FEBRUARY 2026 · 12 MIN READ

Penetration testing in Rwanda: the complete guide (2026)

If you run a bank, fintech, payment platform, or any technology business in Rwanda, penetration testing is no longer optional. The National Bank of Rwanda (BNR) mandates it for regulated entities, and even businesses outside financial services are increasingly required to demonstrate security due diligence to clients, partners, and the National Cyber Security Authority.

This guide covers everything you need to know: what penetration testing actually is, who needs it in Rwanda, what BNR requires, what a test covers, how to choose a provider, what certifications matter, what it costs, and what happens after the test.

What is penetration testing?

A penetration test (often called a pentest, or VAPT: vulnerability assessment and penetration testing) is a structured, authorised attempt to break into your systems in the same way a real attacker would. Unlike automated scanning tools, a skilled human tester thinks creatively, chains vulnerabilities together, and attempts to achieve real business impact (accessing customer data, transferring funds, compromising internal accounts) to prove that vulnerabilities are actually exploitable.

The goal is not to damage your systems but to find the weaknesses before a real attacker does, document them clearly, and give you a prioritised remediation plan.

Penetration testing vs vulnerability scanning: An automated scanner checks for known vulnerabilities. A penetration test uses both tools and human expertise to actually exploit those vulnerabilities and understand what an attacker could realistically achieve. For regulated industries in Rwanda, manual penetration testing is required. Automated scanning alone does not satisfy BNR requirements. Full comparison: penetration testing vs vulnerability scanning.

Who needs penetration testing in Rwanda?

The following organisations need regular penetration testing:

  • BNR-regulated institutions: commercial banks, microfinance institutions (MFIs), insurance companies, pension funds, payment service providers, mobile money operators, electronic money issuers, and savings and credit cooperatives (SACCOs). All are explicitly required by BNR to conduct regular VAPT.
  • Government agencies and parastatals handling sensitive citizen data or critical services
  • Telecom companies operating in Rwanda under RURA regulation
  • Healthcare organisations handling patient data
  • E-commerce and SaaS companies needing to demonstrate security to enterprise clients
  • Any business seeking ISO 27001 certification: technical vulnerability management is required under Annex A, and penetration testing is the standard approach

What does BNR require?

The National Bank of Rwanda requires all supervised institutions to maintain a formal cybersecurity programme. Penetration testing is an explicit component of this. BNR expects:

  • Regular VAPT conducted by a qualified provider (not internal IT staff alone)
  • Annual penetration testing at minimum, with re-testing after significant changes to systems
  • Coverage of all internet-facing systems: web applications, APIs, mobile banking platforms, USSD gateways, network perimeter
  • A formal written report with findings ranked by severity and remediation guidance
  • Evidence of remediation and re-testing

For higher-risk institutions (those running mobile banking, payment processing, or card systems) we recommend quarterly assessments. See our detailed breakdown: BNR cybersecurity requirements for banks in Rwanda.

What does a penetration test in Rwanda cover?

A complete penetration test for a Rwandan financial institution typically includes:

External network and perimeter testing

All internet-facing assets are mapped and tested. This includes web servers, API endpoints, remote access systems (VPN, RDP), email infrastructure, and any other service reachable from the internet. We identify misconfigurations, unpatched software, and exploitable entry points that an external attacker would use.

Web application penetration testing

Your core banking interface, customer portal, admin panels, and any web-based applications are tested against the OWASP Top 10 and beyond. This includes SQL injection, broken authentication, insecure direct object references (IDOR), cross-site scripting (XSS), business logic flaws, and many more. Web applications are consistently the most common source of significant findings.

API security testing

Modern banking systems expose a large number of APIs, covering mobile apps, third-party integrations, and internal services. These are tested for authentication weaknesses, authorisation bypass, excessive data exposure, and the OWASP API Security Top 10. See API security in modern banking for common findings.
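The web application and API sections above both name the same class of flaw: insecure direct object references in web apps, and authorisation bypass (broken object level authorisation) in APIs. The following is an added example, not code from the original page or from imizicyber, showing that pattern in a minimal account-lookup handler beside a hardened version that enforces ownership on the server side. The account numbers, owners and balances are constructed sample data, and the handler names are hypothetical.

```python
"""Added example (not from the original page): an insecure direct object
reference / broken object level authorisation flaw in an account-lookup
handler, beside the hardened handler that checks ownership server-side.
Accounts, owners and balances are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str      # username of the authenticated customer who owns it
    balance: int    # constructed value


# Constructed stand-in for the account table behind a lookup such as
# GET /api/accounts/<account_id> (hypothetical endpoint).
ACCOUNTS = {
    "1001": Account("1001", "alice", 250_000),
    "1002": Account("1002", "bob", 40_000),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


def get_account_vulnerable(session_user: str, account_id: str) -> Account:
    """Authenticated but not authorised: the handler trusts the identifier
    supplied by the client and never checks that it belongs to session_user,
    so any logged-in customer can read any account by changing the id."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_user: str, account_id: str) -> Account:
    """Same lookup with an ownership check on the server side. 'Not found'
    and 'not yours' produce the same error, so the endpoint does not confirm
    which account numbers exist (the enumeration issue USSD testing also
    looks for)."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        raise Forbidden("account not accessible")
    return account


def can_read(handler, session_user: str, account_id: str) -> bool:
    """True if the given handler returns the account to session_user."""
    try:
        handler(session_user, account_id)
        return True
    except (Forbidden, KeyError):
        return False


def cross_account_reads(handler) -> int:
    """Count (user, account) pairs a handler exposes across ownership
    boundaries. A correctly authorised handler returns 0."""
    leaks = 0
    users = {acc.owner for acc in ACCOUNTS.values()}
    for user in users:
        for acc in ACCOUNTS.values():
            if acc.owner != user and can_read(handler, user, acc.account_id):
                leaks += 1
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_account_reads(get_account_vulnerable))
    print("hardened handler leaks:  ", cross_account_reads(get_account_hardened))
```

The check that matters is the one in the hardened handler: authorisation is decided from the server-side session identity and the record's owner, never from anything the client sent. The same shape applies whether the identifier arrives in a URL path, a JSON body, a mobile deep link or a USSD session.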

Mobile application testing (Android and iOS)

Your mobile banking app is tested on both platforms. We examine client-side storage of sensitive data, certificate pinning implementation, runtime manipulation, and deep-link vulnerabilities. The app is often used as a launchpad to attack backend APIs. See why your mobile banking app needs a security assessment.

USSD and mobile money testing

For operators running USSD services or mobile money platforms (MTN MoMo, Airtel Money), we specifically test session handling, transaction flow manipulation, and enumeration attacks. This is a unique attack surface we have deep expertise in. See USSD security testing guide.

Internal network penetration testing

We simulate a scenario where an attacker has already gained internal access (through a phishing email, a compromised workstation, or physical intrusion) and test for lateral movement, privilege escalation, and access to critical systems and data.

Social engineering testing

Phishing simulations, vishing (phone calls), and physical security tests reveal how resilient your staff are to manipulation. Human error remains the leading cause of security incidents globally, and East Africa is not immune. See social engineering threats facing East African financial institutions.

How to choose a penetration testing company in Rwanda

Not all security providers are equal. For a detailed guide on evaluating providers in Kigali, including red flags and scoping questions, see our enterprise guide to choosing a penetration testing firm. The key factors to look for:

Verified certifications

The most important thing to verify is whether the actual tester holds recognised offensive security certifications. The industry standard is OSCP (Offensive Security Certified Professional), a hands-on exam where the tester must actually compromise machines under strict exam conditions. OSCP cannot be passed by memorisation; it proves practical skill. Be wary of providers who only list theoretical certifications (CISSP, CEH alone).

Experience with financial institutions

Testing a bank is different from testing an e-commerce website. Banking systems have complex transaction flows, regulatory sensitivities, and unique attack surfaces like core banking systems, USSD gateways, and SWIFT connections. Ask specifically about the provider’s experience with banks and fintechs in the region.

Local presence in Rwanda

For engagements that include on-site testing, physical security assessment, or social engineering, having a team physically located in Kigali matters. Remote-only providers cannot perform physical penetration testing and may struggle with timezone-sensitive coordination.

Clear methodology and deliverables

Ask for a sample report. A good penetration test report should include: an executive summary for leadership (not just technical staff), technical findings with proof-of-concept screenshots, severity ratings (CVSS or equivalent), and actionable remediation guidance that your IT team can actually implement, not generic advice.

NDA and engagement agreement

A professional provider will always establish a signed Rules of Engagement document and NDA before testing begins. This defines the scope, protects your business, and establishes the legal authority for the test. Never work with a provider who starts testing without a signed agreement.

What certifications should your pentest provider hold?

In order of importance for Rwanda-based engagements:

  • OSCP (Offensive Security Certified Professional): the gold standard. Practical, exam-based. Proves the tester can actually hack systems, not just run tools.
  • OSEP / OSED / OSWE: advanced Offensive Security certifications for evasion, exploit development, and web application exploitation
  • CEH (Certified Ethical Hacker): knowledge-based, less rigorous than OSCP but widely recognised
  • CREST membership: a UK-based professional body with high standards for penetration testing
  • CISSP: strong for governance and management-level security, less relevant for hands-on testing

imizicyber is OSCP-certified. Our lead tester holds OSCP and has conducted penetration tests across banks, fintechs, and payment providers in Rwanda and East Africa. We are based in Kigali and can conduct on-site testing when required.

How long does a penetration test take? What does it cost?

Timeline depends on scope. Typical durations:

  • Web application test (single app): 3 to 5 business days of testing
  • API security assessment: 2 to 4 business days
  • Mobile app test (one platform): 3 to 5 business days
  • Full external + web + mobile package: 7 to 12 business days
  • Full-scope enterprise engagement (network, web, mobile, internal, social engineering): 2 to 4 weeks

Pricing is scoped to your environment. Contact us for a tailored quote. We will scope the engagement, provide a fixed-price proposal, and deliver within an agreed timeline. See our guide to penetration testing costs in Rwanda for what factors affect pricing.

After the test: report, debrief, remediation

The deliverable is a formal written report delivered within 5 to 7 business days of testing completion. A good report contains:

  • Executive summary: suitable for board presentation, covering overall risk posture and key findings in plain language
  • Technical findings: each vulnerability documented with description, severity (Critical/High/Medium/Low), proof-of-concept screenshots, business impact, and step-by-step remediation guidance
  • Risk heat map: visual overview of findings by severity and affected system
  • Remediation roadmap: prioritised action plan

After the report is delivered, we conduct a debrief call with your technical team to walk through findings and answer questions. Once remediation is complete, we offer a free re-test to verify that critical and high findings have been properly fixed. This re-test is a standard part of our engagements, not an extra charge.

Frequently asked questions

Will the penetration test disrupt our systems?

A properly scoped penetration test conducted by professionals should not cause outages. We test against a defined scope agreed in advance, avoid denial-of-service techniques unless explicitly agreed, and can work during off-hours for critical systems. We have never caused a production outage in our testing engagements.

Can we do a penetration test on a test/staging environment?

Yes, and for systems where production testing carries operational risk, we often recommend testing a staging environment first. However, production testing is more realistic and often reveals issues that staging environments don’t have, such as real transaction data or live integrations.

Do we need a penetration test if we already had a vulnerability assessment?

A vulnerability assessment identifies known vulnerabilities via scanning. A penetration test proves they are exploitable and finds issues that scanners miss (business logic flaws, authentication weaknesses, chained vulnerabilities). BNR and most compliance frameworks explicitly require penetration testing, not just vulnerability scanning. See VAPT in Rwanda: what it means and what to expect.

How often should we conduct penetration tests?

  • At minimum, annually
  • After significant system changes (new applications, major upgrades, changes to network architecture)
  • Before major regulatory inspections
  • For payment systems and mobile banking: quarterly is best practice

Get started

For full details on our penetration testing methodology, deliverables, and engagement process, see our penetration testing service page. For broader security assessment needs including compliance gap analysis, see our security assessments service page.

Ready to secure your organisation?

We are an OSCP-certified penetration testing firm based in Kigali. We work with banks, fintechs, and enterprises across Rwanda and East Africa. Get a scoped quote within 24 hours.
