Why IMIZI Cyber
A scanner-led firm runs the tool, repackages the output, and calls it a day. That approach misses the vulnerabilities that actually matter: the business logic flaws, the authentication bypasses, the chained attack paths that real adversaries exploit.
IMIZI Cyber is manual-first. We run every engagement by hand, using recognised offensive-security methodology and the kind of attacker tradecraft that holds up inside BNR-supervised regulated-enterprise environments. This methodology routinely surfaces the access-control and authentication flaws that scanners miss, such as IDOR and broken object-level authorisation, JWT validation gaps, and privilege-escalation paths chained across networks. Every report is written by hand by the testers who ran the engagement.
Whether you are a bank, fintech, telecom, government body or healthcare institution that needs a report that holds up with regulators, boards and BNR-supervised counterparties, or a vendor-list technical reviewer evaluating methodology depth before the first call, you get a dedicated offensive-security team, not a generalist IT firm that also does pentesting on the side.
How a penetration test works
Every engagement follows a structured methodology. No surprises, clear communication throughout.
Scoping
We define targets, methodology, rules of engagement, and success criteria together. You know exactly what we will test and how.
Reconnaissance
Passive and active information gathering to map your attack surface, the same approach a real adversary would take.
Exploitation
Manual testing and exploitation of identified vulnerabilities. We chain findings to demonstrate real business impact, not just theoretical risk ratings.
Reporting
Detailed technical report with executive summary, proof-of-concept evidence, CVSS risk ratings, and prioritised remediation guidance.
Debrief
Walkthrough session with your technical team and management. We explain every finding and answer questions.
Retest
Free verification testing on remediated findings. You get a clean retest report for your records and your regulator.
What you receive
Every penetration test produces a complete evidence package:
- Executive summary: non-technical overview for board and management, with risk ratings and strategic recommendations
- Technical findings report: each vulnerability documented with description, affected system, CVSS v3.1 score, proof-of-concept evidence (screenshots, HTTP requests/responses), and step-by-step reproduction instructions
- Remediation guidance: prioritised fix recommendations for each finding, including specific configuration changes, code patches, or architectural improvements
- Risk heat map: visual summary of findings by severity and affected system for compliance reporting
- Live debrief session: walkthrough with your technical team and management explaining every finding and answering questions
- Retest report: after remediation, free verification testing with a clean report confirming resolved findings, ready for your regulator or auditor
Who this is for
VAPT at IMIZI Cyber serves regulated institutions across Africa, where security is not optional and a breach means regulatory consequences, financial loss, and eroded trust.
- Banks and BNR-supervised enterprises: commercial banks, microfinance institutions, and payment service providers whose vendor-list technical reviewers score methodology depth before requesting a call
- Government and ministries: public-sector bodies securing citizen-facing services, registries, and critical infrastructure
- Telecoms and mobile money operators: organisations handling millions of financial transactions daily
- Healthcare and insurance: hospitals and insurers managing sensitive patient and policyholder data under evolving regulatory requirements
- Fintechs and startups: fast-moving companies that need security validation before launch or fundraising
Compliance alignment
Penetration testing is referenced across several frameworks that apply to regulated institutions in Rwanda and across Africa. Testing is one input to compliance, not the whole of it; our methodology and reporting supply the technical evidence these frameworks call for:
- BNR Regulation N°50/2022: requires supervised institutions to conduct a penetration test at least annually and vulnerability assessments at least twice a year, with results filed with the National Bank of Rwanda. See our dedicated BNR-compliant penetration testing service for the full mandate, cadence, and reporting detail
- PCI DSS v4.0: Requirement 11.4 mandates external and internal penetration testing at least annually and after significant changes. Requirement 11.3 requires quarterly vulnerability scanning. Requirement 6.2 requires secure development practices and software security testing throughout the development lifecycle
- ISO 27001:2022: Annex A Control 8.8 (Management of technical vulnerabilities) requires timely identification and remediation of vulnerabilities. Control 5.35 (Independent review of information security) mandates independent security reviews. Control 8.34 (Protection of information systems during audit testing) governs how testing is conducted safely in production environments. ISO 27001 does not mandate penetration testing outright; our testing supplies evidence that supports these controls
- SOC 2: examinations against the AICPA Trust Services Criteria are performed by licensed CPA firms. Penetration test reports are among the most common evidence items those auditors request when evaluating the Security criteria; our testing and reporting supply that evidence
- SWIFT CSP: the Customer Security Programme includes controls on vulnerability scanning and security assessment for institutions on the SWIFT network, and requires an independent assessment behind the annual attestation. See our SWIFT CSP independent assessment service
- Rwanda Data Protection Law No 058/2021: requires data controllers to implement appropriate technical and organisational measures to protect personal data. Penetration testing provides evidence that supports this obligation. See our NCSA & Law 058/2021 security testing service
Our reports include the executive summary, technical detail, and remediation evidence that auditors and regulators expect. For institutions working toward PCI DSS, ISO 27001, or SOC 2, we handle the readiness side (gap preparation, testing evidence, remediation guidance) and coordinate independent audit and certification firms through our partner network; the certificate or attestation is always issued by that independent third party. For more on BNR requirements, see our guide on BNR cybersecurity requirements for banks in Rwanda.
Frequently asked questions
How long does a penetration test take?
What certifications should we look for in a penetration testing provider?
Do you perform penetration testing for banks in Rwanda?
What is the difference between penetration testing and vulnerability assessment?
Will testing disrupt our systems?
What do we receive after the test?
How much does penetration testing cost in Rwanda?
For organisations needing a broader security review, see our security assessments service.
If you want to build security testing into your development pipeline, explore our custom security tooling.
Ready to test your defences?
Tell us what you need secured. We reply within 24 hours to set up a scoping call, and a detailed proposal follows within 48 hours of that call.