MANAGED EXTERNAL ATTACK SURFACE MONITORING

Your attack surface is being scanned right now.
The question is: by whom?

Exposed services, weak configurations, and unmonitored subdomains are the entry points attackers actually use. Not sophisticated zero-days. IMIZI Monitor is a managed service: we watch your external attack surface daily, map findings to regulatory frameworks, and alert you before attackers exploit what they find.

5 Regulatory frameworks mapped
Daily Automated external scans
A-F Security grading per domain
THE REGULATORY SHIFT

Regulators are no longer advising. They are enforcing.

Across Africa, regulators have shifted from guidance to mandatory enforcement, and cybersecurity obligations are now written into supervisory rules.

BNR (Rwanda)

Regulation N°50/2022 sets board-level cybersecurity accountability, a dedicated IT Security Unit, and prior approval for cloud use, and requires data to be hosted in Rwanda unless BNR approves otherwise.

CBK (Kenya)

The Central Bank of Kenya's Guidance Note on Cybersecurity (2017) sets incident-reporting timelines for banks, and in 2025 CBK launched the Banking Sector Cybersecurity Operations Centre to coordinate threat intelligence and incident response across the sector. Weak controls now draw direct supervisory scrutiny.

BOU (Uganda)

The Bank of Uganda's Cyber Risk Management Guidelines took effect 1 December 2024, making cybersecurity and technology risk management requirements mandatory for all supervised financial institutions. This is no longer guidance; it is enforceable obligation.

The talent gap

Africa carries one of the widest cybersecurity workforce shortages of any region (ISC2 Cybersecurity Workforce Study), and demand far outstrips the pool of qualified practitioners. You cannot hire your way out of this problem.

THE SERVICE

What IMIZI Monitor does

External attack surface scanning

Subdomain discovery, port scanning, TLS/SSL analysis, DNS security checks, HTTP headers, cloud storage exposure, and domain health monitoring. Daily automated scans.

Regulatory compliance mapping

Findings are mapped to the applicable controls in BNR Regulation N°50/2022, CBK Cybersecurity Guidance, BOU Cyber Risk Guidelines, PCI DSS v4.0, and the applicable ISO 27001:2022 Annex A controls. Compliance percentage tracked per framework.

Executive PDF reports

Monthly compliance-ready reports with security grades, finding summaries, remediation priorities, and regulatory status. Designed for board meeting packs and regulator submissions.

Real-time alerts

WhatsApp and email notifications when critical findings appear, SSL certificates are expiring, security grades drop, or new assets surface. Instant awareness, not monthly surprises.

Security grading (A-F)

Clear, defensible security grade for your organisation. Track improvements over time. Compare against compliance benchmarks.

Dark web intelligence

Credential leak monitoring, brand impersonation detection, and threat actor mention tracking. Know when your data appears where it should not.

Add-on
HOW IT WORKS

From your domain list to a live dashboard

1

Connect your domains

Tell us which domains to monitor; we handle the rest. First scan results typically follow within a day or two, and your dashboard is set up during kickoff.

2

Automated daily scans

Our scanning engine checks your entire external attack surface every day. No agents to install, nothing to configure on your systems.

3

Dashboard, reports, alerts

View findings in your compliance dashboard, receive alerts when something changes, and download board-ready PDF reports monthly.

WHY IMIZI MONITOR

Why not a global tool?

Global attack-surface tools rarely map findings to BNR, CBK, or BOU expectations out of the box, and they hand you a dashboard, not a managed engagement. You would pay more for less relevance.

Managed monitoring mapped to African compliance

Findings are mapped to the applicable controls in BNR Regulation N°50/2022, CBK Cybersecurity Guidance, and BOU Cyber Risk Guidelines. Global tools' compliance packs centre on NIST CSF and SOC 2; we map findings to the frameworks your supervisor actually examines against.

Based in Kigali, not California

Led by an OSCP-credentialled practitioner, in your timezone. Direct support on WhatsApp. Quarterly security reviews face-to-face, not through a ticketing system. When your regulator calls, you reach our team, not a ticket queue.

Safe for production systems

Non-destructive scanning only. TCP connect scans, rate limited, fully authorised. Works with banking platforms, government portals, insurance systems, and any public-facing infrastructure. We monitor, we do not attack.

Fraction of breach costs

Cybercrime drains hundreds of millions of dollars from African economies each year (INTERPOL African Cyberthreat Assessment). One missed subdomain, one expired certificate, one exposed service is all it takes for a breach that costs far more than continuous monitoring.

Ready to secure your external attack surface?

Contact us for custom pricing tailored to your organisation's needs.

FAQ

Questions and answers

Is scanning safe for our systems?
Yes. IMIZI Monitor uses non-destructive scanning only. TCP connect scans, rate limited to avoid any impact on your systems. This applies to banking platforms, government portals, insurance systems, and any public-facing infrastructure. We monitor from the outside, the same way an attacker would. No agents installed, no credentials needed, no risk to your operations.
What compliance frameworks do you cover?
BNR Regulation N°50/2022 (Rwanda), CBK Cybersecurity Guidance (Kenya), BOU Cyber Risk Guidelines (Uganda), PCI DSS v4.0, and ISO 27001:2022. Findings are mapped to the applicable controls in each framework so you can demonstrate compliance to your board and regulator.
Who is IMIZI Monitor for?
Any regulated organisation across Africa with external-facing digital infrastructure. Banks, microfinance institutions, insurance companies, pension funds, payment processors, government agencies, ministries, and hospitals. If you have domains, public services, and a regulator asking about your security posture, this is for you.
How quickly can we get started?
Onboarding is fast. Tell us your domains; first scan results typically follow within a day or two, and your dashboard is set up during kickoff.
What do we receive when onboarding starts?
Onboarding begins with a baseline assessment of your external attack surface: a branded report covering your current security grade, top findings, and compliance gaps, using your own data. Your live monitoring dashboard is set up during kickoff.
Do you replace our annual penetration test?
No. Penetration testing and continuous monitoring serve different purposes. A pentest is a deep manual assessment at a point in time. IMIZI Monitor watches your attack surface every day and catches changes between pentests: new subdomains, expiring certificates, configuration drift, exposed services. We recommend both.

Find out what attackers already know about you

Continuous external monitoring grades your attack surface daily and maps it to BNR, PCI DSS, and ISO 27001, the evidence your regulator expects to see. Tell us your domains and we will scope a monitoring engagement.