If you run a bank, fintech, payment platform, or any technology business in Rwanda, penetration testing is no longer optional. BNR mandates it for regulated entities, and even businesses outside financial services are increasingly required to demonstrate security due diligence to clients, partners, and the National Cyber Security Authority.
This guide covers what penetration testing actually is, who needs it in Rwanda, what BNR requires, what a test covers, how to choose a provider, what to verify before you sign, what it costs, and what happens after the test.
What is penetration testing?
A penetration test (often called a pentest, or VAPT: vulnerability assessment and penetration testing) is a structured, authorised attempt to break into your systems in the same way a real attacker would. Unlike automated scanning tools, a skilled human tester thinks creatively, chains vulnerabilities together, and attempts to achieve real business impact (accessing customer data, transferring funds, compromising internal accounts) to prove that vulnerabilities are actually exploitable.
The goal is not to damage your systems but to find the weaknesses before a real attacker does, document them clearly, and give you a prioritised remediation plan.
Penetration testing vs vulnerability scanning: An automated scanner checks for known vulnerabilities. A penetration test uses both tools and human expertise to actually exploit those vulnerabilities and understand what an attacker could realistically achieve. For regulated industries in Rwanda, manual penetration testing is required. Automated scanning alone does not satisfy BNR requirements. Full comparison: penetration testing vs vulnerability scanning.
Who needs penetration testing in Rwanda?
The following organisations need regular penetration testing:
- BNR-regulated institutions: commercial banks, microfinance institutions (MFIs), insurance companies, pension funds, payment service providers, mobile money operators, electronic money issuers, and savings and credit cooperatives (SACCOs). All are explicitly required by BNR to conduct regular VAPT.
- Government agencies and parastatals handling sensitive citizen data or critical services
- Telecom companies operating in Rwanda under RURA regulation
- Healthcare organisations handling patient data
- E-commerce and SaaS companies needing to demonstrate security to enterprise clients
- Any business seeking ISO 27001 certification: technical vulnerability management is required under Annex A, and penetration testing is the standard approach
What does BNR require?
The National Bank of Rwanda requires all supervised institutions to maintain a formal cybersecurity programme, and penetration testing is an explicit component of it. BNR Regulation N°50/2022 requires supervised financial institutions to run a penetration test at least annually and vulnerability assessments at least twice a year, conducted by testers holding recognised credentials (the regulation names OSCP among them). An executive summary of the findings is filed with the National Bank of Rwanda within 15 days of the test, and an annual self-attestation is due by 15 January. Those are the written minimums. A testing programme that holds up at examination time also includes:
- Re-testing after significant changes to systems: good practice an examiner will recognise, though the regulation itself does not mandate it
- Coverage of all internet-facing systems: web applications, APIs, mobile banking platforms, USSD gateways, network perimeter
- A formal written report with findings ranked by severity and remediation guidance
- Evidence of remediation and re-testing
For institutions running mobile banking, payment processing, or card systems, we recommend testing more frequently than the regulatory minimum. See our detailed breakdown: BNR cybersecurity requirements for banks in Rwanda.
Penetration testing and Rwanda's regulatory landscape
In Rwanda, penetration testing is rarely a standalone exercise. It supplies the evidence three overlapping obligations require, and the report you commission should be written to serve all three at once.
- BNR Regulation N°50/2022. For BNR-supervised financial institutions, this is the binding requirement: a penetration test at least annually, vulnerability assessments at least twice a year, an executive summary of findings filed with the National Bank of Rwanda within 15 days of the test, and an annual self-attestation due by 15 January. The report has to be structured so a supervisor can read it. See our BNR-compliant penetration testing service for how we map findings to the regulation.
- SWIFT Customer Security Programme (CSP). Any institution connected to SWIFT files an annual attestation against the Customer Security Controls Framework, and the higher assurance levels expect that attestation to be backed by an independent assessment rather than pure self-certification. A penetration test of the SWIFT-connected environment is the natural way to produce that independent evidence. See our SWIFT CSP assessment service.
- Data Protection Law N°058/2021 and the NCSA. Rwanda's data protection law requires controllers and processors to put appropriate technical and organisational measures in place to protect personal data, and the National Cyber Security Authority (NCSA) sets expectations for organisations handling sensitive citizen data. Penetration testing is how you demonstrate those technical measures are not just documented but actually effective. See our NCSA and data protection compliance service.
