The full engagement lifecycle
A professional penetration test follows a structured process. Understanding each phase helps you prepare, set internal expectations, and move faster. Here's exactly what happens from the moment you reach out.
Initial contact
Reach out via WhatsApp, email, or a contact form. You don't need a detailed RFP: a brief description of what you're building (mobile money app, lending platform, payment gateway) and why you need testing (CBN (Central Bank of Nigeria) compliance, investor request, internal initiative) is enough. We'll schedule a scoping call within 24–48 hours.
Scoping call (30–45 minutes)
This is where we map your product. We'll walk through your application architecture, user roles, third-party integrations, payment flows, and any specific areas of concern. We'll also discuss your compliance requirements: whether the report needs to satisfy CBN examiners, PCI DSS auditors, or investor due diligence teams. This call determines the engagement scope.
Proposal delivery (within 48 hours)
You receive a written proposal that details: exactly what will be tested (and what won't), the testing methodology, the engagement timeline, deliverable format, and pricing. No ambiguity, no hidden fees. The proposal is free and non-binding: you'll know exactly what you're buying before any commitment.
Access provisioning
Once approved, you set up testing access. For most fintech engagements, this means: test accounts across each user role (customer, merchant, admin), access to a staging environment, and any API documentation your team can share. The staging environment should match production in the ways that matter for security (authentication settings, rate limits, integration configuration, sandbox credentials for payment processors), and test accounts should carry realistic balances and limits so that payment and transfer flows can actually be exercised end to end. We provide a clear checklist of what we need. Provisioning typically takes 1–3 business days depending on your team's availability.
Testing (5–10 business days)
An engineer manually tests your application: payment flows, authentication chains, API endpoints, and admin tools. If a critical vulnerability is found during testing, we flag it immediately rather than waiting for the final report. You'll have a dedicated point of contact throughout the engagement for any questions or coordination needs.
Report delivery and walkthrough
You receive the full report: executive summary, detailed findings with severity ratings, proof-of-concept demonstrations, business impact analysis, and engineering-ready remediation guidance. We then schedule a live walkthrough with your engineering team to review findings, answer questions, and help prioritize fixes based on real-world risk.
Remediation and retesting
Your team fixes the identified vulnerabilities. When you're ready, we retest every critical and high finding to verify proper remediation. The final report is updated with verification results: this is the document you hand to regulators, investors, or auditors. Retesting is included, not an upsell.
Ready to start? Describe your product and we'll send you a scoped proposal within 48 hours.
What to prepare before the scoping call
You don't need extensive documentation. But having clarity on these items makes the scoping call more productive and gets you an accurate proposal faster:
- Product type and platform: Web app, mobile app (iOS/Android), APIs, admin dashboards. Knowing your full product surface helps us scope accurately.
- User roles: Who uses the product? Customers, merchants, agents, support staff, admins? Each role adds authorization testing scope.
- Third-party integrations: Payment processors (Paystack, Flutterwave), identity verification (BVN/NIN providers, i.e. Bank Verification Number and National Identification Number lookups), telco billers, banking APIs. Integration boundaries are where configuration mistakes create exploitable gaps.
- Compliance drivers: Is this test driven by CBN examination, PCI DSS certification, investor due diligence, or internal security initiative? This determines report format and methodology requirements.
- Timeline constraints: Is there a regulatory deadline, fundraising timeline, or product launch date driving urgency? We can prioritize scheduling when needed.
- Previous testing: Have you had a pentest or vulnerability assessment before? Sharing previous reports helps us focus on areas that haven't been tested or need deeper coverage.
Common approaches: black-box, grey-box, white-box
The engagement type determines how much information testers receive about your application. Each approach has trade-offs:
Black-box testing
Testers receive no internal knowledge: they approach the application as an external attacker would. Realistic but time-intensive, and it yields the least coverage per engagement day, because authorization testing across roles cannot start until the tester has obtained accounts and mapped the application on their own. Best for testing your external-facing defenses without any insider advantage.
Grey-box testing
Testers receive authenticated accounts and basic architecture information. The most common approach for fintech applications because it maximizes coverage within the engagement timeline: testers spend time on business logic, not reconnaissance.
White-box testing
Testers receive full access including source code, architecture diagrams, and internal documentation. Maximum depth and coverage. Best for security-critical applications where total coverage outweighs the external-attacker simulation model.
Grey-box is almost always the right choice for fintechs
For Nigerian fintech applications, we typically recommend grey-box testing. It gives testers enough context to quickly navigate to high-risk flows (payment processing, fund transfers, KYC verification) while still testing authorization and access control as an attacker would. Black-box testing wastes engagement days on discovery that authenticated access would shortcut. White-box is reserved for applications processing extremely high transaction volumes or sensitive data where maximum coverage is non-negotiable.
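The authorization testing that grey-box access makes possible is mechanical enough to show in code. The following is an added example written for this page, not tooling from the firm described here: it takes one provisioned account per role and the access policy agreed at scoping, calls every endpoint with every account, and reports two kinds of mismatch, a lower role reaching a higher role's endpoint (vertical privilege escalation) and a role reaching another user's resource on an owner-only endpoint (horizontal, the classic IDOR). The API, accounts, tokens, endpoints and policy are all constructed for the example; the in-memory "server" deliberately contains two authorization bugs so the check has something to find.

```python
"""Role/endpoint authorization matrix check (constructed example).

Everything below (accounts, tokens, endpoints, policy, the fake API)
is invented for illustration. Against a real target, fake_api would be
replaced by an HTTP client that sends the role's bearer token.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# One provisioned test account per role, as a grey-box engagement provides.
ACCOUNTS: Dict[str, Dict] = {
    "customer": {"token": "tok-cust-1", "user_id": 101},
    "merchant": {"token": "tok-merch-1", "user_id": 201},
    "admin": {"token": "tok-admin-1", "user_id": 301},
}

# Expected policy as described at scoping: which roles may call which
# endpoint. "owner" means a role not listed explicitly may call it, but only
# for a resource it owns ({user_id} is substituted per request).
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("GET", "/wallet/{user_id}"): {"owner", "admin"},
    ("POST", "/transfer"): {"customer", "merchant"},
    ("GET", "/merchant/settlements"): {"merchant"},
    ("POST", "/admin/reverse-transaction"): {"admin"},
    ("GET", "/admin/users"): {"admin"},
}

_TOKENS = {a["token"]: (role, a["user_id"]) for role, a in ACCOUNTS.items()}


def fake_api(method: str, path: str, token: str) -> int:
    """Stand-in server returning an HTTP-like status. Two deliberate bugs:
    the wallet endpoint never checks ownership, and the reversal endpoint
    accepts any authenticated token."""
    if token not in _TOKENS:
        return 401
    role, _uid = _TOKENS[token]
    if method == "GET" and path.startswith("/wallet/"):
        return 200  # BUG: no ownership check (horizontal escalation)
    if method == "POST" and path == "/transfer":
        return 200 if role in ("customer", "merchant") else 403
    if method == "GET" and path == "/merchant/settlements":
        return 200 if role == "merchant" else 403
    if method == "POST" and path == "/admin/reverse-transaction":
        return 200  # BUG: any authenticated role accepted (vertical escalation)
    if method == "GET" and path == "/admin/users":
        return 200 if role == "admin" else 403
    return 404


@dataclass(frozen=True)
class Finding:
    role: str
    method: str
    path: str
    kind: str  # "vertical", "horizontal" or "unexpected-deny"


def run_matrix(policy, accounts, request: Callable[[str, str, str], int]) -> List[Finding]:
    """Exercise every (endpoint, role) pair and compare against the policy."""
    findings: List[Finding] = []
    for (method, template), allowed in policy.items():
        for role, acct in accounts.items():
            if role in allowed:
                # Role is expected to succeed; a denial is a policy/implementation
                # mismatch worth raising with the client, not a vulnerability.
                path = template.format(user_id=acct["user_id"])
                if request(method, path, acct["token"]) != 200:
                    findings.append(Finding(role, method, path, "unexpected-deny"))
            elif "owner" in allowed:
                # Owner-only endpoint: request a different user's resource.
                other = next(a["user_id"] for r, a in accounts.items() if r != role)
                path = template.format(user_id=other)
                if request(method, path, acct["token"]) == 200:
                    findings.append(Finding(role, method, path, "horizontal"))
            else:
                # Role is not permitted at all: any 200 is vertical escalation.
                if request(method, template, acct["token"]) == 200:
                    findings.append(Finding(role, method, template, "vertical"))
    return findings


if __name__ == "__main__":
    for f in run_matrix(POLICY, ACCOUNTS, fake_api):
        print(f"{f.kind:15} {f.role:9} {f.method} {f.path}")
```

Running it against the constructed API reports four findings: both non-admin roles can read another user's wallet, and both can call the admin-only transaction reversal. Every role you add to the scope adds a row to this matrix, which is why the scoping call asks for the full list of roles rather than just "customers and admins".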
How to write the proposal request
If your organization requires a formal proposal request (RFP), keep it simple. The most useful information for pentest scoping is practical, not bureaucratic:
What to include
Product description, technology stack, user roles, third-party integrations, compliance requirements, and your timeline. A few paragraphs is enough: we'll refine scope on the call.
What to skip
Generic RFP templates with 40-page questionnaires, requests for organizational charts, insurance certificates up front, or detailed methodology descriptions. These slow the process without improving the proposal quality.
After the engagement: what to do with the report
A penetration test report is only valuable if your team acts on it. Here's the prioritization framework we recommend:
Fix critical and high findings immediately
These are exploitable vulnerabilities with direct financial or data exposure impact. Assign them to your most experienced engineers and ship fixes within days, not sprints. If a proper fix cannot ship that fast, put a compensating control in place immediately (disable the affected endpoint, tighten rate limits, add a server-side check in front of the vulnerable flow) and track the real fix separately.
Schedule medium findings into your next sprint
Medium-severity findings require specific conditions to exploit but represent real risk. They belong in your development backlog, not a "security debt" spreadsheet that never gets addressed.
Request retesting
Once critical and high findings are fixed, trigger the retest. We verify each fix is implemented correctly and update the report with verification results. This clean report is what you submit to regulators or share with investors.
Skip the procurement cycle. Describe your product and get a proposal in 48 hours: no commitment required.
Related resources
Learn what drives penetration test pricing in Nigeria, understand how to evaluate pentest firms, or explore the difference between vulnerability assessments and penetration testing. If you're preparing for a regulatory audit, see our CBN compliance guide. For startups, check our startup engagement model.
Frequently asked questions
How long does it take to book a penetration test?
From initial contact to testing kickoff, most engagements start within 1–2 weeks. The scoping call takes 30–45 minutes, we deliver a proposal within 48 hours, and testing begins as soon as access is provisioned. If you're under regulatory deadline pressure, we can prioritize scheduling.
What information do I need before contacting a pentest firm?
You don't need a detailed technical specification. Know your product type (mobile app, web platform, API), the general user roles (customers, merchants, admins), any compliance requirements driving the engagement (CBN, PCI DSS, investor diligence), and your rough timeline. We'll work out the technical details during scoping.
Do I need to give pentesters access to source code?
It depends on the engagement type. Black-box testing simulates an external attacker with no inside knowledge. Grey-box testing (most common for fintech apps) provides authenticated user accounts and basic architecture documentation so testers can focus on business logic rather than spending days on reconnaissance. White-box testing includes source code access for maximum coverage. We'll recommend the right approach during scoping.
What if we need the report formatted for a specific regulator?
Tell us during scoping. We regularly format reports for CBN examiners, PCI DSS QSAs, and investor due diligence reviews. There's no extra charge for regulatory formatting: it's part of understanding your deliverable requirements.
Can we request a penetration test proposal without commitment?
Yes. The scoping call and proposal are free and non-binding. We'll map your product surface, recommend the right engagement type, and send you a proposal with clear scope, timeline, and pricing. You'll know exactly what you're buying before any commitment.
What happens if critical vulnerabilities are found during testing?
We flag critical findings immediately: we don't wait until the final report. If we discover a vulnerability that poses immediate financial risk (like an exploitable payment bypass), we notify your team within hours so you can begin remediation while testing continues on other areas.