is a flaw in every institution that uses it, and a compromise of a shared vendor can cascade across the sector. This is the pattern we examine in supply-chain attacks on African financial institutions: the weakest link is often a system the institution did not write and has never independently tested. Critical third-party systems belong in the penetration testing scope, with the contractual right to test them.
Real penetration testing versus scanning
This is the distinction that decides whether an engagement is worth anything.
A vulnerability scan runs an automated tool against your systems, matches them against a database of known issues, and produces a report. Scans are useful for hygiene and for catching missing patches at scale. They are also full of false positives, they cannot understand your business logic, and they prove nothing about exploitability. A scan will tell you a port is open. It will not tell you that a customer can read another customer's transactions by changing a number in a request.
A penetration test is manual and evidence-led. A tester reasons about how your specific systems were built, chains individual weaknesses into a real attack path, and demonstrates impact: account takeover, unauthorised fund movement, access to data the user should never see. The deliverable is not a tool dump. It is a set of findings, each with the steps to reproduce it, the proof it works, the business impact, and a remediation that fits your environment.
The flaws that actually cause losses in Nigerian financial systems (broken authorisation in a payment API, a replayable transaction, a USSD menu that skips a check, a business-logic gap in an agent flow) are exactly the flaws a scanner cannot find and a manual tester is paid to find.
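Two of the flaws just listed, broken object-level authorisation and a replayable transaction, are concrete enough to show side by side. The following is an added example, not code from IMIZI Cyber or from any real banking platform: a minimal in-memory payment API with a transaction-history handler and a transfer handler, each written once with the weakness a scanner cannot see (the customer identifier in the request trusted over the authenticated session; a transfer that executes again on every resubmission) and once with the ownership check and a replay guard in place. The account numbers, balances and transaction references are constructed, and the `Idempotency-Key` header is an assumed client convention, not something this page specifies.

```python
"""Constructed example (not code from IMIZI Cyber or any real platform):
a payment API's history and transfer handlers, each in a vulnerable form
and a hardened form. All account data below is invented."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample data: account ownership, opening balances and history.
ACCOUNT_OWNER = {"0123456789": 1001, "0987654321": 1002}
OPENING_BALANCES = {"0123456789": 100_000, "0987654321": 50_000}
HISTORY = {
    1001: [{"ref": "TX-A1", "amount": -5_000, "narration": "airtime"}],
    1002: [{"ref": "TX-B1", "amount": -25_000, "narration": "rent"}],
}


@dataclass
class Request:
    """What the framework hands a handler once authentication has run."""
    customer_id: int                  # principal fixed at login, not caller-controlled
    params: Dict[str, str] = field(default_factory=dict)    # query-string values
    body: Dict[str, object] = field(default_factory=dict)   # parsed JSON body
    headers: Dict[str, str] = field(default_factory=dict)


class PaymentApi:
    """In-memory stand-in for the ledger behind a payment API."""

    def __init__(self) -> None:
        self.balances: Dict[str, int] = dict(OPENING_BALANCES)
        # (customer_id, idempotency key) pairs that have already executed
        self.seen_keys: Set[Tuple[int, str]] = set()

    # --- transaction history -----------------------------------------------
    def history_vulnerable(self, req: Request) -> dict:
        """Broken object-level authorisation: the session is valid, but the
        customer_id taken from the query string is trusted as-is."""
        target = int(req.params["customer_id"])
        return {"status": 200, "transactions": HISTORY.get(target, [])}

    def history_hardened(self, req: Request) -> dict:
        """The requested owner is compared with the authenticated principal."""
        target = int(req.params.get("customer_id", req.customer_id))
        if target != req.customer_id:
            return {"status": 403, "error": "forbidden"}
        return {"status": 200, "transactions": HISTORY.get(target, [])}

    # --- transfers -----------------------------------------------------------
    def transfer_vulnerable(self, req: Request) -> dict:
        """Debits whichever source account the body names, and executes a
        resubmitted request again every time it arrives (replayable)."""
        src, dst, amount = req.body["from"], req.body["to"], int(req.body["amount"])
        if self.balances.get(src, 0) < amount:
            return {"status": 402, "error": "insufficient funds"}
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return {"status": 200}

    def transfer_hardened(self, req: Request) -> dict:
        """Ownership, amount and replay checks before any money moves."""
        src, dst, amount = req.body["from"], req.body["to"], int(req.body["amount"])
        # Object-level authorisation: the debited account must be the caller's.
        if ACCOUNT_OWNER.get(src) != req.customer_id:
            return {"status": 403, "error": "forbidden"}
        # A zero or negative amount would move funds in the wrong direction.
        if amount <= 0:
            return {"status": 400, "error": "invalid amount"}
        # Replay protection (assumed convention): the client supplies an
        # Idempotency-Key header; a repeated key is acknowledged, not re-executed.
        key = req.headers.get("Idempotency-Key")
        if not key:
            return {"status": 400, "error": "missing Idempotency-Key"}
        if (req.customer_id, key) in self.seen_keys:
            return {"status": 200, "replayed": True}
        if self.balances.get(src, 0) < amount:
            return {"status": 402, "error": "insufficient funds"}
        self.seen_keys.add((req.customer_id, key))
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return {"status": 200, "replayed": False}


def run_scenarios() -> dict:
    """Send both forms the two requests a manual tester would try:
    another customer's identifier, and the same transfer submitted twice."""
    cross = Request(customer_id=1001, params={"customer_id": "1002"})
    transfer = Request(customer_id=1001, headers={"Idempotency-Key": "k-1"},
                       body={"from": "0123456789", "to": "0987654321", "amount": 10_000})
    weak, hard = PaymentApi(), PaymentApi()
    weak.transfer_vulnerable(transfer); weak.transfer_vulnerable(transfer)
    hard.transfer_hardened(transfer); hard.transfer_hardened(transfer)
    return {
        "vulnerable_leaks_history": weak.history_vulnerable(cross)["status"] == 200,
        "hardened_history_status": hard.history_hardened(cross)["status"],
        "vulnerable_balance_after_replay": weak.balances["0123456789"],
        "hardened_balance_after_replay": hard.balances["0123456789"],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

Running the module shows the two implementations diverging on identical traffic: the vulnerable history handler returns another customer's records, the vulnerable transfer handler debits the account twice, while the hardened forms return 403 and debit once. A scanner sees two endpoints answering 200 either way; only a tester who changes the identifier and resubmits the transfer tells them apart, which is the scoping point of the section above.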
The methodology that holds up to a regulator
IMIZI Cyber's testing is manual, evidence-led, and aligned to the same regulatory expectations Nigerian institutions answer to. A credible engagement looks roughly like this:
- Scoping and authorisation. Agree the systems in scope, including the channels that usually get dropped: USSD, mobile, payment and partner APIs. Establish rules of engagement and written authorisation before anything is touched.
- Reconnaissance and mapping. Enumerate the real attack surface, including endpoints and flows that are not in the documentation.
- Manual exploitation. Test authentication and authorisation on every endpoint, business logic in payment and transfer flows, input handling, and the trust boundaries between integrated systems. Chain weaknesses to demonstrate real impact.
- Evidence capture. Document each finding with reproduction steps and proof, so it is not a matter of opinion.
- Reporting. Deliver findings rated by real business risk, written so a technical team can fix them and a board or regulator can understand them. This is the BNR-aligned, evidence-led reporting standard we apply across every engagement, and it maps cleanly onto CBN and NDPA expectations.
- Retest. Verify that remediations actually close the findings.
The point of the methodology is not the checklist. It is that every claim in the report is backed by proof, which is what a board can act on and a regulator will accept.
How to choose a provider operating across Africa
Penetration testing is a market with a wide quality range, and the badge on the website is not the differentiator. When evaluating any provider, including us, look for:
- Manual testing, not a rebadged scan. Ask directly: how much of the engagement is hands-on, and how do you find business-logic flaws? If the answer is vague, the engagement is a scan.
- Recognised competence benchmarks. OSCP is the widely recognised benchmark for proving hands-on exploitation skill; CREST is a recognised assessor accreditation in many markets. Treat these as general benchmarks for evaluating any provider, not as a substitute for asking what they actually do.
- Financial and payment systems experience. A tester who understands payment flows, card data, USSD and mobile money will find issues a generalist walks past.
- Evidence-led reporting. Ask to see a sample report structure. You want reproduction steps, proof, business-risk ratings and clear remediation, not a tool export.
- A firm, not a freelancer. Continuity, accountability, retesting and a report that stands behind a regulatory conversation come from an established firm with a defined methodology.
How we can help
IMIZI Cyber is an offensive security firm based in Kigali, working with banks, fintechs, payment service providers, telecoms and other regulated institutions across Africa, Nigeria included. Our testing covers web applications, APIs, mobile banking, USSD and payment flows, network infrastructure and cloud, delivered as manual, evidence-led engagements. Our work is grounded in recognised offensive-security methodology, BNR-aligned engagement experience, and reporting a board and a regulator can both act on. We test it, and we write the report.
For broader context on offensive security across the continent, see our penetration testing in Africa overview. If you operate in neighbouring markets, our guides to penetration testing in Kenya, penetration testing in Ghana, and penetration testing in South Africa cover the local regulators and risks in each. For details on our methodology and deliverables, see our penetration testing and security assessments service pages, and our about page for how engagements run. To scope an assessment for your Nigerian institution, contact us.