Why this decision matters more than you think

A penetration test is not a commodity. The difference between a competent assessment and a checkbox exercise can be the difference between catching a critical BOLA flaw in your payment API and missing it entirely — then reading about it in a breach disclosure six months later.

The Nigerian fintech ecosystem is growing fast, and with it comes a surge of firms offering "penetration testing services." Some are excellent. Many are not. I've reviewed pentest reports from other vendors that were clearly auto-generated vulnerability scan outputs with a logo slapped on top. That's not a pentest — it's a PDF you paid too much for.

Whether you're preparing for CBN compliance, investor due diligence, or an enterprise partnership, the quality of your pentest vendor directly impacts your security posture and business outcomes.

Certifications: what to look for

Certifications are not everything, but they are a useful baseline filter. Here's what each one signals:

OSCP (Offensive Security Certified Professional)

This is the gold standard for hands-on exploitation skills. OSCP holders have passed a gruelling 24-hour practical exam where they must compromise multiple machines. If the lead tester holds an OSCP, they can actually break things — not just run tools.

CREST

CREST certification means the firm follows a standardised testing methodology and its testers have passed rigorous exams. CREST-accredited reports are accepted by regulators across multiple jurisdictions, which matters if you operate beyond Nigeria.

CEH (Certified Ethical Hacker)

CEH is a knowledge-based certification. It proves the holder understands offensive security concepts, but it does not guarantee hands-on exploitation capability. A CEH alone is a yellow flag — look for it combined with practical certifications. For more context, see our guide on pentest certifications in Nigeria.

Certification rule of thumb

Demand practical proof, not just logos

Ask which specific certifications the assigned tester holds — not the company. A firm can display OSCP on their website while assigning your project to a junior with no practical certs. Ask for the tester's name and credentials before scoping begins.

Methodology: OWASP, PTES, or proprietary?

Any credible pentest firm should follow a recognised framework. The two most common are:

OWASP Testing Guide — the standard for web and API security testing. If a firm tests fintech applications without referencing OWASP's fintech-relevant categories, that's a problem. OWASP covers authentication flaws, injection, BOLA, SSRF, and the business logic issues that matter most in payment systems.

PTES (Penetration Testing Execution Standard) — a broader framework covering pre-engagement, intelligence gathering, threat modelling, exploitation, post-exploitation, and reporting. PTES gives structure to the entire engagement, not just the testing phase.

Some firms use a "proprietary methodology." That's fine if they can clearly explain how it maps to OWASP or PTES. If they can't articulate their methodology in concrete terms, walk away. You can learn more about what good methodology looks like in our pentest tools and methodology guide.

The sample report test

Ask for a redacted sample report before signing. This single document tells you more than any sales call. Here's what to look for:

Executive summary: Is it written for business stakeholders? Does it quantify risk in business terms, not just CVSS scores? A good executive summary tells the CTO exactly what's broken and why it matters commercially.

Finding detail: Each finding should include a description, steps to reproduce, evidence (screenshots, request/response pairs), impact assessment, and remediation guidance. If the report just says "XSS found on login page" with no proof-of-concept, it's a scan report. Check our pentest report guide for what a proper report looks like.

Business logic findings: Automated scanners cannot find business logic flaws — things like being able to transfer money to yourself in a loop, or bypassing KYC verification steps. If the sample report contains only generic OWASP Top 10 findings and zero business logic issues, the testers likely rely too heavily on tools.
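To make the two flaw classes named on this page concrete, here is an added example written for this article (not Simpa Labs' own code, and not from any client engagement): a toy Python wallet transfer in the vulnerable form a scanner will happily pass, beside its hardened form. The wallets, owners, balances and the KYC flag are all constructed. The vulnerable handler has both a BOLA (the caller can move funds out of a wallet they do not own) and the self-transfer bug (a stale balance read turns a transfer to yourself into minted money, so repeating it in a loop grows the balance). Every request returns success, which is exactly why a tester who holds two accounts and reasons about the payment flow finds these, while a scanner does not.

```python
# Added example (not from the original article): a toy wallet transfer
# showing two business-logic flaws a scanner cannot see, beside the
# hardened handler. All wallet data below is constructed.
from dataclasses import dataclass
from decimal import Decimal
from threading import Lock


@dataclass
class Wallet:
    wallet_id: str
    owner_id: str          # user who may spend from this wallet
    balance: Decimal
    kyc_verified: bool     # hypothetical KYC gate for outbound transfers


class TransferError(Exception):
    """Raised by the hardened handler when a business rule is violated."""


def make_wallets() -> dict[str, Wallet]:
    """Constructed sample ledger used by the demonstrations below."""
    return {
        "w-alice": Wallet("w-alice", "alice", Decimal("100.00"), True),
        "w-bob": Wallet("w-bob", "bob", Decimal("50.00"), True),
        "w-carol": Wallet("w-carol", "carol", Decimal("10.00"), False),
    }


def transfer_vulnerable(wallets, actor_id, src_id, dst_id, amount):
    """The 'before': every request succeeds, so a scanner sees nothing wrong.

    Flaw 1 (BOLA): actor_id is never compared with the source wallet's owner.
    Flaw 2 (self-transfer): balances are read into locals first, so when
    src_id == dst_id the credit overwrites the debit and the balance grows.
    """
    src = wallets[src_id]
    dst = wallets[dst_id]
    src_balance = src.balance
    dst_balance = dst.balance           # stale when src is dst
    src.balance = src_balance - amount
    dst.balance = dst_balance + amount  # undoes the debit on a self-transfer
    return src.balance


_ledger_lock = Lock()


def transfer_hardened(wallets, actor_id, src_id, dst_id, amount):
    """The 'after': object-level authorisation plus the business rules."""
    if amount <= 0:
        raise TransferError("amount must be positive")
    with _ledger_lock:                      # one transfer at a time per ledger
        src = wallets.get(src_id)
        dst = wallets.get(dst_id)
        if src is None or dst is None:
            raise TransferError("unknown wallet")
        if src.owner_id != actor_id:        # BOLA check: caller must own the source
            raise TransferError("actor does not own source wallet")
        if src_id == dst_id:                # business rule: no self-transfers
            raise TransferError("self-transfer not allowed")
        if not src.kyc_verified:            # business rule: KYC gate on outbound
            raise TransferError("source wallet is not KYC-verified")
        if src.balance < amount:
            raise TransferError("insufficient funds")
        src.balance -= amount               # debit, then credit, on live objects
        dst.balance += amount
        return src.balance


def self_transfer_loop(transfer, rounds: int) -> Decimal:
    """Alice sends 10.00 to her own wallet `rounds` times; return her balance.

    A correct handler rejects every round; the vulnerable one mints money.
    """
    wallets = make_wallets()
    for _ in range(rounds):
        try:
            transfer(wallets, "alice", "w-alice", "w-alice", Decimal("10.00"))
        except TransferError:
            break
    return wallets["w-alice"].balance


def bola_attempt(transfer) -> tuple[Decimal, Decimal]:
    """Bob tries to move 40.00 out of Alice's wallet; return (alice, bob) balances."""
    wallets = make_wallets()
    try:
        transfer(wallets, "bob", "w-alice", "w-bob", Decimal("40.00"))
    except TransferError:
        pass
    return wallets["w-alice"].balance, wallets["w-bob"].balance


if __name__ == "__main__":
    print("self-transfer x3, vulnerable:", self_transfer_loop(transfer_vulnerable, 3))  # 130.00
    print("self-transfer x3, hardened:  ", self_transfer_loop(transfer_hardened, 3))    # 100.00
    print("BOLA, vulnerable:", bola_attempt(transfer_vulnerable))  # (60.00, 90.00)
    print("BOLA, hardened:  ", bola_attempt(transfer_hardened))    # (100.00, 50.00)
```

The two demonstration functions are what a proper finding's "steps to reproduce" look like when turned into a regression check: run them against the fixed build during the retest, and the vulnerable numbers must no longer appear. Note that the hardened handler also makes the debit and credit on the live objects under a lock; the ownership check alone would close the BOLA but leave the self-transfer bug in place.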

Scoping and communication

A good pentest company will ask you hard questions during scoping. They should want to understand your architecture, tech stack, user roles, payment flows, and compliance requirements before quoting a price. If a firm quotes you a flat fee after a 10-minute call with no technical questions, they're guessing — and you'll get a generic test.

During the engagement, you should receive regular status updates. At Simpa Labs, we use a dedicated Slack or WhatsApp channel per engagement. If we find a critical vulnerability mid-test, we flag it immediately — not in the final report two weeks later. Ask your vendor what their communication protocol looks like. For a breakdown of what a solid engagement process looks like, read how our pentest process works.

Retest policy

Remediation verification is not optional. After you fix the issues we find, someone needs to confirm the fixes actually work. A credible firm includes at least one round of retesting in the engagement price, or offers it at a clearly defined cost. If a vendor delivers a report and disappears, they're not a partner — they're a contractor.

Red flags to watch for

Over the years, I've seen patterns that reliably predict a bad engagement:

No scoping call: They quote without understanding your system. This means the test will be shallow and generic.

Guaranteed finding count: "We guarantee we'll find at least 50 vulnerabilities." This incentivises padding reports with informational findings. Quality matters, not quantity.

No retesting included: A report without remediation verification is half a service.

Refusal to share a sample report: If they won't show you what the deliverable looks like, they're hiding something.

No NDA or rules of engagement: A professional firm will define the legal boundaries of the test in writing before starting. No NDA means no professionalism.

Looking for a pentest partner who ticks every box on this list? Let's talk about your application.


Industry experience matters

Fintech is not generic IT. Your pentest vendor needs to understand payment flows, wallet systems, KYC/BVN verification, webhook callbacks, and the specific API vulnerabilities that hit payment platforms. A firm that primarily tests corporate intranets will miss the business logic flaws unique to financial services.

Ask for case studies or references in your vertical. If they've tested mobile money platforms, payment gateways, or lending platforms, they'll understand the threat model before day one.

Making your final decision

The right pentest company is one that acts as an extension of your security team, not a vendor you deal with once a year. Evaluate them on technical depth, communication quality, methodology rigour, and their willingness to be transparent about how they work. The cheapest option is almost never the best — and the consequences of a missed vulnerability far outweigh the savings. For a deeper look at pricing, check our pentest cost guide for Nigeria.

Related reading

Blog: How Simpa Labs pentest works · Penetration testing Nigeria guide · Would hackers attack my fintech?

Guides: Top pentest companies in Nigeria · How to book a pentest · Pentest report explained

Services: Penetration testing · API security · Vulnerability assessment