A single, well-scoped engagement can produce evidence that addresses all three regimes, which is why scoping the test against your specific obligations matters more than buying a generic "annual pentest" off a price list.
What does a penetration test in Rwanda cover?
A complete penetration test for a Rwandan financial institution typically includes:
External network and perimeter testing
All internet-facing assets are mapped and tested. This includes web servers, API endpoints, remote access systems (VPN, RDP), email infrastructure, and any other service reachable from the internet. We identify misconfigurations, unpatched software, and exploitable entry points that an external attacker would use.
Web application penetration testing
Your core banking interface, customer portal, admin panels, and any web-based applications are tested against the OWASP Top 10 and beyond. This includes SQL injection, broken authentication, insecure direct object references (IDOR), cross-site scripting (XSS), business logic flaws, and many more. Web applications are consistently the most common source of significant findings.
API security testing
Modern banking systems expose a large number of APIs, covering mobile apps, third-party integrations, and internal services. These are tested for authentication weaknesses, authorisation bypass, excessive data exposure, and the OWASP API Security Top 10. See API security in modern banking for common findings.
Mobile application testing (Android and iOS)
Your mobile banking app is tested on both platforms. We examine client-side storage of sensitive data, certificate pinning implementation, runtime manipulation, and deep-link vulnerabilities. The app is often used as a launchpad to attack backend APIs. See why your mobile banking app needs a security assessment.
USSD and mobile money testing
For operators running USSD services or mobile money platforms (MTN MoMo, Airtel Money), our team specifically tests session handling, transaction flow manipulation, and enumeration attacks. This attack surface is often left out of testing scopes entirely; our methodology covers it in depth. See USSD security testing guide.
Internal network penetration testing
Our team simulates a scenario where an attacker has already gained internal access (through a phishing email, a compromised workstation, or physical intrusion) and tests for lateral movement, privilege escalation, and access to critical systems and data.
The human attack surface
Phishing, vishing, and pretext-based manipulation remain among the leading causes of security incidents across African institutions, and no amount of technical hardening removes the risk entirely. The most reliable way to lower it over time is sustained staff awareness training: teaching employees to recognise the manipulation patterns attackers actually use. See our security awareness training service.
How to choose a penetration testing company in Rwanda
Not all security providers are equal. For a detailed guide on evaluating providers in Kigali, including red flags and scoping questions, see our enterprise guide to choosing a penetration testing firm. The key factors to look for:
Verified certifications
The most important thing to verify is whether the actual tester holds recognised offensive security certifications. The industry standard is OSCP (Offensive Security Certified Professional), a hands-on exam where the tester must actually compromise machines under strict exam conditions. OSCP cannot be passed by memorisation; it proves practical skill. Be wary of providers who only list theoretical certifications (CISSP, CEH alone).
Experience with financial institutions
Testing a bank is different from testing an e-commerce website. Banking systems have complex transaction flows, regulatory sensitivities, and unique attack surfaces like core banking systems, USSD gateways, and SWIFT connections. Ask specifically about the provider's experience with banks and fintechs in the region.
Local presence in Rwanda
For engagements that include on-site testing, internal network assessment, or physical-access review, having a team physically located in Kigali matters. Remote-only providers cannot perform on-site testing and may struggle with timezone-sensitive coordination.
Clear methodology and deliverables
Ask for a sample report. A good penetration test report should include: an executive summary for leadership (not just technical staff), technical findings with proof-of-concept screenshots, severity ratings (CVSS or equivalent), and actionable remediation guidance that your IT team can actually implement, not generic advice.
NDA and engagement agreement
A professional provider will always establish a signed Rules of Engagement document and NDA before testing begins. This defines the scope, protects your business, and establishes the legal authority for the test. Never work with a provider who starts testing without a signed agreement.
A scoping call before any quote
No competent provider can price a penetration test without first understanding what is in scope: how many applications and APIs, whether mobile and USSD are included, whether internal network testing is needed, and which compliance report the result has to satisfy. A scoping call before any quote is the baseline. A fixed number emailed within minutes of first contact is a sign the provider is selling a scanner run, not a test.
Red flags to walk away from
- A quote with no scoping call. Real scope drives real pricing. A price quoted blind almost always means a templated scan.
- "Penetration tests" that are just scanner dumps. If the deliverable is an unedited Nessus or Acunetix export with no manual validation, no chained exploitation, and no business-impact narrative, it is a vulnerability scan being sold as a pentest, and it will not satisfy BNR.
