Why imizicyber
Most penetration testing firms run automated scanners, repackage the output into a PDF, and call it a day. That approach misses the vulnerabilities that actually matter: the business logic flaws, the authentication bypasses, the chained attack paths that real adversaries exploit.
imizicyber is different. Every engagement is manual-first, led by our OSCP-certified lead consultant with hands-on red team experience at Tier-1 banking institutions across Europe and Africa. We have found critical IDOR vulnerabilities in banking home loan platforms, bypassed JWT authentication in production financial applications, and identified privilege escalation paths across multinational banking networks.
When we test your systems, you get the depth of a dedicated offensive security specialist, not a generalist IT firm that also does pentesting on the side.
How a penetration test works
Every engagement follows a structured methodology: no surprises, and clear communication throughout.
Scoping
We define targets, methodology, rules of engagement, and success criteria together. You know exactly what we will test and how.
Reconnaissance
Passive and active information gathering to map your attack surface, the same approach a real adversary would take.
Exploitation
Manual testing and exploitation of identified vulnerabilities. We chain findings to demonstrate real business impact, not just theoretical risk ratings.
Reporting
Detailed technical report with executive summary, proof-of-concept evidence, CVSS risk ratings, and prioritised remediation guidance.
Debrief
Walkthrough session with your technical team and management. We explain every finding and answer questions.
Retest
Free verification testing on remediated findings. You get a clean retest report for your records and your regulator.
What you receive
Every penetration test produces a complete evidence package:
- Executive summary: non-technical overview for board and management, with risk ratings and strategic recommendations
- Technical findings report: each vulnerability documented with description, affected system, CVSS v3.1 score, proof-of-concept evidence (screenshots, HTTP requests/responses), and step-by-step reproduction instructions
- Remediation guidance: prioritised fix recommendations for each finding, including specific configuration changes, code patches, or architectural improvements
- Risk heat map: visual summary of findings by severity and affected system for compliance reporting
- Live debrief session: walkthrough with your technical team and management explaining every finding and answering questions
- Retest report: after remediation, free verification testing with a clean report confirming resolved findings, ready for your regulator or auditor
Who this is for
Our penetration testing services are built for organisations where security is not optional. A breach means regulatory consequences, financial loss, and eroded public trust.
- Banks and financial institutions: BNR-regulated commercial banks, microfinance institutions, and payment service providers across Rwanda and East Africa
- Telecoms and mobile money operators: organisations handling millions of financial transactions daily
- Government agencies: ministries and public institutions managing citizen data and critical national infrastructure
- Insurance companies: firms managing sensitive policyholder data under evolving regulatory requirements
- Fintechs and startups: fast-moving companies that need security validation before launch or fundraising
Compliance alignment
Penetration testing is not just good practice; it is a requirement under multiple frameworks that apply to financial institutions in Rwanda and East Africa. Our methodology and reporting satisfy:
- BNR Regulation on Cyber Resilience for the Financial Sector: requires supervised institutions to conduct regular penetration testing and vulnerability assessments, and mandates an annual review of the institution's cybersecurity programme, which must include independent security testing
- PCI DSS v4.0: Requirement 11.4 mandates external and internal penetration testing at least annually and after significant changes. Requirement 11.3 requires quarterly vulnerability scanning. Requirement 6.2 requires secure development practices and software security testing throughout the development lifecycle
- ISO 27001:2022: Annex A Control 8.8 (Management of technical vulnerabilities) requires timely identification and remediation of vulnerabilities. Control 5.36 (Compliance with policies, rules and standards) mandates independent security reviews. Control 8.34 (Protection of information systems during audit testing) governs how testing is conducted safely in production environments
- SWIFT CSP: the Customer Security Programme requires regular assessments for institutions on the SWIFT network
- Rwanda Data Protection Law No 058/2021: Article 30 requires data controllers to implement appropriate technical and organisational measures to protect personal data. Penetration testing demonstrates compliance with this obligation
Our reports include the executive summary, technical detail, and remediation evidence that auditors and regulators expect. For more on BNR requirements, see our guide on BNR cybersecurity requirements for banks in Rwanda.
Frequently asked questions
How long does a penetration test take?
What certifications does your lead tester hold?
Do you perform penetration testing for banks in Rwanda?
What is the difference between penetration testing and vulnerability assessment?
Will testing disrupt our systems?
What do we receive after the test?
How much does penetration testing cost in Rwanda?
For organisations needing a broader security review, see our security assessments service.
If you want to build security testing into your development pipeline, explore our custom security tooling.
Ready to test your defences?
Tell us what you need secured. We respond within 24 hours with a scoping call and detailed proposal.