- Offshore vendors that self-rank in listicles with no local presence. A vendor that tops a "top 10 pentest companies in Rwanda" listicle but has no Kigali office, no named local engagements, and no on-site capability is ranking on SEO, not on work delivered in Rwanda.
Provider archetypes compared
The Rwanda search results for penetration testing are dominated by offshore self-ranking listicles and templated multi-country pages, so the shortlist you assemble from a search rarely reflects who can actually do the work. Whatever provider type you are talking to, verify rather than assume: ask who will perform the test and what they hold. The table below compares provider archetypes, not named firms, and every cell is a question worth asking.
| Selection criterion | Offshore listicle vendor | Generalist IT / GRC shop | Large regional (SA) firm | Kigali-based offensive-security specialist |
|---|---|---|---|---|
| Local / Kigali presence | None; ranks via SEO | Usually local, IT-led | Regional HQ, fly-in for on-site | Based in Kigali, on-site capable |
| Recognised offensive-security credentials (OSCP / CREST) | Rarely named or verifiable | Varies; ask for the tester's credential | Often present on larger teams | Core; held by the practitioner who tests |
| Manual depth vs scanner | Mostly scanner output | Varies; ask for the manual share of effort | Manual, varies by team assigned | Manual, evidence-led, chained exploitation |
| BNR / SWIFT / NCSA fluency | Generic, multi-country boilerplate | Strong on GRC; ask about offensive depth | Strong, but Rwanda-specific knowledge varies | Reports written in a BNR-fileable format |
| Scoped quoting | Instant blind quote | Often scoped | Scoped, slower procurement | Scoping call before any quote |
What certifications should your pentest provider hold?
In order of importance for Rwanda-based engagements:
- OSCP (Offensive Security Certified Professional): the gold standard. Practical, exam-based. Proves the tester can actually hack systems, not just run tools.
- OSEP / OSED / OSWE: advanced Offensive Security certifications for evasion, exploit development, and web application exploitation
- CEH (Certified Ethical Hacker): knowledge-based, less rigorous than OSCP but widely recognised
- CREST membership: a UK-based professional body with high standards for penetration testing
- CISSP: strong for governance and management-level security, less relevant for hands-on testing
IMIZI Cyber tests under recognised offensive-security methodology. Our team has run penetration tests for banks, fintechs, and payment providers across Rwanda and East Africa, with reporting structured for BNR-aligned engagements. We are based in Kigali and can conduct on-site testing when required.
How long does a penetration test take? What does it cost?
Timeline depends on scope. Typical durations:
- Web application test (single app): 3 to 5 business days of testing
- API security assessment: 2 to 4 business days
- Mobile app test (one platform): 3 to 5 business days
- Full external + web + mobile package: 7 to 12 business days
- Full-scope enterprise engagement (external, web, mobile, API, internal network): 2 to 4 weeks
Pricing is scoped to your environment. Contact us for a tailored quote. We will scope the engagement, provide a fixed-price proposal, and deliver within an agreed timeline. See our guide to penetration testing costs in Rwanda for what factors affect pricing.
After the test: report, debrief, remediation
The deliverable is a formal written report delivered within 5 to 7 business days of testing completion. A good report contains:
- Executive summary: suitable for board presentation, covering overall risk posture and key findings in plain language
- Technical findings: each vulnerability documented with description, severity (Critical/High/Medium/Low), proof-of-concept screenshots, business impact, and step-by-step remediation guidance
- Risk heat map: visual overview of findings by severity and affected system
- Remediation roadmap: prioritised action plan
After the report is delivered, we conduct a debrief call with your technical team to walk through findings and answer questions. Once remediation is complete, we re-test the critical and high findings to verify they have been properly fixed. This re-test is a standard part of our engagements, included at no extra charge.
For a deeper comparison of how the two exercises differ for regulated institutions, see our guide on penetration testing versus vulnerability assessment for banks.
Get started
IMIZI Cyber is an offensive-security firm based in Kigali. We run manual, evidence-led penetration tests for banks, fintechs, payment providers, telecoms, government bodies, and healthcare organisations across Rwanda and the wider region, with reporting structured for BNR-aligned engagements.
For full details on our methodology, deliverables, and engagement process, see our penetration testing service page. For broader needs such as compliance gap analysis, see our security assessments service page. When you are ready to scope an engagement, contact us and we will respond with a tailored proposal within 48 hours.